[
https://issues.apache.org/jira/browse/NIFI-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15690592#comment-15690592
]
ASF GitHub Bot commented on NIFI-3024:
--------------------------------------
Github user YolandaMDavis commented on the issue:
https://github.com/apache/nifi/pull/1261
Encountered issue while attempting the below test cases (3 node cluster):
# initial encryption
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/flow.xml.gz \
  -s thisIsABadPassword -p whomever12345! -v
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz \
  -s thisIsABadPassword -p whomever12345! -v
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/flow.xml.gz \
  -s thisIsABadPassword -p whomever12345! -v
# Migration
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/flow.xml.gz \
  -s thisIsABadPassword -m -w whomever12345! -p whatever12345! -v
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz \
  -s thisIsABadPassword -m -w whomever12345! -p whatever12345! -v
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/nifi.properties \
  -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/flow.xml.gz \
  -s thisIsABadPassword -m -w whomever12345! -p whatever12345! -v
# Update all encrypt passwords exclude others
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/nifi.properties \
  -x -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-1/conf/flow.xml.gz \
  -s thisIsADifferentPassword
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties \
  -x -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz \
  -s thisIsADifferentPassword
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/nifi.properties \
  -x -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-3/conf/flow.xml.gz \
  -s thisIsADifferentPassword
All 3 above worked successfully and cluster was able to start and stop each
time as well as run flow.
I attempted my fourth test case to change 1 node's sensitive key using the
command below:
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh \
  -b /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/bootstrap.conf \
  -n /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties \
  -x -f /Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz \
  -s thisIsASpecialPassword
On this run config tool reported the following error:
HW11205:nifi-1.1.0 ydavis$
/Users/ydavis/dev/tools/nifi-1.1.0/toolkit/nifi-toolkit-1.1.0-pr-1261/bin/encrypt-config.sh
-b
/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/bootstrap.conf
-n
/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties
-x -f
/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz
-s thisIsASpecialPassword
2016/11/23 11:06:40 WARN [main]
org.apache.nifi.properties.ConfigEncryptionTool: The source nifi.properties and
destination nifi.properties are identical
[/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties]
so the original will be overwritten
2016/11/23 11:06:40 WARN [main]
org.apache.nifi.properties.ConfigEncryptionTool: The source flow.xml.gz and
destination flow.xml.gz are identical
[/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/flow.xml.gz]
so the original will be overwritten
2016/11/23 11:06:40 INFO [main]
org.apache.nifi.properties.NiFiPropertiesLoader: Loaded 121 properties from
/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties
2016/11/23 11:06:40 INFO [main]
org.apache.nifi.properties.NiFiPropertiesLoader: Loaded 121 properties from
/Users/ydavis/dev/tools/nifi-1.1.0/cluster/nifi-1.1.0-pr-1261-2/conf/nifi.properties
2016/11/23 11:06:40 INFO [main]
org.apache.nifi.properties.ConfigEncryptionTool: Loaded NiFiProperties instance
with 121 properties
pad block corrupted
Attempting to try this on the other nodes resulted in the same error.
Bootstrap/Properties files appeared unchanged however cluster now fails startup.
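Added example (not part of the original comment or of the NiFi toolkit): the tool's warnings above say an in-place run overwrites the originals, so this shell wrapper snapshots the three files first, reports which ones a run changed, and restores them when the run fails. The function names, the snapshot directory layout and the gzip validity check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guard an in-place encrypt-config.sh run. Function names and
# the snapshot layout are illustrative, not part of the NiFi toolkit.

# snapshot SNAP FILE...: copy each file into SNAP and list its path in MANIFEST.
# The copies include key material, so the directory is made owner-only.
snapshot() {
    snap=$1; shift
    mkdir -p "$snap" && chmod 700 "$snap" || return 1
    : > "$snap/MANIFEST"
    for f in "$@"; do
        cp -p "$f" "$snap/$(basename "$f")" || return 1
        printf '%s\n' "$f" >> "$snap/MANIFEST"
    done
}

# changed_files SNAP: print each snapshotted path whose bytes differ now.
changed_files() {
    while IFS= read -r path; do
        cmp -s "$path" "$1/$(basename "$path")" || printf '%s\n' "$path"
    done < "$1/MANIFEST"
}

# restore SNAP: copy every snapshotted file back over the live one.
restore() {
    while IFS= read -r path; do
        cp -p "$1/$(basename "$path")" "$path" || return 1
    done < "$1/MANIFEST"
}

# guarded_run SNAP CONF CMD...: snapshot the three files the tool is pointed
# at, run CMD, and roll back if CMD fails or flow.xml.gz is no longer valid gzip.
guarded_run() {
    g_snap=$1; g_conf=$2; shift 2
    snapshot "$g_snap" "$g_conf/bootstrap.conf" "$g_conf/nifi.properties" \
        "$g_conf/flow.xml.gz" || return 1
    if "$@" && gzip -t "$g_conf/flow.xml.gz" 2>/dev/null; then
        echo "run succeeded; files changed:" >&2
        changed_files "$g_snap"
    else
        echo "run failed; files it had touched (now restored):" >&2
        changed_files "$g_snap"
        restore "$g_snap"
        return 1
    fi
}
# Usage: guarded_run "$SNAP" "$CONF" encrypt-config.sh -b "$CONF/bootstrap.conf" ...
```

A zero exit status and a valid gzip stream do not show that the node will start, so keep the snapshot until it has.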
> Encrypted configuration migrator should be able to update sensitive
> properties key and migrate flow.xml.gz
> ----------------------------------------------------------------------------------------------------------
>
> Key: NIFI-3024
> URL: https://issues.apache.org/jira/browse/NIFI-3024
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Configuration, Tools and Build
> Affects Versions: 1.0.0
> Reporter: Bryan Rosander
> Assignee: Andy LoPresto
> Labels: config, encryption, security, serialization
> Fix For: 1.1.0
>
>
> In order to allow changing of nifi.sensitive.props.key and updating of the
> flow.xml.gz, the ConfigEncryptionTool should be able to accept a new value
> for that field and update encrypted values in the flow.xml.gz appropriately.