thenatog commented on pull request #5110:
URL: https://github.com/apache/nifi/pull/5110#issuecomment-877286398


   Tested this out with a pkcs12 keystore containing a secret key (`keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12`) and setting it to be used in nifi.properties:
   
   
   ```
   nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
   nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.security.kms.KeyStoreKeyProvider
   nifi.provenance.repository.encryption.key.provider.location=./conf/repository.p12
   nifi.provenance.repository.encryption.key.provider.password=password
   nifi.provenance.repository.encryption.key.id=primary-key
   ```
   
   and verified that the data is encrypted in the provenance repo data in ./provenance_repository. Thought there was an issue with querying which turned out to be an authZ issue. I also ran into the below exception when opening the provenance UI:
   
   > 2021-07-09 00:02:10,594 ERROR [Provenance Repository Maintenance-1] o.a.n.p.index.lucene.LuceneEventIndex Failed to perform background maintenance procedures
   java.lang.ClassCastException: org.apache.nifi.provenance.EventIdFirstSchemaRecordReader cannot be cast to org.apache.nifi.provenance.EncryptedSchemaRecordReader
           at org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository.lambda$initialize$1(EncryptedWriteAheadProvenanceRepository.java:115)
           at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.rotateReader(SequentialRecordReaderEventIterator.java:109)
           at org.apache.nifi.provenance.store.iterator.SequentialRecordReaderEventIterator.nextEvent(SequentialRecordReaderEventIterator.java:65)
           at org.apache.nifi.provenance.store.iterator.AuthorizingEventIterator.nextEvent(AuthorizingEventIterator.java:47)
           at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:193)
           at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:159)
           at org.apache.nifi.provenance.store.PartitionedEventStore.getEvents(PartitionedEventStore.java:149)
           at org.apache.nifi.provenance.index.lucene.LuceneEventIndex.performMaintenance(LuceneEventIndex.java:824)
           at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
           at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
           at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
           at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
           at java.lang.Thread.run(Thread.java:748)
   
   which was a result of having an existing unencrypted provenance database. I stopped NiFi, deleted ./provenance_repository/* and started back up and provenance was working once I fixed the authz issue.
   
   +1, will merge.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

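Added example, not part of the original comment or of the NiFi code base: a Python preflight check that reads the properties quoted in the comment and reports the conditions it ran into, including leftover data in the provenance repository before encryption is switched on. The function names, the `provenance_repository` default for `repo_dir` and the `0.prov` file name are assumptions made for illustration.

```python
import os
import tempfile

PREFIX = "nifi.provenance.repository."
ENCRYPTED_IMPL = "org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository"
REQUIRED = [PREFIX + s for s in (  # property names as quoted in the comment
    "encryption.key.provider.implementation", "encryption.key.provider.location",
    "encryption.key.provider.password", "encryption.key.id")]

# Sample input: the settings from the comment (test values, not for production).
SAMPLE = """\
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.security.kms.KeyStoreKeyProvider
nifi.provenance.repository.encryption.key.provider.location=./conf/repository.p12
nifi.provenance.repository.encryption.key.provider.password=password
nifi.provenance.repository.encryption.key.id=primary-key
"""

def parse_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def preflight(props, nifi_home, repo_dir="provenance_repository"):
    """Return a list of findings; an empty list means every check passed."""
    if props.get(PREFIX + "implementation") != ENCRYPTED_IMPL:
        return ["encrypted provenance repository is not enabled"]
    findings = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    location = props.get(PREFIX + "encryption.key.provider.location")
    if location and not os.path.isfile(os.path.join(nifi_home, location)):
        findings.append(f"keystore not found: {location}")
    repo = os.path.join(nifi_home, repo_dir)  # repo_dir default is an assumption
    if os.path.isdir(repo) and os.listdir(repo):
        findings.append("provenance repository already contains data; existing "
                        "unencrypted events led to the ClassCastException above")
    return findings

def demo():
    """Check a constructed NiFi home that still holds old repository data."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "conf"))
        os.makedirs(os.path.join(home, "provenance_repository"))
        open(os.path.join(home, "conf", "repository.p12"), "wb").close()
        open(os.path.join(home, "provenance_repository", "0.prov"), "wb").close()
        return preflight(parse_properties(SAMPLE), home)
```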