[
https://issues.apache.org/jira/browse/NIFI-4701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16306531#comment-16306531
]
ASF GitHub Bot commented on NIFI-4701:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2350#discussion_r159102294
--- Diff:
nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy
---
@@ -921,6 +1090,39 @@ class ConfigEncryptionTool {
}
}
+ /**
+ * Writes the contents of the authorizers configuration file with
encrypted values to the output {@code authorizers.xml} file.
+ *
+ * @throw IOException if there is a problem reading or writing the
authorizers.xml file
+ */
+ private void writeAuthorizers() throws IOException {
+ if (!outputAuthorizersPath) {
+ throw new IllegalArgumentException("Cannot write encrypted
properties to empty authorizers.xml path")
+ }
+
+ File outputAuthorizersFile = new File(outputAuthorizersPath)
+
+ if (isSafeToWrite(outputAuthorizersFile)) {
+ try {
+ String updatedXmlContent
+ File authorizersFile = new File(authorizersPath)
+ if (authorizersFile.exists() && authorizersFile.canRead())
{
+ // Instead of just writing the XML content to a file,
this method attempts to maintain the structure of the original file and
preserves comments
+ updatedXmlContent =
serializeAuthorizersAndPreserveFormat(authorizers, authorizersFile).join("\n")
+ }
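Review bot: In the `if (authorizersFile.exists() && authorizersFile.canRead())` block, `updatedXmlContent` is declared without an initializer and, in the lines shown, is assigned only inside that branch, so when the check fails it is still null at whatever write follows. The `exists()`/`canRead()` pre-check also does not close the window, because the file can disappear between the check and its later use in `serializeAuthorizersAndPreserveFormat`. Suggest attempting the read, catching the `IOException`, and falling back to serializing `authorizers` directly, then failing instead of writing when the resulting content is empty. Separately, the Javadoc tag `@throw` should be `@throws`, and the `IllegalArgumentException` thrown for an empty `outputAuthorizersPath` is not documented.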
--- End diff --
Due to a possible race condition (`authorizersFile` exists and can be read
when the tool execution starts, but has been deleted/made unreadable by an
external process before `writeAuthorizers` executes), the value of
`updatedXmlContent` will be empty, and it will overwrite `authorizers.xml`.
There should be an `else` branch here which simply serializes `authorizers` to
XML without the preserved whitespace and comments in order to maintain the
content.
This should probably also be done for the LDAP section.
> Support encrypted properties in authorizers.xml
> -----------------------------------------------
>
> Key: NIFI-4701
> URL: https://issues.apache.org/jira/browse/NIFI-4701
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Configuration
> Reporter: Kevin Doran
> Assignee: Kevin Doran
> Fix For: 1.5.0
>
>
> Since the addition of LdapUserGroupProvider (see NIFI-4059) in v1.4.0,
> authorizers.xml can now contain properties for LDAP Server credentials.
> This ticket is to enable properties in authorizers.xml to be encrypted, so
> that the LDAP Server Manager credentials can be protected similar to
> LdapProvider which is configured via login-identity-providers.xml.
> The main changes in nifi-authorizers are:
> * authorizers.xsd to add an encryption attribute to Property
> * to PropertyAuthorizerFactoryBean to check for that attribute and decrypt
> the property value if necessary when creating the configuration context
> Additionally, support for creating an encrypted authorizers.xml, protected by
> the NiFi master key, should be added to the Encrypt Tool in NiFi Toolkit.
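The fallback that the review comment above asks for, as an added example that is not code from the NiFi pull request: `renderWithFallback`, `writeAtomically` and the two serializer closures are hypothetical stand-ins for the tool's own serializers. It goes one step beyond the comment by refusing to write empty content and by replacing the output through a temp file and an atomic move.

```groovy
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.StandardCopyOption

// Hypothetical helpers, not NiFi code. preserveFormat and plainSerialize are
// assumed closures standing in for the tool's two serialization paths.
String renderWithFallback(File original, Closure<String> preserveFormat, Closure<String> plainSerialize) {
    String content = null
    try {
        // No exists()/canRead() pre-check: the file can vanish between the
        // check and the read, so attempt the read and handle the failure.
        content = preserveFormat(original)
    } catch (IOException e) {
        System.err.println("Could not re-read ${original}: ${e.message}; formatting will not be preserved")
    }
    // Fall back to the in-memory model so the encrypted values are not lost
    if (!content?.trim()) {
        content = plainSerialize()
    }
    if (!content?.trim()) {
        throw new IOException("Refusing to overwrite output with empty content")
    }
    content
}

// Write to a temp file in the target directory, then rename over the target
void writeAtomically(File output, String content) {
    Path target = output.toPath().toAbsolutePath()
    // Same directory as the target, so the move stays on one file system
    Path tmp = Files.createTempFile(target.parent, target.fileName.toString(), ".tmp")
    try {
        Files.write(tmp, content.getBytes("UTF-8"))
        Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE)
    } finally {
        Files.deleteIfExists(tmp)   // no-op after a successful move
    }
}

// Constructed demo: the source file is missing, as in the race described above
File dir = Files.createTempDirectory("authz-demo").toFile()
File missing = new File(dir, "authorizers.xml")
File out = new File(dir, "authorizers-out.xml")
String xml = renderWithFallback(missing,
        { File f -> f.getText("UTF-8") },   // throws FileNotFoundException here
        { '<authorizers><!-- constructed sample --></authorizers>' })
writeAtomically(out, xml)
assert out.text.contains('<authorizers>')
```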