question securing secrets when using Nifi PutIceberg Processor in Support Questions

securing secrets when using Nifi PutIceberg Processor

jnk32 — Thu, 11 Apr 2024 06:54:19 GMT

I use the PutIcebergProcessor to write data to my data lake. Therefore I need to specify a HiveCatalogService. This Service needs HadoopConfigurationResources. This parameter is a path to an xml file containing the credentials to the S3 where the Iceberg files are stored.

My Problem with this, that some content of this file is supposed to be secret to the users interacting with the nifi ui. However, as soon as a UI user knows this path, he can simply use ExecuteProcess Processor to retrieve those information.

Is there any way to keep those information safe?

Reference:

Re: securing secrets when using Nifi PutIceberg Processor

ckumar — Mon, 15 Apr 2024 13:08:26 GMT

ExecuteProcessor is a restricted type of processor that prevents the user from using it and reading anything from the NiFi filesystem path. you can stop users from accessing processors that are restricted, Please refer to the following link to know more.

https://community.cloudera.com/t5/Community-Articles/NiFi-Restricted-Components-Policy-Descriptions/ta-p/249157

Re: securing secrets when using Nifi PutIceberg Processor

Jim_Steinebrey — Tue, 16 Apr 2024 02:33:06 GMT

I agree with ckumar's point and there is one more thing you could do if it makes you feel safer.
You could put the HadoopConfigurationResources file path string into a sensitive parameter and refer to the that parameter (using #{paramname}) in the HiveCatalogService property.