Repository: nifi Updated Branches: refs/heads/master 675f4f544 -> 47d715741
NIFI-3299 Added example of sensitive property key migration to the admin guide. This closes #1404. Signed-off-by: Andy LoPresto <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/47d71574 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/47d71574 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/47d71574 Branch: refs/heads/master Commit: 47d7157412ff8235ba567bb2dbb8f6e6ca4d660e Parents: 675f4f5 Author: Bryan Bende <[email protected]> Authored: Fri Jan 6 15:12:57 2017 -0500 Committer: Andy LoPresto <[email protected]> Committed: Fri Jan 6 17:55:27 2017 -0800 ---------------------------------------------------------------------- .../src/main/asciidoc/administration-guide.adoc | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/47d71574/nifi-docs/src/main/asciidoc/administration-guide.adoc ---------------------------------------------------------------------- diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 2c643c1..c5beb08 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -1113,6 +1113,10 @@ When applied to 'login-identity-providers.xml', the property elements are update </provider> ---- +[encrypt_config_property_migration] +Sensitive Property Key Migration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In order to change the key used to encrypt the sensitive values, indicate *migration mode* using the `-m` or `--migrate` flag, provide the new key or password using the `-k` or `-p` flags as usual, and provide the existing key or password using `-e` or `-w` respectively. This will allow the toolkit to decrypt the existing values and re-encrypt them, and update `bootstrap.conf` with the new key. Only one of the key or password needs to be specified for each phase (old vs. new), and any combination is sufficient: * old key -> new key @@ -1120,6 +1124,25 @@ In order to change the key used to encrypt the sensitive values, indicate *migra * old password -> new key * old password -> new password +[encrypt_config_flow_migration] +Existing Flow Migration +~~~~~~~~~~~~~~~~~~~~~~~ + +This tool can also be used to change the value of `nifi.sensitive.props.key` for an existing flow. The tool will read the existing `flow.xml.gz` and decrypt any sensitive component properties using the original key, +then re-encrypt the sensitive properties with the new key, and write out a new version of the `flow.xml.gz`, or overwrite the existing one. + +The current sensitive properties key is not provided as a command-line argument, as it is read directly from `nifi.properties`. As this file is a required parameter, the `-x`/`--encryptFlowXmlOnly` flags tell the tool *not* to attempt to encrypt the properties in `nifi.properties`, but rather to *only* update the `nifi.sensitive.props.key` value with the new key. The exception to this is if the `nifi.properties` is *already* encrypted, the new sensitive property key will also be encrypted before being written to `nifi.properties`. + +The following command would migrate the sensitive properties key in place, meaning it would overwrite the existing `flow.xml.gz` and `nifi.properties`: +---- +./encrypt-config.sh -f /path/to/flow.xml.gz -n ./path/to/nifi.properties -s newpassword -x +---- + +The following command would migrate the sensitive properties key and write out a separate `flow.xml.gz` and `nifi.properties`: +---- +./encrypt-config.sh -f ./path/to/src/flow.xml.gz -g /path/to/dest/flow.xml.gz -n /path/to/src/nifi.properties -o /path/to/dest/nifi.properties -s newpassword -x +---- + [[encrypt-config_password]] Password Key Derivation ~~~~~~~~~~~~~~~~~~~~~~~
