Apache NiFi 1.15.0 startup failure caused by sensitive property

11/24/2021

The answer on many forums is to simply "create the key". However, this also requires further maintenance because then the flow.xml.gz file cannot be easily migrated between deployments. I do not experience this on previous versions (v1.12.0 & 1.13.0).

Any thoughts on mitigating this issue?

Error: 
ERROR [main] o.a.nifi.properties.NiFiPropertiesLoader Clustered Configuration Found: Shared Sensitive Properties Key [nifi.sensitive.props.key] required for cluster nodes

ERROR [main] org.apache.nifi.NiFi Failure to launch NiFi due to java.lang.IllegalArgumentException: There was an issue decrypting protected properties

Similar question: https://stackoverflow.com/questions/69217062/docker-nifi-1-14-0-startup-failure-caused-by-org-apache-nifi-properties

-- kp-a
apache-nifi
kubernetes

2 Answers

11/25/2021

Create the key.

Don't let NiFi generate a random one, supply it from your deployment code along with all the other settings that go into nifi.properties. If you have the same key, you can copy/migrate the flow.xml.gz and share it within clusters. This also works with an encrypted key if you provide the decryption hex key in bootstrap.conf when deploying.

The latest NiFi version has support for HashiCorp vaults. That might allow you to obtain the correct keys at runtime and share them among cluster nodes.

If you want to work without a key, you will need to use NiFi 1.13.2 or older. From the admin guide:

Starting with version 1.14.0, NiFi requires a value for 'nifi.sensitive.props.key' in nifi.properties.

The following command can be used to read an existing flow.xml.gz configuration and set a new sensitive properties key in nifi.properties:

$ ./bin/nifi.sh set-sensitive-properties-key sensitivePropertiesKey

The minimum required length for a new sensitive properties key is 12 characters.

-- Cyrus
Source: StackOverflow
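
Added example (not part of the answer above and not NiFi's own tooling): one way a container entrypoint could supply the same key to every node before NiFi starts, enforcing the 12-character minimum quoted from the admin guide. The function name `set_sensitive_props_key`, the environment variable `NIFI_SENSITIVE_PROPS_KEY` (for instance populated from a Kubernetes Secret) and the character policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NiFi's own tooling. Assumed names: set_sensitive_props_key,
# NIFI_SENSITIVE_PROPS_KEY (e.g. populated from a Kubernetes Secret).

MIN_KEY_LENGTH=12   # minimum length stated in the admin guide excerpt

# set_sensitive_props_key FILE
# Returns 0 on success, 2 for a rejected key, 3 if FILE cannot be rewritten.
set_sensitive_props_key() {
    props_file=$1
    key=${NIFI_SENSITIVE_PROPS_KEY-}

    # Fail the deployment early instead of letting NiFi abort at startup.
    if [ "${#key}" -lt "$MIN_KEY_LENGTH" ]; then
        echo "sensitive properties key is missing or shorter than $MIN_KEY_LENGTH characters" >&2
        return 2
    fi
    # Example policy: allow only characters that need no escaping in a
    # Java properties file (backslash, whitespace and newlines are rejected).
    case $key in
        *[!A-Za-z0-9+/=_-]*) echo "sensitive properties key contains unsupported characters" >&2; return 2 ;;
    esac
    if [ ! -f "$props_file" ] || [ ! -w "$props_file" ]; then
        echo "cannot rewrite $props_file" >&2
        return 3
    fi

    # Write to a private temp file first so a failure never leaves a
    # half-written nifi.properties behind; the result is owner-only (0600).
    tmp=$(mktemp "${props_file}.XXXXXX") || return 3
    chmod 600 "$tmp"
    # The key reaches awk through its environment, not argv, so it is not
    # visible in the process list. The error messages above never print it.
    NIFI_KEY_VALUE=$key awk '
        /^nifi\.sensitive\.props\.key=/ {
            print "nifi.sensitive.props.key=" ENVIRON["NIFI_KEY_VALUE"]; seen = 1; next
        }
        { print }
        END { if (!seen) print "nifi.sensitive.props.key=" ENVIRON["NIFI_KEY_VALUE"] }
    ' "$props_file" > "$tmp" || { rm -f "$tmp"; return 3; }
    mv "$tmp" "$props_file"
}
```

This covers a deployment that is given its key up front; an existing flow.xml.gz that was encrypted under a different key still needs the `set-sensitive-properties-key` command quoted in the answer.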

11/28/2021

Ignore this error.

Create a new deployment, either import the flow file via the GUI or copy and paste the XML flow file, then restart the deployment.

In my testing, I have not seen any evidence that the sensitive key property is required.

-- kp-a
Source: StackOverflow