[ https://issues.apache.org/jira/browse/NIFI-4942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16436345#comment-16436345 ]
ASF GitHub Bot commented on NIFI-4942:
--------------------------------------

Github user YolandaMDavis commented on the issue:

    https://github.com/apache/nifi/pull/2628

@alopresto ran through test cases and this works as expected. One question for you: is there a way to designate an output location for the secure-hash.key file? Such as if I want to pipe it to stdin or just to another location?

Also as a side note I tested with -p (password) input where it may contain certain characters (@, -, and &). The '&' caused the script to fail but also to stall; I needed to do a Control-C to break out of it. The below is resolved by simply including quotes around the password, but it may be good to document this for users:

```
ydavis$ /Users/ydavis/dev/projects/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.7.0-SNAPSHOT-bin/nifi-toolkit-1.7.0-SNAPSHOT/bin/encrypt-config.sh -v -m -b bootstrap.conf -n nifi-migrated-from-hash-key-break-2.properties -o nifi-migrated-from-hash-key-break-3.properties -p thisIs&ABadPassword4 -y '$s0$100801$j8z9NeI9DZEBTbCzOaQJbA$MI0iN/ZPQ5bk4YxcgJ2H95gCToQy3ZbIr7B6OMxB3oA'
[1] 5576
-bash: ABadPassword4: command not found
HW13535:conf ydavis$ 2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: Handling encryption of nifi.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: bootstrap.conf: bootstrap.conf
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) nifi.properties: nifi-migrated-from-hash-key-break-2.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) nifi.properties: nifi-migrated-from-hash-key-break-3.properties
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) login-identity-providers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) login-identity-providers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) authorizers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) authorizers.xml: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (src) flow.xml.gz: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: (dest) flow.xml.gz: null
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.ConfigEncryptionTool: Key migration mode activated
2018/04/12 17:30:13 INFO [main] org.apache.nifi.properties.NiFiPropertiesLoader: Loaded 151 properties from /Users/ydavis/dev/tools/nifi-1.7.0-SNAPSHOT/conf/nifi-migrated-from-hash-key-break-2.properties
2018/04/12 17:30:13 ERROR [main] org.apache.nifi.properties.ConfigEncryptionTool: Encountered an error
java.security.KeyException: Cannot derive key from empty/short password -- password must be at least 12 characters
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
	at org.codehaus.groovy.reflection.CachedConstructor.doConstructorInvoke(CachedConstructor.java:77)
	at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrap.callConstructor(ConstructorSite.java:84)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:247)
	at org.apache.nifi.properties.ConfigEncryptionTool.deriveKeyFromPassword(ConfigEncryptionTool.groovy:1493)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite$StaticMetaMethodSiteNoUnwrapNoCoerce.invoke(StaticMetaMethodSite.java:151)
	at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.callStatic(StaticMetaMethodSite.java:102)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:206)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKeyInternal(ConfigEncryptionTool.groovy:527)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.callCurrent(PogoMetaMethodSite.java:59)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:52)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:154)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:190)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKey(ConfigEncryptionTool.groovy:542)
	at org.apache.nifi.properties.ConfigEncryptionTool.getKey(ConfigEncryptionTool.groovy:541)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
	at org.apache.nifi.properties.ConfigEncryptionTool.main(ConfigEncryptionTool.groovy:1659)
	at org.apache.nifi.properties.ConfigEncryptionTool$main.call(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
	at org.apache.nifi.toolkit.encryptconfig.LegacyMode.run(LegacyMode.groovy:30)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSite.invoke(PogoMetaMethodSite.java:169)
	at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
	at org.apache.nifi.toolkit.encryptconfig.EncryptConfigMain.main(EncryptConfigMain.groovy:109)
Cannot derive key from empty/short password -- password must be at least 12 characters
usage: org.apache.nifi.properties.ConfigEncryptionTool [-h] [-v] [-n <file>] [-o <file>] [-l <file>] [-i <file>] [-a <file>] [-u <file>] [-f <file>] [-g <file>] [-b <file>] [-k <keyhex>] [-e <keyhex>] [-p <password>] [-w <password>] [-y <hashed_keyhex>] [-z <hashed_password>] [-r] [-m] [-x] [-s <password|keyhex>] [-A <algorithm>] [-P <algorithm>] [--currentHashParams]

This tool reads from a nifi.properties and/or login-identity-providers.xml file with plain sensitive configuration values, prompts the user for a master key, and encrypts each value. It will replace the plain value with the protected value in the same file (or write to a new file if specified). It can also be used to migrate already-encrypted values in those files or in flow.xml.gz to be encrypted with a new key.

 -h,--help                                    Show usage information (this message)
 -v,--verbose                                 Sets verbose mode (default false)
 -n,--niFiProperties <file>                   The nifi.properties file containing unprotected config values (will be overwritten unless -o is specified)
 -o,--outputNiFiProperties <file>             The destination nifi.properties file containing protected config values (will not modify input nifi.properties)
 -l,--loginIdentityProviders <file>           The login-identity-providers.xml file containing unprotected config values (will be overwritten unless -i is specified)
 -i,--outputLoginIdentityProviders <file>     The destination login-identity-providers.xml file containing protected config values (will not modify input login-identity-providers.xml)
 -a,--authorizers <file>                      The authorizers.xml file containing unprotected config values (will be overwritten unless -u is specified)
 -u,--outputAuthorizers <file>                The destination authorizers.xml file containing protected config values (will not modify input authorizers.xml)
 -f,--flowXml <file>                          The flow.xml.gz file currently protected with old password (will be overwritten unless -g is specified)
 -g,--outputFlowXml <file>                    The destination flow.xml.gz file containing protected config values (will not modify input flow.xml.gz)
 -b,--bootstrapConf <file>                    The bootstrap.conf file to persist master key
 -k,--key <keyhex>                            The raw hexadecimal key to use to encrypt the sensitive properties
 -e,--oldKey <keyhex>                         The old raw hexadecimal key to use during key migration
 -p,--password <password>                     The password from which to derive the key to use to encrypt the sensitive properties
 -w,--oldPassword <password>                  The old password from which to derive the key during migration
 -y,--secureHashKey <hashed_keyhex>           The old securely-hashed hexadecimal key to authenticate during key migration (see NiFi Admin Guide)
 -z,--secureHashPassword <hashed_password>    The old securely-hashed password to authenticate during key migration (see NiFi Admin Guide)
 -r,--useRawKey                               If provided, the secure console will prompt for the raw key value in hexadecimal form
 -m,--migrate                                 If provided, the nifi.properties and/or login-identity-providers.xml sensitive properties will be re-encrypted with a new key
 -x,--encryptFlowXmlOnly                      If provided, the properties in flow.xml.gz will be re-encrypted with a new key but the nifi.properties and/or login-identity-providers.xml files will not be modified
 -s,--propsKey <password|keyhex>              The password or key to use to encrypt the sensitive processor properties in flow.xml.gz
 -A,--newFlowAlgorithm <algorithm>            The algorithm to use to encrypt the sensitive processor properties in flow.xml.gz
 -P,--newFlowProvider <algorithm>             The security provider to use to encrypt the sensitive processor properties in flow.xml.gz
    --currentHashParams                       Returns the current salt and cost params used to store the hashed key/password

Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home
NiFi Toolkit home: /Users/ydavis/dev/projects/nifi/nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.7.0-SNAPSHOT-bin/nifi-toolkit-1.7.0-SNAPSHOT
```

> NiFi Toolkit - Allow migration of master key without previous password
> ----------------------------------------------------------------------
>
>                 Key: NIFI-4942
>                 URL: https://issues.apache.org/jira/browse/NIFI-4942
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>    Affects Versions: 1.5.0
>            Reporter: Yolanda M. Davis
>            Assignee: Andy LoPresto
>            Priority: Major
>
> Currently the encryption cli in nifi toolkit requires that, in order to migrate from one master key to the next, the previous master key or password should be provided. In cases where the provisioning tool doesn't have the previous value available this becomes challenging to provide and may be prone to error. In speaking with [~alopresto] we can allow toolkit to support a mode of execution such that the master key can be updated without requiring the previous password. Also documentation around its usage should be updated to be clear in describing the purpose and the type of environment where this command should be used (admin only access etc).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
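The quoting failure in the comment above, as an added example that is not part of NiFi, its toolkit, or the thread: a POSIX sh helper a provisioning script can use to hand an arbitrary password or hashed key to encrypt-config.sh as exactly one argument. The function names `sh_quote`, `first_arg`, `roundtrip_sq` and `roundtrip_dq` are chosen here, and the password values are constructed test data. Unquoted, `-p thisIs&ABadPassword4` is two commands: the shell backgrounds encrypt-config.sh with `-p thisIs` (the `[1] 5576` job line, and a six-character password is what trips the "at least 12 characters" check in the trace) and then tries to run `ABadPassword4` on its own, which is the `command not found`. The example goes one step past the comment's advice: it also handles a password containing a single quote, and shows why double quotes are not enough when the value contains `$`, as the `$s0$...` hashed key passed to -y does.

```sh
#!/bin/sh
# Added example, not part of NiFi or its toolkit: quoting a password or hashed
# key when a provisioning script generates an encrypt-config.sh command line.
# All password values below are constructed test data.

# sh_quote STRING: return STRING wrapped in single quotes. An embedded single
# quote is written as '\'' (close quote, escaped quote, reopen quote), so the
# receiving shell still sees one literal argument with no expansion at all.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# first_arg ARGS...: stands in for encrypt-config.sh. Echoes the first argument
# it received and how many arguments it got, so the split is visible.
first_arg() {
    printf '%s|%d' "$1" "$#"
}

# Re-parse a generated command string the way the invoked shell would; eval
# plays the role of the bash prompt in the ticket. Single-quoted: the value
# arrives intact as one argument, whatever characters it contains.
roundtrip_sq() {
    eval "first_arg $(sh_quote "$1")"
}

# Same, but with double quotes. Parameter expansion still runs inside double
# quotes, so a value with '$' in it (such as a NiFi hashed key) is mangled.
roundtrip_dq() {
    eval "first_arg \"$1\""
}

# When the secret is already in a variable in the *same* script, no string
# building is needed: "$pw" is a single argument. sh_quote is for the case
# where a command string is generated for another shell to parse.
run_tool_directly() {
    tool=$1
    pw=$2
    "$tool" -p "$pw"
}

case "${1:-}" in
    --demo)
        roundtrip_sq 'thisIs&ABadPassword4'; echo
        roundtrip_sq '$s0$100801$j8z9NeI9DZEBTbCzOaQJbA$MI0iN/ZPQ5bk4YxcgJ2H95gCToQy3ZbIr7B6OMxB3oA'; echo
        roundtrip_dq 'pw$s0&tail'; echo
        ;;
esac
```

Run with `sh quote_demo.sh --demo` to see the three cases: the `&` password and the `$s0$...` hashed key survive the single-quoted round trip unchanged, while the double-quoted round trip silently drops `$s0` and passes `pw&tail` to the tool. Single quotes are the right choice for both -p and -y; double quotes would have corrupted the hashed key in the ticket before the tool ever saw it.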