[ 
https://issues.apache.org/jira/browse/NIFI-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16593660#comment-16593660
 ] 

ASF GitHub Bot commented on NIFI-5542:
--------------------------------------

Github user achristianson commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2965#discussion_r212977830
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
 ---
    @@ -604,12 +610,26 @@ private void populateInitialAdmin(final 
Authorizations authorizations) {
          * @param authorizations the overall authorizations
          */
         private void populateNodes(Authorizations authorizations) {
    +        // authorize static nodes
    +        authorizeNodeIdentities(authorizations, nodeIdentities);
    +
    +        // authorize dynamic nodes (node group)
    +        if (nodeGroupName != null) {
    +            Group nodeGroup = userGroupProvider.getGroup(nodeGroupName);
    +            if (nodeGroup == null) {
    +                throw new AuthorizerCreationException("Unable to locate 
node group " + nodeGroupName + " to seed policies.");
    +            }
    +            Set<String> nodeGroupUserIdentities = nodeGroup.getUsers();
    +            authorizeNodeIdentities(authorizations, 
nodeGroupUserIdentities);
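
Review bot: in populateNodes, nodeGroup.getUsers() is read once while the policies are being seeded, so as far as these lines show the grants cover only the identities that are in the group at that moment. A node that joins nodeGroupName afterwards would not be authorized until this method runs again, which works against the dynamic-cluster case the group is meant to support. Consider attaching the seeded policies to the group itself instead of expanding it to its current users, or state in the Javadoc that membership is captured at seed time. It is also worth confirming that the values returned by getUsers() are the same kind of value authorizeNodeIdentities expects for nodeIdentities, since the local variable is named nodeGroupUserIdentities.
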
    --- End diff --
    
    Hmm, good point. It depends on how/when the FileAccessPolicyProvider is 
called. Looking into it...


> Add support for node groups to FileAccessPolicyProvider
> -------------------------------------------------------
>
>                 Key: NIFI-5542
>                 URL: https://issues.apache.org/jira/browse/NIFI-5542
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Andrew Christianson
>            Priority: Major
>
> Currently in FileAccessPolicyProvider, it is possible to specify a set of 
> node identities, which are given access to /proxy. This works well for static 
> clusters, but does not work so well for dynamic clusters (scaling up/down # 
> of nodes) because we don't know in advance what the node identities will be 
> or how many there will be.
> In order to support dynamic sets of node identities, add support for 
> specifying a "Node Group," for which all identities in the group will be 
> granted access to /proxy. A UserGroupProvider can then be implemented to 
> gather node identities dynamically from the cluster environment.


