[jira] [Created] (NIFI-13182) Unable to upgrade NiFi with a different algorithm

Wed, 08 May 2024 02:39:50 -0700 

John Joseph created NIFI-13182:
----------------------------------

             Summary: Unable to upgrade NiFi with a different algorithm 
                 Key: NIFI-13182
                 URL: https://issues.apache.org/jira/browse/NIFI-13182
             Project: Apache NiFi
          Issue Type: Bug
            Reporter: John Joseph
         Attachments: image-2024-05-08-15-07-06-963.png

We have NiFi version 1.24 running in Kubernetes with PVCs for the templates. 
Deployment is done via Statefulset.

nifi-0                                     3/3     Running     0                
4h25m
nifi-1                                     3/3     Running     0                
4h25m

before the nifi.sh start is invoked we have scripts running to set the 
encryption algorithm and the key. 

On an upgrade we scale down the pods and another version/revision are run. 

Since NiFi allows 2 algorithms [NiFi System Administrator’s Guide 
(apache.org)|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms],
 We have a requirement to provide an option to change the algorithm when an 
upgrade rus for NiFi

We verified when templates are available. We installed NiFi with algorithm 
NIFI_PBKDF2_AES_GCM_256. then ran upgrade to change "NIFI_PBKDF2_AES_GCM_256" 
to NIFI_ARGON2_AES_GCM_256.
But, when we tried to run another upgrade from NIFI_ARGON2_AES_GCM_256 to 
NIFI_PBKDF2_AES_GCM_256, NiFi's upgrade failed with Exception 
{code:java}
org.apache.nifi.encrypt.EncryptionException: Decryption Failed with Algorithm 
[AES/GCM/NoPadding]{code}

!image-2024-05-08-15-07-06-963.png!


{code:java}
[main] org.apache.nifi.web.server.JettyServer Failed to start web server... 
shutting down.<nl>org.apache.nifi.encrypt.EncryptionException: Decryption 
Failed with Algorithm [AES/GCM/NoPadding]_ at 
org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:78)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.decrypt(FingerprintFactory.java:996)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.getLoggableRepresentationOfSensitiveValue(FingerprintFactory.java:605)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.access$200(FingerprintFactory.java:72)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:914)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:907)_
 at java.base/java.util.TimSort.countRunAndMakeAscending(TimSort.java:360)_ at 
java.base/java.util.TimSort.sort(TimSort.java:220)_ at 
java.base/java.util.Arrays.sort(Arrays.java:1307)_ at 
java.base/java.util.ArrayList.sort(ArrayList.java:1721)_ at 
java.base/java.util.Collections.sort(Collections.java:179)_ at 
org.apache.nifi.fingerprint.FingerprintFactory.sortElements(FingerprintFactory.java:956)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addFlowFileProcessorFingerprint(FingerprintFactory.java:535)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:411)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:439)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:439)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:439)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.addFlowControllerFingerprint(FingerprintFactory.java:226)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:155)_
 at 
org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:129)_
 at 
org.apache.nifi.controller.inheritance.FlowFingerprintCheck.checkInheritability(FlowFingerprintCheck.java:45)_
 at 
org.apache.nifi.controller.XmlFlowSynchronizer.sync(XmlFlowSynchronizer.java:205)_
 at 
org.apache.nifi.controller.serialization.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:42)_
 at 
org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1530)_
 at 
org.apache.nifi.persistence.StandardFlowConfigurationDAO.load(StandardFlowConfigurationDAO.java:104)_
 at 
org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:817)_
 at 
org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:457)_
 at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:896)_ at 
org.apache.nifi.NiFi.<init>(NiFi.java:172)_ at 
org.apache.nifi.NiFi.<init>(NiFi.java:83)_ at 
org.apache.nifi.NiFi.main(NiFi.java:332)_ Caused by: 
javax.crypto.AEADBadTagException: Tag mismatch!_ at 
java.base/com.sun.crypto.provider.GaloisCounterMode$GCMDecrypt.doFinal(GaloisCounterMode.java:1395)_
 at 
java.base/com.sun.crypto.provider.GaloisCounterMode.engineDoFinal(GaloisCounterMode.java:406)_
 at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2205)_ at 
org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:74)_
 ... 30 common frames omitted_ {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to