Pushing flows to Registry with Sensitive Information

Jorge Machado
Hi Guys,

So I was playing with the registry, and if I pushed a Processor that has sensitive information like a password, it will be discarded when pulling it from the Registry, which is fine.

Now comes the but. But if I put a variable there, IMHO I think it should save it on the registry.

What do you think?

Jorge






Re: Pushing flows to Registry with Sensitive Information

Bryan Bende
Jorge,

Currently variables are not meant to store sensitive information; the
reason has to do with how users access variables...

The way a user accesses a variable is via expression language, and
since EL is just free-form text entered into a property descriptor, it
is impossible to restrict which users can access a variable. Imagine a
multi-tenant environment with many teams, say there is a variable
"db.password" at the root group... anyone anywhere in the dataflow can
create an UpdateAttribute processor and set foo = ${db.password} and
now they can list the queue and look at the attribute foo and get the
password.

When a flow is saved to registry, all sensitive properties are cleared
out (they shouldn't be variables anyway based on above). When the flow
is imported to the next environment, there is a one-time operation
required to go in and set those values specific for the given
environment. Setting these values will not trigger a local change for
version control, and they will also be retained across updates, so it
is really a one-time setup on import and then never worry about it
again when upgrading to a new version.

There is probably some room for improvement around the UX of how the
sensitive variables are set during first import. Right now you have to
manually go through and find them and set them, but this could be
presented in a better way to automatically show all the sensitive
properties that need to be filled in.

Hope this helps.

-Bryan


On Wed, Apr 25, 2018 at 4:44 AM, Jorge Machado <[hidden email]> wrote:

> Hi Guys,
>
> So I was playing with the registry, and if I pushed a Processor that has sensitive information like a password, it will be discarded when pulling it from the Registry, which is fine.
>
> Now comes the but. But if I put a variable there, IMHO I think it should save it on the registry.
>
> What do you think?
>
> Jorge
>
>
>
>
>
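
Added example (not part of the original thread and not NiFi or NiFi Registry code): an audit pass over a flow definition that reports variables whose names look like secrets, plus every processor property that reads one through expression language, which is the exposure described in the reply above. The field names (`variables`, `processors`, `processGroups`, `properties`) describe a simplified, constructed flow structure and are assumptions, as is the name-matching heuristic.

```python
import re

# Assumption: variable names matching this heuristic are treated as secrets.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[._-]?key|credential", re.I)
# Captures the variable name at the start of an EL expression: ${name} or ${name:fn()}
EL_REF = re.compile(r"\$\{\s*([\w.\-]+)\s*[:}]")

def audit_group(group, inherited=None, path=""):
    """Return (secret_like_variables, el_references) for a group and its children."""
    path = f"{path}/{group.get('name', '?')}"
    visible = dict(inherited or {})  # variables are inherited by child groups
    secrets, refs = [], []
    for var in group.get("variables") or {}:
        visible[var] = path
        if SECRET_NAME.search(var):
            secrets.append((path, var))
    for proc in group.get("processors") or []:
        for prop, value in (proc.get("properties") or {}).items():
            for var in EL_REF.findall(value or ""):
                if var in visible and SECRET_NAME.search(var):
                    refs.append((f"{path}/{proc.get('name', '?')}", prop, var, visible[var]))
    for child in group.get("processGroups") or []:
        child_secrets, child_refs = audit_group(child, visible, path)
        secrets += child_secrets
        refs += child_refs
    return secrets, refs

# Constructed sample: the root-level variable and the UpdateAttribute from the thread.
SAMPLE_FLOW = {
    "name": "root",
    "variables": {"db.password": "EXAMPLE-ONLY", "db.host": "db01"},
    "processGroups": [{
        "name": "team-b",
        "processors": [{
            "name": "UpdateAttribute",
            "properties": {"foo": "${db.password}", "bar": "${db.host}"},
        }],
    }],
}

if __name__ == "__main__":
    found, used = audit_group(SAMPLE_FLOW)
    for where, var in found:
        print(f"secret-like variable {var!r} declared in {where}")
    for proc, prop, var, origin in used:
        print(f"{proc}: property {prop!r} reads {var!r} (declared in {origin})")
```

Any hit means the value should move out of the variable and into a sensitive property that is set per environment after import.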