We have developed integrations with HashiCorp Consul and Vault, partly to deal
with this same use-case. I'm happy to open source these if there is an
interest.
On Fri, 28 Aug 2020, at 17:25, oliver twix wrote:
> It would be great, I think.
>
> On Fri, 28 Aug 2020 at 17:20, Bryan Bende wrote:
It would be great, I think.
On Fri, 28 Aug 2020 at 17:20, Bryan Bende wrote:
> The reason for requiring the FS permissions on the HDFS processors is
> because you can provide a core-site.xml with file:/// as the default FS and
> then use ListHDFS/FetchHDFS/PutHDFS to essentially do the same thi
The reason for requiring the FS permissions on the HDFS processors is
because you can provide a core-site.xml with file:/// as the default FS and
then use ListHDFS/FetchHDFS/PutHDFS to essentially do the same thing as
ListFile/FetchFile/PutFile.
A possible consideration would be to remove the requ
Hello, thank you for your quick answers and sorry for my late reply.
In the context of preparing a platform security audit, I am trying to
identify possible threats to our NiFi clusters.
@Mark, I didn't know about NIFI_ALLOW_EXPLICIT_KEYTAB parameter. Good to
know; it will limit a semi-friendly u
In short, this case has been really deeply considered and it is a very
common usage pattern. We offer a set of policies/controls that let it be
well restricted and locked down. But if a user is given too many accesses
then yes they can be malicious.
Thanks
On Thu, Jul 30, 2020 at 9:13 AM Andy
If your concern is the malicious insider using FetchHDFS to read the keytab as
data from the filesystem, the *HDFS processors are marked as Restricted and
require an additional explicit permission to be granted for users to configure
them. At a file system interaction level, the NiFi Java proces
Olivier,
As Joe mentioned, it may help to further explain the exact scenario that you
are concerned about.
But what I *think* you are concerned about is the following scenario:
- You have several different users developing flows in NiFi.
- You want the ability to give User A (and only User A) ac
Hello
Can you more fully explain the scenario you have in mind and what an
intentionally malicious user might do?
Thanks
On Thu, Jul 30, 2020 at 6:54 AM oliver twix
wrote:
> Hello,
> Getting deeper on using nifi in multitenant use cases, I am facing a
> security question: our nifi users must b
Hello,
Getting deeper on using nifi in multitenant use cases, I am facing a
security question: our nifi users must be able to interact with hdfs not
sharing their credentials (keytabs).
From what I understood, keytabCredentialsService enables a way to give
policy-based control over keytab access.