NIFI-5481 Additional Sensitive Property Providers #3672
Conversation
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CipherUtils.java
Outdated
Show resolved
Hide resolved
| * @return integer value such that upper >= value >= lower | ||
| */ | ||
| public static int getRandomInt(int lower, int upper) { | ||
| int value = random.nextInt(upper); |
There was a problem hiding this comment.
I would suggest a construct of random.nextInt(upper - lower) + lower; which avoids the while() loop.
...commons/nifi-security-utils/src/test/java/org/apache/nifi/security/util/CipherUtilsTest.java
Outdated
Show resolved
Hide resolved
...properties-loader/src/main/java/org/apache/nifi/properties/sensitive/ExternalProperties.java
Show resolved
Hide resolved
...rties-loader/src/main/java/org/apache/nifi/properties/sensitive/ProtectedNiFiProperties.java
Show resolved
Hide resolved
| String keyPassword; // and that key has a random password, too | ||
| } | ||
|
|
||
| private static final String[] keyAlgos = {"RSA", "DSA", "ECDSA", "AES"}; |
There was a problem hiding this comment.
If the wrapped SPP in the KeyStoreSensitivePropertyProvider is AESSensitivePropertyProvider, I am confused about what actually happens when an RSA, DSA, or ECDSA key is retrieved from the keystore and used -- if it's just raw key bytes, the lengths still shouldn't match the 128, 192, or 256 bit expected key lengths.
There was a problem hiding this comment.
We should enforce a validation check on line 104 of KeyStoreSensitivePropertyProvider which ensures the returned SecretKey from the keystore is an AES key (.secretKey.getAlgorithm()).
|
|
||
| @Before | ||
| public void setUpTest() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException { | ||
| final byte[] keyBytes = new byte[32]; |
There was a problem hiding this comment.
This will fail on systems that do not have the unlimited strength crypto jurisdiction policies installed. As more people move to 1.8 112+ we will be ok, but some users are still on 1.8 prior. Recommend using 16 byte / 128 bit key length.
| } | ||
| } | ||
|
|
||
| // These tests show we can use an AWS KMS key to encrypt/decrypt property values. |
There was a problem hiding this comment.
Copy/paste error on comment.
| mkdir -p /runtime | ||
|
|
||
| openssl genrsa -out /runtime/root.key 4096 | ||
| openssl req -x509 -new -nodes -sha256 -days 1024 -subj "/C=US/ST=AK/O=Data in Motion/CN=localhost" -key /runtime/root.key -out /runtime/root.crt |
There was a problem hiding this comment.
Change "Data in Motion" to "Apache NiFi" on these two lines.
| @@ -353,14 +353,13 @@ private static String loadFormattedKey(String[] args) { | |||
| if (parsedArgs.contains(KEY_FILE_FLAG)) { | |||
| key = getKeyFromKeyFileAndPrune(parsedArgs); | |||
| // Format the key (check hex validity and remove spaces) | |||
| key = formatHexKey(key); | |||
|
|
|||
| // key = formatHexKey(key); | |||
There was a problem hiding this comment.
Remove commented lines if not necessary.
There was a problem hiding this comment.
Removed, thanks for catching that.
| @@ -1720,9 +1720,9 @@ For each Node, the minimum properties to configure are as follows: | |||
| thread pool will never have fewer than this number of threads. It will grow as needed up to the maximum value set by the `nifi.cluster.node.protocol.max.threads` | |||
| property. | |||
| ** `nifi.cluster.node.protocol.max.threads` - The maximum number of threads that should be used to communicate with other nodes in the cluster. This property | |||
| defaults to `50`. A thread pool is used for replication requests to all nodes, and the thread pool will have a "core" size that is configured by the | |||
There was a problem hiding this comment.
Could you revert all the unnecessary changes on the documentation?
There was a problem hiding this comment.
Oof, yeah. I would blame my tools if I could. Thanks for the catch.
.../main/java/org/apache/nifi/properties/sensitive/gcp/kms/GCPKMSSensitivePropertyProvider.java
Show resolved
Hide resolved
natural
force-pushed
the
nifi-6363-draft
branch
from
0740d97
to
54a1100
Compare
natural
changed the title
NIFI-6325 Adds support for AWS KMS Sensitive Property Provider.
natural
force-pushed
the
nifi-6363-draft
branch
from
92fda89
to
63d998b
Compare
|
Resubmitting in #3916. |
Description of PR
The code in this change-set provides the following:
This PR replaces #3542.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically
master)?Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not
squashor use--forcewhen pushing to allow for clean monitoring of changes.For code changes:
mvn -Pcontrib-check clean installat the rootnififolder?LICENSEfile, including the mainLICENSEfile undernifi-assembly?NOTICEfile, including the mainNOTICEfile found undernifi-assembly?.displayNamein addition to .name (programmatic access) for each of the new properties?For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.