Bryan Bende created NIFI-12482:
----------------------------------

             Summary: Improve authorization of registry clients
                 Key: NIFI-12482
                 URL: https://issues.apache.org/jira/browse/NIFI-12482
             Project: Apache NiFi
          Issue Type: Improvement
    Affects Versions: 1.24.0, 2.0.0-M1
            Reporter: Bryan Bende

Currently the authorization for accessing a registry client is based on permissions to /controller.

* Create registry client
** authorizeController(RequestAction.READ);
** Seems like this should be checking WRITE
* Update registry client
** authorizeController(RequestAction.WRITE);
* Delete registry client
** authorizeController(RequestAction.WRITE);
* List registry clients
** Creates permissions from authorizableLookup.getController()
** Nulls out entity if !permissions.canRead()

It seems too restrictive that a user must have READ to /controller in order to perform any action like import/start/stop version control. There should be the ability to have more specific policies on a registry client, similar to parameter contexts.

It also creates a weird situation with parameter contexts since their parent is /controller, so now if a user needs access to registry clients, they also inherently get access to all parameter contexts that don't have a specific policy on them.
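
The side effect described above, as an added example that is not part of the original issue and is not NiFi code: a simplified model of parent-fallback policy resolution, comparing a READ grant on /controller with a grant on a per-client resource. The class names, the user names and every resource path other than /controller are assumptions made for illustration.

```python
# Simplified model of parent-fallback policy resolution; not NiFi code.
# Every resource path except /controller is a constructed placeholder.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Authorizable:
    resource: str
    parent: Optional["Authorizable"] = None


@dataclass
class PolicyStore:
    policies: dict = field(default_factory=dict)  # (resource, action) -> users

    def grant(self, resource, action, user):
        self.policies.setdefault((resource, action), set()).add(user)

    def is_authorized(self, target, action, user):
        # The nearest resource that has a policy for this action decides.
        node = target
        while node is not None:
            users = self.policies.get((node.resource, action))
            if users is not None:
                return user in users
            node = node.parent
        return False  # no policy anywhere on the path: deny


def scenario(per_client_policy):
    controller = Authorizable("/controller")
    client = Authorizable("/controller/registry-clients/rc-1", controller)
    ctx_open = Authorizable("/parameter-contexts/ctx-a", controller)
    ctx_locked = Authorizable("/parameter-contexts/ctx-b", controller)
    store = PolicyStore()
    store.grant(ctx_locked.resource, "READ", "admin")  # ctx-b has its own policy
    # alice only needs the registry client for version control operations.
    granted_on = client if per_client_policy else controller
    store.grant(granted_on.resource, "READ", "alice")
    # Today the check targets /controller; the hypothetical fix targets the client.
    checked = client if per_client_policy else controller
    targets = {"registry_client": checked, "controller": controller,
               "ctx_open": ctx_open, "ctx_locked": ctx_locked}
    return {name: store.is_authorized(t, "READ", "alice")
            for name, t in targets.items()}


if __name__ == "__main__":
    print("controller-level grant:", scenario(False))
    print("per-client grant:      ", scenario(True))
```

With the controller-level grant, alice can also read the parameter context that has no policy of its own; with the per-client grant she reaches only the registry client.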