[ https://issues.apache.org/jira/browse/NIFI-8447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joseph Gresock updated NIFI-8447:
---------------------------------
Description:
Add support for a HASHICORP_VAULT_TRANSIT PropertyProtectionScheme in the
Encrypt Config Tool that can be configured with a Secrets Engine path and the
relevant bootstrap.conf properties. This path will be used in the identifier
key: "vault/transit/[path]".
The bootstrap.conf provided in the command line must be configured with the
following relevant properties in order for the encryption to work:
{code}
# HashiCorp Vault Sensitive Property Provider (not enabled if the following two properties are not set)
nifi.bootstrap.sensitive.props.hashicorp.vault.uri=
nifi.bootstrap.sensitive.props.hashicorp.vault.auth.props.file=
# HashiCorp Vault Secrets Engine configuration
# If set, enables PropertyProtectionScheme.HASHICORP_VAULT_TRANSIT
nifi.bootstrap.sensitive.props.hashicorp.vault.transit.path=
# Optional HashiCorp Vault configuration
nifi.bootstrap.sensitive.props.hashicorp.vault.connection.timeout=5 secs
nifi.bootstrap.sensitive.props.hashicorp.vault.read.timeout=15 secs
nifi.bootstrap.sensitive.props.hashicorp.vault.enabled.tls.cipher.suites=
nifi.bootstrap.sensitive.props.hashicorp.vault.enabled.tls.protocols=
nifi.bootstrap.sensitive.props.hashicorp.vault.keystore=
nifi.bootstrap.sensitive.props.hashicorp.vault.keystoreType=
nifi.bootstrap.sensitive.props.hashicorp.vault.keystorePasswd=
nifi.bootstrap.sensitive.props.hashicorp.vault.truststore=
nifi.bootstrap.sensitive.props.hashicorp.vault.truststoreType=
nifi.bootstrap.sensitive.props.hashicorp.vault.truststorePasswd=
{code}
was:
Using the StandardHashiCorpVaultCommunicationService, add options to the
Encrypt Tool in nifi-toolkit for the following:
# Select encryption method (aes/gcm vs. vault)
# Select vault configuration (recommended as a vault-configuration.properties
file, since there are so many configuration properties). Vault configuration
properties include:
{code}
nifi.sensitive.props.hashicorp.vault.uri=
nifi.sensitive.props.hashicorp.vault.transit.key=
nifi.sensitive.props.hashicorp.vault.auth.properties.file=
# Optional TLS options if addr is https
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
{code}
Selecting the vault encryption method should set the encryption value in XML files
or the *.protected property in properties files to "vault/[transitKey]".
A transitKey represents a distinct Vault configuration of encryption settings.
Additionally, the corresponding nifi.sensitive.props.hashicorp.vault.*
properties should be configured in the resulting nifi.properties file so that
the NiFi instance can use the same Vault configuration.
> Add HashiCorp Vault encryption as an option in the Encrypt Tool
> ---------------------------------------------------------------
>
> Key: NIFI-8447
> URL: https://issues.apache.org/jira/browse/NIFI-8447
> Project: Apache NiFi
> Issue Type: Sub-task
> Reporter: Joseph Gresock
> Priority: Minor
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
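The enablement rules in the updated description (the Vault provider is enabled only when both the uri and the auth props file are set; HASHICORP_VAULT_TRANSIT only when the transit path is also set; the resulting identifier key is "vault/transit/[path]") and the requirement from the earlier description that the NiFi instance must be configured with the same Vault settings as the tool can be turned into a pre-flight check. The script below is an added example written for this page; it is not part of the NiFi toolkit, the issue, or any NiFi release. The bootstrap.conf and nifi.properties contents, the hostname, the file paths and the ciphertext-looking values are constructed for the example, and the properties reader handles only `#`/`!` comments and `=`/`:` separators, which is enough for these two files.

```python
"""Pre-flight check for the HASHICORP_VAULT_TRANSIT protection scheme.

Added example for NIFI-8447; not part of the NiFi toolkit or of the issue.
It applies the enablement rules from the description to a bootstrap.conf,
derives the "vault/transit/[path]" identifier, and cross-checks the
*.protected markers in a nifi.properties against it. All file contents,
hostnames, paths and ciphertext-looking values below are constructed.
"""
from __future__ import annotations

import re

PREFIX = "nifi.bootstrap.sensitive.props.hashicorp.vault."
TRANSIT_SCHEME = "HASHICORP_VAULT_TRANSIT"
IDENTIFIER_PREFIX = "vault/transit/"

# Constructed sample bootstrap.conf (placeholder values, not a real deployment).
SAMPLE_BOOTSTRAP = """\
# HashiCorp Vault Sensitive Property Provider
nifi.bootstrap.sensitive.props.hashicorp.vault.uri=https://vault.example.internal:8200
nifi.bootstrap.sensitive.props.hashicorp.vault.auth.props.file=./conf/vault-auth.properties
nifi.bootstrap.sensitive.props.hashicorp.vault.transit.path=nifi-transit
nifi.bootstrap.sensitive.props.hashicorp.vault.connection.timeout=5 secs
nifi.bootstrap.sensitive.props.hashicorp.vault.truststore=./conf/truststore.p12
nifi.bootstrap.sensitive.props.hashicorp.vault.truststoreType=PKCS12
nifi.bootstrap.sensitive.props.hashicorp.vault.truststorePasswd=
"""

# Constructed sample nifi.properties: one value protected under the path above,
# one under a stale transit path, one under an aes/gcm identifier (constructed).
SAMPLE_NIFI_PROPERTIES = """\
nifi.sensitive.props.key=vault:v1:Y29uc3RydWN0ZWQtY2lwaGVydGV4dA==
nifi.sensitive.props.key.protected=vault/transit/nifi-transit
nifi.security.keystorePasswd=vault:v1:b2xkLWNpcGhlcnRleHQ=
nifi.security.keystorePasswd.protected=vault/transit/old-transit
nifi.security.truststorePasswd=0123456789abcdef||fedcba9876543210
nifi.security.truststorePasswd.protected=aes/gcm/256
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' as the
    separator, surrounding whitespace stripped. Escapes and line continuations
    are not handled; bootstrap.conf and nifi.properties do not rely on them."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:]+?)\s*[=:]\s*(.*)$", line)
        if m is None:
            continue
        props[m.group(1)] = m.group(2).strip()
    return props


def vault_scheme_status(props: dict[str, str]) -> dict:
    """Apply the enablement rules: the provider needs both uri and auth.props.file;
    HASHICORP_VAULT_TRANSIT additionally needs transit.path."""
    def get(name: str) -> str:
        return props.get(PREFIX + name, "").strip()

    uri, auth_file, path = get("uri"), get("auth.props.file"), get("transit.path")
    provider_enabled = bool(uri and auth_file)
    transit_enabled = provider_enabled and bool(path)
    warnings: list[str] = []
    if not provider_enabled:
        for name, value in (("uri", uri), ("auth.props.file", auth_file)):
            if not value:
                warnings.append(f"{PREFIX}{name} is not set; Vault provider is disabled")
    elif not path:
        warnings.append(f"{PREFIX}transit.path is not set; {TRANSIT_SCHEME} is unavailable")
    # Consistency check added by this example: a store path without its password
    # is almost always a configuration slip.
    for store in ("keystore", "truststore"):
        if get(store) and not get(store + "Passwd"):
            warnings.append(f"{PREFIX}{store} is set but {PREFIX}{store}Passwd is empty")
    return {
        "provider_enabled": provider_enabled,
        "transit_enabled": transit_enabled,
        "identifier": IDENTIFIER_PREFIX + path if transit_enabled else None,
        "warnings": warnings,
    }


def transit_path_from_identifier(identifier: str) -> str | None:
    """Return the Secrets Engine path from a 'vault/transit/[path]' identifier, else None."""
    if identifier.startswith(IDENTIFIER_PREFIX) and len(identifier) > len(IDENTIFIER_PREFIX):
        return identifier[len(IDENTIFIER_PREFIX):]
    return None


def protected_properties(nifi_props_text: str) -> dict[str, str]:
    """Map each protected property name to the scheme identifier in its *.protected marker."""
    suffix = ".protected"
    return {k[: -len(suffix)]: v for k, v in parse_properties(nifi_props_text).items()
            if k.endswith(suffix)}


def undecryptable_transit_properties(bootstrap_props: dict[str, str],
                                     nifi_props_text: str) -> dict[str, str]:
    """Properties protected under a Vault transit path that this bootstrap.conf does
    not enable; a NiFi instance started with it could not decrypt them."""
    enabled = vault_scheme_status(bootstrap_props)["identifier"]
    return {prop: ident for prop, ident in protected_properties(nifi_props_text).items()
            if transit_path_from_identifier(ident) is not None and ident != enabled}


if __name__ == "__main__":
    bootstrap = parse_properties(SAMPLE_BOOTSTRAP)
    status = vault_scheme_status(bootstrap)
    print("provider enabled:", status["provider_enabled"])
    print("transit enabled: ", status["transit_enabled"], "->", status["identifier"])
    for warning in status["warnings"]:
        print("warning:", warning)
    for prop, ident in undecryptable_transit_properties(bootstrap, SAMPLE_NIFI_PROPERTIES).items():
        print(f"cannot decrypt {prop}: protected with {ident}")
```

Run against the constructed sample, the check reports the transit scheme as enabled with identifier `vault/transit/nifi-transit`, warns that a truststore is configured without a password, and flags `nifi.security.keystorePasswd` because its `.protected` marker names a different transit path than the one bootstrap.conf enables. The same `parse_properties` and `vault_scheme_status` calls can be pointed at a real bootstrap.conf before running the Encrypt Config Tool to confirm the tool and the NiFi instance will agree on the Vault configuration.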