Posted to dev@nifi.apache.org by Toivo Adams <to...@gmail.com> on 2018/03/12 10:02:50 UTC

DBCPConnectionPool encrypted password

Hi,

I need to encrypt DBCPConnectionPool password.
I have working decryption code.
Problem is how to make decrypted password available to DBCPConnectionPool.

I thought to use expression language and JVM System properties.
DBCPConnectionPool is capable of reading a System property value.

But how to set System property value after decryption.
I could create custom Controller service, but this service should be
executed before DBCPConnectionPool.
Is order of execution Controller services anyhow defined?

Thank you
Toivo




--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: DBCPConnectionPool encrypted password

Posted by Bryan Bende <bb...@gmail.com>.
Toivo,

I think there needs to be some improvements around variables &
sensitive property handling, but it is a challenging situation.

Some things you could investigate with the current capabilities:

- With the registry scenario, you could define a DBCPConnectionPool at
the root process group of each of your environments, then all your
versioned process groups can reference the DBCPConnectionPool from the
level above. When deploying a versioned flow you would still need to
go in the first time and update any processors to reference the
appropriate connection pool, but maybe this could be scripted?

- Similar to above, but if each versioned process group had its own
DBCPConnectionPool, then maybe after importing the flow you can script
the process of setting the password on the connection pool.

- You could possibly implement a custom version of DBCPConnectionPool
that obtained the password from somewhere outside the flow, although
this isn't great because it only works for this one component.

-Bryan


On Mon, Mar 12, 2018 at 9:59 AM, Toivo Adams <to...@gmail.com> wrote:
> Hi Bryan,
>
> We start using Registry soon anyway, so this is useful info.
> But it would be even better when we don’t need to enter passwords manually
> each time we deploy template.
> Any ideas how to do this?
>
> Thank you
> Toivo
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
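
Bryan's second suggestion above (scripting the password onto the connection pool after import), sketched as an added example that is not part of the thread or of NiFi's own code. It assumes the NiFi REST endpoint `/nifi-api/controller-services/{id}`, a hypothetical properties key `db.password`, and that the value passed in has already been decrypted by the site's own code; the sample data is constructed.

```python
import json
import urllib.request

PASSWORD_PROPERTY = "Password"  # DBCPConnectionPool's sensitive property

# Constructed samples: a per-environment properties file and a GET response.
SAMPLE_PROPS = "# test environment\ndb.user = etl\ndb.password = example-only\n"
SAMPLE_ENTITY = {"revision": {"version": 7},
                 "component": {"id": "hypothetical-service-id", "state": "DISABLED"}}


def read_property(properties_text, key):
    """Return the value of `key` from Java-style .properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comments
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    raise KeyError(key)


def build_update(entity, password):
    """Build the PUT body from the entity returned by GET on the service."""
    component = entity["component"]
    if component.get("state") != "DISABLED":
        raise RuntimeError("disable the controller service before updating it")
    # Echo the current revision so NiFi can reject a concurrent edit.
    return {"revision": {"version": entity["revision"]["version"]},
            "component": {"id": component["id"],
                          "properties": {PASSWORD_PROPERTY: password}}}


def set_pool_password(base_url, service_id, password, token=None):
    """GET the current revision, then PUT the password (use an https URL)."""
    url = f"{base_url}/nifi-api/controller-services/{service_id}"
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        entity = json.load(r)
    body = json.dumps(build_update(entity, password)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as r:
        return json.load(r)["revision"]["version"]
```

Once NiFi accepts the update, it stores the value encrypted with `nifi.sensitive.props.key` like any other sensitive property, so the versioned flow itself never carries the password.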

Re: DBCPConnectionPool encrypted password

Posted by Toivo Adams <to...@gmail.com>.
Hi Bryan,

We start using Registry soon anyway, so this is useful info.
But it would be even better when we don’t need to enter passwords manually
each time we deploy template.
Any ideas how to do this?

Thank you
Toivo




Re: DBCPConnectionPool encrypted password

Posted by Bryan Bende <bb...@gmail.com>.
You may want to consider moving from templates to NiFi Registry for
your deployment approach. The idea of this approach is that your flow
will get saved to registry with no sensitive values, when you import
the flow to the next environment you enter the sensitive values there
the first time and they get encrypted like normal, and then on future
deployments it retains the values you entered in the current
environment. There was actually a bug with this that is fixed on
master and will be in the next release [1].

[1] https://issues.apache.org/jira/browse/NIFI-4920



On Mon, Mar 12, 2018 at 9:22 AM, Toivo Adams <to...@gmail.com> wrote:
> Hi Bryan,
>
>>> Are you saying you are trying to externalize the value outside the
>>> flow and keep it encrypted somewhere else?
>
> Yes, exactly. We have different passwords on different environments (dev,
> test, production).
> After development flow (using template currently) will be deployed to test
> env. And if testing is successful we deploy same flow to production.
> Ideally flow should remain unmodified.
> So we keep password outside of flow – in properties file.
>
> Thank you
> Toivo
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: DBCPConnectionPool encrypted password

Posted by Toivo Adams <to...@gmail.com>.
Hi Bryan,

>> Are you saying you are trying to externalize the value outside the
>> flow and keep it encrypted somewhere else?

Yes, exactly. We have different passwords on different environments (dev,
test, production).
After development flow (using template currently) will be deployed to test
env. And if testing is successful we deploy same flow to production.
Ideally flow should remain unmodified.
So we keep password outside of flow – in properties file.

Thank you
Toivo




Re: DBCPConnectionPool encrypted password

Posted by Bryan Bende <bb...@gmail.com>.
Toivo,

The password property on DBCPConnectionPool is a "sensitive" property
which means it is already encrypted in the flow.xml.gz using
nifi.sensitive.props.key.

Are you saying you are trying to externalize the value outside the
flow and keep it encrypted somewhere else?

-Bryan


On Mon, Mar 12, 2018 at 6:02 AM, Toivo Adams <to...@gmail.com> wrote:
> Hi,
>
> I need to encrypt DBCPConnectionPool password.
> I have working decryption code.
> Problem is how to make decrypted password available to DBCPConnectionPool.
>
> I thought to use expression language and JVM System properties.
> DBCPConnectionPool is capable of reading a System property value.
>
> But how to set System property value after decryption.
> I could create custom Controller service, but this service should be
> executed before DBCPConnectionPool.
> Is order of execution Controller services anyhow defined?
>
> Thank you
> Toivo
>
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/