[ 
https://issues.apache.org/jira/browse/NIFI-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17878349#comment-17878349
 ] 

ASF subversion and git services commented on NIFI-12080:
--------------------------------------------------------

Commit f828907df50de98abdc73cb6d1c08cba4c4f8271 in nifi's branch 
refs/heads/main from Pierre Villard
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=f828907df5 ]

NIFI-12080 Added support for KV_2 in HashiCorp Parameter Provider

This closes #9209

Signed-off-by: David Handermann <exceptionfact...@apache.org>


> HashiCorp Vault parameter context kv2 compatibility.
> ----------------------------------------------------
>
>                 Key: NIFI-12080
>                 URL: https://issues.apache.org/jira/browse/NIFI-12080
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.20.0
>         Environment: Tested on OpenShift 4.11 and local environment. 
>            Reporter: Robert D
>            Assignee: Pierre Villard
>            Priority: Minor
>         Attachments: image-2023-09-18-15-54-55-187.png, 
> image-2023-09-18-15-55-10-366.png
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When trying to use hashicorp vault with a kv2 backend I can successfully 
> authenticate with vault but trying to use a parameter provider it can't list 
> any secrets.
> I believe it's because {{KeyValueBackend.KV_1}} is hardcoded in the 
> {{listKeyValueSecrets}} function instead of using the member variable 
> {{keyValueBackend}}.
> The code can be seen 
> [here|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java#L148].
> !image-2023-09-18-15-54-55-187.png!
>  
> !image-2023-09-18-15-55-10-366.png!
>  
> After that is changed to {{keyValueBackend}} another issue that comes up is 
> that it can only list the top level secrets. 
> This is because {{listKeyValueSecrets}} hardcodes the path to the [root 
> path|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java#L149].
> For example if there is a secret under the path {{shared/test}} it is 
> inaccessible.
> Adding the {{shared}} path to the Key/Value path parameter also doesn't fix 
> it because Vault expects the metadata path after the kv engine.
> A valid path would be {{/kv/metadata/shared/?list=true}}; adding {{shared}} to 
> the Key/Value path makes a request to {{/kv/shared/metadata/?list=true}}.
> Adding a parameter to the {{listKeyValueSecrets}} function to specify the 
> secret path fixes it.
>  
> In the parameter provider it says it's for Key/Value version 1 secrets but 
> after these changes I could use it with a kv2 backend. The only downside is 
> that it can only get the latest version of the secret but that is good enough 
> for my use case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
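
The path layout described in the report, as an added example that is not NiFi's code or part of the original issue: it builds the list and read paths for both Key/Value versions and prints the wrong KV2 list path that results when the sub-path is appended to the mount. The class, enum and method names are hypothetical, and paths are shown relative to the API root, as in the report.

```java
import java.util.Arrays;
import java.util.stream.Collectors;

public class VaultKvPaths {
    // Hypothetical stand-in for the backend version setting discussed in the issue.
    enum KvVersion { KV_1, KV_2 }

    // Drop leading, trailing and repeated slashes so segments join predictably.
    static String normalize(String path) {
        return Arrays.stream(path.split("/"))
                .filter(segment -> !segment.isEmpty())
                .collect(Collectors.joining("/"));
    }

    // KV1 lists directly under the mount; KV2 lists under <mount>/metadata/.
    static String listPath(String mount, KvVersion version, String secretPath) {
        String m = normalize(mount);
        String p = normalize(secretPath);
        String base = version == KvVersion.KV_2 ? m + "/metadata" : m;
        return "/" + base + "/" + (p.isEmpty() ? "" : p + "/") + "?list=true";
    }

    // KV1 reads directly under the mount; KV2 reads under <mount>/data/.
    static String readPath(String mount, KvVersion version, String secretPath) {
        String m = normalize(mount);
        String p = normalize(secretPath);
        if (p.isEmpty()) {
            throw new IllegalArgumentException("a secret path is required for a read");
        }
        String base = version == KvVersion.KV_2 ? m + "/data" : m;
        return "/" + base + "/" + p;
    }

    public static void main(String[] args) {
        // Sub-path appended to the Key/Value path setting: the request the report says fails.
        System.out.println("wrong KV2 list:   " + listPath("kv/shared", KvVersion.KV_2, ""));
        // Sub-path passed separately: the metadata segment lands right after the mount.
        System.out.println("correct KV2 list: " + listPath("kv", KvVersion.KV_2, "shared"));
        System.out.println("KV1 list:         " + listPath("kv", KvVersion.KV_1, "shared"));
        // The secret path shared/test from the report, read from each backend version.
        System.out.println("KV2 read:         " + readPath("kv", KvVersion.KV_2, "shared/test"));
        System.out.println("KV1 read:         " + readPath("kv", KvVersion.KV_1, "shared/test"));
    }
}
```

The same split applies to Vault policies for a KV2 mount: list capability is granted on the metadata path and read capability on the data path, so a policy written for the KV1 layout does not cover either request.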
