[
https://issues.apache.org/jira/browse/NIP-24?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann resolved NIP-24.
---------------------------------
Resolution: Fixed
> Deprecate Restricted Annotation for Removal
> -------------------------------------------
>
> Key: NIP-24
> URL: https://issues.apache.org/jira/browse/NIP-24
> Project: NiFi Improvement Proposal
> Issue Type: Improvement
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
>
> h2. Motivation
> Apache NiFi 1.1.0 introduced the Restricted annotation in 2016 as a strategy
> for identifying components that had the potential to perform dangerous
> actions. Such actions included reading sensitive files, altering application
> configuration, and running arbitrary code. Although the goal remains
> understandable, the enforcement of the Restricted annotation and associated
> Required Permissions has never fulfilled the implied security promises.
> Required Permissions such as execute code present clearer grants of
> authority, implying the potential to run anything as the system user running
> the NiFi process. Other permissions have more subtle dangers, such as writing
> to the file system, or accessing remote resources. The flexibility of Apache
> NiFi differentiates it from traditional web applications, often leading to
> either misapplication of more common security guidelines, or misunderstanding
> of the threat model associated with granting various Required Permissions on
> Restricted components.
> Aligning supportable authorization with a security boundary at the level of
> the NiFi application provides a more understandable and more maintainable
> path forward. Deprecating the Restricted annotation is a key part of
> providing clear security expectations.
> h2. Scope
> The scope of deprecation includes the Restricted annotation in the Apache
> NiFi API, along with the Restriction and Required Permission interfaces.
> These interfaces should be marked as deprecated for removal in a subsequent
> major release version.
> After initial deprecation and release of a new Apache NiFi API, framework
> authorization changes should be evaluated for future implementation. Changes
> include methods that return the Restricted status of annotated components,
> and authorization processing that evaluates user privileges against Required
> Permissions.
> h2. Description
> The implementation consists of adding the Deprecated annotation, with
> forRemoval enabled, to the Restricted annotation, Restriction interface, and
> RequiredPermission interface, in the Apache NiFi API.
> After adding the Deprecated annotation and releasing at least one minor
> revision of the Apache NiFi API, changing the authorization implementation
> can be considered. At least one minor revision of the Apache NiFi application
> should be released with the new Apache NiFi API to provide a bridge version.
> Following initial releases with Deprecated status, the Apache NiFi framework
> should be updated to remove authorization checking for the Restricted
> annotation, and Apache NiFi extensions should be updated to remove the
> annotation from component classes.
> Removal of the Restricted annotation and supporting interfaces should be
> scheduled as part of the next major release version.
> h2. Compatibility
> Initial deprecation in the Apache NiFi API should have no impact on
> compatibility within the same minor version. Removal of the Restricted
> annotation and supporting interfaces must be associated with a new major
> version release of the Apache NiFi API.
> h2. Verification
> Deprecated annotations and comments can be reviewed and approved following
> standard pull request handling processes.
> h2. Alternatives
> Although technical solutions could be considered, going to extreme lengths to
> evaluate and block dangerous operations is not a maintainable strategy. The
> Java Security Manager is one of the closest possible options that could have
> provided operational enforcement, but its inherent complexity led to its
> deprecation under JEP 411 for Java 17.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
