[ https://issues.apache.org/jira/browse/NIFI-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16593660#comment-16593660 ]
ASF GitHub Bot commented on NIFI-5542: -------------------------------------- Github user achristianson commented on a diff in the pull request: https://github.com/apache/nifi/pull/2965#discussion_r212977830 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java --- @@ -604,12 +610,26 @@ private void populateInitialAdmin(final Authorizations authorizations) { * @param authorizations the overall authorizations */ private void populateNodes(Authorizations authorizations) { + // authorize static nodes + authorizeNodeIdentities(authorizations, nodeIdentities); + + // authorize dynamic nodes (node group) + if (nodeGroupName != null) { + Group nodeGroup = userGroupProvider.getGroup(nodeGroupName); + if (nodeGroup == null) { + throw new AuthorizerCreationException("Unable to locate node group " + nodeGroupName + " to seed policies."); + } + Set<String> nodeGroupUserIdentities = nodeGroup.getUsers(); + authorizeNodeIdentities(authorizations, nodeGroupUserIdentities); --- End diff -- Hmm, good point. It depends on how/when the FileAccessPolicyProvider is called. Looking into it... > Add support for node groups to FileAccessPolicyProvider > ------------------------------------------------------- > > Key: NIFI-5542 > URL: https://issues.apache.org/jira/browse/NIFI-5542 > Project: Apache NiFi > Issue Type: Improvement > Reporter: Andrew Christianson > Priority: Major > > Currently in FileAccessPolicyProvider, it is possible to specify a set of > node identities, which are given access to /proxy. This works well for static > clusters, but does not work so well for dynamic clusters (scaling up/down # > of nodes) because we don't know in advance what the node identities will be > or how many there will be. > In order to support dynamic sets of node identities, add support for > specifying a "Node Group," for which all identities in the group will be > granted access to /proxy. A UserGroupProvider can then be implemented to > gather node identities dynamically from the cluster environment. -- This message was sent by Atlassian JIRA (v7.6.3#76005)