thenatog commented on pull request #5110: URL: https://github.com/apache/nifi/pull/5110#issuecomment-877286398
Tested this out with a pkcs12 keystore containing a secret key (`keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12`) and setting it to be used in nifi.properties:

```properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.security.kms.KeyStoreKeyProvider
nifi.provenance.repository.encryption.key.provider.location=./conf/repository.p12
nifi.provenance.repository.encryption.key.provider.password=password
nifi.provenance.repository.encryption.key.id=primary-key
```

and verified that the data is encrypted in the provenance repo data in ./provenance_repository. Thought there was an issue with querying, which turned out to be an authZ issue. I also ran into the below exception when opening the provenance UI:

> 2021-07-09 00:02:10,594 ERROR [Provenance Repository Maintenance-1] o.a.n.p.index.lucene.LuceneEventIndex Failed to perform background maintenance procedures
> java.lang.ClassCastException: org.apache.nifi.provenance.EventIdFirstSchemaRecordReader cannot be cast to org.apache.nifi.provenance.EncryptedSchemaRecordReader
>     at org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository.lambda$initialize$1(EncryptedWriteAheadProvenanceRepository.java:115)
>     at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.rotateReader(SequentialRecordReaderEventIterator.java:109)
>     at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.nextEvent(SequentialRecordReaderEventIterator.java:65)
>     at org.apache.nifi.provenance.store.iterator.AuthorizingEventIterator.nextEvent(AuthorizingEventIterator.java:47)
>     at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:193)
>     at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:159)
>     at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:149)
>     at org.apache.nifi.provenance.index.lucene.LuceneEventIndex.performMaintenance(LuceneEventIndex.java:824)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)

which was a result of having an existing unencrypted provenance database. I stopped NiFi, deleted ./provenance_repository/* and started back up, and provenance was working once I fixed the authz issue.

+1, will merge.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
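The comment above points `KeyStoreKeyProvider` at a PKCS12 store created with `keytool -genseckey`. As an added example (not NiFi's code and not the reviewer's), the program below does the same thing in plain JCA and then performs the pre-flight check a practitioner would want before starting NiFi: the store opens with the configured password, the configured key id exists as a secret-key entry rather than a certificate or private-key entry, and the key is AES with 256 bits. The alias `primary-key`, the store password `password` and the path `./conf/repository.p12` are taken from the comment; the class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Pre-flight check for the keystore referenced by
 * nifi.provenance.repository.encryption.key.provider.location.
 * Added example, not NiFi code: generateKeyStore() reproduces what the keytool
 * command in the comment creates, loadRepositoryKey() verifies the properties
 * the nifi.properties settings depend on.
 */
public class RepositoryKeyStoreCheck {

    /** Same effect as: keytool -genseckey -alias ALIAS -keyalg AES -keysize 256 -keystore PATH -storetype PKCS12 */
    static void generateKeyStore(Path path, char[] password, String alias) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey key = generator.generateKey();

        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null); // initialise an empty in-memory store
        // keytool protects the entry with the store password unless -keypass is given;
        // KeyStoreKeyProvider has a single password property, so keep the two identical.
        store.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        try (OutputStream out = new FileOutputStream(path.toFile())) {
            store.store(out, password);
        }
    }

    /** Loads the key under the configured key id and fails loudly on each misconfiguration. */
    static SecretKey loadRepositoryKey(Path path, char[] password, String alias) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path.toFile())) {
            store.load(in, password); // IOException on a wrong password or a corrupted store
        }
        if (!store.containsAlias(alias)) {
            throw new IllegalStateException("key id '" + alias + "' not in keystore; aliases present: "
                    + Collections.list(store.aliases()));
        }
        // -genkeypair produces a PrivateKeyEntry, which a repository key provider cannot use
        if (!store.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            throw new IllegalStateException("alias '" + alias + "' is not a SecretKeyEntry"
                    + " (was the store created with -genseckey?)");
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) store.getEntry(alias,
                new KeyStore.PasswordProtection(password));
        SecretKey key = entry.getSecretKey();
        if (!"AES".equals(key.getAlgorithm())) {
            throw new IllegalStateException("expected an AES key, found " + key.getAlgorithm());
        }
        int bits = key.getEncoded().length * 8;
        if (bits != 256) {
            throw new IllegalStateException("expected a 256-bit key, found " + bits + " bits");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the comment: alias primary-key, store password "password".
        // With no arguments a fresh store is generated in a temp file and checked;
        // pass ./conf/repository.p12 [password] [alias] to check an existing store.
        String alias = args.length > 2 ? args[2] : "primary-key";
        char[] password = (args.length > 1 ? args[1] : "password").toCharArray();
        Path path;
        if (args.length > 0) {
            path = Paths.get(args[0]);
        } else {
            path = Files.createTempFile("repository", ".p12");
            generateKeyStore(path, password, alias);
        }
        SecretKey key = loadRepositoryKey(path, password, alias);
        System.out.println("OK: " + path + " holds a " + key.getAlgorithm() + "-"
                + (key.getEncoded().length * 8) + " secret key under alias '" + alias + "'");
    }
}
```

Run it as `javac RepositoryKeyStoreCheck.java && java RepositoryKeyStoreCheck ./conf/repository.p12 password primary-key` from the NiFi home directory. A wrong `key.provider.password` surfaces as an `IOException` from `KeyStore.load`, a wrong `key.id` or a store made with `-genkeypair` as an `IllegalStateException`, so each of the properties listed in the comment is exercised once before NiFi itself has to.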