David Handermann created NIP-24:
-----------------------------------
Summary: Deprecate Restricted Annotation for Removal
Key: NIP-24
URL: https://issues.apache.org/jira/browse/NIP-24
Project: NiFi Improvement Proposal
Issue Type: Improvement
Reporter: David Handermann
Assignee: David Handermann
h2. Motivation
Apache NiFi 1.1.0 introduced the Restricted annotation in 2016 as a strategy
for identifying components that had the potential to perform dangerous actions.
Such actions included reading sensitive files, altering application
configuration, and running arbitrary code. Although the goal remains
understandable, the enforcement of the Restricted annotation and associated
Required Permissions has never fulfilled the implied security promises.
Required Permissions such as execute code present clearer grants of authority,
implying the potential to run anything as the system user running the NiFi
process. Other permissions have more subtle dangers, such as writing to the
file system, or accessing remote resources. The flexibility of Apache NiFi
differentiates it from traditional web applications, often leading to either
misapplication of more common security guidelines, or misunderstanding of the
threat model associated with granting various Required Permissions on
Restricted components.
Aligning supportable authorization with a security boundary at the level of the
NiFi application provides a more understandable and more maintainable path
forward. Deprecating the Restricted annotation is a key part of providing clear
security expectations.
h2. Scope
The scope of deprecation includes the Restricted annotation in the Apache NiFi
API, along with the Restriction and RequiredPermission interfaces. These
interfaces should be marked as deprecated for removal in a subsequent major
release version.
After initial deprecation and release of a new Apache NiFi API, framework
authorization changes should be evaluated for future implementation. Changes
include methods that return the Restricted status of annotated components, and
authorization processing that evaluates user privileges against Required
Permissions.
h2. Description
The implementation consists of adding the Deprecated annotation, with
forRemoval enabled, to the Restricted annotation, Restriction interface, and
RequiredPermission interface, in the Apache NiFi API.
After adding the Deprecated annotation and releasing at least one minor
revision of the Apache NiFi API, changing the authorization implementation can
be considered. At least one minor revision of the Apache NiFi application
should be released with the new Apache NiFi API to provide a bridge version.
Following initial releases with Deprecated status, the Apache NiFi framework
should be updated to remove authorization checking for the Restricted
annotation, and Apache NiFi extensions should be updated to remove the
annotation from component classes.
Removal of the Restricted annotation and supporting interfaces should be
scheduled as part of the next major release version.
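As an added illustration of the description above, not code from the Apache NiFi project, the sketch below shows what marking the three API types as deprecated for removal looks like in source, and how a component author sees the effect during the bridge releases. The package name, member shapes and the sample component are assumptions simplified for this sketch; the proposal refers to RequiredPermission as an interface, and it is modelled here as a small enum for brevity.

```java
// Added illustration, not code from the Apache NiFi project: the
// "Deprecated annotation with forRemoval enabled" applied to the three API
// types named in NIP-24, plus a hypothetical component that still uses them.
// Package name, member shapes and the component are simplified assumptions.

// --- api/Restricted.java ---
package example.nifi.api;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a component as able to perform dangerous actions.
 *
 * @deprecated Deprecated for removal under NIP-24: the framework will stop
 *             evaluating this annotation and it will be removed in a
 *             subsequent major release. The Javadoc tag records the reason;
 *             the {@code @Deprecated} annotation below is what javac acts on.
 */
@Deprecated(forRemoval = true)
@Documented
@Inherited
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface Restricted {
    /** Free-form explanation, still honoured during the bridge releases. */
    String value() default "";

    /** Individual restrictions with the permission each one requires. */
    Restriction[] restrictions() default {};
}

// --- api/Restriction.java ---
package example.nifi.api;

import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

/** @deprecated Deprecated for removal together with {@link Restricted} (NIP-24). */
@Deprecated(forRemoval = true)
@Documented
@Retention(RetentionPolicy.RUNTIME)
public @interface Restriction {
    RequiredPermission requiredPermission();
    String explanation();
}

// --- api/RequiredPermission.java ---
package example.nifi.api;

/** @deprecated Deprecated for removal together with {@link Restricted} (NIP-24). */
@Deprecated(forRemoval = true)
public enum RequiredPermission {
    EXECUTE_CODE("execute code"),
    READ_FILESYSTEM("read filesystem"),
    WRITE_FILESYSTEM("write filesystem");

    private final String label;

    RequiredPermission(String label) {
        this.label = label;
    }

    public String getLabel() {
        return label;
    }
}

// --- extension/ExampleScriptProcessor.java (hypothetical component) ---
package example.nifi.extension;

import example.nifi.api.RequiredPermission;
import example.nifi.api.Restricted;
import example.nifi.api.Restriction;

// During the bridge releases this still compiles, but javac now reports, by
// default, for each of the three deprecated types referenced here:
//   warning: [removal] Restricted in example.nifi.api has been deprecated and marked for removal
// An extension that wants a clean build before the types disappear either
// deletes the annotation (the end state the proposal describes) or, as a
// temporary measure, adds @SuppressWarnings("removal") to the class.
@Restricted(
    value = "Runs user-supplied scripts as the NiFi process user",
    restrictions = @Restriction(
        requiredPermission = RequiredPermission.EXECUTE_CODE,
        explanation = "Runs arbitrary code as the NiFi process user"))
public class ExampleScriptProcessor {
}
```

Two points a reviewer of the deprecation pull request would check: `forRemoval = true` warnings are emitted by javac by default (they fall under `-Xlint:removal`, unlike plain deprecation warnings, which need `-Xlint:deprecation`), so every extension build picks them up without configuration changes; and the annotation keeps its `RUNTIME` retention, so reflection such as `isAnnotationPresent(Restricted.class)` is unaffected and the framework's authorization checks keep working until the separate framework change the proposal schedules for a later release.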
h2. Compatibility
Initial deprecation in the Apache NiFi API should have no impact on
compatibility within the same minor version. Removal of the Restricted
annotation and supporting interfaces must be associated with a new major
version release of the Apache NiFi API.
h2. Verification
Deprecated annotations and comments can be reviewed and approved following
standard pull request handling processes.
h2. Alternatives
Although technical solutions could be considered, going to extreme lengths to
evaluate and block dangerous operations is not a maintainable strategy. The
Java Security Manager is one of the closest possible options that could have
provided operational enforcement, but its inherent complexity led to its
deprecation under JEP 411 for Java 17.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)