Apache NiFi / NIFI-3045

Usage of -k undermines encrypted configuration


Details

    Description

      Hey,

      When setting up a hardened NiFi installation I ran into this. I hope I'm mistaken.

      When running the encrypt-config.sh script, one has a nifi.bootstrap.sensitive.key string configured in bootstrap.conf. The service startup script causes this to be passed from RunNiFi to NiFi by a -k parameter.

      This, however, can be retrieved by any user of the interface – which, combined with NiFi being able to read from the (encrypted-under-nifi.bootstrap.sensitive.key) nifi.properties file, means that e.g. the nifi.security.keystorePasswd property can be decrypted offline.

      Does this have anything to it?

      Attachments

        1. extract-dash-ks-from-process-list.xml
          7 kB
          Anders Breindahl
        2. 2016-11-16_dash-ks-extraction.png
          54 kB
          Anders Breindahl
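
A defender-side check for the exposure described in this report, as an added example (not part of the original issue and not NiFi's own code): it parses Linux `/proc/<pid>/cmdline` entries and reports, with the value redacted, any NiFi JVM whose argv carries a `-k` argument. The main class name `org.apache.nifi.NiFi`, the `-k <value>` argument layout and the sample command line are assumptions constructed for illustration.

```python
import os
from pathlib import Path

# Assumption: NiFi's main class name as it appears in the JVM argv.
NIFI_MAIN = "org.apache.nifi.NiFi"


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def exposed_key_args(argv: list[str]) -> list[str]:
    """Return a redacted description of each '-k <value>' pair in a NiFi argv."""
    if NIFI_MAIN not in argv:
        return []
    start = argv.index(NIFI_MAIN) + 1  # program arguments only, not JVM options
    return [
        f"-k <redacted, {len(argv[i + 1])} chars>"
        for i in range(start, len(argv) - 1)
        if argv[i] == "-k"
    ]


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Check every process the current user can read under a Linux-style /proc."""
    results = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:  # process exited or access was denied
            continue
        findings = exposed_key_args(parse_cmdline(raw))
        if findings:
            results[int(entry.name)] = findings
    return results


# Constructed sample argv; the key is a made-up placeholder, not a real one.
SAMPLE = (b"java\0-classpath\0/opt/nifi/conf\0" + NIFI_MAIN.encode()
          + b"\0-k\0" + b"0123456789ABCDEF" * 2 + b"\0")

if __name__ == "__main__":
    print(exposed_key_args(parse_cmdline(SAMPLE)))
    if os.path.isdir("/proc"):
        for pid, hits in scan_proc().items():
            print(f"pid {pid}: {hits}")
```

Run it as an unprivileged account on the NiFi host: any finding means that account can read the key material from the process list.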

            People

              Assignee: Unassigned
              Reporter: Anders Breindahl (skrewz)