[
https://issues.apache.org/jira/browse/NIFI-12501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795411#comment-17795411
]
Ferenc Erdei commented on NIFI-12501:
-------------------------------------
Thanks for the feedback [~exceptionfactory].
Unfortunately, at the moment the configuration structure of MiNiFi is a
little bit different from NiFi, so we cannot reuse the existing
ApplicationPropertiesFileTransformer and BootstrapConfigurationFileTransformer.
In MiNiFi the bootstrap.conf contains all of the properties, both bootstrap and
minifi/nifi properties, and the bootstrap code (re)generates the application
property file (minifi.properties) during startup. This means that we need to
encrypt only the properties in the bootstrap.conf file and write the root key
there. As the current base classes are quite limited to the nifi/nifi registry
bootstrap/application properties separation, it doesn't make sense to make
modifications there that would likely be removed shortly.
The long-term goal is to eliminate this difference as well and have separate
files with bootstrap only, and a static minifi.properties file (it would match
with NiFi). This would allow us to completely remove the above custom
minifi-toolkit-encrypt-config and use the one that is provided in NiFi toolkit.
Unfortunately, this requires a bigger refactor in the MiNiFi bootstrap around
the configuration ingestors, but I can't work on it in the upcoming 1 or 2
months.
I can create a separate follow-up Jira with the required work if that's fine
for you.
> [MiNiFi] Encrypt MiNiFi bootstrap.conf properties
> -------------------------------------------------
>
> Key: NIFI-12501
> URL: https://issues.apache.org/jira/browse/NIFI-12501
> Project: Apache NiFi
> Issue Type: Improvement
> Components: MiNiFi
> Reporter: Ferenc Erdei
> Assignee: Ferenc Erdei
> Priority: Major
> Labels: minifi-java
>
> Currently, there is no way to encrypt sensitive properties in bootstrap.conf
> and in the generated minifi.properties file.
> The goal of this story is to make it possible to encrypt sensitive property
> values in the bootstrap configuration file, and the generated
> minifi.properties file also should contain only encrypted values.
> * The supported encryption provider should be AES/GCM.
> * The encryption key can be defined in the minifi.bootstrap.sensitive.key
> property
> * We should provide a tool (minifi-toolkit-encrypt-config) to encrypt the
> bootstrap.conf properties, we can use the nifi-toolkit-encrypt-config as an
> inspiration
> Make sure that the solution works with change ingestors and c2 protocol as
> well