Nifi encrypt variables/properties files


Problem description

Nifi custom properties (per-environment property files) look to be a perfect way to define environment-specific paths and credentials. The only issue is how to keep sensitive information there? There is the Nifi Encrypt-Config Tool, described in more detail here.

Nifi encrypt - other than nifi.properties?

As far as I understood, it encrypts only nifi.properties. It's important, because with the Nifi Docker Image I can define only nifi.variable.registry.properties (NIFI_VARIABLE_REGISTRY_PROPERTIES env var) without the ability to modify nifi.properties.

Recommended answer

The NiFi encrypt-config tool interacts with the following configuration files:

  • nifi.properties
  • login-identity-providers.xml
  • authorizers.xml
  • bootstrap.conf
  • flow.xml.gz

It does not handle any linked custom variable definition files, and there is no mechanism for sensitive variables to be properly secured and stored. Variables do not support any sensitive values at all for this reason.

Variables are treated as deprecated in modern versions of NiFi -- still supported but their use is discouraged -- and parameters were introduced in version 1.10.0 as a modern solution. Parameters do support sensitive values and are accessible from every property descriptor at the framework level rather than on a per-field basis depending on the developer's explicit decision to support them. You should prioritize parameters for the storage of sensitive values needed in your flow definitions.

Depending on your threat model, you may have less robust but acceptable alternatives:

  • If you accept the security level of environment variables, you can populate these directly and they will be referenced in any properties which support Expression Language, the same as "NiFi variables".
  • You can edit the nifi.properties file through a custom Docker image, startup scripts, etc. Any modified or added properties in that file can be encrypted by adding their key (property key descriptor, not cryptographic key) as a comma-delimited list to nifi.sensitive.props.additional.keys in that file. These properties will also be protected by the toolkit and decrypted in memory during NiFi application startup. However, nifi.properties is meant to hold framework-level configuration values, not component-level properties.
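The second alternative above (a startup script that adds a property to nifi.properties and registers its key in nifi.sensitive.props.additional.keys before the toolkit runs) as an added example; this is not code from the original answer or from NiFi, and the function names, the sample property keys and the handling of a missing or empty keys list are assumptions of this example.

```shell
#!/bin/sh
# Constructed helper (not part of NiFi or its Docker image): register a
# component-level property in nifi.properties so that encrypt-config can
# protect it. Appends key=value (or replaces an existing value) and adds the
# key to the comma-delimited nifi.sensitive.props.additional.keys list,
# without duplicates, whether that list is missing, empty or populated.
add_sensitive_prop() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { FS = "="; OFS = "="; seen_key = 0; seen_list = 0 }
    # Existing definition of the property: overwrite its value in place.
    $1 == k { print k, v; seen_key = 1; next }
    # The additional-keys list: merge our key into it exactly once.
    $1 == "nifi.sensitive.props.additional.keys" {
      seen_list = 1
      list = substr($0, index($0, "=") + 1)
      n = split(list, parts, ",")
      dup = 0
      for (i = 1; i <= n; i++) if (parts[i] == k) dup = 1
      if (!dup) list = (list == "" ? k : (list "," k))
      print "nifi.sensitive.props.additional.keys", list
      next
    }
    { print }
    END {
      if (!seen_key)  print k, v
      if (!seen_list) print "nifi.sensitive.props.additional.keys", k
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the additional-keys list, e.g. for a startup-script sanity check.
additional_keys() {
  sed -n 's/^nifi.sensitive.props.additional.keys=//p' "$1"
}

# After this step the startup script would invoke the toolkit's encrypt-config
# against nifi.properties and bootstrap.conf (invocation not shown here),
# which encrypts every key listed in nifi.sensitive.props.additional.keys.
```

The property values are still plaintext until encrypt-config runs, so the script must call the toolkit before starting NiFi and the image must not persist the unencrypted intermediate file.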
