[
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15982504#comment-15982504
]
ASF subversion and git services commented on NIFI-3045:
-------------------------------------------------------
Commit 995c7ce2fa5799bd2bbcc09c205dc823b2b405d5 in nifi's branch
refs/heads/master from [~skrewz]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=995c7ce ]
NIFI-2656: replace -k [password] with -K [passwordfile].
This approaches a proper solution on how to hand over the key from
RunNiFi to NiFi. Insofar the password file is pruned as part of the
startup, NiFi processors can't read it.
See also: NIFI-3045.
This closes #1302.
Signed-off-by: Andy LoPresto <[email protected]>
> Usage of -k undermines encrypted configuration
> ----------------------------------------------
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.0.0
> Reporter: Anders Breindahl
> Labels: bootstrap, configuration, encryption, security
> Attachments: 2016-11-16_dash-ks-extraction.png,
> extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm
> mistaken.
> When running the {{encrypt-config.sh}} script, one has a
> {{nifi.bootstrap.sensitive.key}} string configured in {{bootstrap.conf}}. The
> service startup script makes this be passed from {{RunNifi}} to{{NiFi}} by a
> {{-k}} parameter.
> This however can be retrieved by any user of the interface -- which, combined
> with NiFi being able to read from (the
> encrypted-under-{{nifi.bootstrap.sensitive.key}}) {{nifi.properties}} file
> means that e.g. the {{nifi.security.keystorePasswd}} property can be
> decrypted offline.
> Does this have anything to it?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
