  1. Apache NiFi
  2. NIFI-10235

Provenance replay fails when repository encryption is enabled


Details

    Description

      Problem summary

      When repository encryption is enabled, replaying a DROP provenance record fails, with the following error appearing in the logs:

      org.apache.nifi.processor.exception.FlowFileAccessException: Failed to export StandardFlowFileRecord[uuid=df985fc5-23da-4094-8783-2e0186bcb92d,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1657864218374-23, container=default, section=23], offset=379, length=1048576],offset=0,name=b29633c4-324e-42fe-b3e8-1ea455fc3650,size=1048576] to /opt/nifi/nifi-current/data/store/.b29633c4-324e-42fe-b3e8-1ea455fc3650 due to java.io.EOFException: Attempted to copy 1048576 bytes but only 1048197 bytes were available

       
      I've observed that the difference between the sizes mentioned in the log is always 379 bytes, regardless of the length of the input file.
       
      With repository encryption disabled, provenance replay works as expected.

      Configuration

      1. NiFi v1.16.3 running as a three-node cluster in Kubernetes.
      2. Each node has up to 8GB memory and 4 CPUs available to it.
      3. Testing has included both NFS and ephemeral (emptyDir) storage.
      4. The encryption key was generated by the following command, using the same JDK version:
           keytool -genseckey -alias key-1 -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12

      nifi.properties

      nifi.repository.encryption.protocol.version=1
      nifi.repository.encryption.key.id=key-1
      nifi.repository.encryption.key.provider=KEYSTORE
      nifi.repository.encryption.key.provider.keystore.location=conf/repository.p12
      nifi.repository.encryption.key.provider.keystore.password=<password>

      Processor group

      GenerateFlowFile processor generating 1MB random files every second to a PutFile processor. Have also tested with InvokeHTTP.

      Other comments

      With repository encryption enabled, I am able to download files via the provenance UI (suggesting that encryption/decryption works). The processor group also performs all other actions as expected.

      Not having the ability to replay provenance records is a blocker for our deployment, which requires data to be encrypted at rest and in transit.
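
A log-triage example for the error quoted in this report, added here and not code from the reporter or the NiFi project: it parses the FlowFileAccessException message and flags entries whose missing byte count equals the non-zero offset= value printed for the content claim, as it does (379) in the quoted log line. The function names are hypothetical, and the second sample line is constructed to exercise the non-matching case.

```python
import re
from typing import Iterable, List, NamedTuple

# Message layout taken from the FlowFileAccessException quoted in this report.
EXPORT_FAILURE = re.compile(
    r"Failed to export StandardFlowFileRecord\[uuid=(?P<uuid>[0-9a-f-]+),"
    r".*?StandardResourceClaim\[id=(?P<claim_id>[^,\]]+),[^\]]*\], "
    r"offset=(?P<claim_offset>\d+), length=\d+\]"
    r".*?Attempted to copy (?P<requested>\d+) bytes "
    r"but only (?P<available>\d+) bytes were available"
)

class ExportFailure(NamedTuple):
    uuid: str
    claim_id: str
    claim_offset: int  # offset= value printed for StandardContentClaim
    requested: int
    available: int

    @property
    def shortfall(self) -> int:
        return self.requested - self.available

def parse_export_failures(lines: Iterable[str]) -> List[ExportFailure]:
    """Extract every export failure that matches the layout above."""
    found = []
    for line in lines:
        m = EXPORT_FAILURE.search(line)
        if m:
            found.append(ExportFailure(m["uuid"], m["claim_id"],
                int(m["claim_offset"]), int(m["requested"]), int(m["available"])))
    return found

def offset_correlated(failures: Iterable[ExportFailure]) -> List[ExportFailure]:
    """Failures whose missing byte count equals a non-zero claim offset."""
    return [f for f in failures if f.claim_offset and f.shortfall == f.claim_offset]

# REPORTED is the message from this report; the second entry is constructed.
REPORTED = (
    "org.apache.nifi.processor.exception.FlowFileAccessException: Failed to export "
    "StandardFlowFileRecord[uuid=df985fc5-23da-4094-8783-2e0186bcb92d,"
    "claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1657864218374-23, "
    "container=default, section=23], offset=379, length=1048576],offset=0,"
    "name=b29633c4-324e-42fe-b3e8-1ea455fc3650,size=1048576] to /opt/nifi/nifi-current/"
    "data/store/.b29633c4-324e-42fe-b3e8-1ea455fc3650 due to java.io.EOFException: "
    "Attempted to copy 1048576 bytes but only 1048197 bytes were available")
SAMPLE_LOG = [REPORTED, REPORTED.replace("only 1048197", "only 1048000")]

if __name__ == "__main__":
    for f in offset_correlated(parse_export_failures(SAMPLE_LOG)):
        print(f"{f.uuid} claim={f.claim_id} short by {f.shortfall} = claim offset")
```
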

      Attachments

        1. NiFi_Flow.json
          5 kB
          Peter Kimberley
        2. error-base-install.log
          5 kB
          Peter Kimberley
        3. error.log
          3 kB
          Peter Kimberley

          People

            exceptionfactory David Handermann
            p-kimberley Peter Kimberley