Updating a flow with sensitive properties

If the Sensitive Properties Key (nifi.sensitive.props.key) differs between the source cluster and the destination cluster, you must update the flow.xml.gz file before copying it to each node.

When a value is set for nifi.sensitive.props.key, the specified key is used to encrypt sensitive properties in the flow (for example, password fields in components). You can use the Encrypt-Config tool in the NiFi Toolkit to migrate the key and update the flow.xml.gz. Encrypt-Config performs the following actions:

  • Reads the existing flow.xml.gz and decrypts the sensitive values using the current key.

  • Encrypts all the sensitive values with a specified new key.

  • Updates the existing nifi.properties and flow.xml.gz files or creates new versions of them.

See Using the Apache NiFi Toolkit for complete information on Encrypt-Config.

Here is an example Encrypt-Config tool command:


$ ./nifi-toolkit-<version>/bin/encrypt-config.sh \
    -f /path/to/nifi_source/flow.xml.gz \
    -g /path/to/create/updated/flow.xml.gz \
    -s <new-password> \
    -n /path/to/nifi_source/nifi.properties \
    -o /path/to/create/updated/nifi.properties \
    -x

Where:

  • -f specifies the source flow.xml.gz

  • -g specifies the destination flow.xml.gz

  • -s specifies the new sensitive properties key

  • -n specifies the source nifi.properties

  • -o specifies the destination nifi.properties

  • -x tells the Encrypt-Config tool to only process the sensitive properties

If values in nifi.properties have been encrypted using the Encrypt Configuration Master Key Password property in Ambari (equivalent to the nifi.master.key.password property in CFM), add the -b option:


$ ./nifi-toolkit-<version>/bin/encrypt-config.sh \
    -b /path/to/nifi_source/bootstrap.conf \
    -f /path/to/nifi_source/flow.xml.gz \
    -g /path/to/create/updated/flow.xml.gz \
    -s <new-password> \
    -n /path/to/nifi_source/nifi.properties \
    -o /path/to/create/updated/nifi.properties \
    -x

Where:

  • -b specifies the source NiFi bootstrap.conf
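
Before copying the updated files to each node, it is worth confirming that either command above actually re-encrypted every sensitive value. The following script is an added example, not part of the NiFi Toolkit or of the original page. It assumes sensitive values appear in flow.xml as enc{<hex>} tokens; the function names and the script name verify_flow.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the NiFi Toolkit: post-migration sanity check.
# Assumption: sensitive values appear in flow.xml as enc{<hex>} tokens.

# Print every enc{...} token in a gzipped flow file, one per line.
enc_values() {
    gzip -dc -- "$1" 2>/dev/null | grep -o 'enc{[0-9a-fA-F]*}' || true
}

# Count non-empty lines on stdin (prints 0 for empty input).
count_lines() {
    grep -c . || true
}

# verify_flow_migration SRC_FLOW DST_FLOW DST_PROPS
# The body runs in a subshell, so "exit" only leaves this function.
verify_flow_migration() (
    src=$1 dst=$2 props=$3
    for f in "$src" "$dst"; do
        gzip -t -- "$f" 2>/dev/null || { echo "FAIL: $f is not valid gzip" >&2; exit 1; }
    done
    n_src=$(enc_values "$src" | count_lines)
    n_dst=$(enc_values "$dst" | count_lines)
    # Every sensitive value in the source must still be present, encrypted.
    [ "$n_src" -eq "$n_dst" ] || { echo "FAIL: $n_src encrypted values in source, $n_dst in destination" >&2; exit 1; }
    # A ciphertext that appears in both files was not re-encrypted.
    reused=$( { enc_values "$src" | sort -u; enc_values "$dst" | sort -u; } | sort | uniq -d | count_lines)
    [ "$reused" -eq 0 ] || { echo "FAIL: $reused ciphertext(s) unchanged" >&2; exit 1; }
    # The updated nifi.properties must carry a non-empty key entry.
    grep -Eq '^nifi\.sensitive\.props\.key=.+' "$props" || { echo "FAIL: no key set in $props" >&2; exit 1; }
    echo "OK: $n_dst sensitive values re-encrypted"
)

# Usage: sh verify_flow.sh SRC_FLOW DST_FLOW DST_PROPS
if [ "$#" -eq 3 ]; then
    verify_flow_migration "$@"
fi
```

Pass the files given to -f, -g and -o, in that order. A non-zero exit status means the updated flow.xml.gz should not be distributed yet.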