Your Flow Credentials File Is Encrypted Using A System-generated Key

I have been doing SRE work for a long time, and I love tinkering with tools that make operations easier. This time I would like to introduce Node-RED, which is well known in the IoT world but should still be almost unknown in the SRE industry.

This is the warning Node-RED prints when it falls back to a system-generated key:

Your flow credentials file is encrypted using a system-generated key. If the system-generated key is lost for any reason, your credentials file will not be recoverable, you will have to delete it and re-enter your credentials. You should set your own key using the 'credentialSecret' option in your settings file.

Oracle's Autonomous Database, which I have recently grown fond of, has handy features such as scaling up and down while it is running and stopping it when it is not in use. The problem is that I forget to do things like reducing the CPU count once I have finished my work. Yes, I forget often, so I cover for it with a tool.

Signing in to Oracle Cloud and operating it when I get to the office, and again on the way home, is probably not going to happen, so I decided to build a one-click mechanism. I could just write a shell script with the CLI, but since I want other people to be able to use it easily too, I am using Node-RED so it can be operated graphically from a browser.

This time I am building it on Docker. In the future I plan to leave it running on OKE as a management container. There was also a way to set it up on my MacBook Pro, but that environment has become a mess after years of use and I could not get the oci cli set up properly, so I built it in a Docker container instead.

Apache NiFi is one of the tools similar to Node-RED. Dataflow development lets you build simple tools quickly, so I would like SREs to make good use of it. The advantage is that things like parsing the JSON returned by a command or API, extracting what you need, and feeding it into another step can be done easily. A good approach is probably to experiment in Node-RED first and, once you understand how it works, script it with commands such as jq.

Quick setup

git clone from the following, then run make buildimage ; make createcontainer and it should be ready to use.
First run make attach, then set up the OCI CLI.


Setting up the Docker container (manual)

Run on the local PC with Docker installed

Run inside Docker. (I will turn this into a Dockerfile later.)

Setting up the OCI CLI

Configure it by following this procedure document.

Setting up Node-RED (manual, inside Docker)

Configure it from the command line inside Docker.

Node-RED is now running.

Personal memo: operation notes. I will set up automatic startup next.

Verifying operation


Port 1880 on localhost is bound to port 1880 of the Docker container, so open the following URL in a browser.

Once the console screen appears, let's write a simple flow. This sample runs oci compute shape list from an Exec node. The command's return value is shown by a debug node, so a long list of compute shape names appeared in the bottom right.

From here, by rewriting the command in the same way, you can turn an operation into a button via the timestamp node or run it on a schedule.

The Exec node looks like this. Since the oci command runs under pyenv, give it the full path.

Uncheck the "+Append msg.payload" checkbox.

Then just rewrite the command part and have the timestamp node fire periodically or at a specific time, and you can easily set up either button operation or scheduled execution. In practice it is probably better to trigger it from some external action.

Target: 0.15

Currently credentials are passed to the storage API in the clear, so unless the storage mechanism does something specific, they get stored in the clear.

With a move to add version control backing to node-red, the very real prospect emerges of credentials being stored, in the clear, in version control. That is highly undesirable.

We cannot escape the fact that we need to store credential information in a retrievable way; hashing is not an option.


This feature is to enable encryption of credentials by default - a user has to explicitly disable encryption if they do not want it to apply.

The encryption scheme requires a key to encrypt/decrypt the content.

A user is able to provide their own key via the credentialSecret property in the settings file. But most users will not do that the first time they run node-red after upgrading to this release. In that case, the runtime will auto-generate a key and store it in runtime settings. The credentials will then get encrypted with that key the next time flows are deployed.

If a user then provides their own credentialSecret property in the settings.js file, the runtime will migrate from the generated key to the user provided key the next time flows are deployed.

If a user changes credentialSecret at any point, the runtime will no longer be able to decrypt the credentials and they will be lost.

The credentials passed over the Storage API will be the encrypted set. An unencrypted credential object looks like this:


After encryption, it looks like this:

By keeping it a valid JSON object, underlying storage implementations should not be affected by the change.

Encryption scheme

Decryption scheme


FAQ

The credentials file (flows_cred.json) is encrypted by default to ensure its contents cannot be easily read.

Node-RED generates a random key for the encryption if you do not provide one in your settings file. If the second instance of Node-RED doesn't have the same encryption key, it won't be able to decrypt the file.

Here are the steps you need to resolve this.

  1. Edit your settings.js file and add a credentialSecret property with whatever string value you want. If you want to disable encryption, set its value to false.

  2. Restart Node-RED and deploy a change. This triggers Node-RED to re-encrypt your credentials with your chosen key (or to disable encryption if set to false).

  3. You can then copy your flow/credential file to a second instance; just make sure you give it the same credentialSecret value in its settings file.

Note that once you set credentialSecret you cannot change its value.