[ https://issues.apache.org/jira/browse/NIFI-15512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Chaffelson updated NIFI-15512:
-------------------------------------
Description:
When updating a Parameter Context to link an asset (e.g., certificate, private
key) to a sensitive parameter, the two NiFi REST API endpoints behave
inconsistently:
||Endpoint||Method||Behavior||
|/parameter-contexts/{id}|PUT|Accepts sensitive + asset|
|/parameter-contexts/{id}/update-requests|POST|Rejects sensitive + asset|
Error Message (from async endpoint)
HTTP 400 Bad Request
Request contains a sensitive Parameter (TLS Certificate) with references to an
Assets.
Sensitive parameters may not reference Assets.
h3. Evidence
Direct PUT (works):
curl -X PUT "$NIFI_URL/parameter-contexts/$CONTEXT_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "revision": {...},
    "component": {
      "id": "'$CONTEXT_ID'",
      "parameters": [{
        "parameter": {
          "name": "TLS Certificate",
          "sensitive": true,
          "referencedAssets": [
            {"id": "...", "name": "cert.pem"}
          ]
        }
      }]
    }
  }'
# Result: 200 OK - parameter created successfully
Async update-requests (fails):
curl -X POST "$NIFI_URL/parameter-contexts/$CONTEXT_ID/update-requests" \
  # Same body as above
# Result: 400 Bad Request "Sensitive parameters may not reference Assets"
h3. Impact
* The async endpoint is the recommended/safer approach (handles running
processors gracefully)
* Libraries like nipyapi use the async endpoint by default
* Users must fall back to direct PUT or raw curl as a workaround
* Assets in sensitive Parameters do actually work - I can put a cert into a
sensitive Parameter and a Processor will use it
h3. Tested Version
NiFi 2.7.2 (open-source Docker image)
h3. Workaround
Use the direct PUT /parameter-contexts/{id} endpoint instead of POST
/parameter-contexts/{id}/update-requests. Note: Direct PUT will fail if
processors are running and referencing the parameter.
was:
When updating a Parameter Context to link an asset (e.g., certificate, private
key) to a sensitive parameter, the two NiFi REST API endpoints behave
inconsistently:
||Endpoint||Method||Behavior||
|/parameter-contexts/{id}|PUT|Accepts sensitive + asset|
|/parameter-contexts/{id}/update-requests|POST|Rejects sensitive + asset|
Error Message (from async endpoint)
HTTP 400 Bad Request
Request contains a sensitive Parameter (TLS Certificate) with references to an
Assets.
Sensitive parameters may not reference Assets.
h3. Evidence
Direct PUT (works):
curl -X PUT "$NIFI_URL/parameter-contexts/$CONTEXT_ID" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"revision": {...},
"component": {
"id": "'$CONTEXT_ID'",
"parameters": [{
"parameter": {
"name": "TLS Certificate",
"sensitive": true,
"referencedAssets": [{"id": "...", "name": "cert.pem"}]
}
}]
}
}'
# Result: 200 OK - parameter created successfully
Async update-requests (fails):
curl -X POST "$NIFI_URL/parameter-contexts/$CONTEXT_ID/update-requests" \
  # Same body as above
# Result: 400 Bad Request - "Sensitive parameters may not reference Assets"
h3. Impact
* The async endpoint is the recommended/safer approach (handles running
processors gracefully)
* Libraries like nipyapi use the async endpoint by default
* Users must fall back to direct PUT or raw curl as a workaround
h3. Tested Version
NiFi 2.7.2 (open-source Docker image)
h3. Workaround
Use the direct PUT /parameter-contexts/{id} endpoint instead of POST
/parameter-contexts/{id}/update-requests. Note: Direct PUT will fail if
processors are running and referencing the parameter.
> Async Parameter Update Endpoint Incorrectly Rejects Sensitive Parameters with
> Asset References
> ----------------------------------------------------------------------------------------------
>
> Key: NIFI-15512
> URL: https://issues.apache.org/jira/browse/NIFI-15512
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 2.7.2
> Reporter: Daniel Chaffelson
> Priority: Minor
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
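A client-side pre-flight check for the workaround described in this report, as an added example that is not part of the original issue or of NiFi/nipyapi code: it inspects an update payload for sensitive parameters that reference assets, picks the endpoint from the report's table, and recognizes the specific 400 rejection. The function names, the base URL, the sample ids and the `revision` value are assumptions constructed for illustration.

```python
import json
import urllib.request

# Error text quoted in this report for the async endpoint (NiFi 2.7.2).
REJECTION_TEXT = "Sensitive parameters may not reference Assets"


def sensitive_asset_params(payload):
    """Names of parameters that are sensitive AND reference at least one asset."""
    names = []
    for entry in payload.get("component", {}).get("parameters", []):
        param = entry.get("parameter", {})
        if param.get("sensitive") and param.get("referencedAssets"):
            names.append(param.get("name"))
    return names


def plan_update(base_url, context_id, payload):
    """Return (method, url, affected names) following the report's endpoint table."""
    affected = sensitive_asset_params(payload)
    url = f"{base_url}/parameter-contexts/{context_id}"
    if affected:
        return "PUT", url, affected  # direct PUT accepts sensitive + asset
    return "POST", url + "/update-requests", affected  # async path otherwise


def is_known_rejection(status, body):
    """True only for the specific 400 described in this report."""
    return status == 400 and REJECTION_TEXT in body


def build_request(base_url, context_id, payload, token):
    """Build (but do not send) the HTTP request for the planned endpoint."""
    method, url, _ = plan_update(base_url, context_id, payload)
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


# Constructed sample payload, shaped like the curl body in the report.
SAMPLE = {"revision": {"version": 0},
          "component": {"id": "ctx-1", "parameters": [
              {"parameter": {"name": "TLS Certificate", "sensitive": True,
                             "referencedAssets": [{"id": "a-1", "name": "cert.pem"}]}},
              {"parameter": {"name": "Port", "sensitive": False, "value": "8443"}}]}}
```

When `plan_update` selects the direct PUT, the report's caveat still applies: the request fails if running processors reference the parameter.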