Mark Bean created NIFI-15460:
--------------------------------
Summary: Create Access Policies for Registry Clients
Key: NIFI-15460
URL: https://issues.apache.org/jira/browse/NIFI-15460
Project: Apache NiFi
Issue Type: Improvement
Reporter: Mark Bean

For Registry Clients other than NiFiRegistryFlowRegistryClient, there is no
authorization to buckets or flows. And to be clear, even for
NiFiRegistryFlowRegistryClient, the authorization is within NiFi Registry, not
the client. It is desirable to maintain the same behavior without the reliance
on the NiFi Registry application to provide the authorizations.

This issue creates a new Access Policy, "access registry client", with actions
of "view" and "modify". The policies are applied to all Registry Clients (with
the possible exception of NiFiRegistryFlowRegistryClient so as to avoid
redundant, or worse, conflicting authorization.) This policy will act like a
Component Access Policy in that it applies only to a specific component, i.e.
Registry Client. However, there is no ability to inherit as other Component
Access Policies because they apply to specific clients which do not have a
notion of hierarchy.

The "view" option grants users the ability to view buckets and versioned flows
with a specific client. With this capability, authorized users may import flows
from the Registry Client. However, "view" alone does not allow users to update
a versioned flow nor create a new one within the client.

Similarly, the "write" option grants users the ability to create a new version
of a flow including the initial version of a new versioned flow. The scope of
both "view" and "modify" is for the given Registry Client to which the policy
is attached.

To assist in backward compatibility, existing clients at the time the Access
Policy is introduced will default to have the same users in the policy as
"access the controller", "view/modify".