Encrypting Configuration Properties
By default, a new Kylo installation does not have any of its configuration properties encrypted. Once you have started Kylo for the first time, the easiest way to derive encrypted versions of property values is to post values to the Kylo services/encrypt endpoint to have it generate an encrypted form for you. You could then paste the encrypted value back into your properties file and mark it as encrypted by prepending the values with {cipher}. For instance, if you wanted to encrypt the Hive datasource password specified in application.properties (assuming the password is “mypassword”), you can get its encrypted form using the curl command like this:
$ curl -u dladmin:thinkbig -H "Content-Type: text/plain; charset=UTF-8" localhost:8400/proxy/v1/feedmgr/util/encrypt –d mypassword
29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
You then copy that value and replace the clear text password string in the properties file with the encrypted value:
hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
Note
Testing the example given on the official site returns a 401 error:
{"timestamp":1544088258333,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/encrypt"}curl: (6) Could not resolve host: xn--d-5gn; Name or service not known
curl: (6) Could not resolve host: mypassword; Name or service not known
Checking the API documentation shows this request:
curl -X POST --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'
The correct request:
[root@kylo3 ~]# curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d 'kylo' 'http://10.88.88.122:8400/proxy/v1/feedmgr/util/encrypt'
{cipher}888909e4cd4a2fb11a14c0e5ff0aebe10784ff8489405fd85549ec81b373be0c[root@kylo3 ~]#
Adding the login credentials to the request given by the API is all that is needed:
-u dladmin:thinkbig
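Script
#!/bin/bash
# Encrypt the value passed as the first argument via the Kylo encrypt endpoint.
# "$1" must be double-quoted so the shell expands it; in single quotes the literal text $1 is sent.
curl -X POST -u dladmin:thinkbig --header 'Content-Type: text/plain' --header 'Accept: application/json' -d "$1" 'http://localhost:8400/proxy/v1/feedmgr/util/encrypt'
echo ""
echo ""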
Usage:
[root@kylo-1 kylo-1]# ./encry.sh hive
{cipher}25314bc577db3b570810c0c9db3f13623773d9027412e8cf6048870e0755f310
[root@kylo-1 kylo-1]#
The benefit of this approach is that you will be getting a value that is guaranteed to work with the encryption settings of the server where that configuration value is being used. Once you have replaced all properties you wish to have encrypted in the properties files, you can restart the Kylo services to use them.
Copy the encryption key file to the NiFi ext-config folder:
cp /opt/kylo/encrypt.key /opt/nifi/ext-config
Change the ownership and permissions of the key file so that only the nifi user can read it:
chown nifi /opt/nifi/ext-config/encrypt.key
chmod 400 /opt/nifi/ext-config/encrypt.key
Edit the /opt/nifi/current/bin/nifi-env.sh file and add the ENCRYPT_KEY variable with the key value:
export ENCRYPT_KEY="$(< /opt/nifi/ext-config/encrypt.key)"
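A check for the steps above, as an added example that is not part of the original post or of Kylo: it lists secret-looking properties that are still not stored as {cipher} values and verifies that the key file has mode 400. The key-name patterns, the hex check on the encrypted value (based on the sample outputs above), the example.* property names and the sample files are assumptions of this example.

```shell
#!/bin/bash
# Added example, not Kylo code: audit a properties file and the key file.

# Print each secret-looking key whose value is not "{cipher}" followed by hex.
# Key-name patterns and the hex check are assumptions of this example.
find_cleartext_secrets() {
    awk '
        /^[ \t]*[#!]/ { next }                    # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                     # not key=value
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) !~ /password|secret|passphrase/) next
            if (val == "") next                   # nothing stored
            hex = substr(val, 9)                  # text after {cipher}
            if (index(val, "{cipher}") != 1 || hex !~ /^[0-9a-fA-F]+$/) print key
        }
    ' "$1"
}

# Succeed only if the key file is a regular file with mode exactly 400,
# matching the chmod 400 step above.
key_file_locked_down() {
    [ -n "$(find "$1" -prune -type f -perm 400 2>/dev/null)" ]
}

# Demo on constructed input in a temp dir; nothing on the host is touched.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/application.properties" <<'EOF'
# constructed sample; only hive.datasource.password is a name from the page
hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0
example.db.password=mypassword
example.api.secret = {cipher}
EOF
    echo "placeholder-key" > "$dir/encrypt.key"   # constructed, not a real key
    chmod 644 "$dir/encrypt.key"
    echo "cleartext: $(find_cleartext_secrets "$dir/application.properties" | tr '\n' ' ')"
    key_file_locked_down "$dir/encrypt.key" || echo "encrypt.key: mode is not 400"
    rm -rf "$dir"
}
demo
```

On a real host, call the two functions with the paths used above, for example the properties file that holds hive.datasource.password and /opt/nifi/ext-config/encrypt.key.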