[
https://issues.apache.org/jira/browse/NIFI-4942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16445191#comment-16445191
]
ASF GitHub Bot commented on NIFI-4942:
--------------------------------------
Github user ijokarumawak commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2648#discussion_r182934080
--- Diff: nifi-toolkit/nifi-toolkit-encrypt-config/pom.xml ---
@@ -167,10 +167,12 @@
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
<configuration>
+ <consoleOutput>true</consoleOutput>
<excludes combine.children="append">
<exclude>src/test/resources/scrypt.py</exclude>
-
<exclude>src/test/resources/secure_hash.key</exclude>
-
<exclude>src/test/resources/secure_hash_128.key</exclude>
+ <!-- use wildcard for below files as tests
generate additional files during the build -->
+ <exclude>**/secure_hash.key</exclude>
+ <exclude>**/secure_hash_128.key</exclude>
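Review bot: The two `**/` wildcard excludes at the end of this hunk widen the RAT exclusion from two specific files under src/test/resources to any file named `secure_hash.key` or `secure_hash_128.key` anywhere in the module. That makes the license check pass by ignoring the key files the tests generate during the build, rather than controlling where those files are written. Prefer keeping the path-specific excludes and having the tests clean up or redirect the generated files. If that is not possible yet, say so in the XML comment and track it, so the wildcard can be narrowed again later. The added `<consoleOutput>true</consoleOutput>` is unrelated to the excludes. If it was only needed to debug the failing check, drop it or explain it in the commit message.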
--- End diff --
@kevdoran Yeah, I looked at the source code and there doesn't seem to be a way
to change the output dir currently. I think it is not only a problem for tests, but
it might also be problematic in real usage. When I executed the tool, it
generated `secure_hash.key` in the current directory:
```
$ ./bin/encrypt-config.sh -n /tmp/enc-test/nifi.properties -o /tmp/enc-test/nifi-enc.properties -b /tmp/enc-test/bootstrap.conf --verbose
$ ll
total 60
drwxrwxr-x 6 nifi nifi 4096 Apr 20 02:42 ./
drwxrwxr-x 3 nifi nifi 4096 Apr 19 03:57 ../
drwxr-xr-x 2 nifi nifi 4096 Apr 19 01:45 bin/
drwxr-xr-x 3 nifi nifi 4096 Apr 19 01:45 classpath/
drwxr-xr-x 2 nifi nifi 4096 Apr 19 01:45 conf/
drwxrwxr-x 2 nifi nifi 12288 Apr 19 03:57 lib/
-rw-r--r-- 1 nifi nifi 15986 Apr 19 01:45 LICENSE
-rw-r--r-- 1 nifi nifi 5473 Apr 19 01:45 NOTICE
-rw------- 1 nifi nifi 91 Apr 20 02:42 secure_hash.key
```
Since the key is baked into the bootstrap.conf, the secure_hash.key does not
need to be written as a file, I guess. I'm new to this tool, so I can be wrong.
> NiFi Toolkit - Allow migration of master key without previous password
> ----------------------------------------------------------------------
>
> Key: NIFI-4942
> URL: https://issues.apache.org/jira/browse/NIFI-4942
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Affects Versions: 1.5.0
> Reporter: Yolanda M. Davis
> Assignee: Andy LoPresto
> Priority: Major
> Fix For: 1.7.0
>
>
> Currently the encryption cli in nifi toolkit requires that, in order to
> migrate from one master key to the next, the previous master key or password
> should be provided. In cases where the provisioning tool doesn't have the
> previous value available this becomes challenging to provide and may be prone
> to error. In speaking with [~alopresto] we can allow toolkit to support a
> mode of execution such that the master key can be updated without requiring
> the previous password. Also documentation around its usage should be updated
> to be clear in describing the purpose and the type of environment where this
> command should be used (admin only access etc).