Github user markobean commented on a diff in the pull request: https://github.com/apache/nifi/pull/2703#discussion_r194730011 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java --- 
@@ -1338,6 +1339,67 @@ private void authorizeReplay(final ProvenanceEventRecord event) {
 dataAuthorizable.authorize(authorizer, RequestAction.WRITE, user, eventAttributes);
 }
+ private AuthorizationResult checkAuthorizationForData(ProvenanceEventRecord event) {
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ final Authorizable dataAuthorizable;
+ if (event.isRemotePortType()) {
+ dataAuthorizable = flowController.createRemoteDataAuthorizable(event.getComponentId());
+ } else {
+ dataAuthorizable = flowController.createLocalDataAuthorizable(event.getComponentId());
+ }
+
+ final Map<String, String> eventAttributes = event.getAttributes();
+
+ // ensure we can read the data
+ return dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes);
+ }
+
+ private AuthorizationResult checkAuthorizationForProvenanceData(final ProvenanceEventRecord event) {
+ final ProcessGroup rootGroup = flowController.getGroup(getRootGroupId());
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ final String componentId = event.getComponentId();
+ Connectable connectable;
+ String targetId = null;
+ // check if the component is the rootGroup
+ if (getRootGroupId().equals(componentId)) {
+ targetId = componentId;
+ }
+ if (targetId == null) {
+ // check if the component is a processor
+ connectable = rootGroup.findProcessor(componentId);
+ if (connectable == null) {
+ // if the component id is not a processor then consider a connection
+ connectable = rootGroup.findConnection(componentId).getSource();
+
+ if (connectable == null) {
+ throw new ResourceNotFoundException("The component that generated this event is no longer part of the data flow");
+ }
+ }
+ targetId = connectable.getIdentifier();
+ }
+ final Authorizable provenanceDataAuthorizable = flowController.createProvenanceDataAuthorizable(targetId);
+
+ return provenanceDataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user);
+ }
+
+ private AuthorizationResult
checkConnectableAuthorization(final String componentId) {
+ final ProcessGroup rootGroup = flowController.getGroup(getRootGroupId());
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ if (rootGroup.getIdentifier().equals(componentId)) {
+ return rootGroup.checkAuthorization(authorizer, RequestAction.READ, user);
+ }
+ Connectable connectable = rootGroup.findLocalConnectable(componentId);
--- End diff --
Will findLocalConnectable() versus findProcessor() include connections as well? If so, then this should return to findProcessor() to account for connections and subsequently finding the connection's source component.
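Review bot: In checkAuthorizationForProvenanceData the null check guards the wrong value: `rootGroup.findConnection(componentId).getSource()` dereferences the lookup result before anything is tested. If findConnection returns null on a miss (as the code assumes findProcessor does), an id that matches neither a processor nor a connection raises a NullPointerException instead of the intended ResourceNotFoundException. The exception message suggests that events outliving their component are an expected input to this authorization check, so the miss should take the explicit not-found path rather than surface as an unhandled error. Assign the lookup first, `final Connection connection = rootGroup.findConnection(componentId);`, throw ResourceNotFoundException when it is null, and only then call `connection.getSource()`, keeping the existing null check on the source.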
---