I also forgot to mention that if you do want Ansible to generate a new key, you can use the Encrypt Config Tool (part of the NiFi Toolkit) to perform key rotation and encrypted value migration [1] of the nifi.properties and flow.xml.gz files. I should probably write a blog entry with step-by-step instructions, but the Admin Guide does have an explanation and you can script this operation via Ansible if you desire.
[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#existing-flow-migration

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jul 26, 2017, at 10:47 AM, Andy LoPresto <[email protected]> wrote:
>
> Russell,
>
> Thanks for following up and documenting this. If you are willing to file a
> Jira, we can hopefully improve the error messaging to make this easier for
> users to diagnose, and as there is already a ticket (NIFI-3116 [1]) to remove
> Jasypt (the underlying library which is generating the stacktrace), they may
> be done in conjunction. Thanks.
>
> [1] https://issues.apache.org/jira/browse/NIFI-3116
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
>> On Jul 26, 2017, at 8:39 AM, Russell Bateman <[email protected]> wrote:
>>
>> Follow-up...
>>
>> We use openJRE, so the JCE problem doesn't affect us.
>>
>> The problem was as Mark suggested: Our Ansible instructions upgraded NiFi
>> and created a new nifi.sensitive.props.key. In nifi.properties this
>> property, if extant, is used to encrypt sensitive properties in flow.xml.gz.
>> Thus, upon relaunching NiFi, the wrong key was used to decrypt resulting in
>> the reported failure to start, flow.xml.gz is no longer useful.
>>
>> How did we solve it?
>>
>> We looked in the nifi.properties.rpmsave file, what RPM does with a file
>> it's changed, and copied the old key from this property to paste in over the
>> newly generated key in nifi.properties. Relaunched, NiFi worked with no
>> problem. The full solution, in our case, is to insist in Ansible that it not
>> generate for and replace nifi.sensitive.props.key with a new key.
>>
>> Many thanks to Mark and Joe for their very immediate and useful help saving
>> us much time down!
>>
>> Russ
>>
>>
>> On 07/26/2017 07:53 AM, Russell Bateman wrote:
>>> Thanks for these suggestions, guys. I've only come in this morning to this
>>> complaint on a customer's production server to which I don't have access.
>>> So, I'm at the beginning of it, but I've never seen this before and thought
>>> I'd ask in the meantime. Your suggestions are invaluable; I'm sure that
>>> something like what you say must be going on. I'll confer with the DevOps
>>> guys when they get in for the day.
>>>
>>> Many thanks,
>>>
>>> Russ
>>>
>>> On 07/26/2017 07:46 AM, Joe Witt wrote:
>>>> Has the version of java being used changed by chance on the system?
>>>> And if so, or perhaps even if not, were the JCE extensions
>>>> installed/configured previously and now it is not? Other than that
>>>> the only other thing that comes to mind is if the sensitive properties
>>>> key was changed
>>>>
>>>> On Wed, Jul 26, 2017 at 9:40 AM, Russell Bateman <[email protected]> wrote:
>>>>> I'm getting this stack trace reported. I'm completely unfamiliar with this
>>>>> problem or what could cause it--never having seen it before. I could use
>>>>> some help here.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> 2017-07-25 23:23:31,148 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
>>>>> org.apache.nifi.encrypt.EncryptionException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
>>>>>     at org.apache.nifi.encrypt.StringEncryptor.decrypt(StringEncryptor.java:149) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.serialization.FlowFromDOMFactory.decrypt(FlowFromDOMFactory.java:474) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.serialization.FlowFromDOMFactory.getProperties(FlowFromDOMFactory.java:411) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.serialization.FlowFromDOMFactory.getControllerService(FlowFromDOMFactory.java:96) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.fingerprint.FingerprintFactory.addFlowControllerFingerprint(FingerprintFactory.java:211) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:176) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:146) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.StandardFlowSynchronizer.checkFlowInheritability(StandardFlowSynchronizer.java:1335) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.StandardFlowSynchronizer.checkFlowInheritability(StandardFlowSynchronizer.java:1325) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:240) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1461) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:83) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:678) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:508) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:69) ~[na:na]
>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:837) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:533) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:810) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:345) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:231) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.Server.start(Server.java:411) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.server.Server.doStart(Server.java:378) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
>>>>>     at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675) ~[nifi-jetty-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.NiFi.<init>(NiFi.java:156) [nifi-runtime-1.1.2.jar:1.1.2]
>>>>>     at org.apache.nifi.NiFi.main(NiFi.java:262) [nifi-runtime-1.1.2.jar:1.1.2]
>>>>> Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
>>>>>     at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1055) ~[jasypt-1.9.2.jar:na]
>>>>>     at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725) ~[jasypt-1.9.2.jar:na]
>>>>>     at org.apache.nifi.encrypt.StringEncryptor.decrypt(StringEncryptor.java:147) ~[nifi-framework-core-1.1.2.jar:1.1.2]
>>>>>     ... 42 common frames omitted
>>>
>>
>
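
The check and the manual fix described in the thread above (the nifi.sensitive.props.key in nifi.properties no longer matching the one RPM kept in nifi.properties.rpmsave), as an added shell example that is not part of the original messages or of NiFi. The function names are hypothetical, and both file paths are passed as arguments because the thread does not give the install directory.

```shell
#!/bin/sh
# Added example (not from the thread or from NiFi); function names are hypothetical.

# Print the value of nifi.sensitive.props.key from a properties file.
# Assumes the "name=value" form; if the line is repeated, the last one wins.
props_key() {
    sed -n 's/^[[:space:]]*nifi\.sensitive\.props\.key[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\r'
}

# 0 = keys match, 1 = keys differ (the failure in this thread), 2 = unreadable file.
# The keys are compared in-process and never printed or logged.
check_props_key() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(props_key "$1")" = "$(props_key "$2")" ]
}

# Copy the key from the saved file over the one in the live file, leaving every
# other line untouched. awk takes the key from its environment, so characters
# such as & or / in the key are not interpreted as replacement syntax.
restore_props_key() {
    current="$1"; saved="$2"
    [ -r "$saved" ] && [ -w "$current" ] || return 2
    tmp="$(mktemp)" || return 2
    OLD_KEY="$(props_key "$saved")" awk '
        /^[ \t]*nifi\.sensitive\.props\.key[ \t]*=/ {
            print "nifi.sensitive.props.key=" ENVIRON["OLD_KEY"]; next
        }
        { print }' "$current" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$current"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check_key.sh <nifi.properties> <nifi.properties.rpmsave>
if [ "$#" -eq 2 ]; then
    check_props_key "$1" "$2"
    case $? in
        0) echo "nifi.sensitive.props.key matches the saved copy" ;;
        1) echo "nifi.sensitive.props.key differs from the saved copy" >&2; exit 1 ;;
        *) echo "cannot read $1 or $2" >&2; exit 2 ;;
    esac
fi
```

Run the check after an upgrade and before NiFi is restarted; a non-zero exit is the point at which an Ansible play can stop instead of starting NiFi against a flow.xml.gz it cannot decrypt.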
