[ https://issues.apache.org/jira/browse/NIFI-375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16613596#comment-16613596 ]
ASF GitHub Bot commented on NIFI-375: ------------------------------------- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2990#discussion_r217390883 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/OperationAuthorizable.java --- 
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authorization.resource;
+
+import org.apache.nifi.authorization.AccessDeniedException;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.RequestAction;
+import org.apache.nifi.authorization.Resource;
+import org.apache.nifi.authorization.user.NiFiUser;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Authorizable for a component that can be scheduled by operators.
+ */
+public class OperationAuthorizable implements Authorizable, EnforcePolicyPermissionsThroughBaseResource {
+ private static Logger logger = LoggerFactory.getLogger(OperationAuthorizable.class);
+ private final Authorizable baseAuthorizable;
+
+ public OperationAuthorizable(final Authorizable baseAuthorizable) {
+ this.baseAuthorizable = baseAuthorizable;
+ }
+
+ @Override
+ public Authorizable getParentAuthorizable() {
+ // Need to return parent operation authorizable. E.g. /operation/processor/xxxx -> /operation/process-group/yyyy -> /run-status/process-group/root
+ if (baseAuthorizable.getParentAuthorizable() == null) {
+ return null;
+ } else {
+ return new OperationAuthorizable(baseAuthorizable.getParentAuthorizable());
+ }
+ }
+
+ @Override
+ public Authorizable getBaseAuthorizable() {
+ return baseAuthorizable;
+ }
+
+ @Override
+ public Resource getResource() {
+ return ResourceFactory.getOperationResource(baseAuthorizable.getResource());
+ }
+
+ /**
+ * <p>Authorize the request action with the resource using base authorizable and operation authorizable combination.</p>
+ *
+ * <p>This method authorizes the request with the base authorizable first. If the request is allowed, then finish authorization.
+ * If base authorizable denies the request, then it checks if the user has WRITE permission for '/operation/{componentType}/{id}'.</p>
+ */
+ public static void authorize(final Authorizable baseAuthorizable, final Authorizer authorizer, final RequestAction requestAction, final NiFiUser user) {
+ try {
+ baseAuthorizable.authorize(authorizer, requestAction, user);
+ } catch (AccessDeniedException e) {
+ logger.debug("Authorization failed with {}. Try authorizing with OperationAuthorizable.", baseAuthorizable, e);
+ // Always use WRITE action for operation.
+ new OperationAuthorizable(baseAuthorizable).authorize(authorizer, RequestAction.WRITE, user);
+ }
+
+ }
+
+ /**
+ * Check if the request is authorized.
+ *
+ * @return True if the request is allowed by the base authorizable, or the user has WRITE permission for '/operation/{componentType}/id'.
+ */
+ public static boolean isAuthorized(final Authorizable baseAuthorizable, final Authorizer authorizer, final RequestAction requestAction, final NiFiUser user) {
--- End diff --
There is no time when someone should invoke this method with a `requestAction` of `WRITE`. Can we remove that parameter? 
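Review bot: In the static `authorize`, the catch branch retries with `RequestAction.WRITE` on the operation resource whatever `requestAction` the caller passed, so a user holding only the operation policy passes this check for any action; that is safe only if every call site is a run-status change, and neither the signature nor the Javadoc says so. I would state the constraint in the Javadoc, e.g. `<p>Call this only for scheduling (run-status) requests: the fallback ignores {@code requestAction} and grants on operation WRITE.</p>`. When both checks fail, the exception that reaches the caller presumably names the operation resource while the base denial survives only in the `logger.debug` line, which would make denied requests harder to trace; worth confirming against how callers report denials. Separately, the logger field should be `private static final Logger logger = LoggerFactory.getLogger(OperationAuthorizable.class);`. The body of `isAuthorized` lies outside the quoted hunk, so whether it has the same fallback cannot be judged from here.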
Also, because of this, and because the name is the same as the non-static version (which has admittedly confused me a number of times while reviewing), can we rename this method to more accurately depict its intention? Maybe something along the lines of `isOperationAuthorized`. > New user role: Operator who can start and stop components > --------------------------------------------------------- > > Key: NIFI-375 > URL: https://issues.apache.org/jira/browse/NIFI-375 > Project: Apache NiFi > Issue Type: New Feature > Components: Core Framework > Reporter: Daniel Ueberfluss > Assignee: Koji Kawamura > Priority: Major > > Would like to have a user role that allows a user to stop/start processors > but perform no other changes to the dataflow. > This would allow users to address simple problems without providing full > access to modifying a data flow. -- This message was sent by Atlassian JIRA (v7.6.3#76005)