Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/834
  
    @joewitt @mattyb149 @bbende @brosander 
    
    As of right now, this PR (commit `ffab01d`) is rebased against the latest master. The tool is found in `nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT/`. Running the command below (for example) will read an existing _nifi.properties_ file, encrypt all sensitive non-empty values using the provided _key_, populate those values (and the associated protection schemes -- `x.y.z.protected=aes/gcm/256`) into the new _nifi-encrypted.properties_ file, and persist the key in _bootstrap.conf_.
    
    * `$ ./bin/encrypt-config.sh -h` -- prints a usage message
    * `$ ./bin/encrypt-config.sh -b path/to/bootstrap.conf -n path/to/nifi.properties -o path/to/nifi-encrypted.properties -p thisIsABadPropertiesPassword` -- normal use as described above
    * `$ ./bin/encrypt-config.sh -b path/to/bootstrap.conf -n path/to/nifi.properties -o path/to/nifi-encrypted.properties -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210` -- normal use as described above with raw hex key instead of password
    * `$ ./bin/encrypt-config.sh -b path/to/bootstrap.conf -n path/to/nifi.properties -o path/to/nifi-encrypted.properties` -- normal use as described above but will prompt for key in secure console read
    
    By default, it considers *sensitive* properties as anything that would be a password or key:
    * `nifi.sensitive.props.key`
    * `nifi.security.keystorePasswd`
    * `nifi.security.keyPasswd`
    * `nifi.security.truststorePasswd`
    
    You can mark additional keys as *sensitive* by including them in a comma or semi-colon delimited string as follows (do this by hand in the input _nifi.properties_ before running the tool):
    `nifi.sensitive.props.additional.keys=nifi.ui.banner.text`
    
    Example:
    
    *before* -- `~/Workspace/scratch/encrypted-configs/nifi.properties`
    ```
    nifi.ui.banner.text=This is the banner text
    ...
    # security properties #
    nifi.sensitive.props.key=
    nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
    nifi.sensitive.props.provider=BC
    nifi.sensitive.props.additional.keys=nifi.ui.banner.text
    
    nifi.security.keystore=keystore.jks
    nifi.security.keystoreType=jks
    nifi.security.keystorePasswd=thisIsABadKeystorePassword
    nifi.security.keyPasswd=thisIsABadKeyPassword
    nifi.security.truststore=truststore.jks
    nifi.security.truststoreType=jks
    nifi.security.truststorePasswd=thisIsABadTruststorePassword
    nifi.security.needClientAuth=
    nifi.security.user.authorizer=file-provider
    nifi.security.user.login.identity.provider=
    nifi.security.ocsp.responder.url=
    nifi.security.ocsp.responder.certificate=
    ...
    ```
    
    *run tool* -- 
    ```
    hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (NIFI-1831) alopresto
    🔓 167s @ 15:49:34 $ ./bin/encrypt-config.sh -b ~/Workspace/scratch/encrypted-configs/bootstrap.conf -n ~/Workspace/scratch/encrypted-configs/nifi.properties -o ~/Workspace/scratch/encrypted-configs/nifi-encrypted.properties -p thisIsABadPropertiesPassword
    2016-08-19 15:57:48,097 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Invoked ConfigEncryptionTool with args [-b,/Users/alopresto/Workspace/scratch/encrypted-configs/bootstrap.conf,-n,/Users/alopresto/Workspace/scratch/encrypted-configs/nifi.properties,-o,/Users/alopresto/Workspace/scratch/encrypted-configs/nifi-encrypted.properties,-p,thisIsABadPropertiesPassword]
    2016-08-19 15:57:48,794 INFO [main] o.a.nifi.properties.NiFiPropertiesLoader Loaded 112 properties from /Users/alopresto/Workspace/scratch/encrypted-configs/nifi.properties
    2016-08-19 15:57:48,796 INFO [main] o.a.n.properties.ProtectedNiFiProperties Loaded 112 properties (including 0 protection schemes) into ProtectedNiFiProperties
    2016-08-19 15:57:48,800 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Loaded NiFiProperties instance with 112 properties
    2016-08-19 15:57:48,805 INFO [main] o.a.n.properties.ProtectedNiFiProperties Loaded 112 properties (including 0 protection schemes) into ProtectedNiFiProperties
    2016-08-19 15:57:49,149 INFO [main] o.a.n.p.AESSensitivePropertyProvider AES Sensitive Property Provider encrypted a sensitive value successfully
    2016-08-19 15:57:49,151 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Protected nifi.ui.banner.text with aes/gcm/256 -> 2ZJZaFqqXl62HB5w||I57IDLE7hYJf2vJmrkC29ZjDztRJT00CVV1QkDiGte4VIfUB+n2X
    2016-08-19 15:57:49,152 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Updated protection key nifi.ui.banner.text.protected
    2016-08-19 15:57:49,152 INFO [main] o.a.n.p.AESSensitivePropertyProvider AES Sensitive Property Provider encrypted a sensitive value successfully
    2016-08-19 15:57:49,152 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Protected nifi.security.keyPasswd with aes/gcm/256 -> icyABIxwN8FBBd6Q||GL+I6P5tv4ThiVXcAYkFaPsQLK2jZHyJui02W2YxydXfA0sEfg
    2016-08-19 15:57:49,152 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Updated protection key nifi.security.keyPasswd.protected
    2016-08-19 15:57:49,152 INFO [main] o.a.n.p.AESSensitivePropertyProvider AES Sensitive Property Provider encrypted a sensitive value successfully
    2016-08-19 15:57:49,153 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Protected nifi.security.keystorePasswd with aes/gcm/256 -> eXpm2ylPEzfxpnEz||5Iqj7wReXHudmu/q7/q4vj2ooxFGN0R+o4VjV0BjboZ7zD6tqIEX3/Eq
    2016-08-19 15:57:49,153 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Updated protection key nifi.security.keystorePasswd.protected
    2016-08-19 15:57:49,153 INFO [main] o.a.n.p.AESSensitivePropertyProvider AES Sensitive Property Provider encrypted a sensitive value successfully
    2016-08-19 15:57:49,153 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Protected nifi.security.truststorePasswd with aes/gcm/256 -> LGB8TUHtBTHemkzF||J5IqJpEB2i6QlFRqCEvgdq0koNPJv/oV4i3znyoAfzUV4laNv3TmWkeHFfs
    2016-08-19 15:57:49,153 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Updated protection key nifi.security.truststorePasswd.protected
    2016-08-19 15:57:49,167 INFO [main] o.a.n.properties.ProtectedNiFiProperties Loaded 115 properties (including 4 protection schemes) into ProtectedNiFiProperties
    2016-08-19 15:57:49,167 INFO [main] o.a.nifi.properties.ConfigEncryptionTool Final result: 115 keys including 4 protected keys
    2016-08-19 15:57:49,195 INFO [main] o.a.n.properties.ProtectedNiFiProperties Loaded 115 properties (including 4 protection schemes) into ProtectedNiFiProperties
    
    hw12203:...assembly/target/nifi-toolkit-1.0.0-SNAPSHOT-bin/nifi-toolkit-1.0.0-SNAPSHOT (NIFI-1831) alopresto
    🔓 495s @ 15:57:50 $
    ```
    
    *after* -- `nifi-encrypted.properties`
    
    ```
    nifi.ui.banner.text=2ZJZaFqqXl62HB5w||I57IDLE7hYJf2vJmrkC29ZjDztRJT00CVV1QkDiGte4VIfUB+n2X
    nifi.ui.banner.text.protected=aes/gcm/256
    ...
    # security properties #
    nifi.sensitive.props.key=
    nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
    nifi.sensitive.props.provider=BC
    nifi.sensitive.props.additional.keys=nifi.ui.banner.text
    
    nifi.security.keystore=keystore.jks
    nifi.security.keystoreType=jks
    nifi.security.keystorePasswd=eXpm2ylPEzfxpnEz||5Iqj7wReXHudmu/q7/q4vj2ooxFGN0R+o4VjV0BjboZ7zD6tqIEX3/Eq
    nifi.security.keystorePasswd.protected=aes/gcm/256
    nifi.security.keyPasswd=icyABIxwN8FBBd6Q||GL+I6P5tv4ThiVXcAYkFaPsQLK2jZHyJui02W2YxydXfA0sEfg
    nifi.security.keyPasswd.protected=aes/gcm/256
    nifi.security.truststore=truststore.jks
    nifi.security.truststoreType=jks
    nifi.security.truststorePasswd=LGB8TUHtBTHemkzF||J5IqJpEB2i6QlFRqCEvgdq0koNPJv/oV4i3znyoAfzUV4laNv3TmWkeHFfs
    nifi.security.truststorePasswd.protected=aes/gcm/256
    nifi.security.needClientAuth=
    nifi.security.user.authorizer=file-provider
    nifi.security.user.login.identity.provider=
    nifi.security.ocsp.responder.url=
    nifi.security.ocsp.responder.certificate=
    ```
    
    I am still working on a couple small features like handling secure password 
entry to the console instead of just the key (and *then will remove the 
debugging of the invocation parameters which includes the key/password*). 
Please exercise what is here and report any issues. Thanks. 
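Added example (not NiFi's code and not part of the comment above): a stand-alone Go program that reproduces the protection format the log shows, so the before/after transformation can be exercised and reversed offline. It assumes what the sample output implies but the comment does not state: a 12-byte random IV, unpadded base64 on both halves of `iv||ciphertext`, no associated data, and the raw hex key path (`-k`); the password-to-key derivation behind `-p` is not modelled, and NiFi's actual `AESSensitivePropertyProvider` may differ in details. The sample properties and the key are constructed from the comment's own throwaway values and are not real secrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

const scheme = "aes/gcm/256" // recorded as `<key>.protected=<scheme>` beside each encrypted value

// Constructed input modelled on the "before" file above, and the throwaway 64-hex-char
// (256-bit) key from the `-k` usage line; neither is a real secret.
const sampleProperties = `nifi.ui.banner.text=This is the banner text
nifi.sensitive.props.key=
nifi.sensitive.props.additional.keys=nifi.ui.banner.text
nifi.security.keystorePasswd=thisIsABadKeystorePassword
nifi.security.keyPasswd=thisIsABadKeyPassword
nifi.security.truststorePasswd=thisIsABadTruststorePassword
`
const sampleHexKey = "0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210"

var b64 = base64.RawStdEncoding // sample values carry no '=' padding, so unpadded base64 is assumed

// parse returns ordered [key, value] pairs, skipping comments and blank lines.
func parse(text string) (out [][2]string) {
	for _, line := range strings.Split(text, "\n") {
		if t := strings.TrimSpace(line); t != "" && !strings.HasPrefix(t, "#") {
			k, v, _ := strings.Cut(t, "=")
			out = append(out, [2]string{strings.TrimSpace(k), strings.TrimSpace(v)})
		}
	}
	return out
}

func newAEAD(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 { // aes/gcm/256 needs exactly a 256-bit key
		return nil, fmt.Errorf("key must be 64 hex chars (32 bytes)")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// ProtectProperties encrypts every non-empty sensitive value as base64(iv)||base64(ct+tag), with
// a fresh random 12-byte IV per value (IV reuse under one key breaks GCM), writes the `.protected`
// marker after it, and returns the new text plus the number of values protected.
func ProtectProperties(text, hexKey string) (string, int, error) {
	aead, err := newAEAD(hexKey)
	if err != nil {
		return "", 0, err
	}
	props := parse(text)
	sens := map[string]bool{"nifi.sensitive.props.key": true, "nifi.security.keystorePasswd": true,
		"nifi.security.keyPasswd": true, "nifi.security.truststorePasswd": true} // defaults listed above
	for _, p := range props { // extra keys are comma- or semicolon-delimited, set by hand in the input
		if p[0] == "nifi.sensitive.props.additional.keys" {
			for _, k := range strings.FieldsFunc(p[1], func(r rune) bool { return r == ',' || r == ';' }) {
				sens[strings.TrimSpace(k)] = true
			}
		}
	}
	b, n := strings.Builder{}, 0
	for _, p := range props {
		if !sens[p[0]] || p[1] == "" { // non-sensitive or empty values pass through unchanged
			fmt.Fprintf(&b, "%s=%s\n", p[0], p[1])
			continue
		}
		iv := make([]byte, aead.NonceSize())
		if _, err := rand.Read(iv); err != nil {
			return "", 0, err
		}
		ct := aead.Seal(nil, iv, []byte(p[1]), nil)
		fmt.Fprintf(&b, "%s=%s||%s\n%s.protected=%s\n", p[0], b64.EncodeToString(iv), b64.EncodeToString(ct), p[0], scheme)
		n++
	}
	return b.String(), n, nil
}

// UnprotectProperties is the loader side: a value whose sibling `<key>.protected` marker names a
// supported scheme is decrypted (a wrong key or any tampering fails the GCM tag check); an unknown
// scheme is rejected instead of being silently treated as plaintext.
func UnprotectProperties(text, hexKey string) (map[string]string, error) {
	aead, err := newAEAD(hexKey)
	if err != nil {
		return nil, err
	}
	kv, out := map[string]string{}, map[string]string{}
	for _, p := range parse(text) {
		kv[p[0]] = p[1]
	}
	for k, v := range kv {
		s, protected := kv[k+".protected"]
		if strings.HasSuffix(k, ".protected") {
			continue
		} else if !protected {
			out[k] = v
			continue
		} else if s != scheme {
			return nil, fmt.Errorf("%s: unsupported protection scheme %q", k, s)
		}
		ivB64, ctB64, ok := strings.Cut(v, "||")
		iv, e1 := b64.DecodeString(ivB64)
		ct, e2 := b64.DecodeString(ctB64)
		if !ok || e1 != nil || e2 != nil || len(iv) != aead.NonceSize() { // GCM panics on a bad nonce length
			return nil, fmt.Errorf("%s: malformed protected value", k)
		}
		pt, err := aead.Open(nil, iv, ct, nil)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = string(pt)
	}
	return out, nil
}
```

The loader side is the part worth exercising: a `.protected` marker naming an unknown scheme, an IV of the wrong length, or a value edited by hand all fail closed rather than being read as plaintext, and a wrong key is caught by the GCM tag check before any value reaches the caller. Note also that the empty `nifi.sensitive.props.key` is left empty and unmarked, matching the tool's "non-empty" rule.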

