i agree nothing is stored in the registry for sensitive params. i was talking about in nifi. this is consistent with behavior we had before param contexts existed.
On Thu, Jan 30, 2020 at 5:29 PM Mark Bean <[email protected]> wrote: > Joe, > > You said "... and then all params, _sensitive or otherwise_ set". This is > not what I observed. > > I version controlled a Process Group configured with a Parameter Context > containing one non-sensitive parameter value and one sensitive property > value. Then, I instantiated that version controlled Process Group on a > separate NiFi instance. Only the non-sensitive parameter value was > included. The sensitive parameter value says "No value set". > > Further, when I look at what is stored in the Registry, I can confirm the > value for the sensitive parameter is not present. I looked down in the > flow_storage directory at the 2.snapshot file corresponding to the flow in > question. It has: > > "parameterContexts" : { > "sample PC" : { > "name" : "sample PC", > "parameters" : [ { > "description" : "", > "name" : "regularParam", > "sensitive" : false, > "value" : "test1" > }, { > "description" : "", > "name" : "sensitiveParam", > "sensitive" : true > } ] > } > > Note that there is no "value" for "sensitiveParam"; there is only a "value" > for the non-sensitive parameter. > > Both NiFi instances are version 1.10. NiFi registry is version 0.5.0. > > -Mark > > > On Thu, Jan 30, 2020 at 4:51 PM Joe Witt <[email protected]> wrote: > > > The initial import of a versioned flow and associated parameter context > > requires setting of sensitive values. This does however provide for > rather > > simple configuration of a programmatically pushed flow to an instance and > > then all params, sensitive or otherwise set, and the flow run. As well > as > > easy subsequent updates. > > > > > > There is no work in the apache nifi community I am aware of to provide > a > > central secrets storage solution. > > > > Thanks > > > > On Thu, Jan 30, 2020 at 4:34 PM Mark Bean <[email protected]> wrote: > > > > > When storing a version controlled process group in the NiFi Registry, > the > > > relevant Parameter Context will get stored as well. Similarly, when a > > > different NiFi instance instantiates that process group from the > > Registry, > > > the instance creates the Parameter Context so it can be used by the > > > process group. > > > > > > However, if there are parameters in the context with values marked as > > > sensitive, then those values are 1) not stored in NiFi Registry and > > > therefore 2) no value is available on any instance pulling the process > > > group from the Registry. > > > > > > Is there work being done to bridge this gap? Are there any > > recommendations > > > on how to supply the sensitive values? > > > > > > Thanks, > > > Mark > > > > > >
