Daniel Salwerowicz created NIFI-10018:
-----------------------------------------
Summary: NiFi instance encrypted with AES_GCM fails to start
Key: NIFI-10018
URL: https://issues.apache.org/jira/browse/NIFI-10018
Project: Apache NiFi
Issue Type: Bug
Components: Configuration, Configuration Management, Tools and Build
Affects Versions: 1.16.1
Environment: CentOS server, Java 11
Reporter: Daniel Salwerowicz
During setup of a new NiFi instance on a server I decided to encrypt its
configuration. It seemed to work well, at least there were no errors given
during encryption:
{noformat}
nifi-toolkit-1.16.1/bin/encrypt-config.sh \
-n "$nifi_props" \
-l "$login_identity_providers" \
-a "$authorizers" \
-b "$bootstrap_conf" \
-S "$scheme" \
-p "$passwd" \
-w "$props_key" \
-m
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source
nifi.properties and destination nifi.properties are identical
[/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties] so the original will be
overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source
login-identity-providers.xml and destination login-identity-providers.xml are
identical [/disk1/nifi/prod/config/login-identity-providers.xml] so the
original will be overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source
authorizers.xml and destination authorizers.xml are identical
[/disk1/nifi/prod/config/authorizers.xml] so the original will be overwritten
[main] WARN org.apache.nifi.properties.AbstractBootstrapPropertiesLoader -
System Property [nifi.properties.file.path] not found: Using Relative Path
[conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading
Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading
Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded
NiFiProperties instance with 202 properties
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded login
identity providers content (52 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated XML
content: ...
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded
authorizers content (98 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected
[nifi.security.keyPasswd] using [aes/gcm] ->
pcGwPE3hcZ2lLkjT||0mDlQs30cpZDCE+fwnMmk4908Wb9gLNdQ1lzgrB7BDZHjptS+oTPRVKlv+SglBw7WKLS+9xY0ryu3w==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated
protection key [nifi.security.keyPasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected
[nifi.security.keystorePasswd] using [aes/gcm] ->
VwUaUqRLyXN/6X28||/0T7d6w/5PQdgw/aM7hp1Xq3pPaEeGax/mxQ9s4HVn9yeCiT3tulzzA9nyh63Pw2eWdbKnH3s6jAXw==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated
protection key [nifi.security.keystorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected
[nifi.security.truststorePasswd] using [aes/gcm] ->
gHP8eniagijAt2Gz||4ocM4NcfeZX/57FDLwXDlziKX8ZIsa05wof+3vbUl09Q61HT0bagVMDtE1tlvADBIk950oI11hPn2g==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated
protection key [nifi.security.truststorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected
[nifi.sensitive.props.key] using [aes/gcm] ->
vyb30QVW4kK/yiAx||LPpSqZ580UVIebndOMtgdKwfE+o7HMX8YrER80/7S7hcg+m9PYIvbLNPVdSlV9n4ri/G6MnuUVvLTA==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated
protection key [nifi.sensitive.props.key.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Final result: 205
keys including 4 protected keys
{noformat}
However, when I started the NiFi instance I saw the following message in the
"nifi-bootstrap.log" file:
{noformat}
2022-05-11 11:08:57,700 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean
failed; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'metaDataSourceAdvisor': Cannot resolve reference to bean
'methodSecurityMetadataSource' while setting constructor argument; nested
exception is org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name
'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration':
Unsatisfied dependency expressed through method 'setObjectPostProcessor'
parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration':
Unsatisfied dependency expressed through constructor parameter 2; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'authorizer': FactoryBean threw exception on object
creation; nested exception is
org.apache.nifi.properties.SensitivePropertyProtectionException: Protection
Scheme [aes/gcm/256] not supported
2022-05-11 11:08:57,701 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Shutting down...
{noformat}
In the "nifi.properties" I have the following:
{noformat}
nifi.sensitive.props.key=...
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=
{noformat}
Why is it that the standard AES_GCM encrypted instance fails to start with the
message: "Protection Scheme [aes/gcm/256] not supported"?
There's nothing in the documentation that states otherwise.
[https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#AES_GCM]
The toolkit guide says nothing about this being unsupported.