Created 06-25-2020 06:39 PM
I have my credential stored in AWS Secrets Manager, use a PutLambda to retrieve it and send it to a jsonextract and then an invokehttp processor, where I use the credentials in the body of a POST message to get a bearer token.
Between those processors the secret travels in plaintext. Is there a way to hide the credentials?
The idea is to rotate the credentials on AWS, and the only way to view those is using the AWS console; doing this, we can log the access to the secret, when and by whom.
Thank you!
Created 07-05-2020 03:16 PM
Sorry for the bump, but I am very curious about how everyone handles this kind of *possible* security issue.
Thanks!
Created 07-06-2020 05:56 AM
As soon as you retrieve the JSON from which you later extract the sensitive values, those sensitive values are available/readable by anyone who has access to view the content of a FlowFile. Even if you restrict user access so they cannot view the FlowFile content, once you extract those sensitive values to FlowFile attributes they become exposed further. There are currently no methods within NiFi for encrypting FlowFile attributes. Doing so would also require any downstream processor in which you would want to use those encrypted attributes to be able to understand that it is a sensitive value and decrypt it for use. Bottom line here is that the capability you are looking for does not exist within NiFi right now.
This sounds like a new development opportunity/contribution maybe. Perhaps a new NiFi controller service that handles pulling the credentials from AWS Secrets Manager and obtaining the JWT token without writing anything to the FlowFile's attributes or content. Then any processor you would want to use this new CS in would need to be extended to support the new capability. I am not a developer myself, but this sounds like non-trivial work.
@alopresto might have some thoughts to add here.
Thanks,
Matt
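To make the exposure Matt describes concrete, here is an added Python model of the two flow designs from this thread. It is not NiFi code and not from anyone in the thread: FlowFiles are plain dicts, the secret JSON and the token endpoint are constructed stand-ins, and `TokenService` is a hypothetical sketch of the controller-service idea. The `leaked_secrets` helper plays the role of a user with view-content/view-attributes rights and reports at which step of each flow a secret value is readable.

```python
import hashlib
import json

# Constructed sample secret, in the shape a PutLambda/GetSecret step might return.
# Both values are made up for this example.
SECRET_JSON = json.dumps({"username": "svc-user", "password": "example-password-123"})
SECRET_VALUES = ("svc-user", "example-password-123")


def fake_token_endpoint(username, password):
    """Stand-in for the real token endpoint: deterministic so the example runs offline."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).hexdigest()
    return "tok-" + digest[:16]


def snapshot(flowfile):
    """Everything a user with view-content / view-attributes rights could read at this step."""
    views = [("content", flowfile["content"])]
    views += [(f"attribute:{k}", v) for k, v in flowfile["attributes"].items()]
    return views


def naive_flow(secret_json):
    """The flow from the question: secret JSON as content, extracted into attributes,
    then used to build the InvokeHTTP request body."""
    flowfile = {"content": secret_json, "attributes": {}}
    trace = [snapshot(flowfile)]                 # step 0: after retrieving the secret
    creds = json.loads(flowfile["content"])
    flowfile["attributes"]["username"] = creds["username"]   # EvaluateJsonPath-style extraction
    flowfile["attributes"]["password"] = creds["password"]
    trace.append(snapshot(flowfile))             # step 1: after extraction
    token = fake_token_endpoint(flowfile["attributes"]["username"],
                                flowfile["attributes"]["password"])
    flowfile["content"] = json.dumps({"access_token": token})   # InvokeHTTP response
    trace.append(snapshot(flowfile))             # step 2: after InvokeHTTP
    return flowfile, trace


class TokenService:
    """Hypothetical model of the controller service Matt sketches: it keeps the
    credential in memory and hands out only the bearer token, so nothing secret is
    ever written to FlowFile content or attributes."""

    def __init__(self, secret_json):
        self._creds = json.loads(secret_json)

    def bearer_token(self):
        return fake_token_endpoint(self._creds["username"], self._creds["password"])


def service_flow(secret_json):
    """Same outcome as naive_flow, but the credential never touches the FlowFile."""
    service = TokenService(secret_json)
    flowfile = {"content": "", "attributes": {}}
    trace = [snapshot(flowfile)]                 # step 0: empty FlowFile
    flowfile["attributes"]["Authorization"] = "Bearer " + service.bearer_token()
    trace.append(snapshot(flowfile))             # step 1: only the token is visible
    return flowfile, trace


def leaked_secrets(trace, secret_values=SECRET_VALUES):
    """Audit helper: sorted (step, location) pairs where a secret value is readable."""
    return sorted({(step, location)
                   for step, views in enumerate(trace)
                   for location, text in views
                   for value in secret_values
                   if value in text})


if __name__ == "__main__":
    _, naive_trace = naive_flow(SECRET_JSON)
    _, service_trace = service_flow(SECRET_JSON)
    print("naive flow exposures:  ", leaked_secrets(naive_trace))
    print("service flow exposures:", leaked_secrets(service_trace))
```

Running it shows the naive flow exposing the credential in content at step 0 and in both content and attributes at step 1, and the attributes still carry it at step 2 after the token has been obtained; the service-style flow reports no exposure while producing the same token. The same audit idea applies to real flows: a test that walks provenance events or a queue listing and greps for a known rotated secret value is a cheap way to confirm where a credential actually surfaces.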