Thursday, October 4, 2018

Decrypting Nifi Passwords

One of the great dangers of a multi-tenant environment is that not all of the necessary data is properly archived. In migrating from one Nifi version to another, we realized that not all of the passwords had been stored in a password safe. This would have slowed down our migration significantly.

Nifi holds its passwords in the flow.xml.gz file, but they are encrypted. To recover the passwords, we had to find a way to decrypt all of them easily. Luckily, Nifi has a toolkit for just this!

Big props to my coworker, who did the following.

The encrypt-config.sh shell script calls the following class:
org.apache.nifi.toolkit.encryptconfig.EncryptConfigMain

On line 814, you can see the following code, where the password is decoded.
String plaintext = decryptFlowElement(wrappedCipherText, existingFlowPassword, existingAlgorithm, existingProvider)

With one line of code, and a quick recompile, the script now outputs all of the formerly encrypted passwords.

Code to add after line 814:
// Log every wrapped cipher text found in the flow next to its decrypted value
flowXmlContent.findAll(WRAPPED_FLOW_XML_CIPHER_TEXT_REGEX) { String wrappedCipherText ->
    logger.warn("Original: " + wrappedCipherText + "\t Decrypted:" + decryptFlowElement(wrappedCipherText, existingFlowPassword, existingAlgorithm, existingProvider))
}


This worked out really well: we can now archive all of the passwords into a password safe and continue with the migration.
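The patched toolkit prints each cipher text with its plaintext, but not which component owns it. The following Python script is an added example, not part of the original post or of the NiFi toolkit: it lists every `enc{...}` value in a flow.xml.gz together with its component and property name, without decrypting anything. The element layout, the `enc{hex}` pattern, the function name and the sample flow are assumptions constructed for illustration.

```python
import gzip
import io
import re
import xml.etree.ElementTree as ET

# Wrapped cipher text as it appears in flow.xml: enc{<hex>} (assumed pattern).
WRAPPED = re.compile(r"enc\{[a-fA-F0-9]+\}")

def inventory_encrypted_properties(flow_gz_bytes):
    """Return (component_tag, component_name, property_name, wrapped_value) tuples."""
    with gzip.open(io.BytesIO(flow_gz_bytes)) as fh:
        root = ET.parse(fh).getroot()
    found = []
    # Treat any element that directly owns <property> children as a component.
    for component in root.iter():
        props = component.findall("property")
        if not props:
            continue
        comp_name = component.findtext("name", default="(unnamed)")
        for prop in props:
            value = (prop.findtext("value") or "").strip()
            if WRAPPED.fullmatch(value):
                found.append((component.tag, comp_name, prop.findtext("name"), value))
    return found

# Constructed sample flow; names and cipher texts are made up for this example.
SAMPLE_FLOW = b"""<flowController>
  <rootGroup>
    <processor>
      <name>PutSFTP to archive</name>
      <property><name>Hostname</name><value>sftp.example.internal</value></property>
      <property><name>Password</name><value>enc{0a1b2c3d4e5f}</value></property>
    </processor>
  </rootGroup>
  <controllerService>
    <name>Warehouse DBCP pool</name>
    <property><name>Database User</name><value>etl</value></property>
    <property><name>Password</name><value>enc{deadBEEF0123}</value></property>
  </controllerService>
</flowController>"""
SAMPLE_FLOW_GZ = gzip.compress(SAMPLE_FLOW)

if __name__ == "__main__":
    # Tab-separated checklist: one row per secret that must exist in the password safe.
    for tag, comp, prop, wrapped in inventory_encrypted_properties(SAMPLE_FLOW_GZ):
        print(f"{tag}\t{comp}\t{prop}\t{wrapped}")
```

The rows can be joined on the `Original:` cipher text in the toolkit log to label each decrypted value. That log holds the plaintext passwords, whereas this inventory contains only cipher text.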

1 comment:

  1. Thanks for this post. I also wrote a similar post and added a GitHub repo (https://link.medium.com/otjmSunqDR)