VB_

Reputation: 45702

Nifi Basic Auth implementation

Objective

Nifi ListenHTTP/HandleHTTPRequest processors don't support Basic Auth, so, as suggested by this answer, you can use ListenHTTP/HandleHTTPRequest processors with RouteOnAttribute to validate the username and password. In my case, Nifi accepts plain HTTP requests because Nifi is hidden behind API Gateway SSL termination. To be precise, Nifi gets the HTTP Authorization header, which according to the Basic Auth client protocol equals base64(username + ':' + password).

Question

Does it make sense to store credentials on the Nifi side as sensitive parameters if Nifi gets the Authorization HTTP header in plain text?

If yes, how can I securely validate HTTP request credentials against the expected pair?

If no, is there any other secure way to store the password on the Nifi side and implement Basic Auth?

The issue

I have to store the expected username-password pair inside Parameter Context sensitive parameters. That means I can't reach those parameters from UpdateAttribute or RouteOnAttribute processors, so I don't know how to validate/authorize the request.

Upvotes: 0

Views: 2723

Answers (1)

Petr Kireev

Reputation: 41

When you send a request to the HandleHttpRequest processor with Basic Auth, you have access to the http.headers.Authorization attribute. It looks like Basic dXNlcm5hbWU6cGFzc3dvcmQ= for username:password. So you can use RouteOnAttribute to check whether this value matches your credentials or not. You can also fetch the value from a database for comparison. You should evaluate the value before the HandleHttpResponse processor.

Upvotes: 0
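An added example, not part of the question or answer above and not NiFi code: stand-alone Python showing how the http.headers.Authorization value can be checked against a stored salted PBKDF2 hash with a constant-time comparison, so the plaintext password is never stored. All function names, the salt and the iteration count are assumptions; running this logic inside a flow (for example from a scripted processor) is also an assumption.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your request rate


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value to store instead of the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def parse_basic_header(value):
    """Return (username, password) from 'Basic <base64>', or None if malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None


def is_authorized(header_value, expected_user, salt, expected_hash) -> bool:
    """Check the header against the stored username and password hash."""
    creds = parse_basic_header(header_value)
    # Hash even when parsing fails so both paths do similar work.
    username, password = creds if creds else ("", "")
    candidate = hash_password(password, salt)
    user_ok = hmac.compare_digest(username.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(candidate, expected_hash)
    return creds is not None and user_ok and pass_ok


# Constructed sample data: the header value quoted in the answer (username:password).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_HASH = hash_password("password", SAMPLE_SALT)
SAMPLE_HEADER = "Basic dXNlcm5hbWU6cGFzc3dvcmQ="

if __name__ == "__main__":
    print(is_authorized(SAMPLE_HEADER, "username", SAMPLE_SALT, SAMPLE_HASH))
```

In a real deployment only the salt and the derived hash would be kept as sensitive values, and the salt would be generated randomly per credential.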
