Daniel Chaffelson created NIFI-15512:
----------------------------------------

             Summary: Async Parameter Update Endpoint Incorrectly Rejects 
Sensitive Parameters with Asset References
                 Key: NIFI-15512
                 URL: https://issues.apache.org/jira/browse/NIFI-15512
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 2.7.2
            Reporter: Daniel Chaffelson


When updating a Parameter Context to link an asset (e.g., certificate, private 
key) to a sensitive parameter, the two NiFi REST API endpoints behave 
inconsistently:
||Endpoint||Method||Behavior||
|/parameter-contexts/{id}|PUT|Accepts sensitive + asset|
|/parameter-contexts/{id}/update-requests|POST|Rejects sensitive + asset|
 
Error Message (from async endpoint)
HTTP 400 Bad Request
Request contains a sensitive Parameter (TLS Certificate) with references to an 
Assets. 
Sensitive parameters may not reference Assets.
h3. Evidence

Direct PUT (works):
 
 
curl -X PUT "$NIFI_URL/parameter-contexts/$CONTEXT_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "revision": {...},
    "component": {
      "id": "'$CONTEXT_ID'",
      "parameters": [{
        "parameter": {
          "name": "TLS Certificate",
          "sensitive": true,
          "referencedAssets": [{"id": "...", "name": "cert.pem"}]
        }
      }]
    }
  }'
# Result: 200 OK - parameter created successfully
 
Async update-requests (fails):
curl -X POST "$NIFI_URL/parameter-contexts/$CONTEXT_ID/update-requests" \
  # Same body as above
# Result: 400 Bad Request - "Sensitive parameters may not reference Assets"
h3. Impact
 * The async endpoint is the recommended/safer approach (handles running 
processors gracefully)

 * Libraries like nipyapi use the async endpoint by default

 * Users must fall back to direct PUT or raw curl as a workaround

h3. Tested Version

NiFi 2.7.2 (open-source Docker image)
h3. Workaround

Use the direct PUT /parameter-contexts/{id} endpoint instead of POST 
/parameter-contexts/{id}/update-requests. Note: Direct PUT will fail if 
processors are running and referencing the parameter.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
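
One way a client could apply the workaround described in the report, as an added example that is not code from the reporter, NiFi or nipyapi: it inspects an update body shaped like the one in the curl call and routes it to direct PUT only when a sensitive parameter references an asset. The function names, the sample ids and the sample parameters are assumptions constructed for illustration.

```python
"""Pick the NiFi endpoint for a Parameter Context update (added example)."""

# Constructed sample entity, shaped like the request body in the report above.
SAMPLE_ENTITY = {
    "revision": {"version": 0},  # constructed value
    "component": {
        "id": "ctx-0001",  # constructed placeholder id
        "parameters": [
            {"parameter": {"name": "TLS Certificate", "sensitive": True,
                           "referencedAssets": [{"id": "asset-0001", "name": "cert.pem"}]}},
            {"parameter": {"name": "Keystore Password", "sensitive": True}},
            {"parameter": {"name": "CA Bundle", "sensitive": False,
                           "referencedAssets": [{"id": "asset-0002", "name": "ca.pem"}]}},
        ],
    },
}


def sensitive_asset_parameters(entity):
    """Return names of parameters that are sensitive AND reference an asset."""
    names = []
    for wrapper in entity.get("component", {}).get("parameters") or []:
        param = wrapper.get("parameter") or {}
        if param.get("sensitive") is True and param.get("referencedAssets"):
            names.append(param.get("name", "<unnamed>"))
    return names


def choose_endpoint(entity):
    """Return (method, path, blocked_names) for this update.

    Per the report, POST .../update-requests answers 400 for a sensitive
    parameter with asset references, so such updates go to direct PUT.
    Direct PUT fails if processors are running and referencing the parameter.
    """
    context_id = entity["component"]["id"]
    blocked = sensitive_asset_parameters(entity)
    if blocked:
        return "PUT", f"/parameter-contexts/{context_id}", blocked
    return "POST", f"/parameter-contexts/{context_id}/update-requests", blocked


if __name__ == "__main__":
    method, path, blocked = choose_endpoint(SAMPLE_ENTITY)
    print(method, path, blocked)
```

Every other update keeps using the async endpoint, so the direct-PUT limitation with running processors only applies to the affected parameters.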
