[ https://issues.apache.org/jira/browse/NIFI-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15691353#comment-15691353 ]

ASF GitHub Bot commented on NIFI-3024:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1261
  
    @YolandaMDavis I have good news and bad news -- I am able to reproduce the `pad block corrupted` error on the resources you provided me, but I am not able to reproduce getting the resources to that state when running multiple invocations of the tool in standalone mode. I therefore think it is likely a conflict with cluster synchronization of the flow definition (even though you said each node has the same `nifi.sensitive.props.key` value).
    
    I added two unit tests to the PR:
    * `testShouldMigrateFlowXmlContentMultipleTimes` performs flow.xml.gz migration (contained) between 7 different passwords to verify that the flow XML can be decrypted and encrypted multiple times
    * `testShouldPerformFullOperationOnFlowXmlMultipleTimes` performs the entire tool invocation between 7 flow passwords (#main invocation with caught System.exit()).
    
    I've included sample output below:
    
    ```
    ...
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Migrating from thisIsABadPassword4 to thisIsABadPassword5
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Invoked #main with -n target/tmp/tmp-nifi.properties -f target/tmp/tmp-flow.xml.gz -b target/tmp/tmp_bootstrap.conf -x -v -s thisIsABadPassword5
    16/11/23 12:40:05 WARN properties.ConfigEncryptionTool: The source nifi.properties and destination nifi.properties are identical [target/tmp/tmp-nifi.properties] so the original will be overwritten
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Handling encryption of flow.xml.gz
    16/11/23 12:40:05 WARN properties.ConfigEncryptionTool: The source flow.xml.gz and destination flow.xml.gz are identical [target/tmp/tmp-flow.xml.gz] so the original will be overwritten
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool:        bootstrap.conf:                      target/tmp/tmp_bootstrap.conf
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  nifi.properties:                     target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) nifi.properties:                     target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  login-identity-providers.xml:        null
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) login-identity-providers.xml:        null
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  flow.xml.gz:                         target/tmp/tmp-flow.xml.gz
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) flow.xml.gz:                         target/tmp/tmp-flow.xml.gz
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 properties from /Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 properties from /Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.ProtectedNiFiProperties: There are 3 protected properties of 4 sensitive properties (75%)
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Loaded NiFiProperties instance with 12 properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Decrypted and re-encrypted 2 elements for flow.xml.gz
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider encrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Tool is not configured to encrypt nifi.properties, but the existing nifi.properties is encrypted and flow.xml.gz was migrated, so manually persisting the new encrypted value to nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 13 properties (including 1 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: [EXPECTED] Tried to exit with status 0.
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated key line: nifi.sensitive.props.key=ufsXsiPb0WNDfJLv||EkMx8/CtHeBtQIezmvONWavw/2y4mAZKbuxOGYWQwQR9F0Y
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 properties from /Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Sensitive property key currently protected with aes/gcm/128
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated key line: nifi.bootstrap.sensitive.key=2C576A9585DB862F5ECBEE5B4FFFCCA1
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Original flow.xml.gz cipher texts: [enc{5bd4893252c3e11255a56cbdfac83976af3d4953f80f6447dd9c5c51a96bdf1af468aa80ab7e521586d496d81b277629}, enc{5bd4893252c3e11255a56cbdfac83976af3d4953f80f6447dd9c5c51a96bdf1af468aa80ab7e521586d496d81b277629}]
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated  flow.xml.gz cipher texts: [enc{3151548439c7d34ddd6e1ca40c33a32f87b424fa9f5daf7dc206818eccbfff73f67c8e14d0b952e6b4097a37eafadfea}, enc{3151548439c7d34ddd6e1ca40c33a32f87b424fa9f5daf7dc206818eccbfff73f67c8e14d0b952e6b4097a37eafadfea}]
    ```
    
    At this point, I propose opening a separate Jira to investigate the cluster multiple-migration issue, and merging this PR to facilitate the upcoming release.


> Encrypted configuration migrator should be able to update sensitive 
> properties key and migrate flow.xml.gz
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-3024
>                 URL: https://issues.apache.org/jira/browse/NIFI-3024
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Configuration, Tools and Build
>    Affects Versions: 1.0.0
>            Reporter: Bryan Rosander
>            Assignee: Andy LoPresto
>              Labels: config, encryption, security, serialization
>             Fix For: 1.1.0
>
>
> In order to allow changing of nifi.sensitive.props.key and updating of the 
> flow.xml.gz, the ConfigEncryptionTool should be able to accept a new value 
> for that field and update encrypted values in the flow.xml.gz appropriately.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
