[GitHub] nifi issue #1261: NIFI-3024 Added key migration for sensitive processor prop...

[alopresto]

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1261
  
    @YolandaMDavis I have good news and bad news -- I am able to reproduce the 
`pad block corrupted` error on the resources you provided me, but I am not able 
to reproduce getting the resources to that state when running multiple 
invocations of the tool in standalone mode. I therefore think it is likely a 
conflict with cluster synchronization of the flow definition (even though you 
said each node has the same `nifi.sensitive.props.key` value). 
    
    I added two unit tests to the PR:
    * `testShouldMigrateFlowXmlContentMultipleTimes` performs flow.xml.gz 
migration (contained) between 7 different passwords to verify that the flow XML 
can be decrypted and encrypted multiple times
    * `testShouldPerformFullOperationOnFlowXmlMultipleTimes` performs the 
entire tool invocation between 7 flow passwords (#main invocation with caught 
System.exit()). 
    
    I've included sample output below:
    
    ```
    ...
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Migrating from 
thisIsABadPassword4 to thisIsABadPassword5
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Invoked #main 
with -n target/tmp/tmp-nifi.properties -f target/tmp/tmp-flow.xml.gz -b 
target/tmp/tmp_bootstrap.conf -x -v -s thisIsABadPassword5
    16/11/23 12:40:05 WARN properties.ConfigEncryptionTool: The source 
nifi.properties and destination nifi.properties are identical 
[target/tmp/tmp-nifi.properties] so the original will be overwritten
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Handling encryption 
of flow.xml.gz
    16/11/23 12:40:05 WARN properties.ConfigEncryptionTool: The source 
flow.xml.gz and destination flow.xml.gz are identical 
[target/tmp/tmp-flow.xml.gz] so the original will be overwritten
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool:        
bootstrap.conf:                      target/tmp/tmp_bootstrap.conf
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  
nifi.properties:                     target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) 
nifi.properties:                     target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  
login-identity-providers.xml:        null
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) 
login-identity-providers.xml:        null
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (src)  flow.xml.gz: 
                                        target/tmp/tmp-flow.xml.gz
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: (dest) flow.xml.gz: 
                                        target/tmp/tmp-flow.xml.gz
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 
properties from 
/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 
properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 
properties from 
/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 
properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.ProtectedNiFiProperties: There are 3 
protected properties of 4 sensitive properties (75%)
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Loaded 
NiFiProperties instance with 12 properties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Decrypted and 
re-encrypted 2 elements for flow.xml.gz
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider encrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionTool: Tool is not 
configured to encrypt nifi.properties, but the existing nifi.properties is 
encrypted and flow.xml.gz was migrated, so manually persisting the new 
encrypted value to nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 13 
properties (including 1 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: [EXPECTED] 
Tried to exit with status 0.
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated key 
line: 
nifi.sensitive.props.key=ufsXsiPb0WNDfJLv||EkMx8/CtHeBtQIezmvONWavw/2y4mAZKbuxOGYWQwQR9F0Y
    16/11/23 12:40:05 INFO properties.NiFiPropertiesLoader: Loaded 15 
properties from 
/Users/alopresto/Workspace/nifi/nifi-toolkit/nifi-toolkit-encrypt-config/target/tmp/tmp-nifi.properties
    16/11/23 12:40:05 DEBUG properties.ProtectedNiFiProperties: Loaded 15 
properties (including 3 protection schemes) into ProtectedNiFiProperties
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.AESSensitivePropertyProvider: AES 
Sensitive Property Provider decrypted a sensitive value successfully
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Sensitive 
property key currently protected with aes/gcm/128
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated key 
line: nifi.bootstrap.sensitive.key=2C576A9585DB862F5ECBEE5B4FFFCCA1
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Original 
flow.xml.gz cipher texts: 
[enc{5bd4893252c3e11255a56cbdfac83976af3d4953f80f6447dd9c5c51a96bdf1af468aa80ab7e521586d496d81b277629},
 
enc{5bd4893252c3e11255a56cbdfac83976af3d4953f80f6447dd9c5c51a96bdf1af468aa80ab7e521586d496d81b277629}]
    16/11/23 12:40:05 INFO properties.ConfigEncryptionToolTest: Updated  
flow.xml.gz cipher texts: 
[enc{3151548439c7d34ddd6e1ca40c33a32f87b424fa9f5daf7dc206818eccbfff73f67c8e14d0b952e6b4097a37eafadfea},
 
enc{3151548439c7d34ddd6e1ca40c33a32f87b424fa9f5daf7dc206818eccbfff73f67c8e14d0b952e6b4097a37eafadfea}]
    ```
    
    At this point, I propose opening a separate Jira to investigate the cluster 
multiple-migration issue, and merge this PR to facilitate the upcoming release. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---