Joe Witt created NIFI-8220:
------------------------------
Summary: Establish a secure by default configuration for NiFi
Key: NIFI-8220
URL: https://issues.apache.org/jira/browse/NIFI-8220
Project: Apache NiFi
Issue Type: Epic
Components: Tools and Build
Reporter: Joe Witt
Assignee: Joe Witt
Fix For: 1.14.0
Inspired by this tweet
https://twitter.com/_escctrl_/status/1359280656174510081?s=21 and the resulting
discussion here
https://lists.apache.org/thread.html/rc590f21807192a0dce18293c2d5b47392a6fd8a1ef26d77fbd6ee695%40%3Cdev.nifi.apache.org%3E
It is time to change our config model. It was also setup to be easy to use.
We've seen these silly setups on the Internet before but has gotten ridiculous.
We need to take action.
Will create a set of one or more JIRAs to roughly do the following.
1. Disable HTTP by default. If a user wants to enable to it for whatever
reason then also make them enable a new property which says something to the
effect of 'allow completely non secure access to the entire nifi instance - not
recommended'
2. Enable HTTPS with one way authentication by default which would be the
client authenticating the server whereby the server has a server cert. We
could either make that cert a self-signed (and thus not trusted by client's by
default) cert or give a way for the user to run through command line process to
make a legit cert.
3. If not already configured with an authorization provider supply and out of
the box provider which supports only a single auto generated at first startup
user/password enabling access to the NiFi system.
4. Disable all restricted processors by default. Require the user to
explicitly enable them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
