
NIFI-10235 Set Replay ContentClaim Length from Content Repository #6228

Closed

Conversation


@exceptionfactory exceptionfactory commented Jul 20, 2022

Summary

NIFI-10235 Changes the behavior of Provenance Replay handling to resolve issues when running with encrypted repositories enabled.

When running with encrypted repositories, the content stored in the repository is larger than the file size itself, since it contains an encryption metadata header. This difference in size causes Provenance Replays to fail due to setting the replay ContentClaim length based on the previous file size. Changing the approach to set the ContentClaim length based on the ContentClaim size that the Content Repository reports allows replays to function as expected.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

- Changed Replay ContentClaim Length from previous file size to Content Repository size returned for ContentClaim
- Corrected Replay handling for Encrypted Repositories since the ContentClaim Length is larger than the File Size when encrypted
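The size mismatch the pull request describes can be shown with a small simulation. The following Python is an added example, not NiFi's code: it models a content repository that prefixes every stored claim with a constructed 25-byte encryption metadata header and a toy HMAC-based keystream cipher (a stand-in for NiFi's real AES-based repository encryption, which has its own header layout). The `replay_with_file_size` function mirrors the pre-fix behaviour of sizing the replay ContentClaim from the FlowFile's previous size; `replay_with_repository_size` mirrors the fix of using the size the repository reports. All names, the header format and the sample content are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed on-disk layout for an encrypted claim (not NiFi's actual format):
#   MAGIC (4 bytes) | key id (1 byte) | IV (16 bytes) | payload length (4 bytes) | payload
HEADER_FORMAT = ">4sB16sI"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)  # 25 bytes of encryption metadata
MAGIC = b"TOYE"
KEY_ID = 1
KEY = b"constructed-demo-key-not-for-real-use"


def _keystream(key, iv, length):
    """HMAC-SHA256 counter keystream: a toy stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedContentRepository:
    """Stores each claim as header + encrypted payload and reports the stored size."""

    def __init__(self):
        self._store = {}

    def write(self, claim_id, plaintext):
        iv = os.urandom(16)
        header = struct.pack(HEADER_FORMAT, MAGIC, KEY_ID, iv, len(plaintext))
        stream = _keystream(KEY, iv, len(plaintext))
        payload = bytes(a ^ b for a, b in zip(plaintext, stream))
        self._store[claim_id] = header + payload

    def size(self, claim_id):
        """Size the repository reports: header plus payload, larger than the plaintext."""
        return len(self._store[claim_id])

    def read(self, claim_id, length):
        """Decrypt the first `length` stored bytes; raise if the slice is truncated."""
        raw = self._store[claim_id][:length]
        if len(raw) < HEADER_LEN:
            raise ValueError("claim slice shorter than encryption header")
        magic, key_id, iv, payload_len = struct.unpack(HEADER_FORMAT, raw[:HEADER_LEN])
        if magic != MAGIC or key_id != KEY_ID:
            raise ValueError("unexpected encryption header")
        payload = raw[HEADER_LEN:]
        if len(payload) != payload_len:
            raise ValueError(f"truncated payload: have {len(payload)}, header says {payload_len}")
        return bytes(a ^ b for a, b in zip(payload, _keystream(KEY, iv, payload_len)))


def replay_with_file_size(repo, claim_id, previous_file_size):
    """Pre-fix behaviour: the replay claim length is the FlowFile's previous size."""
    return repo.read(claim_id, previous_file_size)


def replay_with_repository_size(repo, claim_id):
    """Post-fix behaviour: the replay claim length is what the repository reports."""
    return repo.read(claim_id, repo.size(claim_id))


def demo():
    """Show the replay failing with the file size and succeeding with the repository size."""
    repo = EncryptedContentRepository()
    content = b"constructed FlowFile content for replay"  # FlowFile size is len(content)
    repo.write("claim-1", content)
    try:
        replay_with_file_size(repo, "claim-1", len(content))
        old_result = "unexpectedly succeeded"
    except ValueError as exc:
        old_result = f"failed: {exc}"
    new_result = replay_with_repository_size(repo, "claim-1") == content
    return old_result, new_result


if __name__ == "__main__":
    print(demo())
```

With an unencrypted repository the two lengths coincide and both replay paths behave identically, which is why the defect only surfaces once repository encryption is enabled.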
@NissimShiman
Contributor

@exceptionfactory Working to recreate setup before and after fix...

When trying the instructions for creating a storetype of type BCFKS at https://exceptionfactory.com/posts/2021/11/10/configuring-apache-nifi-repository-encryption (under SECRET KEY GENERATION), the `keytool -genseckey` command followed by the `keytool -list` command has output saying that there is an invalid MAC.

This is not a blocker on this (as ticket was done with PKCS12), but I noticed you were the author of that article so maybe that could be looked into at some later time (and by the way, thank you for your very informative articles in general :) )

@exceptionfactory
Contributor Author

exceptionfactory commented Aug 3, 2022

> When trying instructions for creating storetype of type BCFKS https://exceptionfactory.com/posts/2021/11/10/configuring-apache-nifi-repository-encryption (under SECRET KEY GENERATION) the keytool -genseckey followed by the keytool -list command has output saying that there is an invalid MAC

Thanks for the feedback @NissimShiman!

When verifying the BCFKS keystore, it is necessary to provide the store password in the command. The example has the word PLACEHOLDER, which must be changed to the actual password.

I am still evaluating the issues associated with encrypted repositories. The current version of this pull request resolves the problem for simple use scenarios, but there is an additional issue related to content claim length determination when the framework writes multiple FlowFiles to a single resource. I am planning to update the pull request as soon as I have a working solution.

@exceptionfactory exceptionfactory marked this pull request as draft August 3, 2022 15:23
@NissimShiman
Contributor

@exceptionfactory The initial fix works as I was able to verify (using a pkcs12 keystore) that trying to replay a SEND for InvokeHTTP (to ListenHTTP) did not work before the fix, but does work after this fix.

I see where the code is now looking at ContentClaim size to get a more accurate size. Very nice diagnosis.

LGTM +1,
but I'll plan to circle back if/when additional work is done.

The BCFKS issue occurs even when using a real password (and doesn't occur when following the instructions for PKCS12 keys, found in the first link of the SECRET KEY GENERATION section), so I am not sure what is happening with that.

Error is:
keytool error: java.io.IOException: BCKFS KeyStore corrupted: MAC calculation failed

using java:
openjdk version 1.8.0_332

@exceptionfactory
Contributor Author

Thanks again for the feedback on this @NissimShiman, closing for now and will reopen pending a more comprehensive solution.
