You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Nathan Gough (Jira)" <ji...@apache.org> on 2022/04/22 23:02:00 UTC
[jira] [Updated] (NIFI-9953) The config encryption tool is too complicated to use and can be simplified
[ https://issues.apache.org/jira/browse/NIFI-9953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nathan Gough updated NIFI-9953:
-------------------------------
Epic Name: Rebuild encrypt config tool into the 'Property Encryptor' tool (was: Rebuild encrypt config tool)
Description:
It may be worth creating a new Property Encryptor tool (Encrypt Config 2.0) tool rather than converting the existing module. This would allow us to eventually deprecate the 1.0 tool and not mandate us to maintain backwards compatibility in 2.0.
Goals:
* Eliminate Groovy
* Reduce complexity of code and complexity of usage
* Logical separation of components/modularization
Key design concerns:
# The tool should be implicit rather than explicit - too many parameter inputs has made 1.0 too complex and difficult to use (eg. having to specify every single input and output file etc)
# Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
# Should be atomic/transactional (all files succeed or fail)
# Should stream read/write the input and output files
# Should use Java instead of Groovy
# Should use PicoCLI as a full featured CLI library which allows subcommands ([https://github.com/remkop/picocli])
# Concise error and debug logging to allow users to rectify issues
# Re-evaluate need for any extra modes (eg migrate, key input vs password input)
The command interface is expected to look something like this:
{quote}ngough$ ./property-encryptor.sh --help
usage: org.apache.nifi.toolkit.propertyencryptor.PropertyEncryptorMain [-h] [-v] [encrypt | decrypt | migrate | translate-cli]
This tool can be used to easily encrypt configuration files for NiFi and its sub-projects (NiFi Registry, MiNiFi), as well as the flow.xml.gz or flow.json.gz files. Given a root directory, password and scheme it will protect all secret values within configuration files or within the flow.xml.gz/flow.json.gz with the key/password. The tool can also decrypt configuration files given the correct credentials. It also allows for migrating the password used from old to new, and changing the encryption scheme used.
-h,--help Show usage information (this message)
-v,--verbose Sets verbose mode (default false)
Command examples:
./property-encryptor.sh encrypt [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
./property-encryptor.sh decrypt config [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
./property-encryptor.sh migrate [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [new-password] [new-scheme]
./property-encryptor.sh translate-cli nifi.properties
{quote}
was:
It may be worth creating a new Encrypt Config 2.0 tool rather than converting the existing module. This would allow us to eventually deprecate the 1.0 tool and not mandate us to maintain backwards compatibility in 2.0.
Goals:
* Eliminate Groovy
* Reduce complexity of code and complexity of usage
* Logical separation of components/modularization
Key design concerns:
# The tool should be implicit rather than explicit - too many parameter inputs has made 1.0 too complex and difficult to use (eg. having to specify every single input and output file etc)
# Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
# Should be atomic/transactional (all files succeed or fail)
# Should stream read/write the input and output files
# Should use Java instead of Groovy
# Should use PicoCLI as a full featured CLI library which allows subcommands (https://github.com/remkop/picocli)
# Concise error and debug logging to allow users to rectify issues
# Re-evaluate need for any extra modes (eg migrate, key input vs password input)
The command interface is expected to look something like this:
{quote}ngough$ ./encrypt-config-2.sh --help
usage: org.apache.nifi.toolkit.encryptconfig2.EncryptConfigMain [-h] [options]
This tool enables easy encryption and decryption of configuration files for NiFi and its sub-projects. Given a root NiFi directory, password and scheme it will protect all sensitive values within configuration files with the key/password. The tool can also decrypt the files given the correct password.
-h,--help Show usage information (this message)
--nifiRegistry Specifies target NiFi Registry. When this flag is not included, NiFi is the target. *// Not sure if required*
-v,--verbose Sets verbose mode (default false)
Command examples:
./encrypt-config-2.sh encrypt [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] password scheme [--flowXml]
./encrypt-config-2.sh decrypt root-nifi-dir password
./encrypt-config-2.sh migrate root-nifi-dir oldpassword newpassword [oldscheme newscheme]
./encrypt-config-2.sh translate-cli nifi.properties
{quote}
> The config encryption tool is too complicated to use and can be simplified
> --------------------------------------------------------------------------
>
> Key: NIFI-9953
> URL: https://issues.apache.org/jira/browse/NIFI-9953
> Project: Apache NiFi
> Issue Type: Epic
> Components: Tools and Build
> Affects Versions: 1.16.1
> Reporter: Nathan Gough
> Assignee: Nathan Gough
> Priority: Major
> Labels: config, encrypt-config, encryption
>
> It may be worth creating a new Property Encryptor tool (Encrypt Config 2.0) tool rather than converting the existing module. This would allow us to eventually deprecate the 1.0 tool and not mandate us to maintain backwards compatibility in 2.0.
> Goals:
> * Eliminate Groovy
> * Reduce complexity of code and complexity of usage
> * Logical separation of components/modularization
> Key design concerns:
> # The tool should be implicit rather than explicit - too many parameter inputs has made 1.0 too complex and difficult to use (eg. having to specify every single input and output file etc)
> # Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
> # Should be atomic/transactional (all files succeed or fail)
> # Should stream read/write the input and output files
> # Should use Java instead of Groovy
> # Should use PicoCLI as a full featured CLI library which allows subcommands ([https://github.com/remkop/picocli])
> # Concise error and debug logging to allow users to rectify issues
> # Re-evaluate need for any extra modes (eg migrate, key input vs password input)
> The command interface is expected to look something like this:
> {quote}ngough$ ./property-encryptor.sh --help
> usage: org.apache.nifi.toolkit.propertyencryptor.PropertyEncryptorMain [-h] [-v] [encrypt | decrypt | migrate | translate-cli]
> This tool can be used to easily encrypt configuration files for NiFi and its sub-projects (NiFi Registry, MiNiFi), as well as the flow.xml.gz or flow.json.gz files. Given a root directory, password and scheme it will protect all secret values within configuration files or within the flow.xml.gz/flow.json.gz with the key/password. The tool can also decrypt configuration files given the correct credentials. It also allows for migrating the password used from old to new, and changing the encryption scheme used.
> -h,--help Show usage information (this message)
> -v,--verbose Sets verbose mode (default false)
>
> Command examples:
> ./property-encryptor.sh encrypt [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
> ./property-encryptor.sh decrypt config [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
> ./property-encryptor.sh migrate [config | flow] [root-nifi-dir | root-nifi-registry-dir | root-minifi-dir] [new-password] [new-scheme]
> ./property-encryptor.sh translate-cli nifi.properties
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)