Encrypting Kylo property values


Kylo encryption documentation
Encrypting Configuration Properties

By default, a new Kylo installation does not have any of its configuration properties encrypted. Once you have started Kylo for the first time, the easiest way to derive encrypted versions of property values is to post values to the Kylo services/encrypt endpoint to have it generate an encrypted form for you. You could then paste the encrypted value back into your properties file and mark it as encrypted by prepending the values with {cipher}. For instance, if you wanted to encrypt the Hive datasource password specified in application.properties (assuming the password is “mypassword”), you can get its encrypted form using the curl command like this:
$ curl -u dladmin:thinkbig -H "Content-Type: text/plain; charset=UTF-8" localhost:8400/proxy/v1/feedmgr/util/encrypt –d mypassword
29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0

You then copy that value and replace the clear text password string in the properties file with the encrypted value:
hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0


Note
The example from the official site returns a 401 error:
{"timestamp":1544088258333,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/encrypt"}curl: (6) Could not resolve host: xn--d-5gn; Name or service not known
curl: (6) Could not resolve host: mypassword; Name or service not known


Looking up the API turned up this request:
curl -X POST --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'


The correct request:
[root@kylo3 ~]# curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'

{cipher}888909e4cd4a2fb11a14c0e5ff0aebe10784ff8489405fd85549ec81b373be0c[root@kylo3 ~]# 


Just add the login credentials to the request found in the API:
-u dladmin:thinkbig

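Script
#!/bin/bash
# Usage: ./encry.sh <value>
# Posts the value to the Kylo encrypt endpoint and prints its {cipher} form.

# "$1" must be double-quoted: in single quotes the literal text $1 would be sent.
curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d "$1" 'http://localhost:8400/proxy/v1/feedmgr/util/encrypt'
echo ""
echo ""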

Run it as follows:
[root@kylo-1 kylo-1]# ./encry.sh  hive
{cipher}25314bc577db3b570810c0c9db3f13623773d9027412e8cf6048870e0755f310

[root@kylo-1 kylo-1]# 


The benefit of this approach is that you will be getting a value that is guaranteed to work with the encryption settings of the server where that configuration value is being used. Once you have replaced all properties you wish to have encrypted in the properties files, you can restart the Kylo services to use them.
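An added example, not part of the Kylo documentation or the original post: a shell function that lists password-like properties whose value is not yet marked with {cipher}, as a check before the restart. The key-name pattern (password, passwd, secret) and the property names other than hive.datasource.password are assumptions, and the sample file is constructed.

```shell
#!/bin/bash
# Added example: audit a properties file for secrets still in clear text.

# find_cleartext_secrets [FILE...]
# Reads FILE (or stdin) and prints "LINE:KEY" for every property whose key
# looks like a secret and whose non-empty value does not start with {cipher}.
# Returns 1 if at least one such property was found, 0 otherwise.
find_cleartext_secrets() {
  awk '
    /^[ \t]*[#!]/ { next }                  # skip comment lines
    {
      pos = index($0, "=")
      if (pos == 0) next                    # not a key=value line
      key = substr($0, 1, pos - 1)
      val = substr($0, pos + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)      # trim whitespace around key
      gsub(/^[ \t]+|[ \t]+$/, "", val)      # and around value
      # Assumed naming convention for secret-bearing keys.
      if (tolower(key) ~ /password|passwd|secret/ &&
          val != "" && index(val, "{cipher}") != 1) {
        print NR ":" key
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$@"
}

# Constructed sample input, not a real Kylo configuration.
sample_properties() {
  cat <<'EOF'
# constructed sample
hive.datasource.username=kylo
hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
example.service.password = mypassword
example.other.secret=
EOF
}

# Demo run on the sample; on a real system pass the properties file path.
if ! sample_properties | find_cleartext_secrets; then
  echo "clear-text secret values found" >&2
fi
```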
Documentation
Copy the encryption key file to the folder
cp /opt/kylo/encrypt.key /opt/nifi/ext-config

Change the ownership and permissions of the key file to ensure only nifi can read it
chown nifi /opt/nifi/ext-config/encrypt.key
chmod 400 /opt/nifi/ext-config/encrypt.key

Edit the /opt/nifi/current/bin/nifi-env.sh file and add the ENCRYPT_KEY variable with the key value
export ENCRYPT_KEY="$(< /opt/nifi/ext-config/encrypt.key)"