Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-7310

Improve experience configuring Authorization header for HTTP processors

    XMLWordPrintableJSON

Details

    Description

      As discussed in the Apache NiFi slack room (see transcript below), the InvokeHTTP processor (among others) often requires an Authorization HTTP header [1] to successfully make a request to an external service. This header includes an authorization type (e.g. Basic, Bearer, Digest, Negotiate, OAuth, etc.) [2] and the credentials (e.g. the plaintext or Base64-encoded username & password, a JWT token, etc.) [3].

      While the JWT value (for example) can be supplied with a parameter, the limitations on sensitive parameters make this process more difficult – non-sensitive parameters are stored in plaintext and synced with flow versioning to an unsecured persistence layer, while sensitive parameters are prohibited from any modification in property descriptor fields (i.e. one cannot prepend "Bearer: #{jwtSensitiveParam}" as one could with "Other-prefix: #{nonSensitiveParam}").

      One option is to make the Authorization header a permanent, non-required property descriptor in the component rather than being added only via a dynamic property. The value (credentials) could be a sensitive parameter and the type could be determined dynamically by evaluating the value, or a sibling property of Authorization Type could be selected from a drop-down of AllowableType entries to improve user experience and validation.

      Martin Ebert 12:34
      I have a problem. I can synchronize the registry nicely automated with Github. So far so good. But now I need certain keys e.g. Bearer Token. I store them in the parameter Context. To use them in Invoke HTTP I must not declare the token as a sensitive value. But now I have a problem: The token is also displayed in Github. No-Go. How can I fix this?
      12:35
      I assumed that the values from the Context parameter are not synchronized with Github at all.

      Bryan Bende Today at 12:36
      why would it not be stored as a sensitive parameter?

      Andy LoPresto 15 minutes ago
      Because to craft the fully-formed header you need to prepend it with `Bearer: `.

      Andy LoPresto 15 minutes ago
      This is a unique edge case.

      Andy LoPresto 14 minutes ago
      It might make sense to add a static "Authorization" header property descriptor to this component because it's often required.

      Pierre Villard:nifi: 14 minutes ago
      this can be part of the parameter value, no?

      Andy LoPresto 14 minutes ago
      And a separate PD which determines the kind of token (JWT, cookie, etc.).

      Bryan Bende 14 minutes ago
      so the issue is its being used in a dynamic prop on InvokeHttp and those are not sensitive props?

      Andy LoPresto 14 minutes ago
      Yes, Pierre, it can be. Just makes it harder to generate dynamically and populate it.

      Pierre Villard:nifi: 14 minutes ago
      I see

      Andy LoPresto 14 minutes ago
      Bryan, it's that we restrict sensitive parameters and prohibit them from concatenation.

      Andy LoPresto 13 minutes ago
      You can do Bearer: #{nonSensitiveParameter} just fine.

      Andy LoPresto 13 minutes ago
      You can't do Bearer: #{sensitiveParameter}.

      Bryan Bende 13 minutes ago
      i see, well +1 to the new properties you suggested

      Andy LoPresto 12 minutes ago
      I'll create a ticket.

      Andy LoPresto 11 minutes ago
      It could use more thought so I won't prescribe that's the only way to move forward, but just to improve this experience in general.

      Andy LoPresto 11 minutes ago
      For today, Pierre's suggestion is probably the easiest to implement.

      [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
      [2] https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
      [3] https://tools.ietf.org/html/rfc4559#page-2

      Attachments

        Issue Links

          Activity

            People

              exceptionfactory David Handermann
              alopresto Andy LoPresto
              Votes:
              5 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: