[ https://issues.apache.org/jira/browse/NIFI-3162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855104#comment-15855104 ]

ASF GitHub Bot commented on NIFI-3162:
--------------------------------------

GitHub user ijokarumawak opened a pull request:

    https://github.com/apache/nifi/pull/1476

    NIFI-3162: Audit RPG and RPG port config changes

    - Added configure audits for Transport Protocol, HTTP Proxy Server Host,
      Port, User and Password in RemoteProcessGroup configuration
    - Added configure audits for enabling/disabling individual remote port
    - Added configure audits for Concurrent Tasks and Compressed in Remote
      Port configuration
    
    Thank you for submitting a contribution to Apache NiFi.
    
    In order to streamline the review of the contribution we ask you
    to ensure the following steps have been taken:
    
    ### For all changes:
    - [x] Is there a JIRA ticket associated with this PR? Is it referenced
          in the commit message?
    
    - [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number
          you are trying to resolve? Pay particular attention to the hyphen "-" character.
    
    - [x] Has your PR been rebased against the latest commit within the target
          branch (typically master)?
    
    - [x] Is your initial contribution a single, squashed commit?
    
    ### For code changes:
    - [x] Have you ensured that the full suite of tests is executed via
          mvn -Pcontrib-check clean install at the root nifi folder?
    - [x] Have you written or updated unit tests to verify your changes?
    - [ ] If adding new dependencies to the code, are these dependencies
          licensed in a way that is compatible for inclusion under
          [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
    - [ ] If applicable, have you updated the LICENSE file, including the main
          LICENSE file under nifi-assembly?
    - [ ] If applicable, have you updated the NOTICE file, including the main
          NOTICE file found under nifi-assembly?
    - [ ] If adding new Properties, have you added .displayName in addition to
          .name (programmatic access) for each of the new properties?
    
    ### For documentation related changes:
    - [ ] Have you ensured that format looks appropriate for the output in
          which it is rendered?
    
    ### Note:
    Please ensure that once the PR is submitted, you check travis-ci for build
    issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ijokarumawak/nifi nifi-3162

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1476.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1476
    
----
commit 5ec7c64706c5891e56d92ea5dac9b9120bfc426b
Author: Koji Kawamura <ijokaruma...@apache.org>
Date:   2017-02-07T01:11:30Z

    NIFI-3162: Audit RPG and RPG port config changes
    
    - Added configure audits for Transport Protocol, HTTP Proxy Server Host,
      Port, User and Password in RemoteProcessGroup configuration
    - Added configure audits for enabling/disabling individual remote port
    - Added configure audits for Concurrent Tasks and Compressed in Remote
      Port configuration

----


> RPG proxy and Remote Group Port configuration changes should be audited
> -----------------------------------------------------------------------
>
>                 Key: NIFI-3162
>                 URL: https://issues.apache.org/jira/browse/NIFI-3162
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Koji Kawamura
>            Assignee: Koji Kawamura
>
> Since NiFi 1.0.0, several configurations have been added to 
> RemoteProcessGroup such as Transport Protocol and Proxy settings.
> Currently, configuration updates against these new settings are not audited.
> In addition to these RemoteProcessGroup settings, RemoteProcessGroupPort  
> will have new configurations by NIFI-1202.
> This JIRA ticket tracks the work of adding audit events for these new 
> settings.
> h3. Investigate current behavior
> In order to fix properly, I've tested to know what works and what doesn't. 
> Here is the result of current behavior (measured with 1.2.0-SNAPSHOT, but it 
> should be the same for versions after 1.0).
> || Operation performed || Created Audit Type || Audited Operation || Need fix? ||
> | Create RPG | RPG | Add | No |
> | Enable transmission | RPG | Start | No |
> | Disable transmission | RPG | Stop | No |
> | Delete RPG | RPG? | Remove? | Different issue |
> | Edit RPG config | RPG | Configure | Yes fix-1 |
> | Enable/Disable individual remote port | (none) | (none) | Yes fix-2 |
> | Edit individual remote port config | (none) | (none) | Yes fix-3 |
> h3. Fix-1: Edit RPG config
> Currently, this is partially audited for 'Communications Timeout' and 'Yield 
> Duration'.
> We need to track edit for these as well: Transport Protocol, HTTP Proxy 
> Server Hostname, Port, User, Password
> h3. Fix-2: Enable/Disable individual remote port
> From 'Remote ports' context menu of a RPG, each remote port can be 
> enabled/disabled individually. Currently this operation is not audited.
> There're two ways to fix this, one is using the existing REMOTE_PROCESS_GROUP 
> table in the nifi-flow-audit h2 database. Use 'Configure' Operation type with 
> 'Name=<input/output port name>.transmission' and 'Value=enabled/disabled'.
> Another way is to create a REMOTE_PROCESS_GROUP_PORT table, but this requires 
> some additional migration code to create the table.
> I think the former approach is reasonable.
> h3. Fix-3: Edit individual remote port config
> Currently, a user can configure 'Concurrent Tasks' and 'Compressed', but no 
> audit event is created for these operations. Same as Fix-2, we might be able 
> to use existing REMOTE_PROCESS_GROUP table, using 'Configure' Operation type 
> with 'Name=<input/output port name>.<property name>' dot notation and 
> 'Value=<property value>'.
> h3. NiFi history shows audit record as 'Not authorized' if the component has been removed
> Once the target component (i.e. RemoteProcessGroup) is removed from a flow, 
> its audit records are shown as 'Not authorized'. This can be problematic since 
> the user won't be able to know who deleted the component.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
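
The 'Configure' record naming proposed in Fix-1 through Fix-3 above, as an added Java sketch that is not part of the pull request or NiFi's code base. The class, method and setting-key names are hypothetical, the sample values are constructed, and masking the proxy password before it is recorded is an assumption of this sketch rather than something the ticket states.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added sketch, not NiFi code: every class, method and key name here is hypothetical.
public class RpgAuditSketch {
    // One 'Configure' entry destined for the REMOTE_PROCESS_GROUP audit table.
    record ConfigureAudit(String name, String previousValue, String value) {}

    // Assumption of this sketch: secrets are masked so the audit trail never stores them.
    static final Set<String> SENSITIVE = Set.of("HTTP Proxy Server Password");

    static String shown(String key, String v) {
        return v != null && SENSITIVE.contains(key) ? "********" : v;
    }

    // portName == null: RPG-level setting (Fix-1), Name is the setting itself.
    // Otherwise Name is '<port name>.<setting>' as proposed in Fix-2 and Fix-3.
    static List<ConfigureAudit> diff(String portName, Map<String, String> before,
                                     Map<String, String> after) {
        String prefix = portName == null ? "" : portName + ".";
        List<ConfigureAudit> audits = new ArrayList<>();
        for (Map.Entry<String, String> e : after.entrySet()) {
            String key = e.getKey();
            String old = before.get(key);
            if (!Objects.equals(old, e.getValue())) { // unchanged settings emit nothing
                audits.add(new ConfigureAudit(prefix + key, shown(key, old), shown(key, e.getValue())));
            }
        }
        return audits;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Map<String, String> rpgOld = Map.of("Transport Protocol", "RAW", "HTTP Proxy Server Password", "old-secret");
        Map<String, String> rpgNew = Map.of("Transport Protocol", "HTTP", "HTTP Proxy Server Password", "new-secret");
        Map<String, String> portOld = new LinkedHashMap<>();
        portOld.put("transmission", "disabled");
        portOld.put("Concurrent Tasks", "1");
        portOld.put("Compressed", "false");
        Map<String, String> portNew = new LinkedHashMap<>(portOld);
        portNew.put("transmission", "enabled");
        portNew.put("Concurrent Tasks", "4");

        List<ConfigureAudit> all = new ArrayList<>(diff(null, rpgOld, rpgNew));
        all.addAll(diff("input-1", portOld, portNew));
        all.forEach(a -> System.out.println("Configure " + a.name() + ": " + a.previousValue() + " -> " + a.value()));
    }
}
```

The unchanged 'Compressed' setting produces no entry, and the password change is still recorded as a change although both values are masked.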
