[ https://issues.apache.org/jira/browse/NIFI-15460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Bean updated NIFI-15460:
-----------------------------
Description:
For Registry Clients other than NiFiRegistryFlowRegistryClient, there is no
authorization to buckets or flows. And to be clear, even for
NiFiRegistryFlowRegistryClient, the authorization is within NiFi Registry, not
the client. It is desirable to maintain the same behavior without the reliance
on the NiFi Registry application to provide the authorizations.
This issue creates a new Access Policy, "access registry client", with actions
of "view" and "modify". The policies are applied to all Registry Clients (with
the possible exception of NiFiRegistryFlowRegistryClient so as to avoid
redundant, or worse, conflicting authorization). This policy will act like a
Component Access Policy in that it applies only to a specific component, i.e.
Registry Client. However, there is no ability to inherit as other Component
Access Policies because they apply to specific clients which do not have a
notion of hierarchy.
The "view" option grants users the ability to view buckets and versioned flows
with a specific client. With this capability, authorized users may import flows
from the Registry Client. However, "view" alone does not allow users to update
a versioned flow nor create a new one within the client.
Similarly, the "modify" option grants users the ability to create a new version
of a flow including the initial version of a new versioned flow. The scope of
both "view" and "modify" is for the given Registry Client to which the policy
is attached.
To assist in backward compatibility, existing clients at the time the Access
Policy is introduced will default to have the same users in the policy as
"access the controller", "view/modify".
was:
For Registry Clients other than NiFiRegistryFlowRegistryClient, there is no
authorization to buckets or flows. And to be clear, even for
NiFiRegistryFlowRegistryClient, the authorization is within NiFi Registry, not
the client. It is desirable to maintain the same behavior without the reliance
on the NiFi Registry application to provide the authorizations.
This issue creates a new Access Policy, "access registry client", with actions
of "view" and "modify". The policies are applied to all Registry Clients (with
the possible exception of NiFiRegistryFlowRegistryClient so as to avoid
redundant, or worse, conflicting authorization). This policy will act like a
Component Access Policy in that it applies only to a specific component, i.e.
Registry Client. However, there is no ability to inherit as other Component
Access Policies because they apply to specific clients which do not have a
notion of hierarchy.
The "view" option grants users the ability to view buckets and versioned flows
with a specific client. With this capability, authorized users may import flows
from the Registry Client. However, "view" alone does not allow users to update
a versioned flow nor create a new one within the client.
Similarly, the "write" option grants users the ability to create a new version
of a flow including the initial version of a new versioned flow. The scope of
both "view" and "modify" is for the given Registry Client to which the policy
is attached.
To assist in backward compatibility, existing clients at the time the Access
Policy is introduced will default to have the same users in the policy as
"access the controller", "view/modify".
> Create Access Policies for Registry Clients
> -------------------------------------------
>
> Key: NIFI-15460
> URL: https://issues.apache.org/jira/browse/NIFI-15460
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Mark Bean
> Priority: Major
>
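A minimal model of the policy semantics described in this issue, added here as an illustration and not NiFi code. Operation names, client ids and users are hypothetical; it assumes "view" and "modify" are checked independently, that the backward-compatibility seeding copies controller "view" users to client "view" and controller "modify" users to client "modify", and that clients created later start with no grants.

```python
from dataclasses import dataclass, field

VIEW, MODIFY = "view", "modify"

# Hypothetical operation names mapped to the action the description requires.
REQUIRED_ACTION = {
    "list_buckets": VIEW,
    "list_flows": VIEW,
    "import_flow": VIEW,               # "view" is enough to import a flow
    "create_versioned_flow": MODIFY,   # initial version of a new versioned flow
    "commit_new_version": MODIFY,
}

@dataclass
class RegistryClientPolicies:
    # (client_id, action) -> users. Keyed per client: no parent, no inheritance.
    grants: dict = field(default_factory=dict)

    def grant(self, client_id, action, user):
        if action not in (VIEW, MODIFY):
            raise ValueError(f"unknown action: {action}")
        self.grants.setdefault((client_id, action), set()).add(user)

    def is_authorized(self, user, client_id, operation):
        action = REQUIRED_ACTION.get(operation)
        if action is None:
            return False  # unknown operation: deny by default
        return user in self.grants.get((client_id, action), set())

    def seed_existing(self, client_ids, controller_view, controller_modify):
        # Assumed reading of the backward-compatibility rule: controller "view"
        # users get client "view", controller "modify" users get client "modify".
        for cid in client_ids:
            self.grants[(cid, VIEW)] = set(controller_view)
            self.grants[(cid, MODIFY)] = set(controller_modify)

def demo():
    p = RegistryClientPolicies()
    # Constructed sample data: one pre-existing client, two controller policies.
    p.seed_existing(["git-client"], {"alice", "bob"}, {"alice"})
    p.grant("s3-client", VIEW, "carol")  # client created after the migration
    return {
        "bob_import": p.is_authorized("bob", "git-client", "import_flow"),
        "bob_commit": p.is_authorized("bob", "git-client", "commit_new_version"),
        "alice_commit": p.is_authorized("alice", "git-client", "commit_new_version"),
        "carol_other_client": p.is_authorized("carol", "git-client", "list_buckets"),
        "alice_new_client": p.is_authorized("alice", "s3-client", "list_buckets"),
    }
```

The last two results show the per-client scoping: a grant on one Registry Client gives nothing on another, and controller-level access does not carry over to a client created after the migration.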