You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Daniel Salwerowicz (Jira)" <ji...@apache.org> on 2022/05/11 12:06:00 UTC
[jira] [Created] (NIFI-10018) NiFi instance encrypted with AES_GCM fails to start
Daniel Salwerowicz created NIFI-10018:
-----------------------------------------
Summary: NiFi instance encrypted with AES_GCM fails to start
Key: NIFI-10018
URL: https://issues.apache.org/jira/browse/NIFI-10018
Project: Apache NiFi
Issue Type: Bug
Components: Configuration, Configuration Management, Tools and Build
Affects Versions: 1.16.1
Environment: CentOS server, Java 11
Reporter: Daniel Salwerowicz
During setup of new NiFi instance on server I decided to encrypt the its configuration. It seemed to work well, at least there were no errors given during encryption:
{noformat}
nifi-toolkit-1.16.1/bin/encrypt-config.sh \
-n "$nifi_props" \
-l "$login_identity_providers" \
-a "$authorizers" \
-b "$bootstrap_conf" \
-S "$scheme" \
-p "$passwd" \
-w "$props_key" \
-m
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source nifi.properties and destination nifi.properties are identical [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties] so the original will be overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source login-identity-providers.xml and destination login-identity-providers.xml are identical [/disk1/nifi/prod/config/login-identity-providers.xml] so the original will be overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source authorizers.xml and destination authorizers.xml are identical [/disk1/nifi/prod/config/authorizers.xml] so the original will be overwritten
[main] WARN org.apache.nifi.properties.AbstractBootstrapPropertiesLoader - System Property [nifi.properties.file.path] not found: Using Relative Path [conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded NiFiProperties instance with 202 properties
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded login identity providers content (52 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated XML content: ...
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded authorizers content (98 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.keyPasswd] using [aes/gcm] -> pcGwPE3hcZ2lLkjT||0mDlQs30cpZDCE+fwnMmk4908Wb9gLNdQ1lzgrB7BDZHjptS+oTPRVKlv+SglBw7WKLS+9xY0ryu3w==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.keyPasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.keystorePasswd] using [aes/gcm] -> VwUaUqRLyXN/6X28||/0T7d6w/5PQdgw/aM7hp1Xq3pPaEeGax/mxQ9s4HVn9yeCiT3tulzzA9nyh63Pw2eWdbKnH3s6jAXw==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.keystorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.truststorePasswd] using [aes/gcm] -> gHP8eniagijAt2Gz||4ocM4NcfeZX/57FDLwXDlziKX8ZIsa05wof+3vbUl09Q61HT0bagVMDtE1tlvADBIk950oI11hPn2g==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.truststorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.sensitive.props.key] using [aes/gcm] -> vyb30QVW4kK/yiAx||LPpSqZ580UVIebndOMtgdKwfE+o7HMX8YrER80/7S7hcg+m9PYIvbLNPVdSlV9n4ri/G6MnuUVvLTA==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.sensitive.props.key.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Final result: 205 keys including 4 protected keys
{noformat}
However when I started the NiFi instance I saw following message in the "nifi-bootstrap.log" file:
{noformat}
2022-05-11 11:08:57,700 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metaDataSourceAdvisor': Cannot resolve reference to bean 'methodSecurityMetadataSource' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration': Unsatisfied dependency expressed through method 'setObjectPostProcessor' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.properties.SensitivePropertyProtectionException: Protection Scheme [aes/gcm/256] not supported
2022-05-11 11:08:57,701 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...{noformat}
In the "nifi.properties" I have following:
{noformat}
nifi.sensitive.props.key=...
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys={noformat}
Why is it that the standard AES_GCM encrypted instance fails to starts with message: "Protection Scheme [aes/gcm/256] not supported"?
There's nothing in the documentation that states otherwise.
[https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#AES_GCM]
The toolkit guide says nothing about this being unsupported.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)