Add 1.26.0 and 2.0.0-M4 (experimental) (#744)

maltesander · web-flow · commit 0ff5e25dc183 · 2024-07-05T10:16:14.000Z
* add new versions and patches

* adapted changelog

* fixes

* fixes for 2.0.0

* improve mvn version check for 2.0.0

* fix comment
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ All notable changes to this project will be documented in this file.
 - opa: Add log processing script to opa for decision logging ([#695], [#704]).
 - stackable-base: Add [config-utils](https://github.com/stackabletech/config-utils) ([#706]).
 - omid: Include Apache Omid Examples to simplify testing ([#721]).
+- nifi: Add support for 1.26.0 and 2.0.0-M4 ([#744]).
 - kafka: Add versions `3.6.2` and `3.7.1` ([#745]).
 - trino & trino-cli: Add version 451 ([#XXX]).
 
@@ -70,6 +71,7 @@ All notable changes to this project will be documented in this file.
 - zookeeper: Remove unsupported version 3.8.3 and 3.9.1 ([#628], [#736]).
 - java-base: Remove openjdk-devel rpm package again to reduce the vulnerability surface ([#665])
 - trino: Remove unsupported version 428 ([#687]).
+- nifi: Remove unsupported version 1.23.2 ([#744]).
 - kafka: Remove unsupported version `3.5.2` ([#745]).
 
 [#583]: https://github.com/stackabletech/docker-images/pull/583
@@ -113,6 +115,7 @@ All notable changes to this project will be documented in this file.
 [#736]: https://github.com/stackabletech/docker-images/pull/736
 [#737]: https://github.com/stackabletech/docker-images/pull/737
 [#743]: https://github.com/stackabletech/docker-images/pull/743
+[#744]: https://github.com/stackabletech/docker-images/pull/744
 [#745]: https://github.com/stackabletech/docker-images/pull/745
 
 ## [24.3.0] - 2024-03-20
diff --git a/nifi/Dockerfile b/nifi/Dockerfile
@@ -6,14 +6,27 @@
 
 # Not tagging base image because it is built as part of the same process
 # hadolint ignore=DL3006
-FROM stackable/image/java-devel AS builder
+FROM stackable/image/java-devel AS nifi-builder
 
 ARG PRODUCT
+ARG MAVEN_VERSION="3.9.8"
 
 RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
+# NOTE: From NiFi 2.0.0 upwards Apache Maven 3.9.6+ is required. As of 2024-07-04 the java-devel image
+# ships 3.6.3. This will update maven accordingly depending on the version. The error is due to the maven-enforer-plugin.
+#
+# [ERROR] Rule 2: org.apache.maven.enforcer.rules.version.RequireMavenVersion failed with message:
+# [ERROR] Detected Maven Version: 3.6.3 is not in the allowed range [3.9.6,).
+#
+WORKDIR /tmp
+RUN if [[ "${PRODUCT}" == 2.* ]] ; then \
+        curl --fail -L "https://repo.stackable.tech/repository/packages/maven/apache-maven-${MAVEN_VERSION}-bin.tar.gz" | tar -xzC . && \
+        ln -sf /tmp/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn ; \
+    fi
+
 USER stackable
 WORKDIR /stackable
 
@@ -37,7 +50,14 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \
         unzip /stackable/nifi-${PRODUCT}-bin.zip && \
         rm /stackable/nifi-${PRODUCT}-bin.zip && \
         # Remove generated docs in binary
-        rm -rf /stackable/nifi-${PRODUCT}/docs ; \
+        rm -rf /stackable/nifi-${PRODUCT}/docs && \
+        # Add Iceberg extensions as they are not included by default and are important enough
+        # They need to be build from source, as https://mvnrepository.com/artifact/org.apache.nifi/nifi-iceberg-processors-nar does not ship the org.apache.hadoop.fs.s3a.S3AFileSystem (see https://github.com/apache/nifi/pull/6368#issuecomment-1502175258)
+        # See https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/README.md for details on how to build them
+        cd /stackable/nifi-${PRODUCT}/lib/ && \
+        curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-processors-nar-${PRODUCT}-with-aws.nar" && \
+        curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-services-nar-${PRODUCT}-with-aws.nar" && \
+        curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-services-api-nar-${PRODUCT}-with-aws.nar" ; \        
     else \
         curl --fail -L 'https://repo.stackable.tech/repository/m2/tech/stackable/nifi/stackable-bcrypt/1.0-SNAPSHOT/stackable-bcrypt-1.0-20240508.153334-1-jar-with-dependencies.jar' \
         # This used to be located in /bin/stackable-bcrypt.jar. We create a softlink for /bin/stackable-bcrypt.jar in the main container for backwards compatibility.
@@ -56,7 +76,7 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \
         patches/apply_patches.sh ${PRODUCT} && \
         # Build NiFi
         cd /stackable/nifi-${PRODUCT}-src/ && \
-        mvn clean install -Dmaven.javadoc.skip=true -DskipTests && \
+        mvn clean install -Dmaven.javadoc.skip=true -DskipTests --activate-profiles include-iceberg,include-hadoop-aws && \
         # Copy the binaries to the /stackable folder
         mv /stackable/nifi-${PRODUCT}-src/nifi-assembly/target/nifi-${PRODUCT}-bin/nifi-${PRODUCT} /stackable/nifi-${PRODUCT} && \
         # Remove the unzipped sources
@@ -65,14 +85,6 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \
         rm -rf /stackable/nifi-${PRODUCT}/docs ; \
     fi
 
-# Add Iceberg extensions as they are not included by default and are important enough
-# They need to be build from source, as https://mvnrepository.com/artifact/org.apache.nifi/nifi-iceberg-processors-nar does not ship the org.apache.hadoop.fs.s3a.S3AFileSystem (see https://github.com/apache/nifi/pull/6368#issuecomment-1502175258)
-# See https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/README.md for details on how to build them
-RUN cd /stackable/nifi-${PRODUCT}/lib/ && \
-    curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-processors-nar-${PRODUCT}-with-aws.nar" && \
-    curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-services-nar-${PRODUCT}-with-aws.nar" && \
-    curl --fail -O "https://repo.stackable.tech/repository/packages/nifi/iceberg-nars/nifi-iceberg-services-api-nar-${PRODUCT}-with-aws.nar"
-
 # ===
 # For earlier versions this script removes the .class file that contains the
 # vulnerable code.
@@ -120,10 +132,10 @@ RUN microdnf update && \
 
 USER stackable
 
-COPY --chown=stackable:stackable --from=builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
-COPY --chown=stackable:stackable --from=builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
+COPY --chown=stackable:stackable --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
+COPY --chown=stackable:stackable --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
 
-COPY --chown=stackable:stackable nifi/stackable /stackable
+COPY --chown=stackable:stackable nifi/stackable/bin /stackable/bin
 COPY --chown=stackable:stackable nifi/licenses /licenses
 COPY --chown=stackable:stackable nifi/python /stackable/python
 
diff --git a/nifi/stackable/patches/1.26.0/001-NIFI-no-zip-assembly-1.26.0.patch b/nifi/stackable/patches/1.26.0/001-NIFI-no-zip-assembly-1.26.0.patch
@@ -1,5 +1,5 @@
 diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
-index b520c113ce..5cf04f421d 100644
+index 8778f3dc53..045c0daa64 100644
 --- a/nifi-assembly/pom.xml
 +++ b/nifi-assembly/pom.xml
 @@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
diff --git a/nifi/stackable/patches/1.26.0/002-NIFI-no-host-header-check-1.26.0.patch b/nifi/stackable/patches/1.26.0/002-NIFI-no-host-header-check-1.26.0.patch
@@ -26,33 +26,35 @@ Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
 diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
---- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java	(revision 6ecc398d3f92425447e43242af4992757e25b3c5)
-+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java	(date 1716453739677)
-@@ -47,6 +47,7 @@
+index 051e2f19d6..6baac7fda7 100644
+--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
++++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+@@ -47,6 +47,7 @@ public class HostHeaderHandler extends ScopedHandler {
      private final String serverName;
      private final int serverPort;
      private final List<String> validHosts;
 +    private boolean allowAllHosts = false;
-
+ 
      /**
       * Instantiates a handler with a given server name and port 0.
-@@ -107,6 +108,10 @@
+@@ -107,6 +108,11 @@ public class HostHeaderHandler extends ScopedHandler {
          // The value(s) from nifi.web.proxy.host
          hosts.addAll(parseCustomHostnames(niFiProperties));
-
+ 
 +        // Check if the setting for allowed hosts has only the wildcard entry and
 +        // if so store this in allowAllHost for later use
 +        List<String> configuredHostNames = niFiProperties.getAllowedHostsAsList();
 +        this.allowAllHosts = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
          // empty is ok here
          hosts.add("");
-
-@@ -205,7 +210,7 @@
+ 
+@@ -205,7 +211,7 @@ public class HostHeaderHandler extends ScopedHandler {
      }
-
+ 
      boolean hostHeaderIsValid(String hostHeader) {
 -        return validHosts.contains(hostHeader.toLowerCase().trim());
 +        return this.allowAllHosts || validHosts.contains(hostHeader.toLowerCase().trim());
      }
-
+ 
      @Override
diff --git a/nifi/stackable/patches/2.0.0-M4/001-NIFI-no-zip-assembly-2.0.0-M4.patch b/nifi/stackable/patches/2.0.0-M4/001-NIFI-no-zip-assembly-2.0.0-M4.patch
@@ -0,0 +1,12 @@
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index 83eb8214f9..0764b3716d 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>
diff --git a/nifi/stackable/patches/2.0.0-M4/002-NIFI-no-host-header-check-2.0.0-M4.patch b/nifi/stackable/patches/2.0.0-M4/002-NIFI-no-host-header-check-2.0.0-M4.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH] Allow bypassing check for host header.
+NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed
+values for the host header field in any incoming request for the web ui.
+
+This frequently causes issues when trying to expose the NiFi UI via for example
+an ingress, loadbalancer or any similar type of mechanism.
+
+NiFi does not allow to disable this behavior, so at the moment the nifi operator
+simply hardcodes all even remotely possible values into this field.
+But in order to allow putting for example in ingress in front of NiFi this means
+using config overrides to change the value of this option, copy all the values
+the operator put in there and add the extra value you need.
+
+This is less than ideal, the proper solution would probably be
+https://github.com/stackabletech/nifi-operator/issues/604
+
+But until that is merged this is a simple workaround that allows overriding the list of allowed
+hostnames by just setting it to "*" and this will effectively bypass the hostname check entirely if set.
+
+This allows us to keep the default behavior in place for those users where it works and not remove
+security features, but also enables users to disable this check if they know what they are doing.
+---
+Index: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+index 97337d63e2..0f7a272de7 100644
+--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
++++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+@@ -47,6 +47,7 @@ public class HostHeaderHandler extends Handler.Abstract {
+     private final String serverName;
+     private final int serverPort;
+     private final List<String> validHosts;
++    private boolean allowAllHosts = false;
+ 
+     /**
+      * Instantiates a handler which accepts incoming requests with a host header that is empty or contains one of the
+@@ -68,6 +69,11 @@ public class HostHeaderHandler extends Handler.Abstract {
+         // The value(s) from nifi.web.proxy.host
+         hosts.addAll(parseCustomHostnames(niFiProperties));
+ 
++        // Check if the setting for allowed hosts has only the wildcard entry and
++        // if so store this in allowAllHost for later use
++        List<String> configuredHostNames = niFiProperties.getAllowedHostsAsList();
++        this.allowAllHosts = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+         // empty is ok here
+         hosts.add("");
+ 
+@@ -160,7 +166,7 @@ public class HostHeaderHandler extends Handler.Abstract {
+      * @return Valid status
+      */
+     boolean hostHeaderIsValid(final String hostHeader) {
+-        return hostHeader != null && validHosts.contains(hostHeader.toLowerCase().trim());
++        return this.allowAllHosts || (hostHeader != null && validHosts.contains(hostHeader.toLowerCase().trim()));
+     }
+ 
+     @Override
diff --git a/nifi/versions.py b/nifi/versions.py
@@ -4,14 +4,19 @@
         "java-base": "11",
         "java-devel": "11",
     },
-    {
-        "product": "1.23.2",
-        "java-base": "11",
-        "java-devel": "11",
-    },
     {
         "product": "1.25.0",
         "java-base": "21",
         "java-devel": "11", # There is an error when trying to use java-devel 21 (for nifi 1.25.0):
     },
+    {
+        "product": "1.26.0",
+        "java-base": "11",
+        "java-devel": "11", # There is an error when trying to use java-devel 21 (for nifi 1.26.0):
+    },
+    {
+        "product": "2.0.0-M4",
+        "java-base": "21",
+        "java-devel": "21",
+    }          
 ]
