0

When i enter access key and secret key for AWSCredentialsProviderControllerService, and try to commit changes, No option for Commit local changes on Nifi appearing, it means unable to commit changes for new access key and secret key Please help here..

If saving sensitive properties like access/secret key not possible, then how access and secret key be stored without using credential file

enter image description here

enter image description here

Krzysztof Madej
  • 32,704
  • 10
  • 78
  • 107
Samjas Subair
  • 11
  • 3

1 Answers1

1

The values of sensitive properties are purposely not saved to registry so that they remain protected within the nifi instance where they are used. So a local change is not registered when you modify those values since they won't be sent to registry.

Bryan Bende
  • 18,320
  • 1
  • 28
  • 39
  • Your question was why can't you commit the changes to registry, which I explained why. You can just enter the values of the access key and secret key once in dev and once in prod and then it will remain after that. – Bryan Bende Oct 23 '20 at 14:49
  • You could also use parameter contexts to add a level of indirection – Bryan Bende Oct 23 '20 at 14:50
  • We are currently set path of properties which contains secret/access key for Credentials File for AWSCredentialsProviderControlerService . Issue, is we are changing properties path for prod and non prod each time we run nifi workflow. trying to come up no change on Configuration on Credential File path, so that access/secret key would be read regardless of prod and non prod. Since credential file wont support Nifi Expresion language, trying to make use of ACCESS KEY/SECRET properties ${ENV:equalsIgnoreCase("prod"):ifElse(${ACESS_PROD},${ACESS_NONPROD})} so unable to implement this change – Samjas Subair Oct 23 '20 at 14:52
  • You can use parameters instead of expression language, all properties can reference a parameter using a different syntax #{credential.file.path} then in dev nifi you have parameter context with credential.file.path to dev file and in prod nifi you have credential.file.path pointing to prod file. – Bryan Bende Oct 23 '20 at 15:17
  • https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#Parameters – Bryan Bende Oct 23 '20 at 15:18
  • we are using nifi version 1.6.0(/opt/apps/nifi/nifi-1.6.0) I don't see an option to add parameters at all. No Parameter Context Manger from the hamburger menu. Why parameters are not available for Nifi. I am trying to add parameters, but no option from Nifi UI – Samjas Subair Oct 23 '20 at 15:27
  • Added in 1.10.0... 1.6.0 is 2.5 years old :) – Bryan Bende Oct 23 '20 at 15:33
  • Oh yeah 1.6 is too old, since nifi is already in prod with 1.6, its hard to upgrade quickly to latest version. It has to go thru management approvals. Within this version(1.6), without using parameters, is there any way to handle access/secret key without changing properties file for credential file for each prod and non prod. – Samjas Subair Oct 23 '20 at 15:40
  • The only thing I can think of is to make the credential file path and name always be the same on both systems, for example make it "/opt/apps/nifi/conf/aws,cred" on both systems – Bryan Bende Oct 23 '20 at 17:06
  • I still don't follow why you can't use the specific properties for Access Key and Secret Key instead of the credential file – Bryan Bende Oct 23 '20 at 17:07
  • i used Access Key as ${ENVIRONMENT:equalsIgnoreCase("prod"):ifElse(${ACCESSS_KEY_PROD},${ACCESSS_KEY_NON_PROD})} and Secret Key as ${ENVIRONMENT:equalsIgnoreCase("prod"):ifElse(${SECRET_KEY_PROD},${SECRET_KEY_NON_PROD})} Since access key and secret key(sensitivie properties) not able to save and commit, hence cannot use it, here i have posted in more detail - https://stackoverflow.com/questions/64502761/nifi-how-to-read-access-secret-key-for-awscredentialsprovidercontrolerservice-i – Samjas Subair Oct 23 '20 at 18:21
  • It doesn't make sense, there should only be one variable for each - ${ACCESS_KEY} and ${SECRET_KEY}, in prod nifi those are set to prod values, in dev nifi those are set to dev values – Bryan Bende Oct 23 '20 at 18:42