[
https://issues.apache.org/jira/browse/NIFI-13560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867883#comment-17867883
]
Joe Witt commented on NIFI-13560:
---------------------------------
Good stuff here David and great write-up. Thanks!
> Refactor Parameter Provider Value Storage and Retrieval
> -------------------------------------------------------
>
> Key: NIFI-13560
> URL: https://issues.apache.org/jira/browse/NIFI-13560
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The Parameter Provider interface supports extensible integration with various
> services for storing and retrieving sensitive values. The current
> implementation integrates with Parameter Contexts, storing fetched values in
> the persistent flow configuration, with configurable sensitive status. For
> sensitive values, the framework encrypts values using the configured
> sensitive properties key and sensitive properties algorithm.
> Although framework encryption provides a measure of protection for sensitive
> values, persistent storage in the flow configuration effectively changes the
> security posture for centralized management of secrets. This approach
> provides some resilience in the event of communications issues with an
> external secrets storage provider, but changing the security posture is a
> more serious concern. To provide some protection against communication
> issues, the framework should implement memory-based caching of fetched
> parameter values, which should remain available for the duration of the
> application process.
> The current user experience should remain the same, requiring user
> interaction to fetch new parameter values while the system is running.
> However, the framework should fetch current parameter values when starting,
> based on storing a reference in the linked Parameter Context. This strategy
> follows a common implementation pattern in other applications and frameworks,
> preserving control over access to secrets at the system of record.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
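The quoted description proposes persisting only a reference to the provider in the Parameter Context, fetching current values at startup and on explicit user action, and keeping fetched values in a process-lifetime memory cache instead of writing them (encrypted) into the flow configuration. The following is an added illustration of that strategy written for this page; it is not NiFi code and does not use NiFi's ParameterProvider API. The class and method names (SecretsProvider, ReferenceBackedContext, start_process) are invented, and the "vault" is a constructed in-memory stand-in for an external secrets store, so the example runs offline.

```python
"""Added illustration of the caching strategy proposed in NIFI-13560.

Example code written for this page, not NiFi's implementation: all names are
invented and the secrets provider is an in-memory stand-in with constructed data.
"""
from __future__ import annotations

import json


class ProviderUnavailable(Exception):
    """Raised when the external secrets store cannot be reached."""


class SecretsProvider:
    """Stand-in for an external secrets store (constructed sample data)."""

    def __init__(self, identifier: str, groups: dict[str, dict[str, str]]):
        self.identifier = identifier
        self._groups = groups
        self.available = True

    def rotate(self, group: str, key: str, value: str) -> None:
        """Simulate a secret being rotated at the system of record."""
        self._groups[group][key] = value

    def fetch_group(self, group: str) -> dict[str, str]:
        if not self.available:
            raise ProviderUnavailable(f"{self.identifier} unreachable")
        return dict(self._groups[group])


class ReferenceBackedContext:
    """Parameter Context that persists only a provider/group reference.

    Fetched values live in a process-lifetime, in-memory cache and never
    reach the persisted flow configuration, encrypted or otherwise.
    """

    def __init__(self, name: str, provider: SecretsProvider, group: str):
        self.name = name
        self.provider = provider
        self.group = group
        self._cache: dict[str, str] | None = None

    def persisted_form(self) -> str:
        """What is written to the flow configuration: the reference, no values."""
        return json.dumps({"name": self.name,
                           "provider": self.provider.identifier,
                           "group": self.group})

    def fetch(self) -> None:
        """Explicit fetch (startup or user action). If the provider fails, an
        existing cache is left intact, so an outage does not blank parameters."""
        self._cache = self.provider.fetch_group(self.group)  # may raise

    def get(self, key: str) -> str:
        if self._cache is None:
            raise LookupError(f"{self.name}: no values fetched in this process")
        return self._cache[key]


def start_process(persisted: str,
                  providers: dict[str, SecretsProvider]) -> ReferenceBackedContext:
    """Process start: rebuild the context from its persisted reference and fetch
    current values. The cache is not persisted, so a start without the
    provider has nothing to serve."""
    ref = json.loads(persisted)
    ctx = ReferenceBackedContext(ref["name"], providers[ref["provider"]], ref["group"])
    ctx.fetch()
    return ctx


def demo() -> dict[str, object]:
    """Walk through the scenarios the issue describes; returns observations."""
    vault = SecretsProvider("vault-1", {"db": {"db.password": "s3cr3t-A"}})
    persisted = ReferenceBackedContext("prod-db", vault, "db").persisted_form()

    running = start_process(persisted, {"vault-1": vault})
    out: dict[str, object] = {
        "secret_in_flow_config": "s3cr3t-A" in persisted,
        "value_after_start": running.get("db.password"),
    }

    # Rotation at the system of record is only picked up on an explicit fetch.
    vault.rotate("db", "db.password", "s3cr3t-B")
    out["value_before_refetch"] = running.get("db.password")
    running.fetch()
    out["value_after_refetch"] = running.get("db.password")

    # Provider outage: the running process keeps serving from memory, and a
    # failed re-fetch leaves the cache intact ...
    vault.available = False
    try:
        running.fetch()
    except ProviderUnavailable:
        pass
    out["value_during_outage"] = running.get("db.password")

    # ... but a freshly started process cannot come up without the provider.
    try:
        start_process(persisted, {"vault-1": vault})
        out["restart_during_outage"] = "started"
    except ProviderUnavailable:
        out["restart_during_outage"] = "failed"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last scenario is the trade-off the description acknowledges: with values held only in memory, a provider outage is survivable for a running process but not across a restart, which is the price of keeping the secrets store as the system of record.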