[ 
https://issues.apache.org/jira/browse/NIFI-15306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18044227#comment-18044227
 ] 

Chris Sampson commented on NIFI-15306:
--------------------------------------

For the concern about property values being output to the UI/logs, 
users/administrators are encouraged to use Property Providers for sensitive (or 
environment specific) property values, which would mean the output value simply 
prints the property name rather than the actual value.

> Property migration does not happen when creating Reporting Tasks and global 
> Controller Services via NiFi Toolkit
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-15306
>                 URL: https://issues.apache.org/jira/browse/NIFI-15306
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Chris Sampson
>            Priority: Major
>
> Several properties in Site-to-Site Reporting Tasks and Controller Services 
> (e.g. {{StandardSSLControllerService}}) have recently been renamed as part of 
> an effort to harmonise property descriptor names with their display names.
> A set of property migrations have been included as part of this using the 
> {{migrateProperties}} framework method. However, it seems that these methods 
> are not being called for global-level components such as Reporting Tasks and 
> Controller Services when they are created via the NiFi API (e.g. using 
> Toolkit's {{create-reporting-task}} method) with a JSON definition that has 
> not been updated to match the renamed properties.
> For example:
> {code:json}
> {
>     "component": {
>         "name": "Registry Client SSL Context Service",
>         "type": "org.apache.nifi.ssl.StandardSSLContextService",
>         "properties": {
>             "Keystore Filename": "keystore.p12",
>             "Keystore Password": "my password",
>             "key-password": "my password",
>             "Keystore Type": "PKCS12",
>             "Truststore Filename": "trust.p12",
>             "Truststore Password": "another password",
>             "Truststore Type": "PKCS12",
>             "SSL Protocol": "TLS"
>         }
>     }
> }
> {code}
> Results in 2 unknown properties of {{key-password}} and {{SSL Protocol}} 
> being present in the created Controller Service, with the component being 
> invalid and throwing errors such as:
> {quote}
> 'key-password' not valid with value 'my password', property does not exist
> {quote}
> Similarly, for:
> {code:json}
> {
>     "component": {
>         "name": "s2s Bulletin Report",
>         "type": "org.apache.nifi.reporting.SiteToSiteBulletinReportingTask",
>         "properties": {
>             "Destination URL": "https://nifi:8443/nifi",
>             "Input Port Name": "BulletinData",
>             "SSL Context Service": "{uuid}",
>             "Instance URL": "https://${hostname(true)}:8443/nifi",
>             "record-writer": "{uuid}"
>         }
>     }
> }
> {code}
> Creates an invalid Reporting Task due to:
> {quote}
> 'record-writer' not valid with value '{uuid}', property does not exist
> {quote}
> This makes the changes to these properties a breaking change for anyone with 
> existing component definitions to be installed into a NiFi cluster. 
> Additionally, the reporting of the property values has the potential to leak 
> sensitive details, such as key passwords (NiFi doesn't recognise 
> {{key-password}} any longer, so doesn't realise it's a sensitive value, and 
> so reports the value in the component validation error).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
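
A pre-deployment check for the situation described in the issue, as an added example that is not part of the original message or of NiFi: it lists the properties in a JSON component definition that the target no longer recognises and masks values whose names look sensitive before reporting them. The function names, the SUPPORTED set (the six names the issue does not report as unknown) and the name hints are assumptions made for illustration.

```python
import json

# Constructed sample: the Controller Service definition quoted in the issue.
SAMPLE = json.loads("""
{"component": {"name": "Registry Client SSL Context Service",
  "type": "org.apache.nifi.ssl.StandardSSLContextService",
  "properties": {"Keystore Filename": "keystore.p12",
    "Keystore Password": "my password", "key-password": "my password",
    "Keystore Type": "PKCS12", "Truststore Filename": "trust.p12",
    "Truststore Password": "another password", "Truststore Type": "PKCS12",
    "SSL Protocol": "TLS"}}}
""")

# Assumption: property names the target instance still accepts. In practice
# this set would come from the component's descriptors on the target version.
SUPPORTED = {"Keystore Filename", "Keystore Password", "Keystore Type",
             "Truststore Filename", "Truststore Password", "Truststore Type"}

# Assumption: substrings that mark a property name as likely to hold a secret.
HINTS = ("password", "passphrase", "secret", "token")


def looks_sensitive(name):
    """Guess sensitivity from the name alone, since the descriptor is gone."""
    lowered = name.lower()
    return any(hint in lowered for hint in HINTS)


def lint_definition(definition, supported):
    """Return (unknown property names, log-safe messages) for a definition."""
    props = definition["component"].get("properties", {})
    unknown = sorted(name for name in props if name not in supported)
    messages = []
    for name in unknown:
        # An unknown property has no descriptor to mark it sensitive, so the
        # raw value must not be echoed when the name suggests a secret.
        shown = "********" if looks_sensitive(name) else props[name]
        messages.append(
            f"'{name}' not valid with value '{shown}', property does not exist")
    return unknown, messages


if __name__ == "__main__":
    unknown, messages = lint_definition(SAMPLE, SUPPORTED)
    for line in messages:
        print(line)
    raise SystemExit(1 if unknown else 0)
```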
