You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Jo...@swisscom.com on 2022/04/28 10:03:52 UTC
Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]
Re: Add dynamic sensitive property to processor
Posted by Jo...@swisscom.com.
An additional comment David to the sensitive parameters which probably hasn’t been mentioned yet.
We have to set a HTTP body with a username & password to login into a REST API, today we can’t mix sensitive and non-sensitive parameters in the “Replacement Value” property of the ReplaceText processor. Are there any plans to support such a scenario future? Means to allow both types of parameters within one single property?
Cheers Josef
From: "Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>
Date: Thursday, 28 April 2022 at 16:37
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: Add dynamic sensitive property to processor
Thanks a lot David & Brian, that explains the actual behavior.
So it seems I either have to change my groovy script or wait for a future NiFi release.
Cheers Josef
From: David Handermann <ex...@apache.org>
Reply to: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Thursday, 28 April 2022 at 14:55
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: Add dynamic sensitive property to processor
Following up on Bryan's comments, I am currently working on implementing support for sensitive dynamic properties at the framework level. See the following Jira issue for a summary:
https://issues.apache.org/jira/browse/NIFI-9957
Mark Payne wrote up an excellent feature proposal describing the approach:
https://cwiki.apache.org/confluence/display/NIFI/Support+Sensitive+Dynamic+Properties
As mentioned in the proposal, each component will need to declare support for sensitive dynamic properties to ensure appropriate security of sensitive values.
Regards,
David Handermann
On Thu, Apr 28, 2022 at 7:47 AM Bryan Bende <bb...@gmail.com>> wrote:
When a component supports dynamic properties, it is currently the responsibility of the component to define the PropertyDescriptor for the dynamic property, which lets the component define how the dynamic properties will be used. So the concept of the "SENSITIVE." prefix is a specific approach implemented in DBCPConnectionPool, other components would need to implement the same approach, or could choose to make all their dynamic properties sensitive, or none, or whatever the component wants. In general we'd probably like for this to be a first class concept in the framework, but right now each component would need to be enhanced to follow this pattern.
On Thu, Apr 28, 2022 at 7:50 AM <Jo...@swisscom.com>> wrote:
Additional comment, for me it seems that the SENSITIVE.yourproperty part is a special feature of DBCPConnectionPool (https://issues.apache.org/jira/browse/NIFI-8047 since NiFi 1.13.0) and is not generally available.
Any other comments on this?
Cheers Josef
From: "Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>>
Date: Thursday, 28 April 2022 at 13:26
To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Subject: Re: Add dynamic sensitive property to processor
Hi Isha
I tried it (hopefully) exactly as you suggested:
[cid:image001.png@01D85F0B.A4CEE0D0]
But I still get the same error (parameter does not match the sensitivity of the property) like before in my initial e-mail. Shall I get a different UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
Cheers Josef
From: Isha Lamboo <is...@virtualsciences.nl>>
Reply to: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Date: Thursday, 28 April 2022 at 12:16
To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Subject: RE: Add dynamic sensitive property to processor
Hi Josef,
If you name the property SENSITIVE.yourproperty, it will be treated as sensitive.
I’ve run into that issue with parameters for JDBC drivers before, where each driver has a different property for the SSL keystore passwords.
If you enter for example: SENSITIVE.trustStorePassword as the property, you are then allowed to enter a sensitive parameter.
Regards,
Isha
Van: Josef.Zahner1@swisscom.com<ma...@swisscom.com> <Jo...@swisscom.com>>
Verzonden: donderdag 28 april 2022 12:04
Aan: users@nifi.apache.org<ma...@nifi.apache.org>
Onderwerp: Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]
Re: Add dynamic sensitive property to processor
Posted by Jo...@swisscom.com.
Thanks a lot David & Brian, that explains the actual behavior.
So it seems I either have to change my groovy script or wait for a future NiFi release.
Cheers Josef
From: David Handermann <ex...@apache.org>
Reply to: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Thursday, 28 April 2022 at 14:55
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: Add dynamic sensitive property to processor
Following up on Bryan's comments, I am currently working on implementing support for sensitive dynamic properties at the framework level. See the following Jira issue for a summary:
https://issues.apache.org/jira/browse/NIFI-9957
Mark Payne wrote up an excellent feature proposal describing the approach:
https://cwiki.apache.org/confluence/display/NIFI/Support+Sensitive+Dynamic+Properties
As mentioned in the proposal, each component will need to declare support for sensitive dynamic properties to ensure appropriate security of sensitive values.
Regards,
David Handermann
On Thu, Apr 28, 2022 at 7:47 AM Bryan Bende <bb...@gmail.com>> wrote:
When a component supports dynamic properties, it is currently the responsibility of the component to define the PropertyDescriptor for the dynamic property, which lets the component define how the dynamic properties will be used. So the concept of the "SENSITIVE." prefix is a specific approach implemented in DBCPConnectionPool, other components would need to implement the same approach, or could choose to make all their dynamic properties sensitive, or none, or whatever the component wants. In general we'd probably like for this to be a first class concept in the framework, but right now each component would need to be enhanced to follow this pattern.
On Thu, Apr 28, 2022 at 7:50 AM <Jo...@swisscom.com>> wrote:
Additional comment, for me it seems that the SENSITIVE.yourproperty part is a special feature of DBCPConnectionPool (https://issues.apache.org/jira/browse/NIFI-8047 since NiFi 1.13.0) and is not generally available.
Any other comments on this?
Cheers Josef
From: "Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>>
Date: Thursday, 28 April 2022 at 13:26
To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Subject: Re: Add dynamic sensitive property to processor
Hi Isha
I tried it (hopefully) exactly as you suggested:
[cid:image001.png@01D85B1E.49453B10]
But I still get the same error (parameter does not match the sensitivity of the property) like before in my initial e-mail. Shall I get a different UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
Cheers Josef
From: Isha Lamboo <is...@virtualsciences.nl>>
Reply to: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Date: Thursday, 28 April 2022 at 12:16
To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Subject: RE: Add dynamic sensitive property to processor
Hi Josef,
If you name the property SENSITIVE.yourproperty, it will be treated as sensitive.
I’ve run into that issue with parameters for JDBC drivers before, where each driver has a different property for the SSL keystore passwords.
If you enter for example: SENSITIVE.trustStorePassword as the property, you are then allowed to enter a sensitive parameter.
Regards,
Isha
Van: Josef.Zahner1@swisscom.com<ma...@swisscom.com> <Jo...@swisscom.com>>
Verzonden: donderdag 28 april 2022 12:04
Aan: users@nifi.apache.org<ma...@nifi.apache.org>
Onderwerp: Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]
Re: Add dynamic sensitive property to processor
Posted by David Handermann <ex...@apache.org>.
Following up on Bryan's comments, I am currently working on implementing
support for sensitive dynamic properties at the framework level. See the
following Jira issue for a summary:
https://issues.apache.org/jira/browse/NIFI-9957
Mark Payne wrote up an excellent feature proposal describing the approach:
https://cwiki.apache.org/confluence/display/NIFI/Support+Sensitive+Dynamic+Properties
As mentioned in the proposal, each component will need to declare support
for sensitive dynamic properties to ensure appropriate security of
sensitive values.
Regards,
David Handermann
On Thu, Apr 28, 2022 at 7:47 AM Bryan Bende <bb...@gmail.com> wrote:
> When a component supports dynamic properties, it is currently the
> responsibility of the component to define the PropertyDescriptor for the
> dynamic property, which lets the component define how the dynamic
> properties will be used. So the concept of the "SENSITIVE." prefix is a
> specific approach implemented in DBCPConnectionPool, other components would
> need to implement the same approach, or could choose to make all their
> dynamic properties sensitive, or none, or whatever the component wants. In
> general we'd probably like for this to be a first class concept in the
> framework, but right now each component would need to be enhanced to follow
> this pattern.
>
> On Thu, Apr 28, 2022 at 7:50 AM <Jo...@swisscom.com> wrote:
>
>> Additional comment, for me it seems that the SENSITIVE.yourproperty part
>> is a special feature of DBCPConnectionPool (
>> https://issues.apache.org/jira/browse/NIFI-8047 since NiFi 1.13.0) and
>> is not generally available.
>>
>>
>>
>> Any other comments on this?
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>> *From: *"Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>
>> *Date: *Thursday, 28 April 2022 at 13:26
>> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
>> *Subject: *Re: Add dynamic sensitive property to processor
>>
>>
>>
>> Hi Isha
>>
>>
>>
>> I tried it (hopefully) exactly as you suggested:
>>
>>
>>
>>
>>
>> But I still get the same error (parameter does not match the sensitivity
>> of the property) like before in my initial e-mail. Shall I get a different
>> UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>> *From: *Isha Lamboo <is...@virtualsciences.nl>
>> *Reply to: *"users@nifi.apache.org" <us...@nifi.apache.org>
>> *Date: *Thursday, 28 April 2022 at 12:16
>> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
>> *Subject: *RE: Add dynamic sensitive property to processor
>>
>>
>>
>> Hi Josef,
>>
>>
>>
>> If you name the property SENSITIVE.yourproperty, it will be treated as
>> sensitive.
>>
>>
>>
>> I’ve run into that issue with parameters for JDBC drivers before, where
>> each driver has a different property for the SSL keystore passwords.
>>
>> If you enter for example: SENSITIVE.trustStorePassword as the property,
>> you are then allowed to enter a sensitive parameter.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Isha
>>
>>
>>
>> *Van:* Josef.Zahner1@swisscom.com <Jo...@swisscom.com>
>> *Verzonden:* donderdag 28 april 2022 12:04
>> *Aan:* users@nifi.apache.org
>> *Onderwerp:* Add dynamic sensitive property to processor
>>
>>
>>
>> Hi guys,
>>
>>
>>
>> I’m about in the process of migrate away from variables to parameter
>> contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I
>> would like to pass some sensitive and non-sensitive parameters to
>> dynamically added properties – added via “+” button on top right corner.
>> Example below. Now I’m struggling to *add a dynamic sensitive* *property*
>> to my processor. Is there a good reason that dynamic added properties are
>> always non-sensitive? Or shall I fill a jira ticket feature request? As you
>> can see, I can’t change the property “NiFiPassword” to a parameter – I’m
>> getting an error.
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>>
>>
>> [image: Graphical user interface, application, table Description
>> automatically generated]
>>
>>
>>
>> [image: A screenshot of a computer Description automatically generated
>> with medium confidence]
>>
>
Re: Add dynamic sensitive property to processor
Posted by Bryan Bende <bb...@gmail.com>.
When a component supports dynamic properties, it is currently the
responsibility of the component to define the PropertyDescriptor for the
dynamic property, which lets the component define how the dynamic
properties will be used. So the concept of the "SENSITIVE." prefix is a
specific approach implemented in DBCPConnectionPool, other components would
need to implement the same approach, or could choose to make all their
dynamic properties sensitive, or none, or whatever the component wants. In
general we'd probably like for this to be a first class concept in the
framework, but right now each component would need to be enhanced to follow
this pattern.
On Thu, Apr 28, 2022 at 7:50 AM <Jo...@swisscom.com> wrote:
> Additional comment, for me it seems that the SENSITIVE.yourproperty part
> is a special feature of DBCPConnectionPool (
> https://issues.apache.org/jira/browse/NIFI-8047 since NiFi 1.13.0) and is
> not generally available.
>
>
>
> Any other comments on this?
>
>
>
> Cheers Josef
>
>
>
>
>
> *From: *"Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>
> *Date: *Thursday, 28 April 2022 at 13:26
> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
> *Subject: *Re: Add dynamic sensitive property to processor
>
>
>
> Hi Isha
>
>
>
> I tried it (hopefully) exactly as you suggested:
>
>
>
>
>
> But I still get the same error (parameter does not match the sensitivity
> of the property) like before in my initial e-mail. Shall I get a different
> UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
>
>
>
> Cheers Josef
>
>
>
>
>
> *From: *Isha Lamboo <is...@virtualsciences.nl>
> *Reply to: *"users@nifi.apache.org" <us...@nifi.apache.org>
> *Date: *Thursday, 28 April 2022 at 12:16
> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
> *Subject: *RE: Add dynamic sensitive property to processor
>
>
>
> Hi Josef,
>
>
>
> If you name the property SENSITIVE.yourproperty, it will be treated as
> sensitive.
>
>
>
> I’ve run into that issue with parameters for JDBC drivers before, where
> each driver has a different property for the SSL keystore passwords.
>
> If you enter for example: SENSITIVE.trustStorePassword as the property,
> you are then allowed to enter a sensitive parameter.
>
>
>
> Regards,
>
>
>
> Isha
>
>
>
> *Van:* Josef.Zahner1@swisscom.com <Jo...@swisscom.com>
> *Verzonden:* donderdag 28 april 2022 12:04
> *Aan:* users@nifi.apache.org
> *Onderwerp:* Add dynamic sensitive property to processor
>
>
>
> Hi guys,
>
>
>
> I’m about in the process of migrate away from variables to parameter
> contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I
> would like to pass some sensitive and non-sensitive parameters to
> dynamically added properties – added via “+” button on top right corner.
> Example below. Now I’m struggling to *add a dynamic sensitive* *property*
> to my processor. Is there a good reason that dynamic added properties are
> always non-sensitive? Or shall I fill a jira ticket feature request? As you
> can see, I can’t change the property “NiFiPassword” to a parameter – I’m
> getting an error.
>
>
>
> Cheers Josef
>
>
>
>
>
>
>
> [image: Graphical user interface, application, table Description
> automatically generated]
>
>
>
> [image: A screenshot of a computer Description automatically generated
> with medium confidence]
>
Re: Add dynamic sensitive property to processor
Posted by Jo...@swisscom.com.
Additional comment, for me it seems that the SENSITIVE.yourproperty part is a special feature of DBCPConnectionPool (https://issues.apache.org/jira/browse/NIFI-8047 since NiFi 1.13.0) and is not generally available.
Any other comments on this?
Cheers Josef
From: "Zahner Josef, GSB-LR-TRW-LI" <Jo...@swisscom.com>
Date: Thursday, 28 April 2022 at 13:26
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: Add dynamic sensitive property to processor
Hi Isha
I tried it (hopefully) exactly as you suggested:
[cid:image001.png@01D85B06.F231C8F0]
But I still get the same error (parameter does not match the sensitivity of the property) like before in my initial e-mail. Shall I get a different UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
Cheers Josef
From: Isha Lamboo <is...@virtualsciences.nl>
Reply to: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Thursday, 28 April 2022 at 12:16
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: RE: Add dynamic sensitive property to processor
Hi Josef,
If you name the property SENSITIVE.yourproperty, it will be treated as sensitive.
I’ve run into that issue with parameters for JDBC drivers before, where each driver has a different property for the SSL keystore passwords.
If you enter for example: SENSITIVE.trustStorePassword as the property, you are then allowed to enter a sensitive parameter.
Regards,
Isha
Van: Josef.Zahner1@swisscom.com <Jo...@swisscom.com>
Verzonden: donderdag 28 april 2022 12:04
Aan: users@nifi.apache.org
Onderwerp: Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]
Re: Add dynamic sensitive property to processor
Posted by Jo...@swisscom.com.
Hi Isha
I tried it (hopefully) exactly as you suggested:
[cid:image001.png@01D85B03.9BC18490]
But I still get the same error (parameter does not match the sensitivity of the property) like before in my initial e-mail. Shall I get a different UI dialogue or any other difference when adding the SENSITIVE.yourprop part?
Cheers Josef
From: Isha Lamboo <is...@virtualsciences.nl>
Reply to: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Thursday, 28 April 2022 at 12:16
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: RE: Add dynamic sensitive property to processor
Hi Josef,
If you name the property SENSITIVE.yourproperty, it will be treated as sensitive.
I’ve run into that issue with parameters for JDBC drivers before, where each driver has a different property for the SSL keystore passwords.
If you enter for example: SENSITIVE.trustStorePassword as the property, you are then allowed to enter a sensitive parameter.
Regards,
Isha
Van: Josef.Zahner1@swisscom.com <Jo...@swisscom.com>
Verzonden: donderdag 28 april 2022 12:04
Aan: users@nifi.apache.org
Onderwerp: Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]
RE: Add dynamic sensitive property to processor
Posted by Isha Lamboo <is...@virtualsciences.nl>.
Hi Josef,
If you name the property SENSITIVE.yourproperty, it will be treated as sensitive.
I’ve run into that issue with parameters for JDBC drivers before, where each driver has a different property for the SSL keystore passwords.
If you enter for example: SENSITIVE.trustStorePassword as the property, you are then allowed to enter a sensitive parameter.
Regards,
Isha
Van: Josef.Zahner1@swisscom.com <Jo...@swisscom.com>
Verzonden: donderdag 28 april 2022 12:04
Aan: users@nifi.apache.org
Onderwerp: Add dynamic sensitive property to processor
Hi guys,
I’m about in the process of migrate away from variables to parameter contexts. I have a groovy script (ExecuteScript 1.15.3 processor) where I would like to pass some sensitive and non-sensitive parameters to dynamically added properties – added via “+” button on top right corner. Example below. Now I’m struggling to add a dynamic sensitive property to my processor. Is there a good reason that dynamic added properties are always non-sensitive? Or shall I fill a jira ticket feature request? As you can see, I can’t change the property “NiFiPassword” to a parameter – I’m getting an error.
Cheers Josef
[Graphical user interface, application, table Description automatically generated]
[A screenshot of a computer Description automatically generated with medium confidence]