gresockj commented on pull request #5410: URL: https://github.com/apache/nifi/pull/5410#issuecomment-938246704
> @gresockj When attempting to verify this with a configured `bootstrap-aws.conf` and a protected property configured in `nifi.properties`, NiFi reported the following exception at startup:
>
> ```
> java.lang.IllegalArgumentException: There was an issue decrypting protected properties
>     at org.apache.nifi.NiFi.initializeProperties(NiFi.java:374)
>     at org.apache.nifi.NiFi.convertArgumentsToValidatedNiFiProperties(NiFi.java:342)
>     at org.apache.nifi.NiFi.convertArgumentsToValidatedNiFiProperties(NiFi.java:338)
>     at org.apache.nifi.NiFi.main(NiFi.java:330)
> Caused by: org.apache.nifi.properties.SensitivePropertyProtectionException: AWS KMS Key [] Validation Failed
>     at org.apache.nifi.properties.AwsKmsSensitivePropertyProvider.validate(AwsKmsSensitivePropertyProvider.java:77)
>     at org.apache.nifi.properties.AwsKmsSensitivePropertyProvider.validate(AwsKmsSensitivePropertyProvider.java:34)
>     at org.apache.nifi.properties.ClientBasedEncodedSensitivePropertyProvider.<init>(ClientBasedEncodedSensitivePropertyProvider.java:42)
>     at org.apache.nifi.properties.AwsKmsSensitivePropertyProvider.<init>(AwsKmsSensitivePropertyProvider.java:38)
>     at org.apache.nifi.properties.StandardSensitivePropertyProviderFactory.lambda$getProvider$7(StandardSensitivePropertyProviderFactory.java:138)
>     at java.util.HashMap.computeIfAbsent(HashMap.java:1127)
>     at org.apache.nifi.properties.StandardSensitivePropertyProviderFactory.getProvider(StandardSensitivePropertyProviderFactory.java:134)
>     at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
>     at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
>     at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
>     at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
>     at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
>     at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>     at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
>     at org.apache.nifi.properties.StandardSensitivePropertyProviderFactory.getSupportedSensitivePropertyProviders(StandardSensitivePropertyProviderFactory.java:175)
>     at org.apache.nifi.properties.NiFiPropertiesLoader.load(NiFiPropertiesLoader.java:173)
> ```
>
> The `bootstrap-aws.conf` does not have a value configured for `aws.kms.key.id` since this is using AWS Secrets Manager.
>
> The problem appears to be that the `AwsKmsClientProvider` instantiates a `KmsClient`, but validation fails in `AwsKmsSensitivePropertyProvider` because the KMS Key Identifier is not configured.
>
> The Azure Key Vault Key and Azure Key Vault Secrets SPP implementations have a similar challenge given that they share the same bootstrap configuration. PR #5435 adding Azure Key Vault Secret SPP addresses this issue with a method named `isMissingProperties()` in the parent `AzureClientProvider`. Implementing classes provided required property names, which determine whether or not the Client will be initialized. This in turn drives how the SPP responds to `isSupported()`. Taking a similar approach here in `AbstractAwsClientProvider` should resolve the problem.

Ah, good catch. I believe I forgot to remove the `aws.kms.key.id` from my existing configuration during testing. The implementation ended up being so similar to #5435 that I believe whichever of these two PRs lands second could possibly refactor out some of the common logic between these two client providers.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
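
A sketch of the required-properties approach described in the quoted review, added here as an illustration; it is not code from NiFi or from either PR. The `*Sketch` class names, `getRequiredPropertyNames()`, `buildClient()` and the `String` stand-in for the SDK client are assumptions; only `aws.kms.key.id`, `isMissingProperties()` and `isSupported()` come from the thread.

```java
import java.util.Collections;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;

public class SupportCheckDemo {
    // Stand-in for an SPP's isSupported(): supported only when a client could be built,
    // so an unconfigured provider is skipped instead of failing validation at startup.
    static boolean isSupported(ClientProviderSketch provider, Properties bootstrap) {
        return provider.getClient(bootstrap).isPresent();
    }

    public static void main(String[] args) {
        // Constructed input: a shared bootstrap-aws.conf with no KMS key configured.
        Properties bootstrap = new Properties();
        bootstrap.setProperty("aws.kms.key.id", "");
        System.out.println("KMS supported: " + isSupported(new KmsClientProviderSketch(), bootstrap));
        System.out.println("Secrets Manager supported: "
                + isSupported(new SecretsManagerClientProviderSketch(), bootstrap));
    }
}

// Hypothetical parent class; the String client is a placeholder for a real SDK client.
abstract class ClientProviderSketch {
    // Property names without which this provider's client must not be initialized.
    protected abstract Set<String> getRequiredPropertyNames();

    protected abstract String buildClient(Properties bootstrap);

    boolean isMissingProperties(Properties bootstrap) {
        return getRequiredPropertyNames().stream().anyMatch(name -> {
            String value = bootstrap.getProperty(name);
            return value == null || value.trim().isEmpty();
        });
    }

    Optional<String> getClient(Properties bootstrap) {
        return isMissingProperties(bootstrap) ? Optional.empty() : Optional.of(buildClient(bootstrap));
    }
}

class KmsClientProviderSketch extends ClientProviderSketch {
    protected Set<String> getRequiredPropertyNames() { return Collections.singleton("aws.kms.key.id"); }
    protected String buildClient(Properties p) { return "kms-client:" + p.getProperty("aws.kms.key.id"); }
}

class SecretsManagerClientProviderSketch extends ClientProviderSketch {
    // Assumption for this sketch: no provider-specific property is required.
    protected Set<String> getRequiredPropertyNames() { return Collections.emptySet(); }
    protected String buildClient(Properties p) { return "secrets-manager-client"; }
}
```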
