[
https://issues.apache.org/jira/browse/NIFI-15512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056060#comment-18056060
]
ASF subversion and git services commented on NIFI-15512:
--------------------------------------------------------
Commit a1a00a3346ebe0f1e7cd48f15cd180817242dfc2 in nifi's branch
refs/heads/main from Pierre Villard
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=a1a00a3346 ]
NIFI-15512 Added Parameter Context Validation for synchronous updates (#10840)
Signed-off-by: David Handermann <[email protected]>
> Async Parameter Update Endpoint Incorrectly Rejects Sensitive Parameters with
> Asset References
> ----------------------------------------------------------------------------------------------
>
> Key: NIFI-15512
> URL: https://issues.apache.org/jira/browse/NIFI-15512
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 2.7.2
> Reporter: Daniel Chaffelson
> Assignee: Pierre Villard
> Priority: Minor
> Time Spent: 50m
> Remaining Estimate: 0h
>
> When updating a Parameter Context to link an asset (e.g., certificate,
> private key) to a sensitive parameter, the two NiFi REST API endpoints behave
> inconsistently:
> ||Endpoint||Method||Behavior||
> |/parameter-contexts/\{id}|PUT|Accepts sensitive + asset|
> |/parameter-contexts/\{id}/update-requests|POST|Rejects sensitive + asset|
>
> Error Message (from async endpoint)
> HTTP 400 Bad Request
> Request contains a sensitive Parameter (TLS Certificate) with references to
> an Assets.
> Sensitive parameters may not reference Assets.
> h3. Evidence
> Direct PUT (works):
>
>
> curl -X PUT "$NIFI_URL/parameter-contexts/$CONTEXT_ID" \
> -H "Authorization: Bearer $TOKEN" \
> -H "Content-Type: application/json" \
> -d '
> { "revision": \\{...}
> ,
> "component": {
> "id": "'$CONTEXT_ID'",
> "parameters": [{
> "parameter": {
> "name": "TLS Certificate",
> "sensitive": true,
> "referencedAssets": [
> {"id": "...", "name": "cert.pem"}
> ]
> }
> }]
> }
> }'
> # Result: 200 OK - parameter created successfully
>
> Async update-requests (fails):
> {{curl -X POST "$NIFI_URL/parameter-contexts/$CONTEXT_ID/update-requests"-
> }}{{{} # Same body as above{}}}{{{}# Result: 400 Bad Request "Sensitive
> parameters may not reference Assets"{}}}
> h3. Impact
> * The async endpoint is the recommended/safer approach (handles running
> processors gracefully)
> * Libraries like nipyapi use the async endpoint by default
> * Users must fall back to direct PUT or raw curl as a workaround
> * Assets in sensitive Parameters do actually work - I can put a cert into a
> sensitive Parameter and a Processor will use it
> h3. Tested Version
> NiFi 2.7.2 (open-source Docker image)
> h3. Workaround
> Use the direct PUT /parameter-contexts/\{id} endpoint instead of POST
> /parameter-contexts/\{id}/update-requests. Note: Direct PUT will fail if
> processors are running and referencing the parameter.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
