Michael,

For the authorization use case, I recommend against using the
reporting task and instead using the built-in endpoint for metrics
(see https://issues.apache.org/jira/browse/NIFI-7273 for more
details). The NiFi REST API (to include that endpoint) is subject to
the authentication and authorization policies configured for the NiFi
instance.

Regards,
Matt

On Tue, Nov 22, 2022 at 9:51 AM Garland, Michael R
<michael.r.garl...@lmco.com> wrote:
>
> Hi,
>
>
>
> I’ve noticed that whilst the PrometheusReportingTask can be configured for 
> client authentication, there is no means to authorise connections to the 
> /metrics endpoint.  Given the /metrics endpoint can expose processor group 
> and processor names, which could be sensitive in nature, should exposing 
> endpoints like this also be authorised, for example by using the global 
> access policies functionality?
>
>
>
> This strikes me as being something that is maybe niche, but nevertheless 
> without authorisation, could undermine the security aspects of NiFi by 
> providing access to information to say an insider threat (valid client 
> certificate, but not authorised).
>
>
>
> Would be interested to know others’ thoughts on this?
>
>
>
> Michael
