joewitt commented on PR #8978: URL: https://github.com/apache/nifi/pull/8978#issuecomment-2177243428
Full clean build with contrib check looks good. Full run of all integration tests looks good. Scanning through the code changes looks good.

This makes me think of our sensitive properties key construct in general. We should formalize that the purpose of that is simply to help protect accidental distribution of sensitive values outside the bounds of a given nifi cluster. The better answer and one we didn't have then that we do now is the usage of real vault stored parameters which thanks to parameter contexts can now be handled correctly. It seems worthwhile to formalize and push to that answer and reduce usage of otherwise locally protected sensitive values.

I suppose we cache locally such vault values today. We should not. They should be retrieved on-demand/in memory only and we keep the protection of them as a function of the vault and the application's permission to access them. Nothing to do with our sensitive key.

This also feels like it helps us make big progress https://issues.apache.org/jira/browse/NIFI-13080 on this one at some point.

Anyway, long way of saying this is really wonderful to get this cleaned up. A good step on continuing to make nifi more secure, more maintainable, and allows us to amplify and mature features like vault based parameter providers that we did not have when we made decisions that led to this stuff.

Thanks! I'm +1 but let's see if other input arrives.
