Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Nifi Credentials

avatar
Explorer

Nifi - Is there a way where credentials for sftp NIFI can be read from DB and used

3 ACCEPTED SOLUTIONS

avatar
Super Guru

Yes. Have you ever used expression language to set\get flowfile attributes and use them as parameters for other processors? For example Username and Password on the GetSFTP can be set as follows :

Username: ${my.sftp.db.username}

Password: ${my.sftp.db.password}

 

Both (my.sftp.db.username, my.sftp.db.password) are set once you get this info from DB. For example if use ExecuteSQLRecrod processor where the "SQL Select Query" is set to something like: select username, password from myCredentialTable

Assuming you use JsonWriter to output the data in Json format like:

{

   "username": "...",

   password: "..."

}

Then you can use EvaluateJsonPath to set the attributes by adding dynamic properties to this processor as follows:

 

SAMSAL_0-1673980877061.png

 

Hope that helps. If it does, please accept solution

 

View solution in original post

avatar
Master Mentor

@hkh The only downside to this dynamic approach is that the passwords are in plaintext as attributes on the FlowFile.  This means that these passwords could be read by users who are authorized to access your NiFi through listing of FlowFiles on a queued connection or through running a provenance query on a processor in that flow and inspecting the returned results.

I have no alternative solution to offer, but wanted you to be aware of downside of adding sensitive values to FlowFile attributes.

Thanks,

Matt

View solution in original post

avatar
Explorer
6 REPLIES 6

avatar
Super Guru

Hi,

 

You can read data from DB using processors like ExecuteSQL or ExecuteSQLRecord. The result can be parsed into flowfile attributes which you can use later to set the credential in the SFPT nifi processor using expression language.

avatar
Explorer

Can SFTP creds be dynamic?

avatar
Super Guru

Yes. Have you ever used expression language to set\get flowfile attributes and use them as parameters for other processors? For example Username and Password on the GetSFTP can be set as follows :

Username: ${my.sftp.db.username}

Password: ${my.sftp.db.password}

 

Both (my.sftp.db.username, my.sftp.db.password) are set once you get this info from DB. For example if use ExecuteSQLRecrod processor where the "SQL Select Query" is set to something like: select username, password from myCredentialTable

Assuming you use JsonWriter to output the data in Json format like:

{

   "username": "...",

   password: "..."

}

Then you can use EvaluateJsonPath to set the attributes by adding dynamic properties to this processor as follows:

 

SAMSAL_0-1673980877061.png

 

Hope that helps. If it does, please accept solution

 

avatar
Explorer

Thank you. I will try out the suggested approach.

avatar
Master Mentor

@hkh The only downside to this dynamic approach is that the passwords are in plaintext as attributes on the FlowFile.  This means that these passwords could be read by users who are authorized to access your NiFi through listing of FlowFiles on a queued connection or through running a provenance query on a processor in that flow and inspecting the returned results.

I have no alternative solution to offer, but wanted you to be aware of downside of adding sensitive values to FlowFile attributes.

Thanks,

Matt

avatar
Explorer

Thank you Matt.