Encrypting Configuration Properties
By default, a new Kylo installation does not have any of its configuration properties encrypted. Once you have started Kylo for the first time, the easiest way to derive encrypted versions of property values is to post values to the Kylo services/encrypt endpoint to have it generate an encrypted form for you. You could then paste the encrypted value back into your properties file and mark it as encrypted by prepending the values with {cipher}. For instance, if you wanted to encrypt the Hive datasource password specified in application.properties (assuming the password is “mypassword”), you can get its encrypted form using the curl command like this:
$ curl -u dladmin:thinkbig -H "Content-Type: text/plain; charset=UTF-8" localhost:8400/proxy/v1/feedmgr/util/encrypt –d mypassword
29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
You then copy that value and replace the clear text password string in the properties file with the encrypted value:
hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
注意
官网给的案例测试是返回401错误
{"timestamp":1544088258333,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/encrypt"}curl: (6) Could not resolve host: xn--d-5gn; Name or service not known
curl: (6) Could not resolve host: mypassword; Name or service not known
查api发现:
curl -X POST --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'
正确的请求方式
[root@kylo3 ~]# curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'
{cipher}888909e4cd4a2fb11a14c0e5ff0aebe10784ff8489405fd85549ec81b373be0c[root@kylo3 ~]#
在API给到的请求的基础上加上登录信息就可以了;
-d dladmin:thinkbig
脚本
#!/bin/bash
curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d '$1' 'http://localhost:8400/proxy/v1/feedmgr/util/encrypt'
echo ""
echo ""
使用:
[root@kylo-1 kylo-1]# ./encry.sh hive
{cipher}25314bc577db3b570810c0c9db3f13623773d9027412e8cf6048870e0755f310
[root@kylo-1 kylo-1]#
The benefit of this approach is that you will be getting a value that is guaranteed to work with the encryption settings of the server where that configuration value is being used. Once you have replaced all properties you wish to have encrypted in the properties files, you can restart the Kylo services to use them.
Copy the encryption key file to the folder
cp /opt/kylo/encrypt.key /opt/nifi/ext-config
Change the ownership and permissions of the key file to ensure only nifi can read it
chown nifi /opt/nifi/ext-config/encrypt.key
chmod 400 /opt/nifi/ext-config/encrypt.key
Edit the /opt/nifi/current/bin/nifi-env.sh file and add the ENCRYPT_KEY variable with the key value
export ENCRYPT_KEY="$(< /opt/nifi/ext-config/encrypt.key)"
