Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2785
I discussed with @pvillard31 and we are going to hold off on merging this
for right now. Here is what I wrote on the Jira:
> Pierre Villard can you describe the use case where you feel VR EL support
is necessary for these fields? I am guessing you want to be able to specify a
keystore and truststore path in the VR and allow an SSLContextService to
reference it. I have a couple concerns with this approach:
>
> It allows any user with variable permissions to see the path to the
keystore and truststore. In the current setup, the controller service can be
deployed with literal paths by an administrator/trusted user, and the service
can be referenced by dependent components without exposing the actual file
system paths to a less-trusted user (given the proper absence of permissions on
the controller service). Currently, a user who does not have view permission to
the StandardSSLContextService cannot see the explicit path at all, even if they
have view permission to the referencing InvokeHTTP processor (for example). In
this new scenario, they would be able to see the explicit path in the Variables
window, and see the UUID of the referencing SSLCS (see
https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#unauthorized-referencing-components)
> It allows the keystore and truststore path to change without visibility
on the configuration dialog. Given EL evaluation, the processor will evaluate
not only VR-specific variables, but also system properties and OS-level
environment variables. This means that a malicious or incidental occurrence
could change the path used to locate the keystore and truststore without the
NiFi user being aware
> The original work that introduced the unit tests you reference was done
in NIFI-4274 because of a Stack Overflow question where the documentation
(which said EL was not supported) and the behavior (incorrectly evaluating EL)
did not match.
>
> I appreciate the work you put into this PR. If you have a specific use
case that really requires this behavior, let's discuss it. If this is just to
bring these properties inline with the baseline EL evaluation, I would ask that
we do not implement this at this time.
>
> There is some ongoing work/discussion about how to handle the sensitive
properties in conjunction with the VR, Registry, flow versioning, setting from
external sources, etc. and I believe it requires a cohesive approach with
substantial threat modeling to avoid introducing serious issues into NiFi. We
have traditionally held to a "secure but severe" policy where some features are
absent because of the strict principle that "sensitive properties are always
protected/blocked". It may be time to re-evaluate that, but introducing these
changes piecemeal is dangerous in my opinion.
---
