gresockj commented on a change in pull request #5154:
URL: https://github.com/apache/nifi/pull/5154#discussion_r654778816
##########
File path: nifi-commons/nifi-sensitive-property-provider/src/main/java/org/apache/nifi/properties/PropertyProtectionScheme.java
##########
@@ -24,7 +24,8 @@
* SensitivePropertyProvider.
*/
public enum PropertyProtectionScheme {
- AES_GCM("aes/gcm/(128|192|256)", "aes/gcm/%s", "AES Sensitive Property
Provider", true);
+ AES_GCM("aes/gcm/(128|192|256)", "aes/gcm/%s", "AES Sensitive Property
Provider", true),
+ HASHICORP_VAULT_TRANSIT("vault/transit/[a-z0-9-]+", "vault/transit/%s",
"HashiCorp Vault Transit Engine Sensitive Property Provider", false);
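Review bot: The identifier pattern on the HASHICORP_VAULT_TRANSIT line, "vault/transit/[a-z0-9-]+", limits the configurable transit path to lowercase alphanumerics and hyphens, but nothing on the constant records that contract, and the format string "vault/transit/%s" will happily build a scheme name from a path that does not satisfy it. Suggest validating the configured vault.transit.path against that same character class before it is substituted into "vault/transit/%s" (a full-string match, not a substring search), and adding a Javadoc line on the constant stating the allowed characters; it would also help to document what the trailing false denotes, since AES_GCM passes true and the meaning of the flag is not visible in this hunk.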
Review comment:
This could be any valid path in Vault, and will be the value of
vault.transit.path in the bootstrap-hashicorp-vault.conf file. So if
vault.transit.path=nifi-transit, then the scheme will be
"hashicorp/vault/transit/nifi-transit", and the SPP will create a Vault path
called "transit/keys/nifi-transit". I chose to let this path be configurable
to give the user the flexibility to fit it into an existing Vault naming scheme
they might have. The only mention I can find of character restrictions in
Vault key paths is this post, which seems to say only slashes are reserved
characters: https://groups.google.com/g/vault-tool/c/_E2N0SLryv8. However, I
chose to restrict this so that it wasn't wide open. I think this means I need
some validation to ensure their configured transit path matches the regex,
however, so I'll add that.
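The validation the comment says will be added, shown here as an added example that is not part of the pull request or the NiFi code base: a small Java helper that checks a configured vault.transit.path against the same [a-z0-9-]+ restriction the enum pattern imposes, and only then formats the scheme identifier and the Vault key path. The class name TransitPathValidator and its method names are assumptions for illustration; the "vault/transit/%s" format comes from the hunk above and the "transit/keys/<path>" layout from the comment.

```java
import java.util.regex.Pattern;

// Added example, not NiFi project code. Class and method names are hypothetical.
public final class TransitPathValidator {
    // Mirrors the "[a-z0-9-]+" segment of the enum pattern "vault/transit/[a-z0-9-]+".
    private static final Pattern ALLOWED_PATH = Pattern.compile("[a-z0-9-]+");

    // Format shown in the hunk for the scheme identifier, and the key path layout
    // described in the comment ("transit/keys/<path>").
    private static final String SCHEME_FORMAT = "vault/transit/%s";
    private static final String KEY_PATH_FORMAT = "transit/keys/%s";

    private TransitPathValidator() {
    }

    /** Returns the path unchanged, or throws if it is null, empty or contains disallowed characters. */
    public static String requireValidPath(String transitPath) {
        // matcher(...).matches() requires the whole string to match, unlike find(),
        // so a value that merely contains a valid segment (e.g. one with a slash) is rejected.
        if (transitPath == null || !ALLOWED_PATH.matcher(transitPath).matches()) {
            throw new IllegalArgumentException(
                    "vault.transit.path must match " + ALLOWED_PATH.pattern() + " but was: " + transitPath);
        }
        return transitPath;
    }

    /** Scheme identifier built with the enum's "vault/transit/%s" format, after validation. */
    public static String schemeIdentifier(String transitPath) {
        return String.format(SCHEME_FORMAT, requireValidPath(transitPath));
    }

    /** Vault key path the provider would create ("transit/keys/<path>"), after validation. */
    public static String vaultKeyPath(String transitPath) {
        return String.format(KEY_PATH_FORMAT, requireValidPath(transitPath));
    }

    public static void main(String[] args) {
        // Constructed sample values: one valid path followed by several that must be rejected.
        String[] candidates = {"nifi-transit", "NiFi-Transit", "nifi/transit", "nifi transit", ""};
        for (String candidate : candidates) {
            try {
                System.out.println("'" + candidate + "' -> " + schemeIdentifier(candidate)
                        + " (key path " + vaultKeyPath(candidate) + ")");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main prints one accepted line for nifi-transit and a rejection for each of the other four values. The design point is that the check runs before String.format, so the scheme identifier can never exist in a form that fails the enum's own regex, and the full-string matches() call is what keeps a path containing a slash or whitespace from slipping through.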