Hello,
I am looking for some guidance on managing sensitive property values for things 
such as credentials in a DBCPConnectionPool within the NiFi Registry 
Development Life Cycle.

Currently we have rolled our own deployment tool in which we manage 
configuration files per environment (Dev, QA, Prod, etc) and use the NiFi API 
to deploy our Process Group and all the environment-specific properties. We are 
looking to make the switch to using NiFi Registry instead of our own tool but I 
don’t see a way to properly manage secrets.

I believe we could use the Variable Registry but I have a few concerns with 
that approach:

  1.  Not all Processors and Controller Services support Expression Language so 
we may have limitations with referencing properties and secrets inside the 
Variable Registry.
  2.  There is no way (that I can tell) to mark a Variable as “sensitive” so 
that it is write-only and not readable by other NiFi users after being set.
  3.  Are “sensitive” properties encrypted at rest inside flow.xml.gz? If so, 
then we also lose encryption-at-rest if we use Variable Registry.

I’m certain that every other NiFi Registry user will run into these same issues 
so I am curious what others have done and what security trade-offs they have 
made to continue on with the efficiency of using NiFi Registry.

Thanks,
Jon
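One way to check concerns 2 and 3 empirically against your own flow: the audit script below is an added example, not code from the original message or from the NiFi project. It assumes the flow.xml structure it parses (`variable` elements with `name`/`value` attributes, `processor` and `controllerService` elements with `property` children holding `name` and `value` elements) and assumes encrypted sensitive values appear as `enc{hex}`; the embedded XML is a constructed sample, not a real flow. It flags variables whose names look like secrets (variables are stored as plain attribute values) and sensitive component properties that are stored in plaintext or that only resolve to a variable.

```python
import gzip
import re
import xml.etree.ElementTree as ET

# Property/variable names that should hold secrets (assumed heuristic, adjust to taste).
SENSITIVE_NAME = re.compile(r"password|secret|passphrase|private.?key|token", re.I)
# Assumed on-disk form of an encrypted sensitive value in flow.xml.gz.
ENCRYPTED_VALUE = re.compile(r"^enc\{[0-9A-Fa-f]+\}$")

# Constructed sample in the shape of a NiFi flow.xml; assumed structure, not a real export.
SAMPLE_FLOW_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<flowController>
  <rootGroup>
    <id>root</id>
    <name>NiFi Flow</name>
    <variable name="db.url" value="jdbc:postgresql://db.example.internal/app"/>
    <variable name="db.password" value="hunter2"/>
    <controllerService>
      <id>cs-1</id>
      <name>DBCPConnectionPool</name>
      <property>
        <name>Database Connection URL</name>
        <value>${db.url}</value>
      </property>
      <property>
        <name>Password</name>
        <value>enc{0123456789abcdef}</value>
      </property>
    </controllerService>
    <processor>
      <id>p-1</id>
      <name>PutSQL</name>
      <property>
        <name>Password</name>
        <value>${db.password}</value>
      </property>
    </processor>
  </rootGroup>
</flowController>
"""


def load_flow(data):
    """Accept raw flow.xml bytes or a gzip-compressed flow.xml.gz and return the parsed root."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return ET.fromstring(data)


def audit_flow(data):
    """Return (kind, location, problem) tuples for secrets that are not protected at rest."""
    root = load_flow(data)
    findings = []

    # Variables are plain attribute values: a secret-looking variable is a plaintext secret.
    for var in root.iter("variable"):
        name = var.get("name", "")
        if SENSITIVE_NAME.search(name):
            findings.append(("variable", name, "plaintext variable"))

    # Sensitive component properties are expected in the enc{...} form.
    for comp_tag in ("processor", "controllerService"):
        for comp in root.iter(comp_tag):
            comp_name = comp.findtext("name", "")
            for prop in comp.findall("property"):
                pname = prop.findtext("name", "")
                value = prop.findtext("value", "") or ""
                if not SENSITIVE_NAME.search(pname):
                    continue
                if ENCRYPTED_VALUE.match(value):
                    continue  # stored encrypted, nothing to report
                location = f"{comp_name}/{pname}"
                if value.startswith("${"):
                    # Expression Language reference: the secret lives in a variable, not in enc{...}.
                    findings.append((comp_tag, location, f"references variable {value}"))
                else:
                    findings.append((comp_tag, location, "plaintext value"))
    return findings


if __name__ == "__main__":
    for kind, location, problem in audit_flow(SAMPLE_FLOW_XML):
        print(f"{kind:18} {location:30} {problem}")
```

Run it against a real `flow.xml.gz` by replacing `SAMPLE_FLOW_XML` with the file's bytes; the expected pattern is that a password set directly on a DBCPConnectionPool shows up as `enc{...}` and produces no finding, while the same password moved into a variable produces one finding for the variable and one for each property referencing it.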