You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@nifi.apache.org by Mark Bean <ma...@gmail.com> on 2020/01/30 21:34:15 UTC

Parameters, Registry and sensitive values

When storing a version controlled process group in the NiFi Registry, the
relevant Parameter Context will get stored as well. Similarly, when a
different NiFi instance instantiates that process group from the Registry,
the instance creates the Parameter Context so it can be used by the
process group.

However, if there are parameters in the context with values marked as
sensitive, then those values are 1) not stored in NiFi Registry and
therefore 2) no value is available on any instance pulling the process
group from the Registry.

Is there work being done to bridge this gap? Are there any recommendations
on how to supply the sensitive values?

Thanks,
Mark

Re: Parameters, Registry and sensitive values

Posted by Joe Witt <jo...@gmail.com>.

i agree nothing is stored in the registry for sensitive params.  i was
talking about in nifi.   this is consistent with behavior we had before
param contexts existed.

On Thu, Jan 30, 2020 at 5:29 PM Mark Bean <ma...@gmail.com> wrote:

> Joe,
>
> You said "... and then all params, _sensitive or otherwise_ set". This is
> not what I observed.
>
> I version controlled a Process Group configured with a Parameter Context
> containing one non-sensitive parameter value and one sensitive property
> value. Then, I instantiated that version controlled Process Group on a
> separate NiFi instance. Only the non-sensitive parameter value was
> included. The sensitive parameter value says "No value set".
>
> Further, when I look at what is stored in the Registry, I can confirm the
> value for the sensitive parameter is not present. I looked down in the
> flow_storage directory at the 2.snapshot file corresponding to the flow in
> question. It has:
>
> "parameterContexts" : {
>   "sample PC" : {
>     "name" : "sample PC",
>     "parameters" : [ {
>       "description" : "",
>       "name" : "regularParam",
>       "sensitive" : false,
>       "value" : "test1"
>     }, {
>       "description" : "",
>       "name" : "sensitiveParam",
>       "sensitive" : true
>     } ]
>   }
>
> Note that there is no "value" for "sensitiveParam"; there is only a "value"
> for the non-sensitive parameter.
>
> Both NiFi instances are version 1.10. NiFi registry is version 0.5.0.
>
> -Mark
>
>
> On Thu, Jan 30, 2020 at 4:51 PM Joe Witt <jo...@gmail.com> wrote:
>
> > The initial import of a versioned flow and associated parameter context
> > requires setting of sensitive values.  This does however provide for
> rather
> > simple configuration of a programmatically pushed flow to an instance and
> > then all params, sensitive or otherwise set, and the flow run.  As well
> as
> > easy subsequent updates.
> >
> >
> >   There is no work in the apache nifi community I am aware of to provide
> a
> > central secrets storage solution.
> >
> > Thanks
> >
> > On Thu, Jan 30, 2020 at 4:34 PM Mark Bean <ma...@gmail.com> wrote:
> >
> > > When storing a version controlled process group in the NiFi Registry,
> the
> > > relevant Parameter Context will get stored as well. Similarly, when a
> > > different NiFi instance instantiates that process group from the
> > Registry,
> > > the instance creates the Parameter Context so it can be used by the
> > > process group.
> > >
> > > However, if there are parameters in the context with values marked as
> > > sensitive, then those values are 1) not stored in NiFi Registry and
> > > therefore 2) no value is available on any instance pulling the process
> > > group from the Registry.
> > >
> > > Is there work being done to bridge this gap? Are there any
> > recommendations
> > > on how to supply the sensitive values?
> > >
> > > Thanks,
> > > Mark
> > >
> >
>

Re: Parameters, Registry and sensitive values

Posted by Mark Bean <ma...@gmail.com>.

Joe,

You said "... and then all params, _sensitive or otherwise_ set". This is
not what I observed.

I version controlled a Process Group configured with a Parameter Context
containing one non-sensitive parameter value and one sensitive property
value. Then, I instantiated that version controlled Process Group on a
separate NiFi instance. Only the non-sensitive parameter value was
included. The sensitive parameter value says "No value set".

Further, when I look at what is stored in the Registry, I can confirm the
value for the sensitive parameter is not present. I looked down in the
flow_storage directory at the 2.snapshot file corresponding to the flow in
question. It has:

"parameterContexts" : {
  "sample PC" : {
    "name" : "sample PC",
    "parameters" : [ {
      "description" : "",
      "name" : "regularParam",
      "sensitive" : false,
      "value" : "test1"
    }, {
      "description" : "",
      "name" : "sensitiveParam",
      "sensitive" : true
    } ]
  }

Note that there is no "value" for "sensitiveParam"; there is only a "value"
for the non-sensitive parameter.

Both NiFi instances are version 1.10. NiFi registry is version 0.5.0.

-Mark

On Thu, Jan 30, 2020 at 4:51 PM Joe Witt <jo...@gmail.com> wrote:

> The initial import of a versioned flow and associated parameter context
> requires setting of sensitive values.  This does however provide for rather
> simple configuration of a programmatically pushed flow to an instance and
> then all params, sensitive or otherwise set, and the flow run.  As well as
> easy subsequent updates.
>
>
>   There is no work in the apache nifi community I am aware of to provide a
> central secrets storage solution.
>
> Thanks
>
> On Thu, Jan 30, 2020 at 4:34 PM Mark Bean <ma...@gmail.com> wrote:
>
> > When storing a version controlled process group in the NiFi Registry, the
> > relevant Parameter Context will get stored as well. Similarly, when a
> > different NiFi instance instantiates that process group from the
> Registry,
> > the instance creates the Parameter Context so it can be used by the
> > process group.
> >
> > However, if there are parameters in the context with values marked as
> > sensitive, then those values are 1) not stored in NiFi Registry and
> > therefore 2) no value is available on any instance pulling the process
> > group from the Registry.
> >
> > Is there work being done to bridge this gap? Are there any
> recommendations
> > on how to supply the sensitive values?
> >
> > Thanks,
> > Mark
> >
>

Re: Parameters, Registry and sensitive values

Posted by Joe Witt <jo...@gmail.com>.

The initial import of a versioned flow and associated parameter context
requires setting of sensitive values.  This does however provide for rather
simple configuration of a programmatically pushed flow to an instance and
then all params, sensitive or otherwise set, and the flow run.  As well as
easy subsequent updates.

  There is no work in the apache nifi community I am aware of to provide a
central secrets storage solution.

Thanks

On Thu, Jan 30, 2020 at 4:34 PM Mark Bean <ma...@gmail.com> wrote:

> When storing a version controlled process group in the NiFi Registry, the
> relevant Parameter Context will get stored as well. Similarly, when a
> different NiFi instance instantiates that process group from the Registry,
> the instance creates the Parameter Context so it can be used by the
> process group.
>
> However, if there are parameters in the context with values marked as
> sensitive, then those values are 1) not stored in NiFi Registry and
> therefore 2) no value is available on any instance pulling the process
> group from the Registry.
>
> Is there work being done to bridge this gap? Are there any recommendations
> on how to supply the sensitive values?
>
> Thanks,
> Mark
>