[jira] [Resolved] (NIFI-10018) NiFi instance encrypted with AES_GCM fails to start

Wed, 11 May 2022 05:57:16 -0700 


     [ 
https://issues.apache.org/jira/browse/NIFI-10018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Handermann resolved NIFI-10018.
-------------------------------------
    Fix Version/s: 1.17.0
                   1.16.2
         Assignee: David Handermann
       Resolution: Fixed

Thanks for reporting this issue [~daniel.salwerowicz]. NiFi 1.16.1 introduced 
changes that inadvertently introduced this problem with 
login-identity-providers.xml and authorizers.xml. The resolution will be 
included in NiFi 1.16.2, which is currently in release candidate status.

> NiFi instance encrypted with AES_GCM fails to start
> ---------------------------------------------------
>
>                 Key: NIFI-10018
>                 URL: https://issues.apache.org/jira/browse/NIFI-10018
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Configuration, Configuration Management, Tools and Build
>    Affects Versions: 1.16.1
>         Environment: CentOS server, Java 11
>            Reporter: Daniel Salwerowicz
>            Assignee: David Handermann
>            Priority: Critical
>             Fix For: 1.17.0, 1.16.2
>
>
> During setup of new NiFi instance on server I decided to encrypt the its 
> configuration. It seemed to work well, at least there were no errors given 
> during encryption:
> {noformat}
> nifi-toolkit-1.16.1/bin/encrypt-config.sh \
>     -n "$nifi_props" \
>     -l "$login_identity_providers" \
>     -a "$authorizers" \
>     -b "$bootstrap_conf" \
>     -S "$scheme" \
>     -p "$passwd" \
>     -w "$props_key" \
>     -m
> [main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source 
> nifi.properties and destination nifi.properties are identical 
> [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties] so the original will be 
> overwritten
> [main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source 
> login-identity-providers.xml and destination login-identity-providers.xml are 
> identical [/disk1/nifi/prod/config/login-identity-providers.xml] so the 
> original will be overwritten
> [main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source 
> authorizers.xml and destination authorizers.xml are identical 
> [/disk1/nifi/prod/config/authorizers.xml] so the original will be overwritten
> [main] WARN org.apache.nifi.properties.AbstractBootstrapPropertiesLoader - 
> System Property [nifi.properties.file.path] not found: Using Relative Path 
> [conf/nifi.properties]
> [main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading 
> Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
> [main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading 
> Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded 
> NiFiProperties instance with 202 properties
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded login 
> identity providers content (52 lines)
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated XML 
> content: ...
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded 
> authorizers content (98 lines)
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected 
> [nifi.security.keyPasswd] using [aes/gcm] ->    
> pcGwPE3hcZ2lLkjT||0mDlQs30cpZDCE+fwnMmk4908Wb9gLNdQ1lzgrB7BDZHjptS+oTPRVKlv+SglBw7WKLS+9xY0ryu3w==
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated 
> protection key [nifi.security.keyPasswd.protected]
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected 
> [nifi.security.keystorePasswd] using [aes/gcm] ->      
> VwUaUqRLyXN/6X28||/0T7d6w/5PQdgw/aM7hp1Xq3pPaEeGax/mxQ9s4HVn9yeCiT3tulzzA9nyh63Pw2eWdbKnH3s6jAXw==
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated 
> protection key [nifi.security.keystorePasswd.protected]
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected 
> [nifi.security.truststorePasswd] using [aes/gcm] ->    
> gHP8eniagijAt2Gz||4ocM4NcfeZX/57FDLwXDlziKX8ZIsa05wof+3vbUl09Q61HT0bagVMDtE1tlvADBIk950oI11hPn2g==
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated 
> protection key [nifi.security.truststorePasswd.protected]
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected 
> [nifi.sensitive.props.key] using [aes/gcm] ->   
> vyb30QVW4kK/yiAx||LPpSqZ580UVIebndOMtgdKwfE+o7HMX8YrER80/7S7hcg+m9PYIvbLNPVdSlV9n4ri/G6MnuUVvLTA==
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated 
> protection key [nifi.sensitive.props.key.protected]
> [main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Final result: 
> 205 keys including 4 protected keys
> {noformat}
> However when I started the NiFi instance I saw following message in the 
> "nifi-bootstrap.log" file:
> {noformat}
> 2022-05-11 11:08:57,700 ERROR [NiFi logging handler] org.apache.nifi.StdErr 
> Failed to start web server: Error creating bean with name 
> 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean 
> failed; nested exception is 
> org.springframework.beans.factory.BeanCreationException: Error creating bean 
> with name 'metaDataSourceAdvisor': Cannot resolve reference to bean 
> 'methodSecurityMetadataSource' while setting constructor argument; nested 
> exception is 
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
> creating bean with name 
> 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration':
>  Unsatisfied dependency expressed through method 'setObjectPostProcessor' 
> parameter 0; nested exception is 
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
> creating bean with name 
> 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration':
>  Unsatisfied dependency expressed through constructor parameter 2; nested 
> exception is org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 'authorizer': FactoryBean threw exception on object 
> creation; nested exception is 
> org.apache.nifi.properties.SensitivePropertyProtectionException: Protection 
> Scheme [aes/gcm/256] not supported
> 2022-05-11 11:08:57,701 ERROR [NiFi logging handler] org.apache.nifi.StdErr 
> Shutting down...{noformat}
> In the "nifi.properties" I have following:
> {noformat}
> nifi.sensitive.props.key=...
> nifi.sensitive.props.key.protected=aes/gcm/256
> nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
> nifi.sensitive.props.additional.keys={noformat}
> Why is it that the standard AES_GCM encrypted instance fails to starts with 
> message: "Protection Scheme [aes/gcm/256] not supported"?
> There's nothing in the documentation that states otherwise.
> [https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#AES_GCM]
> The toolkit guide says nothing about this being unsupported.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to