Posted to dev@nifi.apache.org by Jorge Machado <jo...@me.com> on 2018/04/25 08:44:27 UTC

Pushing flows to Registry with Sensitive Information

Hi Guys, 

so I was playing with the registry and if I pushed a Processor that has sensitive information like a password, it will be discarded when pulling it from the Registry, which is fine.

Now comes the but. But if I put a variable there IMHO I think it should save it on the registry.

What do you think?

Jorge 






Re: Pushing flows to Registry with Sensitive Information

Posted by Bryan Bende <bb...@gmail.com>.
Jorge,

Currently variables are not meant to store sensitive information; the
reason has to do with how users access variables...

The way a user accesses a variable is via expression language, and
since EL is just free-form text entered into a property descriptor, it
is impossible to restrict which users can access a variable. Imagine a
multi-tenant environment with many teams, say there is a variable
"db.password" at the root group... anyone anywhere in the dataflow can
create an UpdateAttribute processor and set foo = ${db.password} and
now they can list the queue and look at the attribute foo and get the
password.

When a flow is saved to registry, all sensitive properties are cleared
out (they shouldn't be variables anyway based on above). When the flow
is imported to the next environment, there is a one-time operation
required to go in and set those values specific for the given
environment. Setting these values will not trigger a local change for
version control, and they will also be retained across updates, so it
is really a one-time setup on import and then never worry about it
again when upgrading to a new version.

There is probably some room for improvement around the UX of how the
sensitive variables are set during first import. Right now you have to
manually go through and find them and set them, but this could be
presented in a better way to automatically show all the sensitive
properties that need to be filled in.

Hope this helps.

-Bryan


On Wed, Apr 25, 2018 at 4:44 AM, Jorge Machado <jo...@me.com> wrote:
> Hi Guys,
>
> so I was playing with the registry and if I pushed a Processor that has sensitive information like a password, it will be discarded when pulling it from the Registry, which is fine.
>
> Now comes the but. But if I put a variable there IMHO I think it should save it on the registry.
>
> What do you think?
>
> Jorge
>
>
>
>
>
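
The exposure described in the reply above, turned into a flow review check. This is an added example, not part of the original thread and not NiFi or NiFi Registry code: it walks a flow definition and reports variables whose names look like secrets, plus every processor property that reads one through expression language. The dictionary layout and field names are assumptions loosely modelled on a flow export, and the sample flow is constructed.

```python
import re

# Constructed sample; the field names ("variables", "processors",
# "properties", "processGroups") are assumptions, not a documented schema.
SAMPLE_FLOW = {
    "name": "root",
    "variables": {"db.password": "s3cr3t-constructed", "db.host": "db01.example.internal"},
    "processors": [],
    "processGroups": [{
        "name": "team-a", "variables": {}, "processGroups": [],
        "processors": [
            {"name": "UpdateAttribute", "properties": {"foo": "${db.password}"}},
            {"name": "LogAttribute", "properties": {"Log prefix": "${db.host:toUpper()}"}},
        ],
    }],
}

SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[._-]?key|credential", re.I)
# Subject of an EL expression: ${name}, ${name:fn()}, ${'quoted name'}
EL_SUBJECT = re.compile(r"\$\{\s*(?:'([^']+)'|\"([^\"]+)\"|([^:}\s]+))")

def el_subjects(value):
    """Names referenced at the head of each ${...} expression in a property value."""
    return {a or b or c for a, b, c in EL_SUBJECT.findall(value or "")}

def audit(group, inherited=frozenset(), path=""):
    """Return (secret_variables, references) for a group and all of its children."""
    here = f"{path}/{group['name']}"
    secrets = {(here, n) for n in group.get("variables", {}) if SECRET_NAME.search(n)}
    visible = inherited | {n for _, n in secrets}  # child groups inherit parent variables
    refs = []
    for proc in group.get("processors", []):
        for prop, value in proc.get("properties", {}).items():
            for name in sorted(el_subjects(value) & visible):
                refs.append((here, proc["name"], prop, name))
    for child in group.get("processGroups", []):
        child_secrets, child_refs = audit(child, visible, here)
        secrets |= child_secrets
        refs += child_refs
    return secrets, refs

if __name__ == "__main__":
    found, references = audit(SAMPLE_FLOW)
    for where, name in sorted(found):
        print(f"variable with secret-looking name: {name} (defined at {where})")
    for where, proc, prop, name in references:
        print(f"{where}: {proc}.{prop} reads ${{{name}}}")
```

The name pattern is a heuristic and only the leading subject of each expression is matched, so nested expressions and innocuously named variables holding secrets still need manual review.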