[ https://issues.apache.org/jira/browse/NIFI-3050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15672647#comment-15672647 ]

Joseph Witt commented on NIFI-3050:
-----------------------------------


Let's define what it means for a component to be considered "Restricted".  
Proposed definition:

A Restricted component is one that can be utilized to execute custom code 
provided by the operator through the NiFi REST API or one which can be used to 
obtain or alter data on the system NiFi is executing on using the credentials 
NiFi is executing as.  These components could be used by an otherwise 
authorized user of the system which could go beyond the intended use of these 
components and could expose data about the internals of the NiFi process or the 
system NiFi is operating on, which should be considered privileged tasks that 
need to be specially limited.

...maybe not a great definition.  But with that viewpoint in mind:

I don't think SSLContextService meets that criteria.

I do think SiteToSiteProvenanceReportingTask does though, as it would allow the 
user access to raw provenance data outside the normal REST API controlled 
authorization model.

For each component we tag as restricted we should document as part of the 
annotation the 'why' of it being restricted so that we can provide that 
information through documentation and the UI.

For example GetFile should be @Restricted("It can be used to obtain the 
contents of any file accessible to the NiFi process on the system.")



> Restrict dangerous processors to special permission
> ---------------------------------------------------
>
>                 Key: NIFI-3050
>                 URL: https://issues.apache.org/jira/browse/NIFI-3050
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Blocker
>              Labels: security
>             Fix For: 1.1.0
>
>
> As evidenced by [NIFI-3045] and other discoveries (e.g. using an 
> {{ExecuteScript}} processor to iterate over a {{NiFiProperties}} instance 
> after the application has already decrypted the sensitive properties from the 
> {{nifi.properties}} file on disk, using a {{GetFile}} processor to retrieve 
> {{/etc/passwd}}, etc.) NiFi is a powerful tool which can allow unauthorized 
> users to perform malicious actions. While no tool as versatile as NiFi will 
> ever be completely immune to insider threat, to further restrict the 
> potential for abuse, certain processors should be designated as 
> {{restricted}}, and these processors can only be added to the canvas or 
> modified by users who, along with the proper permission to modify the canvas, 
> have a special permission to interact with these "dangerous" processors. 
> From the [Security Feature 
> Roadmap|https://cwiki.apache.org/confluence/display/NIFI/Security+Feature+Roadmap]:
> {quote}
> Dangerous Processors
> * Processors which can directly affect behavior/configuration of NiFi/other 
> services
> - {{GetFile}}
> - {{PutFile}}
> - {{ListFile}}
> - {{FetchFile}}
> - {{ExecuteScript}}
> - {{InvokeScriptedProcessor}}
> - {{ExecuteProcess}}
> - {{ExecuteStreamCommand}}
> * These processors should only be creatable/editable by users with special 
> access control policy
> * Marked by {{@Restricted}} annotation on processor class
> * All flowfiles originating/passing through these processors have special 
> attribute/protection
> * Perhaps *File processors can access a certain location by default but 
> cannot access the root filesystem without special user permission?
> {quote}
> [~mcgilman] and I should have a PR for this tomorrow. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
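One way the gate described in the comment and the issue could be realised, as an added illustration in Java rather than NiFi's own code: the annotation, the policy names, the user model and the processor classes below are hypothetical stand-ins, and the check reflects on the component class so the documented 'why' can be surfaced with the denial.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

// Illustrative annotation, not NiFi's own: the value carries the 'why' so
// documentation and the UI can show it alongside the denial.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface Restricted {
    String value();
}
// Hypothetical stand-ins for processor classes, not real NiFi processors.
@Restricted("It can be used to obtain the contents of any file accessible to the NiFi process on the system.")
class GetFileLike {}
class SplitTextLike {}
// Hypothetical user model: just a name and the set of policies granted.
class User {
    final String name;
    final Set<String> policies;
    User(String name, Set<String> policies) { this.name = name; this.policies = policies; }
}
public class RestrictedComponentGate {
    static final String MODIFY_CANVAS = "modify-canvas";                 // hypothetical policy name
    static final String RESTRICTED_COMPONENTS = "restricted-components"; // hypothetical policy name

    /** Returns null when the user may add the component, otherwise the reason for denial. */
    static String checkAddComponent(User user, Class<?> componentClass) {
        if (!user.policies.contains(MODIFY_CANVAS)) {
            return user.name + " lacks the " + MODIFY_CANVAS + " policy";
        }
        // Reflect on the class: a restricted component additionally needs the special policy.
        Restricted r = componentClass.getAnnotation(Restricted.class);
        if (r != null && !user.policies.contains(RESTRICTED_COMPONENTS)) {
            return componentClass.getSimpleName() + " is restricted: " + r.value();
        }
        return null;
    }

    public static void main(String[] args) {
        User editor = new User("editor", Set.of(MODIFY_CANVAS));
        User admin = new User("admin", Set.of(MODIFY_CANVAS, RESTRICTED_COMPONENTS));
        System.out.println(checkAddComponent(editor, SplitTextLike.class)); // editor, unrestricted processor
        System.out.println(checkAddComponent(editor, GetFileLike.class));   // editor, restricted processor
        System.out.println(checkAddComponent(admin, GetFileLike.class));    // admin holding the special policy
    }
}
```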
