We have a problem with nifi-toolkit. When we run encrypt-config.sh, nifi-registry.properties does not get an encrypted password for nifi.registry.db.password.
$ ./nifi-toolkit-1.19.1/bin/encrypt-config.sh --nifiRegistry -b nifi-registry-1.19.1/conf/bootstrap.conf -r nifi-registry-1.19.1/conf/nifi-registry.properties -a nifi-registry-1.19.1/conf/authorizers.xml -p adminpassword
How do we resolve this problem?
Steps to reproduce a similar problem:
Postgres version: postgres:13.9
- Download nifi-registry and nifi-toolkit and unzip these files.
https://www.apache.org/dyn/closer.lua?path=/nifi/1.19.1/nifi-registry-1.19.1-bin.zip
https://dlcdn.apache.org/nifi/1.19.1/nifi-toolkit-1.19.1-bin.zip
- Edit nifi-registry-1.19.1/conf/nifi-registry.properties to connect to the Postgres DB.
nifi.registry.db.directory=./database
nifi.registry.db.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.url=jdbc:postgresql://localhost:5432/nifireg
nifi.registry.db.driver.class=org.postgresql.Driver
nifi.registry.db.driver.directory=./conf/postgresql-42.5.1.jar
nifi.registry.db.username=postgres
nifi.registry.db.password=postgres
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false
- Create a database and a database user and grant privileges in Postgres.
postgres=# CREATE DATABASE nifireg;
postgres=# CREATE USER postgres WITH PASSWORD 'postgres';
postgres=# GRANT ALL PRIVILEGES ON DATABASE nifireg to postgres;
- Update the H2 database file name to be nifi-registry.mv.db.
$ mv nifi-registry-1.19.1/database/nifi-registry-primary.mv.db nifi-registry-1.19.1/database/nifi-registry.mv.db
- Start the Registry and check.
$ nifi-registry-1.19.1/bin/nifi-registry.sh start
$ nifi-registry-1.19.1/bin/nifi-registry.sh status
- Run the encryption command.
$ ./nifi-toolkit-1.19.1/bin/encrypt-config.sh --nifiRegistry -b nifi-registry-1.19.1/conf/bootstrap.conf -r nifi-registry-1.19.1/conf/nifi-registry.properties -a nifi-registry-1.19.1/conf/authorizers.xml -p adminpassword
Config nifi-registry.properties:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# web properties
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=18080
nifi.registry.web.https.host=
nifi.registry.web.https.port=
nifi.registry.web.https.application.protocols=http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true
# security properties
nifi.registry.security.keystore=
nifi.registry.security.keystoreType=
nifi.registry.security.keystorePasswd=
nifi.registry.security.keyPasswd=
nifi.registry.security.truststore=
nifi.registry.security.truststoreType=
nifi.registry.security.truststorePasswd=
nifi.registry.security.needClientAuth=
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=
# sensitive property protection properties
# nifi.registry.sensitive.props.additional.keys=
# providers properties
nifi.registry.providers.configuration.file=./conf/providers.xml
# registry alias properties
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml
# extensions working dir
nifi.registry.extensions.working.directory=./work/extensions
# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=./database
nifi.registry.db.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.url=jdbc:postgresql://localhost:5432/nifireg
nifi.registry.db.driver.class=org.postgresql.Driver
nifi.registry.db.driver.directory=./conf/postgresql-42.5.1.jar
nifi.registry.db.username=postgres
nifi.registry.db.password=postgres
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false
# extension directories
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib
# Identity Mapping Properties
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER
# Group Mapping Properties
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER
# kerberos properties
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours
# OIDC
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
# revision management
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
We found a solution.
We set the property nifi.registry.sensitive.props.additional.keys=nifi.registry.db.password in nifi-registry.properties, and nifi.registry.db.password was encrypted.
More about nifi.registry.sensitive.props.additional.keys - https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#encrypted-passwords-in-configuration-files:~:text=values%20in%20the-,nifi.registry.sensitive.props.additional.keys,-property.
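The two failure modes in this thread are easy to confuse: the toolkit skipped nifi.registry.db.password because the property was never declared sensitive (before the fix), and a declared key can still be in plaintext if encrypt-config.sh has not been run yet. The following checker, added here as an example and not part of the question, the answer or the NiFi project, parses a nifi-registry.properties file and reports both cases. It assumes the toolkit marks each protected value with a sibling `<key>.protected` line (the scheme value `aes/gcm/256` and the ciphertext are constructed placeholders), and the default sensitive-key list is an assumption drawn from the password-valued keys shown in the file above, not the toolkit's authoritative list.

```python
"""Audit a NiFi Registry properties file for sensitive values left in plaintext.

Added example (not NiFi project code). Assumptions are marked below.
"""
import re

# Assumed default set: password/secret keys visible in the file above. The
# toolkit's real default list lives in its source; treat this as illustrative.
ASSUMED_DEFAULT_SENSITIVE_KEYS = {
    "nifi.registry.security.keystorePasswd",
    "nifi.registry.security.keyPasswd",
    "nifi.registry.security.truststorePasswd",
    "nifi.registry.security.user.oidc.client.secret",
}
ADDITIONAL_KEYS_PROP = "nifi.registry.sensitive.props.additional.keys"
PROTECTED_SUFFIX = ".protected"  # assumed marker written next to each encrypted value


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separator,
    value trimmed. Backslash escapes and line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def declared_sensitive_keys(props):
    """Keys the toolkit would protect: assumed defaults plus additional.keys."""
    keys = set(ASSUMED_DEFAULT_SENSITIVE_KEYS)
    extra = props.get(ADDITIONAL_KEYS_PROP, "")
    keys.update(k.strip() for k in extra.split(",") if k.strip())
    return keys


def audit(props, must_protect):
    """Return (not_declared, still_plaintext).

    not_declared:    keys the operator requires encrypted but the toolkit
                     would skip because they are not in the sensitive set.
    still_plaintext: declared keys that carry a value but no '.protected'
                     marker, i.e. encrypt-config.sh has not processed them.
    """
    declared = declared_sensitive_keys(props)
    not_declared = sorted(k for k in must_protect if k not in declared)
    still_plaintext = sorted(
        k for k in declared
        if props.get(k) and not props.get(k + PROTECTED_SUFFIX)
    )
    return not_declared, still_plaintext


MUST_PROTECT = {"nifi.registry.db.password"}

# Constructed excerpt mirroring the question's file before any fix.
BEFORE = """
nifi.registry.security.keystorePasswd=
nifi.registry.db.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.url=jdbc:postgresql://localhost:5432/nifireg
nifi.registry.db.username=postgres
nifi.registry.db.password=postgres
# nifi.registry.sensitive.props.additional.keys=
"""

# Constructed: key declared as sensitive, but encrypt-config.sh not yet run.
DECLARED_NOT_RUN = BEFORE + "nifi.registry.sensitive.props.additional.keys=nifi.registry.db.password\n"

# Constructed: after the fix and after running the toolkit (placeholder ciphertext).
AFTER = """
nifi.registry.sensitive.props.additional.keys=nifi.registry.db.password
nifi.registry.db.username=postgres
nifi.registry.db.password=PLACEHOLDER_CIPHERTEXT||PLACEHOLDER_IV
nifi.registry.db.password.protected=aes/gcm/256
"""


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("declared, not run", DECLARED_NOT_RUN), ("after", AFTER)):
        nd, sp = audit(parse_properties(text), MUST_PROTECT)
        print(f"{label:18s} not declared={nd} still plaintext={sp}")
```

Run it against a real file by replacing the constructed strings with `open("conf/nifi-registry.properties").read()`; a non-empty first list means the additional.keys property is missing the key, a non-empty second list means the toolkit still has to be run (or failed silently) for that key.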