From 47d7157412ff8235ba567bb2dbb8f6e6ca4d660e Mon Sep 17 00:00:00 2001 From: Bryan Bende Date: Fri, 6 Jan 2017 15:12:57 -0500 Subject: [PATCH] NIFI-3299 Added example of sensitive property key migration to the admin guide. This closes #1404. Signed-off-by: Andy LoPresto --- .../main/asciidoc/administration-guide.adoc | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 2c643c1798..c5beb084da 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -1113,6 +1113,10 @@ When applied to 'login-identity-providers.xml', the property elements are update ---- +[encrypt_config_property_migration] +Sensitive Property Key Migration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In order to change the key used to encrypt the sensitive values, indicate *migration mode* using the `-m` or `--migrate` flag, provide the new key or password using the `-k` or `-p` flags as usual, and provide the existing key or password using `-e` or `-w` respectively. This will allow the toolkit to decrypt the existing values and re-encrypt them, and update `bootstrap.conf` with the new key. Only one of the key or password needs to be specified for each phase (old vs. new), and any combination is sufficient: * old key -> new key 
@@ -1120,6 +1124,25 @@ In order to change the key used to encrypt the sensitive values, indicate *migra * old password -> new key * old password -> new password +[encrypt_config_flow_migration] +Existing Flow Migration +~~~~~~~~~~~~~~~~~~~~~~~ + +This tool can also be used to change the value of `nifi.sensitive.props.key` for an existing flow. The tool will read the existing `flow.xml.gz` and decrypt any sensitive component properties using the original key, +then re-encrypt the sensitive properties with the new key, and write out a new version of the `flow.xml.gz`, or overwrite the existing one. + +The current sensitive properties key is not provided as a command-line argument, as it is read directly from `nifi.properties`. As this file is a required parameter, the `-x`/`--encryptFlowXmlOnly` flags tell the tool *not* to attempt to encrypt the properties in `nifi.properties`, but rather to *only* update the `nifi.sensitive.props.key` value with the new key. The exception to this is if the `nifi.properties` is *already* encrypted, the new sensitive property key will also be encrypted before being written to `nifi.properties`. + +The following command would migrate the sensitive properties key in place, meaning it would overwrite the existing `flow.xml.gz` and `nifi.properties`: +---- +./encrypt-config.sh -f /path/to/flow.xml.gz -n ./path/to/nifi.properties -s newpassword -x +---- + +The following command would migrate the sensitive properties key and write out a separate `flow.xml.gz` and `nifi.properties`: +---- +./encrypt-config.sh -f ./path/to/src/flow.xml.gz -g /path/to/dest/flow.xml.gz -n /path/to/src/nifi.properties -o /path/to/dest/nifi.properties -s newpassword -x +---- + [[encrypt-config_password]] Password Key Derivation ~~~~~~~~~~~~~~~~~~~~~~~
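Review bot: in the first hunk (`@@ -1113,6 +1113,10 @@`), the new anchor `[encrypt_config_property_migration]` placed above the "Sensitive Property Key Migration" heading is written with single brackets, which AsciiDoc treats as a block attribute list rather than an anchor, so the section will not be linkable. The existing anchor visible at the end of this patch is `[[encrypt-config_password]]`, i.e. double brackets and an `encrypt-config_` prefix; suggest `[[encrypt-config_property_migration]]` so the id is a real cross-reference target and follows the naming already used in the guide.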
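Review bot: in the second hunk (`@@ -1120,6 +1124,25 @@`), both example commands pass `-s newpassword`, but the prose never introduces `-s`; the paragraph says only that the key is "updated with the new key", and the section just above uses `-k`/`-p` for a new key, so a reader cannot tell which flag carries the new `nifi.sensitive.props.key`. Suggest naming it explicitly, e.g. "provide the new `nifi.sensitive.props.key` value with the `-s` flag", and adding a one-line caveat that a value given on the command line is visible in shell history and in the process list. Same anchor problem as the first hunk: `[encrypt_config_flow_migration]` should be `[[encrypt-config_flow_migration]]`. Two smaller points: the first example mixes `/path/to/flow.xml.gz` with `./path/to/nifi.properties`, and since it overwrites both `flow.xml.gz` and `nifi.properties` in place, a sentence advising a backup before running it (or pointing readers to the `-g`/`-o` form shown in the second example) would be worth adding.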