[jira] [Commented] (NIFI-15845) Remove Restricted Component Authorization from Framework

Thu, 16 Apr 2026 04:07:41 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-15845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073947#comment-18073947
 ] 

ASF subversion and git services commented on NIFI-15845:
--------------------------------------------------------

Commit 8fb3240441282825b6ef131b856c67b2476aeb28 in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=8fb32404412 ]

NIFI-15845 Removed Restricted Component Authorization from Framework (#11148)

> Remove Restricted Component Authorization from Framework
> --------------------------------------------------------
>
>                 Key: NIFI-15845
>                 URL: https://issues.apache.org/jira/browse/NIFI-15845
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Following the deprecation of the Restricted annotation released in NiFi API 
> 2.8.0 and NiFi 2.9.0, the framework authorization handling should be updated 
> to remove evaluation of Restricted status and Required Permissions.
> The initial set of changes should avoid modifying the structure of REST API 
> requests and responses, instead returning {{false}} for restricted status and 
> empty lists for required permissions where applicable. This approach 
> maintains compatibility with existing frontend and REST API clients that may 
> check for the presence of restricted status.
> The initial set of changes should be limited to framework components, leaving 
> removal of the Restricted annotation to a subsequent issue for clarity of 
> implementation.
> Removing Restricted component authorization retains all other authorization 
> checks, requiring users to have applicable write access for Process Groups 
> and components in order to make changes or add components. Following the 
> removal, users will no longer be prevented from adding components based on 
> Restricted status alone. As described in the improvement proposal, this 
> change in behavior provides better alignment between enforceable security 
> boundaries and configurable access policies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to