[ https://issues.apache.org/jira/browse/NIFI-8638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17362306#comment-17362306 ]
Jul Tomten edited comment on NIFI-8638 at 6/12/21, 11:43 AM:
-------------------------------------------------------------

Dear Mark,

I agree that it should at least show the "Go To" arrow instead of the "Convert to Parameter" arrow. In the processor it would be nice to see the #{mypassword} or which parameter it's referring to.

I saw in some other thread that there is a discussion about how to handle the sensitive parameters and what they protect. I think there should be a policy allowing users to view the sensitive properties, and the reason for that is troubleshooting. If you use the InvokeHTTP processor and get an HTTP 401, you want to check the password. A 401 may be caused by a wrong password, a missing user account, a locked user account, an expired user account and many more.

We use KeePass [https://keepass.info/] for storing sensitive passwords. Next to the password field there is a button with three dots, "show/hide password using asterisk". By default passwords are displayed with asterisks, and clicking the button displays the password in clear text.

In NiFi a similar feature with a button "display sensitive" next to the sensitive property would make sense, but only users with the policy "display sensitive" may use the button. The policy "display sensitive" must be on the levels global, process group, process context, individual processor.

Today you can, with a little effort, get hold of the sensitive properties anyway. Only do this if you know what you are doing; it may be a security risk. Build two flows in NiFi.

flow 1
InvokeHTTP processor that calls flow 2 using basic authentication.

flow 2
HandleHttpRequest processor - "Parameters to Attributes List" Authorization
ReplaceText processor - "Replacement Value" password=${http.headers.Authorization:substringAfter(' '):base64Decode():substringAfter(':')}
Always Replace, Entire text, All

Before the space ' ' is the basic auth header and after it the username:password; before the colon ':' is the username and after it the password, base64 encoded.

After execution the password is in the flowfile payload and can be seen in the provenance viewer.

I'm new to NiFi so maybe I missed something.

was (Author: tomten1970):

Dear Mark,

I agree that it should at least show the "Go To" arrow instead of the "Convert to Parameter" arrow. In the processor it would be nice to see the #{mypassword} or which parameter it's referring to.

I saw in some other thread that there is a discussion about how to handle the sensitive parameters and what they protect. I think there should be a policy allowing users to view the sensitive properties, and the reason for that is troubleshooting. If you use the InvokeHTTP processor and get an HTTP 401, you want to check the password. A 401 may be caused by a wrong password, a missing user account, a locked user account, an expired user account and many more.

We use KeePass [https://keepass.info/] for storing sensitive passwords. Next to the password field there is a button with three dots, "show/hide password using asterisk". By default passwords are displayed with asterisks, and clicking the button displays the password in clear text.

In NiFi a similar feature with a button "display sensitive" next to the sensitive property would make sense, but only users with the policy "display sensitive" may use the button. The policy "display sensitive" must be on the levels global, process group, process context, individual processor.

Today you can, with a little effort, get hold of the sensitive properties anyway. Only do this if you know what you are doing; it may be a security risk. Build two flows in NiFi.

flow 1
InvokeHTTP processor that calls flow 2 using basic authentication.

flow 2
HandleHttpRequest processor - "Parameters to Attributes List" Authorization
ReplaceText processor - "Replacement Value" password=${http.headers.Authorization:substringAfter(' '):base64Decode():substringAfter(':')}
Always Replace, Entire text, All

Before the space ' ' is the basic auth header and after it the username:password; before the colon ':' is the username and after it the password in base64 encoded form.

After execution the password is in the flowfile payload and can be seen in the provenance viewer.

I'm new to NiFi so maybe I missed something.

> Sensitive Properties referencing Parameters should show that in UI
> ------------------------------------------------------------------
>
>                 Key: NIFI-8638
>                 URL: https://issues.apache.org/jira/browse/NIFI-8638
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Extensions
>   Affects Versions: 1.13.2
>         Environment: Linux RedHat
>                      java 11 sapmachine-jdk-11.0.10_linux-x64_bin.tar.gz
>            Reporter: Jul Tomten
>            Priority: Major
>              Labels: context, property, sensitive
>   Original Estimate: 8h
>  Remaining Estimate: 8h
>
> An issue with passwords for the getJMS and InvokeHTTP processors - I want
> to store the passwords in the "context properties" and reference them from the
> processor, but it doesn't work. I'm on NiFi 1.13.2. I enter for
> example #{mypassword}
> in the password value field in the processor BasicAuthenticationUsername and
> it works setting that, but after activating and reopening, the value field
> reads "sensitive value set" and the little arrow to the right is pointing up
> (arrow indicating parameter is not yet stored in context). Expected is that
> the arrow points to the right (indicating that the value is fetched from the
> context). The password in the context properties isn't used when testing and
> login fails.
> To make it run it is necessary to set the password in the processor instead
> of referencing it with #{mypassword}.