[ https://issues.apache.org/jira/browse/NIFI-9953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nathan Gough updated NIFI-9953:
-------------------------------
      Epic Name: Rebuild encrypt config tool into the 'Property Encryptor' tool 
 (was: Rebuild encrypt config tool)
    Description: 
It may be worth creating a new Property Encryptor tool (Encrypt Config 2.0) 
rather than converting the existing module. This would allow us to 
eventually deprecate the 1.0 tool and not mandate us to maintain backwards 
compatibility in 2.0.

Goals:
 * Eliminate Groovy
 * Reduce complexity of code and complexity of usage
 * Logical separation of components/modularization

Key design concerns:
 # The tool should be implicit rather than explicit - too many parameter inputs 
have made 1.0 too complex and difficult to use (e.g. having to specify every 
single input and output file etc)
 # Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
 # Should be atomic/transactional (all files succeed or fail)
 # Should stream read/write the input and output files
 # Should use Java instead of Groovy
 # Should use PicoCLI as a full featured CLI library which allows subcommands 
([https://github.com/remkop/picocli])
 # Concise error and debug logging to allow users to rectify issues
 # Re-evaluate need for any extra modes (e.g. migrate, key input vs password 
input)

The command interface is expected to look something like this:
{quote}ngough$ ./property-encryptor.sh --help

usage: org.apache.nifi.toolkit.propertyencryptor.PropertyEncryptorMain [-h] 
[-v] [encrypt | decrypt | migrate | translate-cli]

This tool can be used to easily encrypt configuration files for NiFi and its 
sub-projects (NiFi Registry, MiNiFi), as well as the flow.xml.gz or 
flow.json.gz files. Given a root directory, password and scheme it will protect 
all secret values within configuration files or within the 
flow.xml.gz/flow.json.gz with the key/password. The tool can also decrypt 
configuration files given the correct credentials. It also allows for migrating 
the password used from old to new, and changing the encryption scheme used.

-h,--help           Show usage information (this message)

-v,--verbose        Sets verbose mode (default false)

 

Command examples:

./property-encryptor.sh encrypt [config | flow] [root-nifi-dir | 
root-nifi-registry-dir | root-minifi-dir] [password] [scheme]

./property-encryptor.sh decrypt config [root-nifi-dir | root-nifi-registry-dir 
| root-minifi-dir] [password] [scheme]

./property-encryptor.sh migrate [config | flow] [root-nifi-dir | 
root-nifi-registry-dir | root-minifi-dir] [new-password] [new-scheme]

./property-encryptor.sh translate-cli nifi.properties
{quote}

  was:
It may be worth creating a new Encrypt Config 2.0 tool rather than converting 
the existing module. This would allow us to eventually deprecate the 1.0 tool 
and not mandate us to maintain backwards compatibility in 2.0.

Goals:
 * Eliminate Groovy
 * Reduce complexity of code and complexity of usage
 * Logical separation of components/modularization

Key design concerns:
 # The tool should be implicit rather than explicit - too many parameter inputs 
have made 1.0 too complex and difficult to use (e.g. having to specify every 
single input and output file etc)
 # Should work for current and future products (NiFi, NiFi Registry, MiNiFi etc)
 # Should be atomic/transactional (all files succeed or fail)
 # Should stream read/write the input and output files
 # Should use Java instead of Groovy
 # Should use PicoCLI as a full featured CLI library which allows subcommands 
(https://github.com/remkop/picocli)
 # Concise error and debug logging to allow users to rectify issues
 # Re-evaluate need for any extra modes (e.g. migrate, key input vs password 
input)

The command interface is expected to look something like this:
{quote}ngough$ ./encrypt-config-2.sh --help

usage: org.apache.nifi.toolkit.encryptconfig2.EncryptConfigMain [-h] [options]

This tool enables easy encryption and decryption of configuration files for 
NiFi and its sub-projects. Given a root NiFi directory, password and scheme it 
will protect all sensitive values within configuration files with the 
key/password. The tool can also decrypt the files given the correct password.

-h,--help           Show usage information (this message)
    --nifiRegistry   Specifies target NiFi Registry. When this flag is not 
included, NiFi is the target. *// Not sure if required*
-v,--verbose        Sets verbose mode (default false)

 

Command examples:

./encrypt-config-2.sh encrypt [root-nifi-dir | root-nifi-registry-dir | 
root-minifi-dir] password scheme [--flowXml]

./encrypt-config-2.sh decrypt root-nifi-dir password

./encrypt-config-2.sh migrate root-nifi-dir oldpassword newpassword [oldscheme 
newscheme]

./encrypt-config-2.sh translate-cli nifi.properties
{quote}


> The config encryption tool is too complicated to use and can be simplified
> --------------------------------------------------------------------------
>
>                 Key: NIFI-9953
>                 URL: https://issues.apache.org/jira/browse/NIFI-9953
>             Project: Apache NiFi
>          Issue Type: Epic
>          Components: Tools and Build
>    Affects Versions: 1.16.1
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Major
>              Labels: config, encrypt-config, encryption
>
> It may be worth creating a new Property Encryptor tool (Encrypt Config 2.0) 
> rather than converting the existing module. This would allow us to 
> eventually deprecate the 1.0 tool and not mandate us to maintain backwards 
> compatibility in 2.0.
> Goals:
>  * Eliminate Groovy
>  * Reduce complexity of code and complexity of usage
>  * Logical separation of components/modularization
> Key design concerns:
>  # The tool should be implicit rather than explicit - too many parameter 
> inputs have made 1.0 too complex and difficult to use (e.g. having to specify 
> every single input and output file etc)
>  # Should work for current and future products (NiFi, NiFi Registry, MiNiFi 
> etc)
>  # Should be atomic/transactional (all files succeed or fail)
>  # Should stream read/write the input and output files
>  # Should use Java instead of Groovy
>  # Should use PicoCLI as a full featured CLI library which allows subcommands 
> ([https://github.com/remkop/picocli])
>  # Concise error and debug logging to allow users to rectify issues
>  # Re-evaluate need for any extra modes (e.g. migrate, key input vs password 
> input)
> The command interface is expected to look something like this:
> {quote}ngough$ ./property-encryptor.sh --help
> usage: org.apache.nifi.toolkit.propertyencryptor.PropertyEncryptorMain [-h] 
> [-v] [encrypt | decrypt | migrate | translate-cli]
> This tool can be used to easily encrypt configuration files for NiFi and its 
> sub-projects (NiFi Registry, MiNiFi), as well as the flow.xml.gz or 
> flow.json.gz files. Given a root directory, password and scheme it will 
> protect all secret values within configuration files or within the 
> flow.xml.gz/flow.json.gz with the key/password. The tool can also decrypt 
> configuration files given the correct credentials. It also allows for 
> migrating the password used from old to new, and changing the encryption 
> scheme used.
> -h,--help           Show usage information (this message)
> -v,--verbose        Sets verbose mode (default false)
>  
> Command examples:
> ./property-encryptor.sh encrypt [config | flow] [root-nifi-dir | 
> root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
> ./property-encryptor.sh decrypt config [root-nifi-dir | 
> root-nifi-registry-dir | root-minifi-dir] [password] [scheme]
> ./property-encryptor.sh migrate [config | flow] [root-nifi-dir | 
> root-nifi-registry-dir | root-minifi-dir] [new-password] [new-scheme]
> ./property-encryptor.sh translate-cli nifi.properties
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
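
An added illustration of design concerns 3 and 4 in the ticket above (all files succeed or fail; stream the input and output), not code from the ticket or from the NiFi project. The class, `rewriteAll`, the `.bak` naming, the line transform and the sample files are all hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.function.UnaryOperator;
public class AllOrNothingRewrite {
    static Path backup(Path p) { return p.resolveSibling(p.getFileName() + ".bak"); }
    // Hypothetical helper: rewrite every file line by line, or leave all of them untouched.
    static void rewriteAll(List<Path> files, UnaryOperator<String> transform) throws IOException {
        Map<Path, Path> staged = new LinkedHashMap<>();   // original -> staged temp file
        List<Path> swapped = new ArrayList<>();           // originals that have a backup
        try {
            for (Path file : files) {   // Phase 1: stream into temp files; originals untouched
                Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "staged-", ".tmp");
                staged.put(file, tmp);
                try (BufferedReader in = Files.newBufferedReader(file);
                     BufferedWriter out = Files.newBufferedWriter(tmp)) {
                    for (String line; (line = in.readLine()) != null; ) {
                        out.write(transform.apply(line));
                        out.newLine();
                    }
                }
            }
            for (Map.Entry<Path, Path> e : staged.entrySet()) {   // Phase 2: swap in, keeping backups
                Files.copy(e.getKey(), backup(e.getKey()), StandardCopyOption.REPLACE_EXISTING);
                swapped.add(e.getKey());
                Files.move(e.getValue(), e.getKey(), StandardCopyOption.ATOMIC_MOVE);
            }
        } catch (IOException | RuntimeException failure) {
            for (Path p : swapped) Files.move(backup(p), p, StandardCopyOption.REPLACE_EXISTING); // roll back
            throw failure;
        } finally {   // temp files and backups hold secret values: never leave them behind
            for (Path p : staged.keySet()) Files.deleteIfExists(backup(p));
            for (Path tmp : staged.values()) Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("demo-conf");   // constructed sample input below
        Path a = Files.write(dir.resolve("a.properties"), List.of("example.secret=alpha"));
        Path b = Files.write(dir.resolve("b.properties"), List.of("example.secret=beta", "BROKEN"));
        try {   // stand-in transform; it rejects one line to simulate a failure on the second file
            rewriteAll(List.of(a, b), line -> {
                if (line.equals("BROKEN")) throw new IllegalStateException("cannot process " + line);
                return line.replaceFirst("=.*", "=<protected>");
            });
        } catch (IllegalStateException expected) {
            System.out.println("aborted, a.properties still reads " + Files.readAllLines(a));
        }
    }
}
```

Whether `ATOMIC_MOVE` replaces an existing target is implementation specific per the Java API documentation, so the swap should be verified on each supported platform. A process crash during phase 2 can still leave a mix of old and new files, with the `.bak` copies available for recovery.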
