[
https://issues.apache.org/jira/browse/NIFI-4942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16436345#comment-16436345
]
ASF GitHub Bot commented on NIFI-4942:
--------------------------------------
Github user YolandaMDavis commented on the issue:
https://github.com/apache/nifi/pull/2628
@alopresto ran through test cases and this works as expected. One question
for you: is there a way to designate an output location for the secure-hash.key
file, such as if I want to pipe it to stdin or just to another location?
Also, as a side note, I tested with -p (password) input where it may contain
certain characters (@, -, and &). The '&' caused the script to fail but also to
stall; I needed to do a Control-C to break out of it. The below is resolved by
simply including quotes around the password but may be good to document for
users:
```text
ydavis$ /Users/ydavis/dev/projects/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.7.0-SNAPSHOT-bin/nifi-toolkit-1.7.0-SNAPSHOT/bin/encrypt-config.sh -v -m -b bootstrap.conf -n nifi-migrated-from-hash-key-break-2.properties -o nifi-migrated-from-hash-key-break-3.properties -p thisIs&ABadPassword4 -y '$s0$100801$j8z9NeI9DZEBTbCzOaQJbA$MI0iN/ZPQ5bk4YxcgJ2H95gCToQy3ZbIr7B6OMxB3oA'
[1] 5576
-bash: ABadPassword4: command not found
HW13535:conf ydavis$ 2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: Handling encryption of nifi.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: bootstrap.conf: bootstrap.conf
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) nifi.properties: nifi-migrated-from-hash-key-break-2.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) nifi.properties: nifi-migrated-from-hash-key-break-3.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) login-identity-providers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) login-identity-providers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) authorizers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) authorizers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) flow.xml.gz: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) flow.xml.gz: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: Key migration mode activated
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.NiFiPropertiesLoader: Loaded 151 properties from /Users/ydavis/dev/tools/nifi-1.7.0-SNAPSHOT/conf/nifi-migrated-from-hash-key-break-2.properties
2018/04/12 17:30:13 ERROR [main] org.apache.nifi.properties.ConfigEncryptionTool: Encountered an error
java.security.KeyException: Cannot derive key from empty/short password -- password must be at least 12 characters
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
	at org.codehaus.groovy.reflection.CachedConstructor.doConstructorInvoke(CachedConstructor.java:77)
	at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrap.callConstructor(ConstructorSite.java:84)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:247)
	at org.apache.nifi.properties.ConfigEncryptionTool.deriveKeyFromPassword(ConfigEncryptionTool.groovy:1493)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite$StaticMetaMethodSiteNoUnwrapNoCoerce.invoke(StaticMetaMethodSite.java:151)
	at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:102)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:206)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKeyInternal(ConfigEncryptionTool.groovy:527)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.callCurrent(PogoMetaMethodSite.java:59)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:190)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKey(ConfigEncryptionTool.groovy:542)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKey(ConfigEncryptionTool.groovy:541)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
	at org.apache.nifi.properties.ConfigEncryptionTool.main(ConfigEncryptionTool.groovy:1659)
	at org.apache.nifi.properties.ConfigEncryptionTool$main.call(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
	at org.apache.nifi.toolkit.encryptconfig.LegacyMode.run(LegacyMode.groovy:30)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSite.invoke(PogoMetaMethodSite.java:169)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
	at org.apache.nifi.toolkit.encryptconfig.EncryptConfigMain.main(EncryptConfigMain.groovy:109)
Cannot derive key from empty/short password -- password must be at least 12 characters
usage: org.apache.nifi.properties.ConfigEncryptionTool [-h] [-v] [-n <file>] [-o <file>] [-l <file>] [-i <file>] [-a <file>] [-u <file>] [-f <file>] [-g <file>]
       [-b <file>] [-k <keyhex>] [-e <keyhex>] [-p <password>] [-w <password>] [-y <hashed_keyhex>] [-z <hashed_password>] [-r] [-m] [-x] [-s <password|keyhex>]
       [-A <algorithm>] [-P <algorithm>] [--currentHashParams]
This tool reads from a nifi.properties and/or login-identity-providers.xml file with plain sensitive configuration values, prompts the user for a master key,
and encrypts each value. It will replace the plain value with the protected value in the same file (or write to a new file if specified). It can also be used to
migrate already-encrypted values in those files or in flow.xml.gz to be encrypted with a new key.
 -h,--help                                   Show usage information (this message)
 -v,--verbose                                Sets verbose mode (default false)
 -n,--niFiProperties <file>                  The nifi.properties file containing unprotected config values (will be overwritten unless -o is specified)
 -o,--outputNiFiProperties <file>            The destination nifi.properties file containing protected config values (will not modify input nifi.properties)
 -l,--loginIdentityProviders <file>          The login-identity-providers.xml file containing unprotected config values (will be overwritten unless -i is specified)
 -i,--outputLoginIdentityProviders <file>    The destination login-identity-providers.xml file containing protected config values (will not modify input login-identity-providers.xml)
 -a,--authorizers <file>                     The authorizers.xml file containing unprotected config values (will be overwritten unless -u is specified)
 -u,--outputAuthorizers <file>               The destination authorizers.xml file containing protected config values (will not modify input authorizers.xml)
 -f,--flowXml <file>                         The flow.xml.gz file currently protected with old password (will be overwritten unless -g is specified)
 -g,--outputFlowXml <file>                   The destination flow.xml.gz file containing protected config values (will not modify input flow.xml.gz)
 -b,--bootstrapConf <file>                   The bootstrap.conf file to persist master key
 -k,--key <keyhex>                           The raw hexadecimal key to use to encrypt the sensitive properties
 -e,--oldKey <keyhex>                        The old raw hexadecimal key to use during key migration
 -p,--password <password>                    The password from which to derive the key to use to encrypt the sensitive properties
 -w,--oldPassword <password>                 The old password from which to derive the key during migration
 -y,--secureHashKey <hashed_keyhex>          The old securely-hashed hexadecimal key to authenticate during key migration (see NiFi Admin Guide)
 -z,--secureHashPassword <hashed_password>   The old securely-hashed password to authenticate during key migration (see NiFi Admin Guide)
 -r,--useRawKey                              If provided, the secure console will prompt for the raw key value in hexadecimal form
 -m,--migrate                                If provided, the nifi.properties and/or login-identity-providers.xml sensitive properties will be re-encrypted with a new key
 -x,--encryptFlowXmlOnly                     If provided, the properties in flow.xml.gz will be re-encrypted with a new key but the nifi.properties and/or login-identity-providers.xml files will not be modified
 -s,--propsKey <password|keyhex>             The password or key to use to encrypt the sensitive processor properties in flow.xml.gz
 -A,--newFlowAlgorithm <algorithm>           The algorithm to use to encrypt the sensitive processor properties in flow.xml.gz
 -P,--newFlowProvider <algorithm>            The security provider to use to encrypt the sensitive processor properties in flow.xml.gz
    --currentHashParams                      Returns the current salt and cost params used to store the hashed key/password
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home
NiFi Toolkit home: /Users/ydavis/dev/projects/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.7.0-SNAPSHOT-bin/nifi-toolkit-1.7.0-SNAPSHOT
```
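Added example (shell script; not part of the NiFi toolkit and not code from the comment above) reproducing what the shell did with the unquoted `-p thisIs&ABadPassword4` argument and showing how a wrapper script should hand a password to the tool. `&` is the shell's background operator, so the line in the log was parsed as two commands: `encrypt-config.sh ... -p thisIs` in the background (the `[1] 5576` job) and `ABadPassword4 -y '...'` as a second command (the `command not found`). The tool only ever saw the six-character `thisIs`, which is why it raised the "at least 12 characters" KeyException. `fake_tool` is a hypothetical stand-in for `encrypt-config.sh` that just reports the value it received after `-p`; `password_length_ok` mirrors the 12-character rule quoted in the log; `shell_quote` is a general quoting helper, not a toolkit feature. Two caveats worth documenting alongside the quoting advice: the escaping problem only exists at an interactive prompt, because inside a script `"$var"` is always a single argument whatever it contains; and a password on the command line is visible in `ps` output and shell history regardless of quoting, so for anything but a throwaway test prefer the tool's interactive prompt (the usage text above says it prompts for the master key when none is supplied) or read the value into a variable with `read -rs` and pass `"$var"`.

```shell
#!/usr/bin/env bash
# Added example: why an unquoted '&' in a -p argument splits the command line,
# and how a wrapper script passes a password safely. Not NiFi toolkit code.

# Hypothetical stand-in for encrypt-config.sh: prints the argument that
# followed -p (or "(none)"), so we can see exactly what the shell passed.
fake_tool() {
    local pw="(none)" want=0
    for arg in "$@"; do
        if [ "$want" -eq 1 ]; then pw="$arg"; want=0
        elif [ "$arg" = "-p" ]; then want=1
        fi
    done
    printf '%s\n' "$pw"
}

# The line as typed on the page, fed to the shell verbatim via eval. '&' is the
# background operator, so this becomes "fake_tool -p thisIs" in the background
# plus a second command named ABadPassword4 (command not found; stderr hidden).
# The password string itself is the one from the page's log, not invented.
unquoted_password() {
    eval 'fake_tool -p thisIs&ABadPassword4 -y dummyhash' 2>/dev/null || true
    wait    # reap the backgrounded half (the "[1] 5576" job on the page)
}

# Same password single-quoted at the prompt: one word, all 20 characters arrive.
quoted_password() {
    fake_tool -p 'thisIs&ABadPassword4' -y dummyhash
}

# Inside a script, "$1" is always exactly one argument, so no escaping is
# needed no matter which characters the password contains. Populate the
# variable from the environment or from 'read -rs', not from a literal.
password_from_variable() {
    fake_tool -p "$1" -y dummyhash
}

# Mirror of the rule the log reports ("password must be at least 12
# characters"); the truncated "thisIs" fails it, the full password passes.
password_length_ok() {
    [ "${#1}" -ge 12 ]
}

# For the rarer case where a command line has to be assembled as text (handed
# to eval, ssh, or a remote provisioning step): wrap the value in single quotes
# and turn each embedded single quote into '\'' so the shell re-parses it as
# one word. This is a generic helper, not a toolkit feature.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Round-trip check: quote, re-parse with eval, confirm the tool gets it intact.
quoted_roundtrip() {
    eval "fake_tool -p $(shell_quote "$1") -y dummyhash"
}

printf 'unquoted at prompt -> %s\n' "$(unquoted_password)"         # thisIs
printf 'quoted at prompt   -> %s\n' "$(quoted_password)"           # thisIs&ABadPassword4
printf 'via "$var"         -> %s\n' "$(password_from_variable 'thisIs&ABadPassword4')"
printf 'via shell_quote    -> %s\n' "$(quoted_roundtrip "it's&odd")"
```

Run it as a script to see the four variants side by side; the functions are also safe to source. The only variant that needs any care is the first one, and the care is purely interactive: in provisioning code, passing `"$var"` (or letting the tool prompt) removes the problem without any escaping logic.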
> NiFi Toolkit - Allow migration of master key without previous password
> ----------------------------------------------------------------------
>
> Key: NIFI-4942
> URL: https://issues.apache.org/jira/browse/NIFI-4942
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Affects Versions: 1.5.0
> Reporter: Yolanda M. Davis
> Assignee: Andy LoPresto
> Priority: Major
>
> Currently the encryption cli in nifi toolkit requires that, in order to
> migrate from one master key to the next, the previous master key or password
> should be provided. In cases where the provisioning tool doesn't have the
> previous value available this becomes challenging to provide and may be prone
> to error. In speaking with [~alopresto] we can allow toolkit to support a
> mode of execution such that the master key can be updated without requiring
> the previous password. Also documentation around its usage should be updated
> to be clear in describing the purpose and the type of environment where this
> command should be used (admin only access etc).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)