[
https://issues.apache.org/jira/browse/NIFI-3162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856820#comment-15856820
]
ASF GitHub Bot commented on NIFI-3162:
--------------------------------------
Github user asfgit closed the pull request at:
https://github.com/apache/nifi/pull/1476
> RPG proxy and Remote Group Port configuration changes should be audited
> -----------------------------------------------------------------------
>
> Key: NIFI-3162
> URL: https://issues.apache.org/jira/browse/NIFI-3162
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0
> Reporter: Koji Kawamura
> Assignee: Koji Kawamura
>
> Since NiFi 1.0.0, several configurations have been added to
> RemoteProcessGroup such as Transport Protocol and Proxy settings.
> Currently, configuration updates against these new settings are not audited.
> In addition to these RemoteProcessGroup settings, RemoteProcessGroupPort
> will have new configurations by NIFI-1202.
> This JIRA ticket tracks the work of adding audit events for these new
> settings.
> h3. Investigate current behavior
> In order to fix properly, I've tested to know what works and what doesn't.
> Here is the result of current behavior (measured with 1.2.0-SNAPSHOT, but it
> should be the same for versions after 1.0).
> || Operation performed || Created Audit Type || Audited Operation || Need fix? ||
> | Create RPG | RPG | Add | No |
> | Enable transmission | RPG | Start | No |
> | Disable transmission | RPG | Stop | No |
> | Delete RPG | RPG? | Remove? | Different issue |
> | Edit RPG config | RPG | Configure | Yes fix-1 |
> | Enable/Disable individual remote port | (none) | (none) | Yes fix-2 |
> | Edit individual remote port config | (none) | (none) | Yes fix-3 |
> h3. Fix-1: Edit RPG config
> Currently, this is partially audited for 'Communications Timeout' and 'Yield
> Duration'.
> We need to track edits for these as well: Transport Protocol, HTTP Proxy
> Server Hostname, Port, User, Password.
> h3. Fix-2: Enable/Disable individual remote port
> From 'Remote ports' context menu of a RPG, each remote port can be
> enabled/disabled individually. Currently this operation is not audited.
> There're two ways to fix this, one is using the existing REMOTE_PROCESS_GROUP
> table in the nifi-flow-audit h2 database. Use 'Configure' Operation type with
> 'Name=<input/output port name>.transmission' and 'Value=enabled/disabled'.
> Another way is to create a REMOTE_PROCESS_GROUP_PORT table, but this requires
> some additional migration code to create the table.
> I think the former approach is reasonable.
> h3. Fix-3: Edit individual remote port config
> Currently, a user can configure 'Concurrent Tasks' and 'Compressed', but no
> audit event is created for these operations. Same as Fix-2, we might be able
> to use existing REMOTE_PROCESS_GROUP table, using 'Configure' Operation type
> with 'Name=<input/output port name>.<property name>' dot notation and
> 'Value=<property value>'.
> h3. NiFi history shows audit record as 'Not authorized' if the component has been removed
> Once the target component (i.e. RemoteProcessGroup) is removed from a flow,
> its audit records are shown as 'Not authorized'. This can be problematic since
> a user won't be able to know who deleted the component. Created NIFI-3445 for
> tracking this issue separately.