Apache NiFi / NIFI-3050

Restrict dangerous processors to special permission


    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.0
    • Fix Version/s: 1.1.0
    • Component/s: Core Framework
    • Labels:

      Description

      As evidenced by NIFI-3045 and other discoveries (e.g. using an ExecuteScript processor to iterate over a NiFiProperties instance after the application has already decrypted the sensitive properties from the nifi.properties file on disk, using a GetFile processor to retrieve /etc/passwd, etc.), NiFi is a powerful tool which can allow unauthorized users to perform malicious actions. While no tool as versatile as NiFi will ever be completely immune to insider threat, to further restrict the potential for abuse, certain processors should be designated as restricted, and these processors can only be added to the canvas or modified by users who, along with the proper permission to modify the canvas, have a special permission to interact with these "dangerous" processors.

      From the Security Feature Roadmap:

      Dangerous Processors

      • Processors which can directly affect behavior/configuration of NiFi/other services
        • GetFile
        • PutFile
        • ListFile
        • FetchFile
        • ExecuteScript
        • InvokeScriptedProcessor
        • ExecuteProcess
        • ExecuteStreamCommand
      • These processors should only be creatable/editable by users with special access control policy
      • Marked by @Restricted annotation on processor class
      • All flowfiles originating/passing through these processors have special attribute/protection
      • Perhaps *File processors can access a certain location by default but cannot access the root filesystem without special user permission?

      Matt Gilman and I should have a PR for this tomorrow.
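The authorization rule this ticket sketches, shown as an added Java illustration that is not NiFi's own code: a marker annotation stands in for the proposed @Restricted annotation, a user's granted policies are modelled as a set of strings, and the check refuses a restricted processor unless the user holds the special policy in addition to the ordinary canvas-write policy. The annotation, the policy names, the two processor classes and the user model are all assumptions constructed for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

// Added example for NIFI-3050; not NiFi's implementation. Names below are assumptions.
public class RestrictedProcessorAuthorizer {

    // Assumed marker annotation standing in for the @Restricted annotation the ticket proposes.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface Restricted {}

    // Assumed policy identifiers: the ordinary "modify the canvas" permission and the
    // additional permission required for restricted processors.
    public static final String WRITE_CANVAS = "write:process-groups";
    public static final String RESTRICTED_COMPONENTS = "write:restricted-components";

    // Constructed stand-ins for a restricted processor (ExecuteScript-like) and an ordinary one.
    @Restricted
    public static class ExecuteScriptLike {}
    public static class LogAttributeLike {}

    // Decides whether a user holding userPolicies may add or modify an instance of processorClass.
    public static boolean canAddOrModify(Class<?> processorClass, Set<String> userPolicies) {
        // Every change to the canvas needs the normal write permission first; the special
        // permission never substitutes for it.
        if (!userPolicies.contains(WRITE_CANVAS)) {
            return false;
        }
        // Restricted processors additionally require the special policy. The decision is
        // made on the processor class, so it applies both to creating a new instance and
        // to editing an existing one.
        boolean restricted = processorClass.isAnnotationPresent(Restricted.class);
        return !restricted || userPolicies.contains(RESTRICTED_COMPONENTS);
    }

    public static void main(String[] args) {
        Set<String> canvasOnly = Set.of(WRITE_CANVAS);
        Set<String> canvasAndRestricted = Set.of(WRITE_CANVAS, RESTRICTED_COMPONENTS);
        Set<String> restrictedOnly = Set.of(RESTRICTED_COMPONENTS);

        System.out.println("ordinary processor, canvas policy only:        "
                + canAddOrModify(LogAttributeLike.class, canvasOnly));
        System.out.println("restricted processor, canvas policy only:      "
                + canAddOrModify(ExecuteScriptLike.class, canvasOnly));
        System.out.println("restricted processor, canvas + restricted:     "
                + canAddOrModify(ExecuteScriptLike.class, canvasAndRestricted));
        System.out.println("restricted processor, restricted policy only:  "
                + canAddOrModify(ExecuteScriptLike.class, restrictedOnly));
    }
}
```

The check is deliberately conjunctive: the restricted-components policy is an extra gate on top of canvas write access, not a replacement for it, which matches the ticket's requirement that users need the special permission "along with the proper permission to modify the canvas". A deployment would also need the same check on any path that changes a processor's configuration after creation, since the ticket covers editing as well as adding.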


              People

              • Assignee: mcgilman Matt Gilman
              • Reporter: alopresto Andy LoPresto
              • Votes: 1
              • Watchers: 8
