[
https://issues.apache.org/jira/browse/NIFI-4701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16306528#comment-16306528
]
ASF GitHub Bot commented on NIFI-4701:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2350#discussion_r159102075
--- Diff:
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
---
@@ -772,6 +899,48 @@ class ConfigEncryptionTool {
}
}
+ String encryptAuthorizers(String plainXml, String newKeyHex = keyHex) {
+ AESSensitivePropertyProvider sensitivePropertyProvider = new
AESSensitivePropertyProvider(newKeyHex)
+
+ // TODO: Switch to XmlParser & XmlNodePrinter to maintain "empty"
element structure
+ try {
+ def doc = new XmlSlurper().parseText(plainXml)
+ // Find the provider element by class even if it has been
renamed
+ def passwords = doc.userGroupProvider.find { it.'class' as
String == LDAP_USER_GROUP_PROVIDER_CLASS }
+ .property.findAll {
+ // Only operate on un-encrypted passwords
+ it.@name =~ "Password" && (it.@encryption == "none" ||
it.@encryption == "") && it.text()
+ }
+
+ if (passwords.isEmpty()) {
+ if (isVerbose) {
+ logger.info("No unencrypted password property elements
found in login-identity-providers.xml")
+ }
+ return plainXml
+ }
+
+ passwords.each { password ->
+ if (isVerbose) {
+ logger.info("Attempting to encrypt ${password.name()}")
+ }
+ String encryptedValue =
sensitivePropertyProvider.protect(password.text().trim())
+ password.replaceNode {
+ property(name: password.@name, encryption:
sensitivePropertyProvider.identifierKey, encryptedValue)
+ }
+ }
+
+ // Does not preserve whitespace formatting or comments
+ String updatedXml = XmlUtil.serialize(doc)
+ logger.info("Updated XML content: ${updatedXml}")
+ updatedXml
+ } catch (Exception e) {
+ if (isVerbose) {
+ logger.error("Encountered exception", e)
+ }
+ printUsageAndThrow("Cannot encrypt login identity providers
XML content", ExitCode.SERVICE_ERROR)
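Review bot: the `logger.info("Updated XML content: ${updatedXml}")` call at the end of the try block is not guarded by `isVerbose`, unlike every other log statement in this method, so each run writes the full serialized document (all provider properties, not only the encrypted passwords) to the log. Suggest wrapping it in `if (isVerbose) { ... }` or logging only that the update succeeded. In the `passwords.isEmpty()` branch, the "No unencrypted password property elements found in login-identity-providers.xml" message also names login-identity-providers.xml although this method is `encryptAuthorizers`.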
--- End diff --
This message should also be updated to `authorizers.xml`.
> Support encrypted properties in authorizers.xml
> -----------------------------------------------
>
> Key: NIFI-4701
> URL: https://issues.apache.org/jira/browse/NIFI-4701
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Configuration
> Reporter: Kevin Doran
> Assignee: Kevin Doran
> Fix For: 1.5.0
>
>
> Since the addition of LdapUserGroupProvider (see NIFI-4059) in v1.4.0,
> authorizers.xml can now contain properties for LDAP Server credentials.
> This ticket is to enable properties in authorizers.xml to be encrypted, so
> that the LDAP Server Manager credentials can be protected similar to
> LdapProvider which is configured via login-identity-providers.xml.
> The main changes in nifi-authorizers are:
> * authorizers.xsd to add an encryption attribute to Property
> * PropertyAuthorizerFactoryBean to check for that attribute and decrypt
> the property value if necessary when creating the configuration context
> Additionally, support for creating an encrypted authorizers.xml, protected by
> the NiFi master key, should be added to the Encrypt Tool in NiFi Toolkit.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)