[
https://issues.apache.org/jira/browse/NIFI-8638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17362306#comment-17362306
]
Jul Tomten commented on NIFI-8638:
----------------------------------
Dear Mark,
I agree that it should at least show the "Go To" arrow instead of the "Convert
to Parameter" arrow.
In the processor it would be nice to see the #{mypassword} or which parameter
it's referring to.
I saw in some other thread that there is a discussion about how to handle the
sensitive parameters and what they protect.
I think there should be a policy allowing to view the sensitive properties and
the reason for that is troubleshooting. If you use the InvokeHTTP processor
and get an HTTP 401 you want to check the password. A 401 may be caused by
wrong password, missing user account, locked user account, expired user account
and many more.
We use KeePass [https://keepass.info/] for storing sensitive passwords. Next to
the password field there is a button with three dots "show/hide password using
asterisk". By default passwords are displayed with asterisks and clicking the
button displays the password in clear text. In NiFi a similar feature with a
button "display sensitive" next to the sensitive property would make sense but
only users with policy "display sensitive" may use the button.
The policy "display sensitive" must be on levels global, process group, process
context, individual processor.
Today you can, with a little effort, get hold of the sensitive properties anyway.
Only do this if you know what you are doing; it may be a security risk.
Build two flows in NiFi.
flow 1
InvokeHTTP processor that calls flow 2 using basic authentication.
flow 2
HandleHttpRequest processor - "Parameters to Attributes List" Authorization
ReplaceText processor - "Replacement Value"
password=${http.headers.Authorization:substringAfter(' '):base64Decode():substringAfter(':')}
Always Replace, Entire text, All
Before the space ' ' is the basic auth header, before the colon ':' is the
username.
After execution - the password is in the flowfile payload and can be seen in
the provenance viewer.
I'm new to NiFi so maybe I missed something.
> Sensitive Properties referencing Parameters should show that in UI
> ------------------------------------------------------------------
>
> Key: NIFI-8638
> URL: https://issues.apache.org/jira/browse/NIFI-8638
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 1.13.2
> Environment: Linux RedHat
> java 11 sapmachine-jdk-11.0.10_linux-x64_bin.tar.gz
> Reporter: Jul Tomten
> Priority: Major
> Labels: context, property, sensitive
> Original Estimate: 8h
> Remaining Estimate: 8h
>
> An issue with passwords for the getJMS and InvokeHTTP processors - I want
> to store the passwords in the "context properties" and reference from the
> processor but it doesn't work. I'm on NiFi 1.13.2. I enter for
> example #{mypassword}
> in the password value field in the processor BasicAuthenticationUsername and
> it works setting that but after activating and reopening the value field
> reads "sensitive value set" and the little arrow to the right is pointing up
> (arrow indicating parameter is not yet stored in context). Expected is that
> the arrow points to the right (indicating that the value is fetched from the
> context). The password in the context properties isn't used when testing and
> login fails.
> To make it run it is necessary to set the password in the processor instead
> of referencing with #{mypassword}.
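Added example, not part of the original message or of the NiFi project: a flow-review check for the pattern described in the comment above, where an Expression Language chain decodes the Basic Authorization header into flowfile content that provenance then retains. The processor records are a simplified, constructed structure (not NiFi's export schema), and `audit_flow` and `el_chain_result` are hypothetical names.

```python
import base64
import re

# Matches an Expression Language reference to the Authorization header whose
# function chain includes base64Decode(), as in the comment above.
AUTH_DECODE = re.compile(
    r"\$\{\s*http\.headers\.Authorization\b[^}]*:base64Decode\(\)[^}]*\}",
    re.IGNORECASE,
)


def el_chain_result(header):
    """Python equivalent of substringAfter(' '):base64Decode():substringAfter(':')
    for a well-formed Basic header; shows what ends up in the flowfile."""
    encoded = header.partition(" ")[2]
    decoded = base64.b64decode(encoded).decode("utf-8")
    return decoded.partition(":")[2]


def audit_flow(processors):
    """Return (processor name, property name) pairs whose value decodes the header."""
    findings = []
    for proc in processors:
        for prop, value in proc.get("properties", {}).items():
            if isinstance(value, str) and AUTH_DECODE.search(value):
                findings.append((proc["name"], prop))
    return findings


# Constructed sample: simplified processor records (assumption, not NiFi's schema).
SAMPLE_FLOW = [
    {"name": "HandleHttpRequest", "type": "HandleHttpRequest",
     "properties": {"Parameters to Attributes List": "Authorization"}},
    {"name": "ReplaceText", "type": "ReplaceText",
     "properties": {"Replacement Value":
                    "password=${http.headers.Authorization:substringAfter(' ')"
                    ":base64Decode():substringAfter(':')}"}},
    {"name": "LogRequestId", "type": "UpdateAttribute",
     "properties": {"request.id": "${http.headers.X-Request-Id}"}},
]

if __name__ == "__main__":
    # Constructed header for the credentials user:pass.
    print(el_chain_result("Basic dXNlcjpwYXNz"))
    for name, prop in audit_flow(SAMPLE_FLOW):
        print(f"review: {name} / {prop}")
```

A hit means the processor writes decoded credentials into content or attributes, so the review should cover who can edit that flow and who can read its provenance data.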