[ https://issues.apache.org/jira/browse/NIFI-8889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-8889.
------------------------------------
Fix Version/s: 1.15.0
Assignee: David Handermann
Resolution: Fixed
> Suppress user details service password in application log
> ---------------------------------------------------------
>
> Key: NIFI-8889
> URL: https://issues.apache.org/jira/browse/NIFI-8889
> Project: Apache NiFi
> Issue Type: Improvement
> Components: NiFi Registry
> Reporter: Andy LoPresto
> Assignee: David Handermann
> Priority: Major
> Labels: logging, password, security
> Fix For: 1.15.0
>
>
> During application startup, the NiFi Registry prints a generated password to
> the {{$NIFI_REG_HOME/logs/nifi-registry-app.log}} file. This is (I believe)
> done by the
> {{org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration}}
> class (relevant decompiled source code below). I'm not sure what this
> password is used for, but we should change the logging severity settings for
> this class to suppress that message by default, and investigate why this is
> occurring in the first place.
> Example log output:
> {code}
> 2018-07-02 18:22:53,334 INFO [main]
> o.s.b.a.s.s.UserDetailsServiceAutoConfiguration
> Using generated security password: 0eacc3b6-a307-4592-a76e-2e056f327542
> {code}
> Decompiled source code:
> {code}
> private String getOrDeducePassword(User user, PasswordEncoder encoder) {
>     String password = user.getPassword();
>     if (user.isPasswordGenerated()) {
>         logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
>     }
>     return encoder == null && !PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()
>             ? "{noop}" + password
>             : password;
> }
> {code}
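An added example, not part of the issue or of NiFi Registry's code: a Python check that finds this message in an application log and redacts the value. Because the format string above begins with %n%n, the password lands on a continuation line rather than on the timestamped record line, so the scan tracks the enclosing record. The timestamp layout is assumed from the sample output; the scan function, the sample log text and its example.Startup logger are constructed for illustration.

```python
import re

# Logger name as abbreviated in the issue's sample output, plus the full class name.
LOGGER_NAMES = (
    "o.s.b.a.s.s.UserDetailsServiceAutoConfiguration",
    "org.springframework.boot.autoconfigure.security.servlet."
    "UserDetailsServiceAutoConfiguration",
)
# Message text taken from the format string in getOrDeducePassword().
MESSAGE = re.compile(r"(Using generated security password:\s*)(\S+)")
# Assumed record prefix "yyyy-MM-dd HH:mm:ss,SSS LEVEL", as in the sample output.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+)")
REDACTED = "[REDACTED]"

# Constructed sample: the password value and the neighbouring records are made up.
SAMPLE = """\
2018-07-02 18:22:52,101 INFO [main] example.Startup Launching
2018-07-02 18:22:53,334 INFO [main] o.s.b.a.s.s.UserDetailsServiceAutoConfiguration

Using generated security password: 00000000-0000-0000-0000-000000000000

2018-07-02 18:22:54,010 INFO [main] example.Startup Started
"""


def scan(log_text):
    """Return (findings, redacted_text) for one log file's contents."""
    findings, out = [], []
    record_line, level, from_logger = None, None, False
    for number, line in enumerate(log_text.splitlines(), start=1):
        start = RECORD_START.match(line)
        if start:
            # A new timestamped record begins; reset per-record state.
            record_line, level, from_logger = number, start.group(1), False
        if any(name in line for name in LOGGER_NAMES):
            from_logger = True
        if MESSAGE.search(line):
            findings.append({"line": number, "record_line": record_line,
                             "level": level, "from_logger": from_logger})
            # Keep the message prefix, drop the secret itself.
            line = MESSAGE.sub(lambda m: m.group(1) + REDACTED, line)
        out.append(line)
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE)
    print(hits)
    print(cleaned)
```

A finding in a log from a release with the fix applied means the logger's severity setting is not suppressing the message; the generated value in any existing log should be treated as disclosed to everyone with read access to that file.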