You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/07/28 01:53:43 UTC
[GitHub] [nifi] gresockj opened a new pull request #5255: NIFI-8696: Adding HashiCorp Vault K/V SPP
gresockj opened a new pull request #5255:
URL: https://github.com/apache/nifi/pull/5255
#### Description of PR
Adds a Sensitive Property Provider that uses the HashiCorp Vault Key/Value secrets engine. This will allow the encrypt-config tool to write secrets to Vault when selecting the HASHICORP_VAULT_KV protection scheme, and NiFi/NiFi Registry to read these secrets from Vault.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [x] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [x] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [x] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [x] Have you written or updated unit tests to verify your changes?
- [x] Have you verified that the full build is successful on JDK 8?
- [x] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] asfgit closed pull request #5255: NIFI-8696: Adding HashiCorp Vault K/V SPP
Posted by GitBox <gi...@apache.org>.
asfgit closed pull request #5255:
URL: https://github.com/apache/nifi/pull/5255
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on a change in pull request #5255: NIFI-8696: Adding HashiCorp Vault K/V SPP
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on a change in pull request #5255:
URL: https://github.com/apache/nifi/pull/5255#discussion_r680962075
##########
File path: nifi-commons/nifi-sensitive-property-provider/src/main/java/org/apache/nifi/properties/HashiCorpVaultKeyValueSensitivePropertyProvider.java
##########
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.properties;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Objects;
+
+/**
+ * Uses the HashiCorp Vault Key/Value (unversioned) Secrets Engine to store sensitive values.
+ */
+public class HashiCorpVaultKeyValueSensitivePropertyProvider extends AbstractHashiCorpVaultSensitivePropertyProvider {
+
+ private static final String KEY_VALUE_PATH = "vault.kv.path";
+
+ HashiCorpVaultKeyValueSensitivePropertyProvider(final BootstrapProperties bootstrapProperties) {
+ super(bootstrapProperties);
+ }
+
+ @Override
+ protected String getSecretsEnginePath(final BootstrapProperties vaultBootstrapProperties) {
+ if (vaultBootstrapProperties == null) {
+ return null;
+ }
+ final String kvPath = vaultBootstrapProperties.getProperty(KEY_VALUE_PATH);
+ // Validate transit path
+ try {
+ PropertyProtectionScheme.fromIdentifier(getProtectionScheme().getIdentifier(kvPath));
+ } catch (IllegalArgumentException e) {
+ throw new SensitivePropertyProtectionException(String.format("%s [%s] contains unsupported characters", KEY_VALUE_PATH, kvPath), e);
+ }
+
+ return kvPath;
+ }
+
+ @Override
+ protected PropertyProtectionScheme getProtectionScheme() {
+ return PropertyProtectionScheme.HASHICORP_VAULT_KV;
+ }
+
+ /**
+ * Stores the sensitive value in Vault and returns a description of the secret.
+ *
+ * @param unprotectedValue the sensitive value
+ * @param context The property context, unused in this provider
+ * @return the value to persist in the {@code nifi.properties} file
+ * @throws SensitivePropertyProtectionException if there is an exception writing the secret
+ */
+ @Override
+ public String protect(final String unprotectedValue, final ProtectedPropertyContext context) throws SensitivePropertyProtectionException {
+ if (StringUtils.isBlank(unprotectedValue)) {
+ throw new IllegalArgumentException("Cannot protect an empty value");
+ }
+ Objects.requireNonNull(context, "Context is required to protect a value");
+
+ getVaultCommunicationService().writeKeyValueSecret(getPath(), context.getContextKey(), unprotectedValue);
+ return String.format("Protected by [%s] at [%s/%s]", getName(), getPath(), context.getContextKey());
Review comment:
Although this provides a clear explanation, it seems more verbose than necessary given that the `protected` sibling property describes the protection scheme. What do you think about changing this to just the Vault path and context key along the following lines?
```suggestion
return String.format("%s/%s", getPath(), context.getContextKey());
```
##########
File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/bootstrap.conf
##########
@@ -66,6 +66,21 @@ nifi.bootstrap.protection.hashicorp.vault.conf=./conf/bootstrap-hashicorp-vault.
# AWS KMS Sensitive Property Providers
nifi.bootstrap.protection.aws.kms.conf=./conf/bootstrap-aws.conf
+# Note: the following mapping properties only apply if a Sensitive Property Provider that uses property contexts
+# is configured. Otherwise, these values are ignored.
+#
+# If no nifi.bootstrap.protection.context.mapping.* properties are provided, the context for protected
+# properties uses a 'default' context, as in "default/Manager Password". Properties in nifi.properties are always
+# assigned this context, but there is a possibility of naming conflicts among the other configuration files.
+#
+# To create separate contexts for properties, you may provide context mappings in the format:
+# nifi.bootstrap.protection.context.mapping.<contextName>=<identifier matching regex>
+# With the following configuration, for example, any property named "Manager Password" located inside
+# a block whose <identifier> starts with "ldap-" will be mapped to the context named "ldap/Manager Password",
+# regardless of whether it resides in authorizers.xml or login-identity-providers.xml.
+#
+# nifi.bootstrap.protection.context.mapping.ldap=ldap-.*
Review comment:
These details and example are helpful, but it seems like it would be better to include in the Admin Guide as opposed to configuration file comments. Perhaps just a line or two mentioning that NiFi uses the `default` context when the bootstrap configuration does not include additional mappings. With a new section in the Admin Guide, the comment could also mention something along the lines of: See Administrator's Guide section on Context Mapping for Sensitive Properties Providers for more details.
##########
File path: nifi-commons/nifi-vault-utils/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
##########
@@ -61,12 +70,56 @@ public StandardHashiCorpVaultCommunicationService(final HashiCorpVaultProperties
}
@Override
- public String encrypt(final String transitKey, final byte[] plainText) {
- return transitOperations.encrypt(transitKey, Plaintext.of(plainText)).getCiphertext();
+ public String encrypt(final String transitPath, final byte[] plainText) {
+ return transitOperations.encrypt(transitPath, Plaintext.of(plainText)).getCiphertext();
+ }
+
+ @Override
+ public byte[] decrypt(final String transitPath, final String cipherText) {
+ return transitOperations.decrypt(transitPath, Ciphertext.of(cipherText)).getPlaintext();
+ }
+
+ /**
+ * Writes the value to the "value" key of the secret with the path [keyValuePath]/[key].
+ * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
+ * @param key The secret key
+ * @param value The secret value
+ */
+ @Override
+ public void writeKeyValueSecret(final String keyValuePath, final String key, final String value) {
+ final VaultKeyValueOperations keyValueOperations = keyValueOperationsMap
+ .computeIfAbsent(keyValuePath, path -> vaultTemplate.opsForKeyValue(path, KV_1));
+ keyValueOperations.put(key, new SecretData(value));
}
+ /**
+ * Returns the value of the "value" key from the secret at the path [keyValuePath]/[key].
+ * @param keyValuePath The Vault path to use for the configured Key/Value v1 Secrets Engine
+ * @param key The secret key
+ * @return The value of the secret
+ */
@Override
- public byte[] decrypt(final String transitKey, final String cipherText) {
- return transitOperations.decrypt(transitKey, Ciphertext.of(cipherText)).getPlaintext();
+ public Optional<String> readKeyValueSecret(final String keyValuePath, final String key) {
+ final VaultKeyValueOperations keyValueOperations = keyValueOperationsMap
+ .computeIfAbsent(keyValuePath, path -> vaultTemplate.opsForKeyValue(path, KV_1));
+ final VaultResponseSupport<SecretData> response = keyValueOperations.get(key, SecretData.class);
+ return response == null ? Optional.empty() : Optional.ofNullable(response.getRequiredData().getValue());
+ }
+
+ private static class SecretData {
+ private final String value;
+
+ // required for Jackson deserialization
+ private SecretData() {
+ value = null;
+ }
Review comment:
Is it worth replacing this specialized constructor with a Jackson annotation on the constructor with the `value` argument, or using this constructor and adding a set method instead?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org