Re: [PR] MINIFICPP-2282 Support re-encryption of sensitive properties [nifi-minifi-cpp]

Mon, 11 Mar 2024 08:13:02 -0700 


lordgamez commented on code in PR #1739:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1739#discussion_r1519863114


##########
encrypt-config/EncryptConfigMain.cpp:
##########


Review Comment:
   I encrypted a flow config in interactive mode using a `PutS3Object` 
processor which has 2 sensitive properties `Secret Key` and `Proxy Password`. I 
set the `Secret Key` but did not set the `Proxy Password` to any value, so the 
flow config had 1 encrypted property set in the processor. After I set the 
`nifi.bootstrap.sensitive.properties.key` to 
`nifi.bootstrap.sensitive.properties.key.old` in the `bootstrap.conf` and tried 
using re-encrypt on it, it successfully generated a new key and re-encrypted 
the `Secret Key` property, but also the `Proxy Password` appeared in the flow 
config with an encrypted value:
   
   `Proxy Password: 
enc{ilN0h9zhIwVCMGn0GuuJGkupRmmGUR8z||2mqjr67fi2r2sr2Bojg6WQ==}`
   
   If it was not set, I think it should not be set after re-encrypt call 
either, also what value would this be set to in this case?



##########
encrypt-config/EncryptConfigMain.cpp:
##########
@@ -62,18 +65,19 @@ int main(int argc, char* argv[]) try {
   if (operation == OPERATION_MINIFI_PROPERTIES) {
     encrypt_config.encryptSensitiveValuesInMinifiProperties();
   } else if (operation == OPERATION_FLOW_CONFIG) {
+    auto re_encrypt = argument_parser.get<bool>("--re-encrypt");
     auto component_id = argument_parser.present("--component-id");
     auto property_name = argument_parser.present("--property-name");
     auto property_value = argument_parser.present("--property-value");

Review Comment:
   Could we return an error when these options are specified, but not the 
flow-config operation is set? It could be a bit misleading if the user wants to 
encrypt flow config values, the operation runs successfully, but it actually 
changed the minifi.properties.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to