Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2785 I discussed with @pvillard31 and we are going to hold off on merging this for right now. Here is what I wrote on the Jira: > Pierre Villard can you describe the use case where you feel VR EL support is necessary for these fields? I am guessing you want to be able to specify a keystore and truststore path in the VR and allow an SSLContextService to reference it. I have a couple concerns with this approach: > > It allows any user with variable permissions to see the path to the keystore and truststore. In the current setup, the controller service can be deployed with literal paths by an administrator/trusted user, and the service can be referenced by dependent components without exposing the actual file system paths to a less-trusted user (given the proper absence of permissions on the controller service). Currently, a user who does not have view permission to the StandardSSLContextService cannot see the explicit path at all, even if they have view permission to the referencing InvokeHTTP processor (for example). In this new scenario, they would be able to see the explicit path in the Variables window, and see the UUID of the referencing SSLCS (see https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#unauthorized-referencing-components) > It allows the keystore and truststore path to change without visibility on the configuration dialog. Given EL evaluation, the processor will evaluate not only VR-specific variables, but also system properties and OS-level environment variables. This means that a malicious or incidental occurrence could change the path used to locate the keystore and truststore without the NiFi user being aware > The original work that introduced the unit tests you reference was done in NIFI-4274 because of a Stack Overflow question where the documentation (which said EL was not supported) and the behavior (incorrectly evaluating EL) did not match. > > I appreciate the work you put into this PR. If you have a specific use case that really requires this behavior, let's discuss it. If this is just to bring these properties inline with the baseline EL evaluation, I would ask that we do not implement this at this time. > > There is some ongoing work/discussion about how to handle the sensitive properties in conjunction with the VR, Registry, flow versioning, setting from external sources, etc. and I believe it requires a cohesive approach with substantial threat modeling to avoid introducing serious issues into NiFi. We have traditionally held to a "secure but severe" policy where some features are absent because of the strict principle that "sensitive properties are always protected/blocked". It may be time to re-evaluate that, but introducing these changes piecemeal is dangerous in my opinion.
---