NIFI-3299 Added example of sensitive property key migration to the admin guide.

This closes #1404.

Signed-off-by: Andy LoPresto <alopresto@apache.org>
Bryan Bende 2017-01-06 15:12:57 -05:00 committed by Andy LoPresto
parent 675f4f544c
commit 47d7157412
No known key found for this signature in database
GPG Key ID: 3C6EF65B2F7DEF69
1 changed file with 23 additions and 0 deletions


@ -1113,6 +1113,10 @@ When applied to 'login-identity-providers.xml', the property elements are update
</provider> </provider>
---- ----
[encrypt_config_property_migration]
Sensitive Property Key Migration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In order to change the key used to encrypt the sensitive values, indicate *migration mode* using the `-m` or `--migrate` flag, provide the new key or password using the `-k` or `-p` flags as usual, and provide the existing key or password using `-e` or `-w` respectively. This will allow the toolkit to decrypt the existing values and re-encrypt them, and update `bootstrap.conf` with the new key. Only one of the key or password needs to be specified for each phase (old vs. new), and any combination is sufficient: In order to change the key used to encrypt the sensitive values, indicate *migration mode* using the `-m` or `--migrate` flag, provide the new key or password using the `-k` or `-p` flags as usual, and provide the existing key or password using `-e` or `-w` respectively. This will allow the toolkit to decrypt the existing values and re-encrypt them, and update `bootstrap.conf` with the new key. Only one of the key or password needs to be specified for each phase (old vs. new), and any combination is sufficient:
* old key -> new key * old key -> new key
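Review bot: the added anchor line `[encrypt_config_property_migration]` is a single-bracket attribute list, not an AsciiDoc anchor, so cross-references to this new section will not resolve; the existing anchors in this file use double brackets and a hyphenated prefix (see `[[encrypt-config_password]]` in the next hunk's context). Suggest `[[encrypt-config_property_migration]]` to match that convention.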
@ -1120,6 +1124,25 @@ In order to change the key used to encrypt the sensitive values, indicate *migra
* old password -> new key * old password -> new key
* old password -> new password * old password -> new password
[encrypt_config_flow_migration]
Existing Flow Migration
~~~~~~~~~~~~~~~~~~~~~~~
This tool can also be used to change the value of `nifi.sensitive.props.key` for an existing flow. The tool will read the existing `flow.xml.gz` and decrypt any sensitive component properties using the original key,
then re-encrypt the sensitive properties with the new key, and write out a new version of the `flow.xml.gz`, or overwrite the existing one.
The current sensitive properties key is not provided as a command-line argument, as it is read directly from `nifi.properties`. As this file is a required parameter, the `-x`/`--encryptFlowXmlOnly` flags tell the tool *not* to attempt to encrypt the properties in `nifi.properties`, but rather to *only* update the `nifi.sensitive.props.key` value with the new key. The exception to this is if the `nifi.properties` is *already* encrypted, the new sensitive property key will also be encrypted before being written to `nifi.properties`.
The following command would migrate the sensitive properties key in place, meaning it would overwrite the existing `flow.xml.gz` and `nifi.properties`:
----
./encrypt-config.sh -f /path/to/flow.xml.gz -n ./path/to/nifi.properties -s newpassword -x
----
The following command would migrate the sensitive properties key and write out a separate `flow.xml.gz` and `nifi.properties`:
----
./encrypt-config.sh -f ./path/to/src/flow.xml.gz -g /path/to/dest/flow.xml.gz -n /path/to/src/nifi.properties -o /path/to/dest/nifi.properties -s newpassword -x
----
[[encrypt-config_password]] [[encrypt-config_password]]
Password Key Derivation Password Key Derivation
~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~
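Review bot: same anchor problem for `[encrypt_config_flow_migration]`, which should be `[[encrypt-config_flow_migration]]`. The `-s` flag that both example commands use to supply the new `nifi.sensitive.props.key` value is never introduced in the prose, which only names `-x`/`--encryptFlowXmlOnly`; a sentence such as "provide the new sensitive properties key with `-s`" before the first `----` block would make the examples self-explanatory, and "As this file is a required parameter" should name `nifi.properties` explicitly since "this file" is ambiguous after the `flow.xml.gz` sentence. Two operational caveats also belong in the text: the first command overwrites both `flow.xml.gz` and `nifi.properties` in place, so a backup (or the second, separate-output form) should be recommended before running it, and because the new key is passed as a plain argument it will be visible in shell history and process listings while the tool runs. Minor: the first example mixes `/path/to/flow.xml.gz` with `./path/to/nifi.properties`; use one path style.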