Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/3020#discussion_r219712821
--- Diff:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
---
@@ -177,19 +180,22 @@
.name("Username")
.description("Username required to access the URL")
.required(false)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
.addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
.build();
public static final PropertyDescriptor PASSWORD = new
PropertyDescriptor.Builder()
.name("Password")
.description("Password required to access the URL")
.required(false)
.sensitive(true)
+
.expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
--- End diff --
Our policy so far has been that passwords do not support expression
language, for a couple reasons:
1. How to evaluate if a password `abc${def}` should be interpreted as `abc`
+ *the value of(`def`)* or the literal string `abc${def}`
1. The variable registry is not designed to store sensitive values
securely, so if a password is stored here, it can be accessed by an
unauthorized user
---
