thenatog commented on pull request #5110:
URL: https://github.com/apache/nifi/pull/5110#issuecomment-877286398
Tested this out with a pkcs12 keystore containing a secret key (`keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12`) and setting it to be used in nifi.properties:
```
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.security.kms.KeyStoreKeyProvider
nifi.provenance.repository.encryption.key.provider.location=./conf/repository.p12
nifi.provenance.repository.encryption.key.provider.password=password
nifi.provenance.repository.encryption.key.id=primary-key
```
and verified that the data is encrypted in the provenance repo data in
./provenance_repository. Thought there was an issue with querying which turned
out to be an authZ issue. I also ran into the below exception when opening the
provenance UI:
> 2021-07-09 00:02:10,594 ERROR [Provenance Repository Maintenance-1] o.a.n.p.index.lucene.LuceneEventIndex Failed to perform background maintenance procedures
java.lang.ClassCastException: org.apache.nifi.provenance.EventIdFirstSchemaRecordReader cannot be cast to org.apache.nifi.provenance.EncryptedSchemaRecordReader
    at org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository.lambda$initialize$1(EncryptedWriteAheadProvenanceRepository.java:115)
    at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.rotateReader(SequentialRecordReaderEventIterator.java:109)
    at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.nextEvent(SequentialRecordReaderEventIterator.java:65)
    at org.apache.nifi.provenance.store.iterator.AuthorizingEventIterator.nextEvent(AuthorizingEventIterator.java:47)
    at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:193)
    at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:159)
    at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:149)
    at org.apache.nifi.provenance.index.lucene.LuceneEventIndex.performMaintenance(LuceneEventIndex.java:824)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

which was a result of having an existing unencrypted provenance database. I
stopped NiFi, deleted ./provenance_repository/* and started back up and
provenance was working once I fixed the authz issue.
+1, will merge.