As evidenced by
NIFI-3045 and other discoveries (e.g. using an ExecuteScript processor to iterate over a NiFiProperties instance after the application has already decrypted the sensitive properties from the nifi.properties file on disk, using a GetFile processor to retrieve /etc/passwd, etc.) NiFi is a powerful tool which can allow unauthorized users to perform malicious actions. While no tool as versatile as NiFi will ever be completely immune to insider threat, to further restrict the potential for abuse, certain processors should be designated as restricted, and these processors can only be added to the canvas or modified by users who, along with the proper permission to modify the canvas, have a special permission to interact with these "dangerous" processors.
From the Security Feature Roadmap:
- Processors which can directly affect behavior/configuration of NiFi/other services
- These processors should only be creatable/editable by users with special access control policy
- Marked by @Restricted annotation on processor class
- All flowfiles originating/passing through these processors have special attribute/protection
- Perhaps *File processors can access a certain location by default but cannot access the root filesystem without special user permission?
Matt Gilman and I should have a PR for this tomorrow.