[ https://issues.apache.org/jira/browse/NIFI-3162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Koji Kawamura updated NIFI-3162:
--------------------------------
    Description: 
Since NiFi 1.0.0, several configurations have been added to RemoteProcessGroup 
such as Transport Protocol and Proxy settings.

Currently, configuration updates against these new settings are not audited.

In addition to these RemoteProcessGroup settings, RemoteProcessGroupPort will 
have new configurations by NIFI-1202.

This JIRA ticket tracks the work of adding audit events for these new settings.

h3. Investigate current behavior

In order to fix properly, I've tested to know what works and what doesn't. Here 
is the result of current behavior (measured with 1.2.0-SNAPSHOT, but it should 
be the same for versions after 1.0).

|| Operation performed || Created Audit Type || Audited Operation || Need fix? ||
| Create RPG | RPG | Add | No |
| Enable transmission | RPG | Start | No |
| Disable transmission | RPG | Stop | No |
| Delete RPG | RPG? | Remove? | Different issue |
| Edit RPG config | RPG | Configure | Yes fix-1 |
| Enable/Disable individual remote port | (none) | (none) | Yes fix-2 |
| Edit individual remote port config | (none) | (none) | Yes fix-3 |

h3. Fix-1: Edit RPG config

Currently, this is partially audited for 'Communications Timeout' and 'Yield 
Duration'.
We need to track edit for these as well: Transport Protocol, HTTP Proxy Server 
Hostname, Port, User, Password

h3. Fix-2: Enable/Disable individual remote port

From 'Remote ports' context menu of an RPG, each remote port can be 
enabled/disabled individually. Currently this operation is not audited.

There're two ways to fix this, one is using the existing REMOTE_PROCESS_GROUP 
table in the nifi-flow-audit h2 database. Use 'Configure' Operation type with 
'Name=<input/output port name>.transmission' and 'Value=enabled/disabled'.
Another way is to create a REMOTE_PROCESS_GROUP_PORT table, but this requires 
some additional migration code to create the table.
I think the former approach is reasonable.

h3. Fix-3: Edit individual remote port config

Currently, user can configure 'Concurrent Tasks' and 'Compressed', but no audit 
event is created for these operations. Same as Fix-2, we might be able to use 
existing REMOTE_PROCESS_GROUP table, using 'Configure' Operation type with 
'Name=<input/output port name>.<property name>' dot notation and 
'Value=<property value>'.

h3. NiFi history shows audit record as 'Not authorized' if the component has been removed

Once the target component (i.e. RemoteProcessGroup) is removed from a flow, its 
audit records are shown as 'Not authorized'. This can be problematic since the user 
won't be able to know who deleted the component. Created NIFI-3445 for tracking 
this issue separately.

  was:
Since NiFi 1.0.0, several configurations have been added to RemoteProcessGroup 
such as Transport Protocol and Proxy settings.

Currently, configuration updates against these new settings are not audited.

In addition to these RemoteProcessGroup settings, RemoteProcessGroupPort will 
have new configurations by NIFI-1202.

This JIRA ticket tracks the work of adding audit events for these new settings.

h3. Investigate current behavior

In order to fix properly, I've tested to know what works and what doesn't. Here 
is the result of current behavior (measured with 1.2.0-SNAPSHOT, but it should 
be the same for versions after 1.0).

|| Operation performed || Created Audit Type || Audited Operation || Need fix? ||
| Create RPG | RPG | Add | No |
| Enable transmission | RPG | Start | No |
| Disable transmission | RPG | Stop | No |
| Delete RPG | RPG? | Remove? | Different issue |
| Edit RPG config | RPG | Configure | Yes fix-1 |
| Enable/Disable individual remote port | (none) | (none) | Yes fix-2 |
| Edit individual remote port config | (none) | (none) | Yes fix-3 |

h3. Fix-1: Edit RPG config

Currently, this is partially audited for 'Communications Timeout' and 'Yield 
Duration'.
We need to track edit for these as well: Transport Protocol, HTTP Proxy Server 
Hostname, Port, User, Password

h3. Fix-2: Enable/Disable individual remote port

From 'Remote ports' context menu of an RPG, each remote port can be 
enabled/disabled individually. Currently this operation is not audited.

There're two ways to fix this, one is using the existing REMOTE_PROCESS_GROUP 
table in the nifi-flow-audit h2 database. Use 'Configure' Operation type with 
'Name=<input/output port name>.transmission' and 'Value=enabled/disabled'.
Another way is to create a REMOTE_PROCESS_GROUP_PORT table, but this requires 
some additional migration code to create the table.
I think the former approach is reasonable.

h3. Fix-3: Edit individual remote port config

Currently, user can configure 'Concurrent Tasks' and 'Compressed', but no audit 
event is created for these operations. Same as Fix-2, we might be able to use 
existing REMOTE_PROCESS_GROUP table, using 'Configure' Operation type with 
'Name=<input/output port name>.<property name>' dot notation and 
'Value=<property value>'.

h3. NiFi history shows audit record as 'Not authorized' if the component has been removed

Once the target component (i.e. RemoteProcessGroup) is removed from a flow, its 
audit records are shown as 'Not authorized'. This can be problematic since the user 
won't be able to know who deleted the component.


> RPG proxy and Remote Group Port configuration changes should be audited
> -----------------------------------------------------------------------
>
>                 Key: NIFI-3162
>                 URL: https://issues.apache.org/jira/browse/NIFI-3162
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Koji Kawamura
>            Assignee: Koji Kawamura



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
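
The Name/Value scheme proposed in Fix-1 to Fix-3 above, worked through as an added Java example (not NiFi's own code and not from the ticket author). The class, record and map keys are hypothetical, the sample values are constructed, and masking the proxy password is this example's assumption rather than something the ticket specifies.

```java
import java.util.*;

// Added illustration; class, record and field names are hypothetical, not NiFi's audit API.
public class RpgAuditSketch {
    // One 'Configure' audit row: the Name/Value pair proposed in the ticket plus the previous value.
    record ConfigureDetail(String name, String previousValue, String value) {}

    // Assumption of this example: a secret is recorded as changed, never in clear text.
    static final String MASK = "********";

    // Compare two property snapshots and emit one detail per changed property.
    // prefix is "" for RPG-level settings (Fix-1) or "<port name>." for a remote port (Fix-2, Fix-3).
    static List<ConfigureDetail> diff(String prefix, Map<String, String> before,
                                      Map<String, String> after, Set<String> sensitive) {
        List<ConfigureDetail> details = new ArrayList<>();
        Set<String> keys = new TreeSet<>(before.keySet());
        keys.addAll(after.keySet());
        for (String key : keys) {
            String oldV = before.get(key), newV = after.get(key);
            if (Objects.equals(oldV, newV)) continue;   // unchanged: no audit row
            if (sensitive.contains(key)) {              // keep the fact of the change, drop the secret
                oldV = oldV == null ? null : MASK;
                newV = newV == null ? null : MASK;
            }
            details.add(new ConfigureDetail(prefix + key, oldV, newV));
        }
        return details;
    }

    public static void main(String[] args) {
        // Constructed sample: an RPG switched to HTTP behind a proxy (key names are illustrative).
        Map<String, String> rpgBefore = Map.of("Transport Protocol", "RAW");
        Map<String, String> rpgAfter = Map.of("Transport Protocol", "HTTP",
                "HTTP Proxy Server Hostname", "proxy.example.com",
                "HTTP Proxy Password", "s3cret");
        diff("", rpgBefore, rpgAfter, Set.of("HTTP Proxy Password")).forEach(System.out::println);

        // Constructed sample: remote input port "in-1" disabled and given more concurrent tasks.
        Map<String, String> portBefore = Map.of("transmission", "enabled",
                "Concurrent Tasks", "1", "Compressed", "false");
        Map<String, String> portAfter = Map.of("transmission", "disabled",
                "Concurrent Tasks", "4", "Compressed", "false");
        diff("in-1.", portBefore, portAfter, Set.of()).forEach(System.out::println);
    }
}
```

Because the port name is embedded in the Name column, a port whose name itself contains a dot makes the split between port and property ambiguous when reading the rows back.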
