Pierre Villard created NIP-33:
---------------------------------

             Summary: Allow Secrets to be Referenced by Non-Sensitive Connector 
Properties
                 Key: NIP-33
                 URL: https://issues.apache.org/jira/browse/NIP-33
             Project: NiFi Improvement Proposal
          Issue Type: Improvement
            Reporter: Pierre Villard


Connectors let users configure an entire flow through a small set of typed 
properties. Properties declared with {{PropertyType.SECRET}} can be backed by a 
value from a Secrets Manager (resolved through a {{{}SecretReference{}}}), 
while all other property types must be given an explicit literal value. Today 
the framework strictly forbids a {{SECRET_REFERENCE}} on any non-{{{}SECRET{}}} 
property.

However, users may want to store sensitive and non-sensitive information in the 
same place. A common example is a database connection: users want to store both 
the *username* and the *password* as secrets and reference both from the 
connector, so that the entire credential lives in one managed, rotatable, 
access-controlled place. The username property is not sensitive, so it cannot 
reference a secret today, forcing users to split a single credential across two 
management models (a managed secret for the password, a hand-entered literal 
for the username).

The proposal touches the following all changes are additive):
 * *{{nifi-api}}* - a new enum and a new {{default}} method on the {{Secret}} 
interface (extension/public API).
 * *NiFi Configuration Files* - one new optional property in 
{{{}nifi.properties{}}}.
 * *{{nifi-web-api}}* - an additional optional field on the secret-listing DTO 
so REST clients (configuration UIs) can identify which secrets are eligible for 
non-sensitive properties.
 * *Framework internals* ({{{}nifi-framework-components{}}}, 
{{{}nifi-framework-core{}}}) — populate the classification when adapting a 
parameter into a secret, and relax the connector property reference-validation 
gate accordingly. These are not public interfaces.
 * *Reference implementation* - the AWS Secrets Manager parameter provider, 
which already forwards source tags onto the parameters it produces, is used to 
demonstrate the feature end-to-end.

The proposal is fully backward compatible and does *not* require a new major 
version.
 * The new {{Secret}} method is a {{default}} returning the existing-behaviour 
value ({{{}RESTRICTED{}}}), so all current {{Secret}} implementations compile 
and behave unchanged.
 * The new {{nifi.properties}} value has {*}no default{*}. When it is unset, 
every secret is {{RESTRICTED}} and behaviour is identical to today. The feature 
is strictly opt-in per deployment.
 * The validation change only ever {*}permits more{*}: a {{RESTRICTED}} secret 
on a non-sensitive property is rejected exactly as today, and a secret 
reference on a sensitive property is unaffected. No previously valid 
configuration becomes invalid.
 * The REST DTO change is an additive optional field.

A secret is assigned one of two protection classifications:
{code:java}
package org.apache.nifi.components.connector;

public enum PropertyProtectionType {
    /** The secret may only be referenced by sensitive (SECRET) properties. 
Default. */
    RESTRICTED,
    /** The secret owner has authorised it for use by any property, including 
non-sensitive ones. */
    UNRESTRICTED
}
{code}
The {{Secret}} interface exposes the classification through a default method so 
existing implementations are unaffected:
{code:java}
public interface Secret {
    // ...existing methods...

    default PropertyProtectionType getPropertyProtectionType() {
        return PropertyProtectionType.RESTRICTED;
    }
}
{code}
The classification originates from the {*}owner of the secret{*}, expressed as 
a tag on the secret in the backing system (e.g. an AWS Secrets Manager resource 
tag). The tag _name_ is configured per deployment through a new optional 
property:
{code:java}
# No default. When unset, all secrets are RESTRICTED (current behaviour).
nifi.secrets.manager.unrestricted.tag.name= {code}
A deployment chooses its own convention. A secret is classified UNRESTRICTED if 
the backing parameter carries a tag whose key equals the configured name and 
whose value equals true (case-insensitive). Presence of the tag alone is 
insufficient. This lets an owner set the value to false to keep a secret 
restricted explicitly. If the property is unset, classification is never 
evaluated and all secrets remain RESTRICTED.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to