Bryan Bende created NIFI-12482:
----------------------------------
Summary: Improve authorization of registry clients
Key: NIFI-12482
URL: https://issues.apache.org/jira/browse/NIFI-12482
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 1.24.0, 2.0.0-M1
Reporter: Bryan Bende
Currently the authorization for accessing a registry client is based on
permissions to /controller.
* Create registry client
**
authorizeController({color:#000000}RequestAction{color}.{color:#871094}READ{color});
** Seems like this should be checking WRITE
* Update registry client
**
authorizeController({color:#000000}RequestAction{color}.{color:#871094}WRITE{color});
* Delete registry client
**
authorizeController({color:#000000}RequestAction{color}.{color:#871094}WRITE{color});
* List registry clients
** Creates permissions fromĀ
{color:#871094}authorizableLookup{color}.getController()
** Nulls out entity if !permissions.canRead()
It seems too restrictive that a user must have READ to /controller in order to
perform any action like import/start/stop version control. There should be
ability to have more specific policies on a registry client, similar to
parameter contexts.
It also creates a weird situation with parameter contexts since their parent is
/controller, so now if a user needs access to registry clients, they also
inherently get access to all parameter contexts that don't have a specific
policy on them.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
