Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/2936
  
    Hi @lukepfarrar, we have a policy of not evaluating EL in password fields. Here is [an example of that review process](https://github.com/apache/nifi/pull/3020#discussion_r219712821) and the reasoning behind it on another PR.

    > Our policy so far has been that passwords do not support expression language, for a couple reasons:
    > 1. How to evaluate if a password `abc${def}` should be interpreted as `abc` + *the value of(`def`)* or the literal string `abc${def}`
    > 2. The variable registry is not designed to store sensitive values securely, so if a password is stored here, it can be accessed by an unauthorized user

