  1. Apache NiFi
  2. NIFI-9953

The config encryption tool is too complicated to use and can be simplified


Details

    • Rebuild encrypt config tool into the 'Property Encryptor' tool
    • To Do

    Description

      It may be worth creating a new Property Encryptor tool (Encrypt Config 2.0) rather than converting the existing module. This would allow us to eventually deprecate the 1.0 tool and not mandate us to maintain backwards compatibility in 2.0.

      Goals:

      • Eliminate Groovy
      • Reduce complexity of code and complexity of usage
      • Logical separation of components/modularization

      Key design concerns:

      1. The tool should be implicit rather than explicit - too many parameter inputs have made 1.0 too complex and difficult to use (e.g. having to specify every single input and output file)
      2. Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
      3. Should be atomic/transactional (all files succeed or fail)
      4. Should stream read/write the input and output files
      5. Should use Java instead of Groovy
      6. Should use PicoCLI, a full-featured CLI library which allows subcommands (https://github.com/remkop/picocli)
      7. Concise error and debug logging to allow users to rectify issues
      8. Re-evaluate the need for any extra modes (e.g. migrate, key input vs password input)

      The command interface is expected to look something like this:

      ngough$ ./property-encryptor.sh --help

      usage: org.apache.nifi.toolkit.propertyencryptor.PropertyEncryptorMain [-h] [-v] [encrypt | decrypt | migrate | translate-cli]

      This tool can be used to easily encrypt configuration files for NiFi and its sub-projects (NiFi Registry, MiNiFi), as well as the flow.xml.gz or flow.json.gz files. Given a root directory, password and scheme it will protect all secret values within configuration files or within the flow.xml.gz/flow.json.gz with the key/password. The tool can also decrypt configuration files given the correct credentials. It also allows for migrating the password used from old to new, and changing the encryption scheme used.

      -h,--help         Show usage information (this message)

      -v,--verbose      Sets verbose mode (default false)


      Command examples:

      ./property-encryptor.sh encrypt [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]

      ./property-encryptor.sh decrypt config [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]

      ./property-encryptor.sh migrate [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [new-password] [new-scheme]

      ./property-encryptor.sh translate-cli nifi.properties
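
      One way to meet design concerns 3 and 4 above (all files succeed or fail, streamed reads and writes) with plain JDK file APIs. This is an added example, not code from NiFi or from this ticket; the class `AllOrNothingRewrite`, the method `rewriteAll` and the sample property name are hypothetical, and the line transform is a stand-in for real encryption.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.function.UnaryOperator;
public class AllOrNothingRewrite {
    // Hypothetical helper: applies lineTransform to every line of every file, or leaves all unchanged.
    static void rewriteAll(List<Path> files, UnaryOperator<String> lineTransform) throws IOException {
        Map<Path, Path> staged = new LinkedHashMap<>();   // original -> transformed temp file
        Map<Path, Path> backups = new LinkedHashMap<>();  // original -> complete backup copy
        List<Path> scratch = new ArrayList<>();           // every temp file, for cleanup
        try {
            // Phase 1: stream each file into a temp file beside it; originals stay untouched.
            for (Path file : files) {
                Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "stage-", ".tmp");
                scratch.add(tmp);
                try (BufferedReader in = Files.newBufferedReader(file);
                     BufferedWriter out = Files.newBufferedWriter(tmp)) {
                    for (String line; (line = in.readLine()) != null; ) {
                        out.write(lineTransform.apply(line));
                        out.newLine();  // line endings are normalized to the platform default
                    }
                }
                staged.put(file, tmp);
            }
            // Phase 2: commit only after all files staged. ATOMIC_MOVE replaces the target on POSIX.
            for (Map.Entry<Path, Path> e : staged.entrySet()) {
                Path bak = Files.createTempFile(e.getKey().toAbsolutePath().getParent(), "orig-", ".bak");
                scratch.add(bak);
                Files.copy(e.getKey(), bak, StandardCopyOption.REPLACE_EXISTING);
                backups.put(e.getKey(), bak);  // recorded only once the backup is complete
                Files.move(e.getValue(), e.getKey(), StandardCopyOption.ATOMIC_MOVE);
            }
        } catch (IOException | RuntimeException ex) {
            // Roll back any file already replaced, then report the original failure.
            for (Map.Entry<Path, Path> e : backups.entrySet()) Files.copy(e.getValue(), e.getKey(), StandardCopyOption.REPLACE_EXISTING);
            throw ex;
        } finally {
            for (Path p : scratch) Files.deleteIfExists(p);  // temp files hold sensitive values
        }
    }
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("demo");  // constructed sample input
        Path a = Files.write(dir.resolve("a.properties"), List.of("example.secret=hunter2"));
        // The second file does not exist, so staging fails before any original is modified.
        try { rewriteAll(List.of(a, dir.resolve("missing.properties")), l -> l.replaceAll("=.*", "=<protected>")); }
        catch (IOException ex) { System.out.println("failed, a.properties unchanged: " + Files.readAllLines(a)); }
    }
}
```

      A filesystem cannot rename several files in one atomic step, so the commit phase is best effort with rollback; on POSIX the replaced files end up with the owner-only permissions of the temp files.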

            People

              thenatog Nathan Gough
              Votes: 1
              Watchers: 3

                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 3.5h