[ https://issues.apache.org/jira/browse/NIFI-4701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16306531#comment-16306531 ]
ASF GitHub Bot commented on NIFI-4701:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2350#discussion_r159102294

--- Diff: nifi-toolkit/nifi-toolkit-encrypt-config/src/main/groovy/org/apache/nifi/properties/ConfigEncryptionTool.groovy ---
@@ -921,6 +1090,39 @@ class ConfigEncryptionTool { } } + /** + * Writes the contents of the authorizers configuration file with encrypted values to the output {@code authorizers.xml} file. + * + * @throw IOException if there is a problem reading or writing the authorizers.xml file + */ + private void writeAuthorizers() throws IOException { + if (!outputAuthorizersPath) { + throw new IllegalArgumentException("Cannot write encrypted properties to empty authorizers.xml path") + } + + File outputAuthorizersFile = new File(outputAuthorizersPath) + + if (isSafeToWrite(outputAuthorizersFile)) { + try { + String updatedXmlContent + File authorizersFile = new File(authorizersPath) + if (authorizersFile.exists() && authorizersFile.canRead()) { + // Instead of just writing the XML content to a file, this method attempts to maintain the structure of the original file and preserves comments + updatedXmlContent = serializeAuthorizersAndPreserveFormat(authorizers, authorizersFile).join("\n") + }
--- End diff --

Due to a possible race condition (`authorizersFile` exists and can be read when the tool execution starts, but has been deleted/made unreadable by an external process before `writeAuthorizers` executes), the value of `updatedXmlContent` will be empty, and it will overwrite `authorizers.xml`. There should be an `else` branch here which simply serializes `authorizers` to XML without the preserved whitespace and comments in order to maintain the content. This should probably also be done for the LDAP section.

> Support encrypted properties in authorizers.xml
> -----------------------------------------------
>
>                 Key: NIFI-4701
>                 URL: https://issues.apache.org/jira/browse/NIFI-4701
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Kevin Doran
>            Assignee: Kevin Doran
>             Fix For: 1.5.0
>
>
> Since the addition of LdapUserGroupProvider (see NIFI-4059) in v1.4.0,
> authorizers.xml can now contain properties for LDAP Server credentials.
> This ticket is to enable properties in authorizers.xml to be encrypted, so
> that the LDAP Server Manager credentials can be protected similar to
> LdapProvider which is configured via login-identity-providers.xml.
> The main changes in nifi-authorizers are:
> * authorizers.xsd to add an encryption attribute to Property
> * to PropertyAuthorizerFactoryBean to check for that attribute and decrypt
> the property value if necessary when creating the configuration context
> Additionally, support for creating an encrypted authorizers.xml, protected by
> the NiFi master key, should be added to the Encrypt Tool in NiFi Toolkit.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
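
Review bot: the `authorizersFile.exists() && authorizersFile.canRead()` guard in `writeAuthorizers()` is a check-then-use, so even with an `else` branch the file can still disappear or become unreadable between that check and the call to `serializeAuthorizersAndPreserveFormat(authorizers, authorizersFile)`. Consider attempting the format-preserving serialization directly and treating a read failure as the trigger for the plain serialization of `authorizers`, so that `updatedXmlContent`, which is declared without an initial value, is always assigned before the output file is written. In the Javadoc of the same method, `@throw IOException` should be `@throws IOException`, and the `IllegalArgumentException` thrown for an empty `outputAuthorizersPath` is not documented.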