NIFI-2652 [WIP] Handle encrypted config key migration #1186

Closed
alopresto wants to merge 1 commit into apache:master from alopresto:NIFI-2652

@alopresto
Contributor

@alopresto alopresto commented Nov 5, 2016

Submitting a WIP PR because other features depend on this work. There is an unrelated test failure that I got locally after rebasing against master, so I will investigate that, but the module where I did all of this work is fine.

I will also update the Admin Guide with instructions for key migration and squash these commits.


Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically master)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

@YolandaMDavis
Contributor

@alopresto happy to review (understanding this is WIP)

@YolandaMDavis
Contributor

@alopresto I also received problems running the unit tests but confirmed that I could migrate keys using several scenarios:

raw key -> raw key
password -> password
password -> raw key
raw key -> password

Also tried negative conditions, including an incorrect old password/raw key, and received the expected exception.

Once the unit test issue is resolved I can reevaluate for merge. Thanks @alopresto!

@YolandaMDavis
Contributor

@alopresto just to add clarity on unit test failures, I am specifically receiving a problem when running the ConfigEncryptionToolTest. Several tests are failing for me and the failure appears to be due to a generated key that looks truncated.

@alopresto
Contributor Author

@YolandaMDavis made a good catch; the tests are ambivalent in regard to JCE jurisdiction policy, but some of the test resources I generated relied on 256-bit keys and so were not compatible with an environment that did not have the policies installed. I have provided resources with 128-bit keys to allow them to run on any environment.
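The migration scenarios and the JCE key-length limit discussed in this thread, as an added sketch that is not code from this PR or from NiFi. AES-GCM, the `IV || ciphertext` layout, PBKDF2 standing in for scrypt, and every class and method name are assumptions made for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyMigrationSketch { // hypothetical class, for illustration only
    static byte[] random(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }
    // Largest AES key size the installed JCE policy permits, capped at 256 bits.
    static int keyBits() throws GeneralSecurityException { return Math.min(Cipher.getMaxAllowedKeyLength("AES"), 256); }
    // Password path. PBKDF2 stands in for scrypt, which the JDK does not ship.
    static SecretKeySpec fromPassword(char[] pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, keyBits());
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(), "AES");
    }
    // Raw-key path: reject a key the runtime cannot use rather than truncating it.
    static SecretKeySpec fromRawKey(byte[] raw) throws GeneralSecurityException {
        if (raw.length * 8 > keyBits()) throw new GeneralSecurityException("key exceeds JCE policy limit");
        return new SecretKeySpec(raw, "AES");
    }
    static byte[] encrypt(SecretKeySpec key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // stored form: IV || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] decrypt(SecretKeySpec key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    // Migration: decrypt under the old key, then re-encrypt under the new one with a fresh IV.
    static byte[] migrate(byte[] blob, SecretKeySpec oldKey, SecretKeySpec newKey) throws GeneralSecurityException { return encrypt(newKey, decrypt(oldKey, blob)); }
    public static void main(String[] args) throws Exception {
        SecretKeySpec oldKey = fromPassword("constructed-old-password".toCharArray(), random(16)); // constructed inputs
        SecretKeySpec newKey = fromRawKey(random(16)); // 128-bit raw key, usable under any policy
        byte[] migrated = migrate(encrypt(oldKey, "sensitive value".getBytes(StandardCharsets.UTF_8)), oldKey, newKey);
        System.out.println(new String(decrypt(newKey, migrated), StandardCharsets.UTF_8)); // password -> raw key
        try { migrate(migrated, oldKey, oldKey); } // wrong old key: the GCM tag check fails
        catch (AEADBadTagException e) { System.out.println("wrong old key rejected"); }
    }
}
```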

@alopresto
Contributor Author

@YolandaMDavis I believe I have resolved the issue you were encountering, and the unrelated test failure was due to DNS settings on my machine which I have now fixed. Please perform the review. Thank you.

@YolandaMDavis
Contributor

@alopresto re-ran the unit tests and scenarios look good

+1

Added test resources with 128-bit encryption for environments without unlimited strength cryptographic jurisdiction policies installed. All tests pass in both 128- and 256-bit environments. (+8 squashed commits)
Squashed commits:
[55f127c] NIFI-2652 Updated Admin Guide with instructions for encrypted config key migration.
[05abf0e] NIFI-2652 Added unit tests for negative cases for migration argument parsing.
Cleaned up TODOs and comments.
[9b73b22] NIFI-2652 Removed SCrypt mock from one unit test that didn't need it. Test pollution is removed and all tests pass.
[d17ea77] NIFI-2652 Removed SCrypt mock from one redundant unit test. One offender remains ignored.
[0924ce0] NIFI-2652 Removed SCrypt mock from one unit test that did not need it. Two offenders remain ignored.
[cb5f850] NIFI-2652 Expanded unit test for combinations into individual tests due to System.exit() only being capturable once per test.
Three tests which mock Scrypt for speed are temporarily ignored to perform test pollution identification.
[c9cc5dc] NIFI-2652 Added logic and unit test for all combinations of original key/password and new key/password.
[19713ec] NIFI-2652 Implemented first pass of key migration logic and provided single comprehensive unit test.
@asfgit asfgit closed this in 89eb2ce Nov 8, 2016