[ 
https://issues.apache.org/jira/browse/NIFI-3050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15680338#comment-15680338
 ] 

Andy LoPresto commented on NIFI-3050:
-------------------------------------

I commented on [PR 1247|https://github.com/apache/nifi/pull/1247] with my 
feedback on the proposed solution. I really like it and had some minor 
suggestions to improve user experience, including:
* increased visibility of restricted icon/textual indicators on existing 
components on canvas
* searchability of restricted processors in Add Processor dialog
* increased visibility of restricted information in component documentation 
(currently, only present at the bottom of the documentation page). I think a 
large icon or other indicator at the top of the documentation, which could link 
to the additional description or explanation of risk at the bottom, would be 
valuable
* an auto-generated canonical list of restricted processors, controller 
services, and reporting tasks should be created at build time and populated 
into the documentation (and available on the main documentation site) to be 
quickly enumerated

I did positively verify the behavior of the proposed solution and just wanted 
to bring the discussion of these enhancements back to the main conversation to 
get commentary. I noted in the PR review that I am ok merging the current work 
as it satisfies the Jira and filing these enhancements separately as a minor 
issue if necessary for time constraints on the vote. 

> Restrict dangerous processors to special permission
> ---------------------------------------------------
>
>                 Key: NIFI-3050
>                 URL: https://issues.apache.org/jira/browse/NIFI-3050
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Assignee: Matt Gilman
>            Priority: Blocker
>              Labels: security
>             Fix For: 1.1.0
>
>
> As evidenced by [NIFI-3045] and other discoveries (e.g. using an 
> {{ExecuteScript}} processor to iterate over a {{NiFiProperties}} instance 
> after the application has already decrypted the sensitive properties from the 
> {{nifi.properties}} file on disk, using a {{GetFile}} processor to retrieve 
> {{/etc/passwd}}, etc.) NiFi is a powerful tool which can allow unauthorized 
> users to perform malicious actions. While no tool as versatile as NiFi will 
> ever be completely immune to insider threat, to further restrict the 
> potential for abuse, certain processors should be designated as 
> {{restricted}}, and these processors can only be added to the canvas or 
> modified by users who, along with the proper permission to modify the canvas, 
> have a special permission to interact with these "dangerous" processors. 
> From the [Security Feature 
> Roadmap|https://cwiki.apache.org/confluence/display/NIFI/Security+Feature+Roadmap]:
> {quote}
> Dangerous Processors
> * Processors which can directly affect behavior/configuration of NiFi/other 
> services
> - {{GetFile}}
> - {{PutFile}}
> - {{ListFile}}
> - {{FetchFile}}
> - {{ExecuteScript}}
> - {{InvokeScriptedProcessor}}
> - {{ExecuteProcess}}
> - {{ExecuteStreamCommand}}
> * These processors should only be creatable/editable by users with special 
> access control policy
> * Marked by {{@Restricted}} annotation on processor class
> * All flowfiles originating/passing through these processors have special 
> attribute/protection
> * Perhaps *File processors can access a certain location by default but 
> cannot access the root filesystem without special user permission?
> {quote}
> [~mcgilman] and I should have a PR for this tomorrow. 
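As an added illustration of the design described in the quoted issue (not code from the NiFi project or from the PR): a class-level marker annotation plus a conjunctive authorization check, so that adding or editing a restricted component requires both canvas write access and a separate restricted-components permission. The permission names, the `RestrictedComponentCheck` class and the stand-in component classes are assumptions made for this example.

```java
import java.lang.annotation.*;
import java.util.*;
public class RestrictedComponentCheck {
    // Hypothetical permission names; NiFi's real policy model is not reproduced here.
    enum Permission { WRITE_CANVAS, RESTRICTED_COMPONENTS }
    static boolean isRestricted(Class<?> componentClass) {
        return componentClass.isAnnotationPresent(Restricted.class);
    }

    // Both conditions must hold: canvas write access for any component, plus the
    // restricted-components permission when the class carries @Restricted.
    static boolean canAddOrModify(Set<Permission> userPerms, Class<?> componentClass) {
        if (!userPerms.contains(Permission.WRITE_CANVAS)) {
            return false;
        }
        return !isRestricted(componentClass) || userPerms.contains(Permission.RESTRICTED_COMPONENTS);
    }

    // Enumerates restricted components with their stated risk, the kind of canonical
    // list the comment above suggests generating for the documentation.
    static List<String> restrictedComponents(List<Class<?>> candidates) {
        List<String> out = new ArrayList<>();
        for (Class<?> c : candidates) {
            if (isRestricted(c)) {
                out.add(c.getSimpleName() + ": " + c.getAnnotation(Restricted.class).value());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Set<Permission> flowEditor = EnumSet.of(Permission.WRITE_CANVAS);
        Set<Permission> privileged = EnumSet.of(Permission.WRITE_CANVAS, Permission.RESTRICTED_COMPONENTS);
        System.out.println("editor adds LogAttribute: " + canAddOrModify(flowEditor, LogAttribute.class));
        System.out.println("editor adds GetFile:      " + canAddOrModify(flowEditor, GetFile.class));
        System.out.println("privileged adds GetFile:  " + canAddOrModify(privileged, GetFile.class));
        System.out.println("restricted list: " + restrictedComponents(List.<Class<?>>of(GetFile.class, LogAttribute.class)));
    }
}
// Marker annotation in the spirit of the roadmap's @Restricted; the value describes the risk.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface Restricted {
    String value();
}
// Stand-in component classes constructed for this example, not NiFi's own processors.
@Restricted("reads arbitrary files from the NiFi host filesystem")
class GetFile {}
class LogAttribute {}
```

Run with `java RestrictedComponentCheck.java` (Java 11 or later); the flow editor is denied only for the annotated component, and the generated list carries the risk text so it can be surfaced at the top of the component documentation.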



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)