One of the great challenges of a multi-tenant environment is ensuring that all of the necessary data is properly archived. While migrating from one NiFi version to another, we realized that not all of the passwords had been stored in a password safe. This would have slowed down our migration significantly.
NiFi holds its passwords in the flow.xml.gz file, but they are encrypted. To recover the passwords, we had to find a way to decrypt all of them easily. Luckily, NiFi has a toolkit for just this!
Big props to my coworker, who did the following.
The encrypt-config.sh shell script calls the following class:
org.apache.nifi.toolkit.encryptconfig.EncryptConfigMain
On line 814, you can see the following code, where the password is decrypted.
String plaintext = decryptFlowElement(wrappedCipherText, existingFlowPassword, existingAlgorithm, existingProvider)
With one line of code, and a quick recompile, the script now outputs all of the formerly encrypted passwords.
Code to add after line 814:
// Log every wrapped ciphertext found in the flow next to its decrypted value
flowXmlContent.findAll(WRAPPED_FLOW_XML_CIPHER_TEXT_REGEX) { String wrappedCipherText ->
    logger.warn("Original: " + wrappedCipherText + "\t Decrypted:" + decryptFlowElement(wrappedCipherText, existingFlowPassword, existingAlgorithm, existingProvider))
}
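This worked out really well: we can now archive all of the passwords into a password safe and continue with the migration. Because the added line writes every plaintext password through logger.warn, the toolkit's log output from that run needs the same protection as the password safe itself.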
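To check before a migration which sensitive properties still lack a password-safe entry, without decrypting anything, the flow file can be inventoried. The script below is an added example, not part of the original post or the NiFi toolkit; it assumes wrapped values look like enc{hex} and that each component carries name and property/name/value child elements, and the sample flow and safe entries are constructed.

```python
import gzip
import io
import re
import xml.etree.ElementTree as ET

# Assumed form of a wrapped sensitive value in flow.xml: enc{<hex>}
ENC_RE = re.compile(r"^enc\{[0-9a-fA-F]+\}$")

def inventory_sensitive(flow_gz_bytes):
    """Return sorted (component name, property name) pairs whose value is encrypted."""
    with gzip.open(io.BytesIO(flow_gz_bytes)) as fh:
        root = ET.parse(fh).getroot()
    found = []
    # Visit every element that directly owns <property> children (processors,
    # controller services, ...) instead of hard-coding the component tag names.
    for owner in root.iter():
        for prop in owner.findall("property"):
            value = (prop.findtext("value") or "").strip()
            if ENC_RE.match(value):
                found.append((owner.findtext("name", "?"), prop.findtext("name", "?")))
    return sorted(found)

def missing_from_safe(found, safe_entries):
    """Encrypted properties that have no matching entry in the password safe."""
    return [item for item in found if item not in safe_entries]

# Constructed sample flow, not taken from a real NiFi instance.
SAMPLE_XML = b"""<flowController><rootGroup><name>NiFi Flow</name>
  <processor><name>PutSFTP to partner</name>
    <property><name>Hostname</name><value>sftp.example.com</value></property>
    <property><name>Password</name><value>enc{0123abcd}</value></property>
  </processor>
  <controllerService><name>Orders DBCP</name>
    <property><name>Database User</name><value>orders</value></property>
    <property><name>Password</name><value>enc{deadbeef00}</value></property>
  </controllerService>
</rootGroup></flowController>"""
SAMPLE_FLOW = gzip.compress(SAMPLE_XML)

# Constructed stand-in for an export of what the password safe already holds.
SAFE_ENTRIES = {("Orders DBCP", "Password")}

if __name__ == "__main__":
    found = inventory_sensitive(SAMPLE_FLOW)
    print("encrypted properties in flow:", len(found))
    for component, prop in missing_from_safe(found, SAFE_ENTRIES):
        print("not in password safe:", component, "/", prop)
```
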
Thanks for this post. I also wrote a similar post and added a GitHub repo (https://link.medium.com/otjmSunqDR)