Andy LoPresto created NIFI-3050:
-----------------------------------

             Summary: Restrict dangerous processors to special permission
                 Key: NIFI-3050
                 URL: https://issues.apache.org/jira/browse/NIFI-3050
             Project: Apache NiFi
          Issue Type: New Feature
          Components: Core Framework
    Affects Versions: 1.0.0
            Reporter: Andy LoPresto
            Assignee: Andy LoPresto
            Priority: Blocker
             Fix For: 1.1.0


As evidenced by [NIFI-3045] and other discoveries (e.g. using an 
{{ExecuteScript}} processor to iterate over a {{NiFiProperties}} instance after 
the application has already decrypted the sensitive properties from the 
{{nifi.properties}} file on disk, using a {{GetFile}} processor to retrieve 
{{/etc/passwd}}, etc.), NiFi is a powerful tool which can allow unauthorized 
users to perform malicious actions. While no tool as versatile as NiFi will 
ever be completely immune to insider threat, to further restrict the potential 
for abuse, certain processors should be designated as {{restricted}}, and these 
processors can only be added to the canvas or modified by users who, along with 
the proper permission to modify the canvas, have a special permission to 
interact with these "dangerous" processors.

From the [Security Feature Roadmap|https://cwiki.apache.org/confluence/display/NIFI/Security+Feature+Roadmap]:

{quote}
Dangerous Processors
* Processors which can directly affect behavior/configuration of NiFi/other services
- {{GetFile}}
- {{PutFile}}
- {{ListFile}}
- {{FetchFile}}
- {{ExecuteScript}}
- {{InvokeScriptedProcessor}}
- {{ExecuteProcess}}
- {{ExecuteStreamCommand}}
* These processors should only be creatable/editable by users with special access control policy
* Marked by {{@Restricted}} annotation on processor class
* All flowfiles originating/passing through these processors have special attribute/protection
* Perhaps *File processors can access a certain location by default but cannot access the root filesystem without special user permission?
{quote}

[~mcgilman] and I should have a PR for this tomorrow. 
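The access check sketched above, as an added illustration (not NiFi's own code): a class marker stands in for the {{@Restricted}} annotation, and adding or editing a restricted processor type requires both the ordinary canvas-write policy and a separate restricted-components policy. The policy resource names ({{/restricted-components}}, {{/process-groups/root}}) and the unrestricted {{UpdateAttribute}} type are assumptions for the example.

```python
from dataclasses import dataclass, field

RESTRICTED_RESOURCE = "/restricted-components"   # assumed policy resource name


def restricted(explanation):
    """Class decorator mirroring the @Restricted annotation on a processor class."""
    def mark(cls):
        cls.restricted_explanation = explanation
        return cls
    return mark


class Processor:
    restricted_explanation = None   # None means the type is unrestricted


@restricted("can read any file the NiFi process can read, e.g. /etc/passwd")
class GetFile(Processor):
    pass


@restricted("runs arbitrary code inside the NiFi JVM")
class ExecuteScript(Processor):
    pass


class UpdateAttribute(Processor):   # assumed ordinary, unrestricted type
    pass


@dataclass
class User:
    name: str
    write_policies: set = field(default_factory=set)   # resources with WRITE


def deny_reason(user, processor_cls, process_group_resource):
    """Return None if `user` may add/modify an instance of `processor_cls`
    in the given process group, otherwise the reason for denial."""
    # First gate: the normal permission to modify this part of the canvas.
    if process_group_resource not in user.write_policies:
        return "no write access to " + process_group_resource
    # Second gate, only for restricted types: the special policy must also be held.
    explanation = processor_cls.restricted_explanation
    if explanation is not None and RESTRICTED_RESOURCE not in user.write_policies:
        return "%s is restricted (%s); requires write on %s" % (
            processor_cls.__name__, explanation, RESTRICTED_RESOURCE)
    return None
```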



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
