[
https://issues.apache.org/jira/browse/NIFI-2656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15836522#comment-15836522
]
ASF GitHub Bot commented on NIFI-2656:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/1302
@skrewz Yes, please make the changes and then as @apiri mentioned just push
to the same branch and the PR will update automatically. Thanks for the quick
response to my comments. Sorry again for the delay. Really appreciate this
valuable work.
> Allow bootstrap process to prompt for password/key
> --------------------------------------------------
>
> Key: NIFI-2656
> URL: https://issues.apache.org/jira/browse/NIFI-2656
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Configuration, Core Framework
> Affects Versions: 1.0.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Minor
> Labels: bootstrap, config, encryption, security
> Fix For: 1.2.0
>
> Attachments: NIFI-2656.-K_support.1.patch
>
>
> The bootstrap process {{RunNiFi.java}} is currently responsible for reading
> the key from {{bootstrap.conf}} and sending it to the running NiFi process
> {{NiFi.java}} to be used for sensitive property decryption. This exposes the
> key in two places:
> * Plaintext in {{bootstrap.conf}}
> * In the process invocation
> Running the following command ({{ps -aef | grep -i nifi}}) will result in the
> following output:
> {code}
> ...
> 501 11597 11596 0 6:51PM ttys001 0:08.55
> /Users/alopresto/.jenv/versions/1.8/bin/java -classpath
> /Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./conf:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/bcprov-jdk15on-1.54.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/commons-lang3-3.4.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/jcl-over-slf4j-1.7.12.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/jul-to-slf4j-1.7.12.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/log4j-over-slf4j-1.7.12.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/logback-classic-1.1.3.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/logback-core-1.1.3.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-api-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-documentation-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-framework-api-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-nar-utils-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-properties-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-properties-loader-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/nifi-runtime-1.0.0-SNAPSHOT.jar:/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./lib/slf4j-api-1.7.12.jar
> -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m
> -Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true
> -Djava.awt.headless=true -XX:+UseG1GC
> -Djava.protocol.handler.pkgs=sun.net.www.protocol
> -Dnifi.properties.file.path=/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/./conf/nifi.properties
> -Dnifi.bootstrap.listen.port=58213 -Dapp=NiFi
> -Dorg.apache.nifi.bootstrap.config.log.dir=/Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.0.0-SNAPSHOT-bin/nifi-1.0.0-SNAPSHOT/logs
> org.apache.nifi.NiFi -k
> 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
> ...
> {code}
> To allow for a more secure invocation, the NiFi process could pause and
> prompt for the password/key entry in a secure console if it is not provided
> in the invocation arguments from bootstrap (or if a special flag is
> provided). While this would require manual intervention to start the process,
> it would not be default behavior.
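
The prompt proposed in the issue description above, as an added example that is not code from NiFi or from the pull request. The class and method names are hypothetical, and the 64-character hex key length is an assumption taken from the sample key in the ps output.

```java
import java.io.Console;
import java.util.Arrays;

// Added illustration; KeyPromptExample and its methods are hypothetical names, not NiFi classes.
public class KeyPromptExample {
    // Assumption: keys are 64 hex characters, like the sample key in the ps output above.
    private static final int KEY_HEX_LENGTH = 64;

    /** Uses "-k <hex>" when it was passed; otherwise prompts on a console with echo disabled. */
    static char[] obtainKey(String[] args) {
        for (int i = 0; i < args.length - 1; i++) {
            if ("-k".equals(args[i])) {
                // Current behaviour from the issue: the key is visible to anyone who can run ps.
                return validate(args[i + 1].toCharArray());
            }
        }
        Console console = System.console();
        if (console == null) {
            // No interactive terminal, e.g. a child process whose stdin/stdout are redirected.
            // Fail closed rather than falling back to an echoing read from System.in.
            throw new IllegalStateException("No -k argument and no console to prompt on");
        }
        char[] entered = console.readPassword("Enter key (hex): ");
        if (entered == null) {
            throw new IllegalStateException("Console closed before a key was entered");
        }
        return validate(entered);
    }

    /** Rejects anything that is not exactly KEY_HEX_LENGTH hex digits, wiping the rejected input. */
    static char[] validate(char[] key) {
        boolean ok = key.length == KEY_HEX_LENGTH;
        for (char c : key) {
            ok &= (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
        }
        if (!ok) {
            Arrays.fill(key, '\0');
            throw new IllegalArgumentException("Key must be " + KEY_HEX_LENGTH + " hex characters");
        }
        return key;
    }

    public static void main(String[] args) {
        char[] key = obtainKey(args);
        try {
            System.out.println("Key accepted (" + key.length + " hex characters)");
        } finally {
            Arrays.fill(key, '\0'); // char[] can be wiped after use; a String could not be
        }
    }
}
```

Run without `-k` from a terminal, the key never appears in the process arguments; run with stdin redirected, the example exits with an error instead of reading the key with echo on.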