NIFI Sensitive Property doesn't appear to work in v1.4.0?


New Contributor

To whom it may concern:

I am attempting to encrypt sensitive processor properties with the following snippet from my nifi.properties file:

nifi.sensitive.props.key=1756eb0b-4eb3-46d6-98a4-a350b46c7459
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=my_secret

I restarted NiFi, but the value of the my_secret attribute remains unencrypted in flow.xml.gz. I've modified the value of my_secret several times, but it is still saved in cleartext.

Any help with this would be greatly appreciated.

In addition, does anyone know what the value "BC" means for the nifi.sensitive.props.provider key? Equivalently, does anyone know where I can get a list of the default sensitive properties?

ACCEPTED SOLUTION

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

Master Guru

@Sonny Chee

The "nifi.sensitive.props.additional.keys" property in the nifi.properties file allows you to specify additional properties from the nifi.properties file for encryption. Only processor properties that have been specifically coded as sensitive will be encrypted. Users cannot define additional processor properties themselves for encryption.

Sorry that the documentation is a bit confusing on this property.

As far as "BC" goes, it stands for Bouncy Castle.

https://www.bouncycastle.org/

Thank you,

Matt
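A quick way to check the behaviour the accepted answer describes, as an added example that is not part of the original thread and not NiFi's own tooling: the script below decompresses flow.xml.gz, walks every processor property and reports whether each stored value is in the enc{...} form NiFi 1.x uses for encrypted sensitive values or is sitting in cleartext. The embedded flow.xml is constructed for the example (the GetSFTP processor, the hex ciphertext and the my_secret value are made up); point audit_flow_file at a real flow.xml.gz to audit a live instance. Run before deployment, it confirms that a property you rely on being secret was actually coded as sensitive by the processor author, which, per the answer above, is the only way it gets encrypted at rest.

```python
import gzip
import io
import re
import xml.etree.ElementTree as ET

# NiFi 1.x stores an encrypted sensitive property value as enc{<hex ciphertext>} in flow.xml.
ENCRYPTED_VALUE = re.compile(r"^enc\{[0-9a-fA-F]+\}$")

# Constructed sample flow.xml for this example: one processor with a property coded as
# sensitive (Password, stored encrypted) and a cleartext property named my_secret,
# mirroring the situation in the question. Values and processor are made up.
SAMPLE_FLOW_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flowController encoding-version="1.2">
  <rootGroup>
    <id>a1</id>
    <name>NiFi Flow</name>
    <processor>
      <id>p1</id>
      <name>GetSFTP</name>
      <class>org.apache.nifi.processors.standard.GetSFTP</class>
      <property>
        <name>Hostname</name>
        <value>sftp.example.internal</value>
      </property>
      <property>
        <name>Password</name>
        <value>enc{6f2a9c1b4e7d8a0f1c2b3d4e5f60718293a4b5c6}</value>
      </property>
      <property>
        <name>my_secret</name>
        <value>hunter2</value>
      </property>
    </processor>
  </rootGroup>
</flowController>
"""


def gzip_bytes(data):
    """Compress raw bytes the way flow.xml.gz is stored on disk (used to build the sample)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(data)
    return buf.getvalue()


def audit_flow(flow_gz_bytes):
    """Return (processor name, property name, status) for every processor property.

    status is "encrypted" for enc{...} values, "empty" for unset values, else "cleartext".
    """
    root = ET.fromstring(gzip.decompress(flow_gz_bytes))
    findings = []
    for proc in root.iter("processor"):
        proc_name = proc.findtext("name", default=proc.findtext("id", default="?"))
        for prop in proc.findall("property"):
            name = prop.findtext("name", default="")
            value = prop.findtext("value")
            if not value:
                status = "empty"
            elif ENCRYPTED_VALUE.match(value):
                status = "encrypted"
            else:
                status = "cleartext"
            findings.append((proc_name, name, status))
    return findings


def audit_flow_file(path):
    """Audit a real flow.xml.gz taken from a NiFi instance's conf directory."""
    with open(path, "rb") as fh:
        return audit_flow(fh.read())


def cleartext_values(findings, watch_names):
    """Property names from watch_names that are stored in cleartext, i.e. not coded as sensitive."""
    return sorted({name for _, name, status in findings
                   if name in watch_names and status == "cleartext"})


if __name__ == "__main__":
    results = audit_flow(gzip_bytes(SAMPLE_FLOW_XML))
    for proc_name, prop_name, status in results:
        print(f"{proc_name:12} {prop_name:12} {status}")
    exposed = cleartext_values(results, {"Password", "my_secret"})
    print("expected-secret properties stored in cleartext:", exposed)
```

The check is deliberately conservative: anything that is not exactly enc{hex} is reported as cleartext, so a value that merely looks obscured in the UI still shows up if it was written to disk unencrypted.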


Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

Master Guru

@Sonny Chee

Processors obscure sensitive property values. In addition, those sensitive property values are encrypted when stored in the flow.xml.gz file.

I cannot think of how those sensitive properties would even get into the NiFi logs, FlowFile repo, content repo, or provenance repo. Sensitive properties are generally defined for password property fields. They are used in facilitating a connection, and I can see no reason why they would ever be written to the content or attributes of a FlowFile.

Is this what you were concerned about?

Thanks,

Matt


Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

New Contributor

@Matt Clarke

Yes, my requirement is to encrypt passwords at rest.

I notice that property values also appear in the database_repository/ files as well...


Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

Master Guru

@Sonny Chee

I am assuming you are referring to the H2 Binary DB file nifi-flow-audit.h2.db?

In that case, properties coded as sensitive are not persisted to the H2 database. NiFi writes literally " ******** " to the H2 DB for these sensitive property values.

Thanks,

Matt

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

New Contributor

Thanks for the detailed response, @Matt Clarke.

In addition to flow.xml.gz, can I assume that sensitive properties will be encrypted in all locations (logs, repositories)?
