David Handermann created NIFI-13560:
---------------------------------------
Summary: Refactor Parameter Provider Value Storage and Retrieval
Key: NIFI-13560
URL: https://issues.apache.org/jira/browse/NIFI-13560
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
The Parameter Provider interface supports extensible integration with various
services for storing and retrieving sensitive values. The current
implementation integrates with Parameter Contexts, storing fetched values in
the persistent flow configuration, with configurable sensitive status. For
sensitive values, the framework encrypts values using the configured sensitive
properties key and sensitive properties algorithm.
Although framework encryption provides a measure of protection for sensitive
values, persistent storage in the flow configuration effectively changes the
security posture for centralized management of secrets. This approach provides
some resilience in the event of communications issues with an external secrets
storage provider, but changing the security posture is a more serious concern.
To provide some protection against communication issues, the framework should
implement memory-based caching of fetched parameter values, which should remain
available for the duration of the application process.
The current user experience should remain the same, requiring user interaction
to fetch new parameter values while the system is running. However, the
framework should fetch current parameter values when starting, based on storing
a reference in the linked Parameter Context. This strategy follows a common
implementation pattern in other applications and frameworks, preserving control
over access to secrets at the system of record.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
