Anders Breindahl created NIFI-3045:
--------------------------------------
Summary: Usage of -k undermines encrypted configuration
Key: NIFI-3045
URL: https://issues.apache.org/jira/browse/NIFI-3045
Project: Apache NiFi
Issue Type: Bug
Reporter: Anders Breindahl
Hey,
When setting up a hardened NiFi installation I ran into this. I hope I'm
mistaken.
When running the `encrypt-config.sh` script, one has a
`nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The
service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k`
parameter.
This, however, can be retrieved by any user of the interface, which, combined
with NiFi being able to read from the (encrypted-under-`nifi.bootstrap.sensitive.key`)
`nifi.properties` file, means that e.g. the `nifi.security.keystorePasswd`
property can be decrypted offline.
Does this have anything to it?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
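The exposure described in this issue is easy to audit for on a running host: if the bootstrap key travels as a `-k` argument, it is visible in the process command line. The following script is an added example written for this page; it is not part of NiFi or of the issue. It reads every visible `/proc/<pid>/cmdline` (Linux only), picks out processes whose argv mentions `org.apache.nifi` (assumed to match the NiFi JVM processes; adjust the marker for your deployment) and reports those that carry `-k` followed by a value. The value itself is never printed, only its length, so that the audit does not copy the secret into a log. The sample process list at the bottom is constructed for demonstration.

```python
import os
from typing import List, Tuple

Process = Tuple[int, List[str]]


def read_proc_cmdlines() -> List[Process]:
    """Return (pid, argv) for every process whose /proc/<pid>/cmdline is readable."""
    processes: List[Process] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            # Process exited or we lack permission; skip it.
            continue
        argv = [part.decode(errors="replace") for part in raw.split(b"\0") if part]
        processes.append((int(entry), argv))
    return processes


def exposed_key_args(processes: List[Process],
                     marker: str = "org.apache.nifi") -> List[Process]:
    """Find processes that look like NiFi and pass a key value via -k.

    Returns (pid, argv) pairs in which the argument following -k has been
    replaced by a redaction note, so the result is safe to log or display.
    The marker is an assumption about what the NiFi JVM command line contains.
    """
    hits: List[Process] = []
    for pid, argv in processes:
        if not any(marker in arg for arg in argv):
            continue
        for i, arg in enumerate(argv):
            if arg == "-k" and i + 1 < len(argv):
                redacted = argv[: i + 1] + [f"<redacted {len(argv[i + 1])} chars>"] + argv[i + 2:]
                hits.append((pid, redacted))
                break
    return hits


# Constructed sample: one NiFi JVM started with -k, one unrelated shell.
SAMPLE_PROCESSES: List[Process] = [
    (4242, ["java", "-cp", "lib/*", "org.apache.nifi.NiFi", "-k", "0123456789abcdef"]),
    (4300, ["bash", "-c", "sleep 60"]),
]


def main() -> None:
    processes = read_proc_cmdlines() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    hits = exposed_key_args(processes)
    if not hits:
        print("no NiFi process exposes a -k value on its command line")
    for pid, argv in hits:
        print(f"pid {pid}: bootstrap key passed on the command line: {' '.join(argv)}")


if __name__ == "__main__":
    main()
```

Run it as the same user that can see the NiFi processes; the page's point is that ordinary users can read other users' command lines, so a hit from an unprivileged account confirms the exposure.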