Andy,

that's a good question. I have to admit that I thought about it and then
saw that there is already an Authorizable for this scenario so I assumed
that part was already taken care of. So whoever has the permission to view
"access all policies" would also be able to use the API? Were you thinking
of something different?

Cheers,
Lars



On Fri, Nov 9, 2018 at 12:35 AM Andy LoPresto <alopre...@apache.org> wrote:

> Lars,
>
> What access controls do you anticipate putting on this API endpoint and
> what potential issues do you see? I could see this being abused if not
> secured very carefully, and it doesn’t seem like a common use case
> (notwithstanding your current requirement). Is this something that can be
> done by using the NiFi CLI to iterate/recurse through the various PGs and
> retrieve these policies?
>
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> > On Nov 9, 2018, at 3:31 AM, Lars Francke <lars.fran...@gmail.com> wrote:
> >
> > Hi,
> >
> > I was tasked with writing a tool to generate a kind of "audit report". For
> > that I need to get all policies that people have across various systems.
> > NiFi is one of them.
> >
> > I see that we have a REST API for Policies but that doesn't expose a method
> > to expose _all_ policies. I'd like to add a REST endpoint that allows
> > retrieving all policies.
> > Before I open a Jira I wanted to get feedback whether this addition would
> > be acceptable.
> >
> > Implementation notes
> > This is how I see the current flow of requests from the
> > AccessPolicyResource to the actual AccessPolicyProvider:
> >
> > AccessPolicyResource -> NiFiServiceFacade (StandardNiFiServiceFacade) ->
> > AccessPolicyDAO (StandardPolicyBasedAuthorizerDAO) -> AccessPolicyProvider
> >
> > Fortunately the AccessPolicyProvider already has a method to retrieve all
> > policies. Should there be custom implementations by third parties they
> > already support the necessary methods and I believe the classes that need
> > to be changed are all NiFi internal:
> >
> > * AccessPolicyResource
> > * NiFiServiceFacade
> > * StandardNiFiServiceFacade
> > * AccessPolicyDAO
> > * StandardPolicyBasedAuthorizerDAO
> > * And probably a bunch of others especially test classes
> >
> > If I don't hear any objections I will open a Jira issue and would try and
> > provide a patch.
> >
> > Cheers,
> > Lars
>
>
