Updating a flow with sensitive properties
If the Sensitive Properties Key (nifi.sensitive.props.key
) is changing
from the source cluster to the destination cluster, you must update the
flow.xml.gz file prior to copying it to each node.
When a value is set for nifi.sensitive.props.key
, the specified key
is used to encrypt sensitive properties in the flow (password fields in components for
example). You can use the Encrypt-Config tool in the NiFi Toolkit to migrate the key and
update the flow.xml.gz. Encrypt-Config performs the following
actions:
-
Reads the existing flow.xml.gz and decrypts the sensitive values using the current key.
-
Encrypts all the sensitive values with a specified new key.
-
Updates the existing nifi.properties and flow.xml.gz files or creates new versions of them.
See Using the Apache NiFi Toolkit for complete information on Encrypt-Config.
Here is an example Encrypt-Config tool command:
$ ./nifi-toolkit-<version>/bin/encrypt-config.sh
-f /path/to/nifi_source/flow.xml.gz
-g /path/to/create/updated/flow.xml.gz
-s <new-password>
-n /path/to/nifi_source/nifi.properties
-o /path/to/create/updated/nifi.properties
-x
Where:
-
-f
specifies the source flow.xml.gz -
-g
specifies the destination flow.xml.gz -
-s
specifies the new sensitive properties key -
-n
specifies the source nifi.properties -
-o
specifies the destination nifi.properties -
-x
tells the Encrypt-Config tool to only process the sensitive properties
If values in nifi.properties have been encrypted using the
Encrypt Configuration Master Key Password property in Ambari (equivalent to the
nifi.master.key.password
property in CFM), add the -b
option:
$ ./nifi-toolkit-<version>/bin/encrypt-config.sh
-b /path/to/nifi_source/bootstrap.conf
-f /path/to/nifi_source/flow.xml.gz
-g /path/to/create/updated/flow.xml.gz
-s <new-password>
-n /path/to/nifi_source/nifi.properties
-o /path/to/create/updated/nifi.properties
-x
Where:
-
-b specifies the source NiFi bootstrap.conf