GitHub user pepov commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2965#discussion_r212879535
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
---
@@ -604,12 +610,26 @@ private void populateInitialAdmin(final
Authorizations authorizations) {
* @param authorizations the overall authorizations
*/
private void populateNodes(Authorizations authorizations) {
+ // authorize static nodes
+ authorizeNodeIdentities(authorizations, nodeIdentities);
+
+ // authorize dynamic nodes (node group)
+ if (nodeGroupName != null) {
+ Group nodeGroup = userGroupProvider.getGroup(nodeGroupName);
+ if (nodeGroup == null) {
+ throw new AuthorizerCreationException("Unable to locate
node group " + nodeGroupName + " to seed policies.");
+ }
+ Set<String> nodeGroupUserIdentities = nodeGroup.getUsers();
+ authorizeNodeIdentities(authorizations,
nodeGroupUserIdentities);
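Review bot: In the nodeGroupName != null branch, nodeGroup.getUsers() is read once and the resulting identities are passed to authorizeNodeIdentities(), so as far as this hunk shows the policies are seeded for a snapshot of the group's members rather than for the group. A node added to the group after seeding would not be covered by anything visible here. Consider attaching the node policies to the group itself, or, if the snapshot is intended, say so in the populateNodes Javadoc, which still only documents the authorizations parameter. It is also worth deciding what should happen when the group exists but getUsers() returns an empty set, since that case passes the null check silently and seeds nothing.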
--- End diff --
I'm not intimate with how this works, but wouldn't this just authorize the
users in the group initially and not the group itself? I mean will this
authorization include nodes added later to the group? Is there a way to do the
same authorization on the group object directly?
---