Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 1.16.1
- None
- CentOS server, Java 11
Description
During setup of a new NiFi instance on a server I decided to encrypt its configuration. It seemed to work well, at least there were no errors given during encryption:
nifi-toolkit-1.16.1/bin/encrypt-config.sh \
  -n "$nifi_props" \
  -l "$login_identity_providers" \
  -a "$authorizers" \
  -b "$bootstrap_conf" \
  -S "$scheme" \
  -p "$passwd" \
  -w "$props_key" \
  -m
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source nifi.properties and destination nifi.properties are identical [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties] so the original will be overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source login-identity-providers.xml and destination login-identity-providers.xml are identical [/disk1/nifi/prod/config/login-identity-providers.xml] so the original will be overwritten
[main] WARN org.apache.nifi.properties.ConfigEncryptionTool - The source authorizers.xml and destination authorizers.xml are identical [/disk1/nifi/prod/config/authorizers.xml] so the original will be overwritten
[main] WARN org.apache.nifi.properties.AbstractBootstrapPropertiesLoader - System Property [nifi.properties.file.path] not found: Using Relative Path [conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.NiFiPropertiesLoader - Loading Application Properties [/disk1/nifi/prod/nifi-1.16.1/conf/nifi.properties]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded NiFiProperties instance with 202 properties
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded login identity providers content (52 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated XML content: ...
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Loaded authorizers content (98 lines)
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.keyPasswd] using [aes/gcm] -> pcGwPE3hcZ2lLkjT||0mDlQs30cpZDCE+fwnMmk4908Wb9gLNdQ1lzgrB7BDZHjptS+oTPRVKlv+SglBw7WKLS+9xY0ryu3w==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.keyPasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.keystorePasswd] using [aes/gcm] -> VwUaUqRLyXN/6X28||/0T7d6w/5PQdgw/aM7hp1Xq3pPaEeGax/mxQ9s4HVn9yeCiT3tulzzA9nyh63Pw2eWdbKnH3s6jAXw==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.keystorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.security.truststorePasswd] using [aes/gcm] -> gHP8eniagijAt2Gz||4ocM4NcfeZX/57FDLwXDlziKX8ZIsa05wof+3vbUl09Q61HT0bagVMDtE1tlvADBIk950oI11hPn2g==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.security.truststorePasswd.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Protected [nifi.sensitive.props.key] using [aes/gcm] -> vyb30QVW4kK/yiAx||LPpSqZ580UVIebndOMtgdKwfE+o7HMX8YrER80/7S7hcg+m9PYIvbLNPVdSlV9n4ri/G6MnuUVvLTA==
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Updated protection key [nifi.sensitive.props.key.protected]
[main] INFO org.apache.nifi.properties.ConfigEncryptionTool - Final result: 205 keys including 4 protected keys
However, when I started the NiFi instance I saw the following message in the "nifi-bootstrap.log" file:
2022-05-11 11:08:57,700 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metaDataSourceAdvisor': Cannot resolve reference to bean 'methodSecurityMetadataSource' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration': Unsatisfied dependency expressed through method 'setObjectPostProcessor' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.properties.SensitivePropertyProtectionException: Protection Scheme [aes/gcm/256] not supported
2022-05-11 11:08:57,701 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...
In "nifi.properties" I have the following:
nifi.sensitive.props.key=...
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=
Why is it that the standard AES_GCM encrypted instance fails to start with the message: "Protection Scheme [aes/gcm/256] not supported"?
There's nothing in the documentation that states otherwise.
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#AES_GCM
The toolkit guide says nothing about this being unsupported.
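An added pre-start check, not part of the original report or of NiFi's own code: it lists the protection scheme recorded beside each protected value in nifi.properties and in the XML files, and checks that aes/gcm values have the `IV||ciphertext` shape seen in the toolkit log above. The function names, the sample input, the 12-byte IV and 16-byte tag sizes, and the XML `encryption` attribute are assumptions not shown on this page.

```python
import base64
import xml.etree.ElementTree as ET

IV_BYTES, TAG_BYTES = 12, 16  # assumed AES-GCM sizes; the logged IV parts decode to 12 bytes

def check_aes_gcm_value(value):
    """Return None if value is base64(IV)||base64(ciphertext+tag), else the reason."""
    iv_b64, sep, ct_b64 = value.strip().partition("||")
    if not sep:
        return "missing '||' delimiter"
    try:
        iv = base64.b64decode(iv_b64, validate=True)
        ct = base64.b64decode(ct_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "not valid base64"
    if len(iv) != IV_BYTES:
        return f"IV is {len(iv)} bytes, expected {IV_BYTES}"
    if len(ct) <= TAG_BYTES:
        return "ciphertext too short to hold data and tag"
    return None

def _finding(name, scheme, value):
    # Only aes/gcm values have the shape checked here; other schemes are just listed.
    problem = check_aes_gcm_value(value) if scheme.startswith("aes/gcm") else None
    return (name, scheme, problem)

def inventory_properties(text):
    """List (property, scheme, problem) for every '<name>.protected' entry."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    props = {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}
    suffix = ".protected"
    return [_finding(k[:-len(suffix)], s, props.get(k[:-len(suffix)], ""))
            for k, s in props.items() if k.endswith(suffix) and s]

def inventory_xml(text):
    """List (name, scheme, problem) for every XML property carrying an encryption attribute."""
    return [_finding(p.get("name"), p.get("encryption"), p.text or "")
            for p in ET.fromstring(text).iter("property") if p.get("encryption")]

# Constructed sample input (not values from the report).
GOOD = "A" * 16 + "||" + "A" * 32      # 12-byte IV, 24-byte ciphertext
SHORT_IV = "A" * 8 + "||" + "A" * 32   # 6-byte IV, should be flagged
SAMPLE_PROPS = f"""nifi.sensitive.props.key={GOOD}
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.security.keyPasswd={SHORT_IV}
nifi.security.keyPasswd.protected=aes/gcm/256
"""
SAMPLE_XML = f"""<authorizers><userGroupProvider>
  <property name="Manager Password" encryption="aes/gcm/256">{GOOD}</property>
  <property name="Url">ldaps://ldap.example.invalid</property>
</userGroupProvider></authorizers>"""
```

Running both inventories against the real files before a restart shows every scheme identifier the runtime will be asked to resolve, which is the value that appears in the "not supported" error.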
Issue Links
- is fixed by
- NIFI-9988 Property Decryption Fails for Authorizers and Login Identity Providers
- Resolved