Tags • NiFi
Apache NiFi 1.13.0 introduced support for single sign-on authentication through a SAML identity provider. NiFi 1.17.0 included a refactored implementation based on Spring Security 5 while maintaining compatible points of integration. The Okta identity platform enables configurable SAML 2.0 authentication, supporting federated access as well as group management and single logout processing. Configuring Apache NiFi with Okta SAML provides a strong access management solution.
Apache NiFi 1.18.0 added deprecation logging to warn administrators about components and features targeted for removal in future major releases. Deprecation messages presents important software versioning information in a standard format, improving communication between project developers and community users. Reading and responding to deprecation warnings enables administrators to prepare for upgrades and avoid breaking changes.
The syslog protocol has provided a conventional approach to networked logging for decades. Apache NiFi has supported sending and receiving syslog messages since version 0.4.0. Apache NiFi 1.17.0 introduced the UDPEventRecordSink service, supporting record-oriented message transmission over User Datagram Protocol for syslog and other use cases.
Apache NiFi 1.17.0 introduced framework support for sensitive dynamic properties, allowing operators to protect custom properties in selected components. Sensitive dynamic properties enable component developers to support flexible configuration while maintaining system security.
The Hypertext Transfer Protocol is one of the foundational Internet protocols. Almost 20 years after the initial version, RFC 7540 codified HTTP/2, maintaining the core concepts of HTTP/1.1 and incorporating several important optimizations. Building on advances in Jetty 9 and JDK 8, recent improvements to Apache NiFi introduced server support for HTTP/2 in both framework and extension components.
Apache NiFi 1.16.1 resolved XML external entity vulnerabilities in multiple components, described in CVE-2022-29265. Reviewing current and previous XML vulnerabilities enables an accurate characterization of the impact on particular deployments. A summary of the resolution provides useful details for any project that performs XML processing.
Apache NiFi 1.16.0 added configurable logging for HTTP requests, which the framework processes during user interface actions or service operations. HTTP request logging supports a number of use cases, including access auditing, communication troubleshooting, and performance monitoring.
Apache NiFi 1.15.0 incorporates new processors for signing and verifying OpenPGP messages. SignContentPGP and VerifyContentPGP provide enhanced security for OpenPGP processing, supporting cryptographic signature handling as a standalone operation or in conjunction with encryption.
Vulnerabilities in Log4j 2 and other logging libraries have prompted increased scrutiny across many products. Apache NiFi integrates with a wide variety of services that require various dependencies, including multiple types of logging. NiFi 1.15.2 incorporated the removal and exclusion of several unnecessary libraries, highlighting the importance of managing logging dependencies.
The Apache Log4j 2 arbitrary code execution vulnerability known as Log4Shell has impacted numerous products and services. Although Apache NiFi does not use Log4j 2 directly, several extension components include library references that should be considered.
Configurable information storage is a core feature of Apache NiFi. Multiple releases have expanded support for encrypting information in application repositories. Recent updates in NiFi 1.15.0 have streamlined both the implementation and the configuration associated with repository encryption.
JSON Web Tokens provide authorized access to Apache NiFi for a number of authentication strategies. Recent changes to JWT handling have improved the security posture of several important elements including key generation, secret storage, signature verification, and token revocation.
Apache NiFi 1.14.0 includes a redesigned approach for encrypting and decrypting OpenPGP messages. The introduction of new Processors and Controller Services for OpenPGP provides additional capabilities and address a number of issues with the original implementation. These new components support a variety of potential use cases and create opportunities for additional development efforts.
Encrypting sensitive component properties is one of the foundational features of Apache NiFi. Understanding and configuring the required settings is essential to deploying a secure system.
Apache NiFi 1.14.0 builds on a foundation of configurable security and provides a better starting point for simple deployments. Single user authentication and automatic certificate generation for HTTPS access close several gaps in the default configuration.