Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2018/04/04 19:23:00 UTC

[jira] [Commented] (NIFI-4942) NiFi Toolkit - Allow migration of master key without previous password

    [ https://issues.apache.org/jira/browse/NIFI-4942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16426051#comment-16426051 ] 

Andy LoPresto commented on NIFI-4942:
-------------------------------------

I coordinated with Yolanda again today to discuss how Ambari would get the salt and cost parameters for the hash generation (hashes with different salts/costs cannot be compared directly, but rather each can be compared to the raw input value. As we will not have access to this at the toolkit stage, the hash *must* be generated with the same salt and costs that are stored for comparison). The toolkit will provide a {{--current-hash-params}} flag to query the existing salt and cost parameters in JSON format and then accept the hash generated with those inputs. 

Example:

{code}
$ ./bin/encrypt-config.sh --current-hash-params
{"N": "1024", "r": "8", "p": "1", salt: "ABCDEFGHIJKLMNOPQRSTUV"}
{code}

> NiFi Toolkit - Allow migration of master key without previous password
> ----------------------------------------------------------------------
>
>                 Key: NIFI-4942
>                 URL: https://issues.apache.org/jira/browse/NIFI-4942
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>    Affects Versions: 1.5.0
>            Reporter: Yolanda M. Davis
>            Assignee: Andy LoPresto
>            Priority: Major
>
> Currently the encryption cli in nifi toolkit requires that, in order to migrate from one master key to the next, the previous master key or password should be provided. In cases where the provisioning tool doesn't have the previous value available this becomes challenging to provide and may be prone to error. In speaking with [~alopresto] we can allow toolkit to support a mode of execution such that the master key can be updated without requiring the previous password. Also documentation around its usage should be updated to be clear in describing the purpose and the type of environment where this command should be used (admin only access etc).
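
An added example, not part of the original comment or of NiFi's code: a provisioning-side sketch that parses parameters in the JSON shape shown above, derives a hash with them, and shows that a hash made with a different salt or cost does not match the stored one. It assumes N/r/p are scrypt cost parameters, that the salt string is used as raw UTF-8 bytes, and a 32-byte output; the function names and sample password are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample in the JSON shape the comment shows for --current-hash-params.
SAMPLE_PARAMS = '{"N": "1024", "r": "8", "p": "1", "salt": "ABCDEFGHIJKLMNOPQRSTUV"}'

DKLEN = 32  # assumption: the output length is not stated on the page


def parse_params(raw):
    """Parse and validate the parameter JSON; numeric values arrive as strings."""
    doc = json.loads(raw)
    n, r, p = (int(doc[k]) for k in ("N", "r", "p"))
    if n < 2 or n & (n - 1):
        raise ValueError("scrypt N must be a power of two greater than 1")
    if r < 1 or p < 1 or not doc["salt"]:
        raise ValueError("r and p must be positive and salt non-empty")
    # Assumption: the salt string is used as raw UTF-8 bytes.
    return {"n": n, "r": r, "p": p, "salt": doc["salt"].encode("utf-8")}


def derive_hash(password, params):
    """Hex scrypt hash of the password under the given salt and costs."""
    return hashlib.scrypt(password.encode("utf-8"), dklen=DKLEN, **params).hex()


def hashes_match(supplied_hex, stored_hex):
    """Constant-time comparison of two hex-encoded hashes."""
    return hmac.compare_digest(supplied_hex, stored_hex)


if __name__ == "__main__":
    params = parse_params(SAMPLE_PARAMS)
    stored = derive_hash("previous-password", params)  # value held for comparison
    same = derive_hash("previous-password", params)    # provisioning tool's hash
    other_salt = derive_hash("previous-password",
                             {**params, "salt": b"constructed-other-salt"})
    other_cost = derive_hash("previous-password", {**params, "n": 2048})
    print("same salt and costs:", hashes_match(same, stored))
    print("different salt:     ", hashes_match(other_salt, stored))
    print("different cost:     ", hashes_match(other_cost, stored))
```
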


