[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15356963#comment-15356963 ]

ASF GitHub Bot commented on NIFI-2123:
--------------------------------------

Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/592

    Looks great @markap14! This has been merged to master.

> Authorize Individual Provenance Events
> --------------------------------------
>
> Key: NIFI-2123
> URL: https://issues.apache.org/jira/browse/NIFI-2123
> Project: Apache NiFi
> Issue Type: Task
> Components: Core Framework
> Reporter: Mark Payne
> Assignee: Mark Payne
> Priority: Blocker
> Fix For: 1.0.0
>
> As part of the new authorization paradigm, we need to authorize each
> provenance event individually. We do this by finding the component that the
> event belongs to and then authorizing using that component's authorizations.
> If the component no longer exists, no user will have authorization to the
> event.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15356962#comment-15356962 ]

ASF GitHub Bot commented on NIFI-2123:
--------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/592
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15356960#comment-15356960 ]

ASF subversion and git services commented on NIFI-2123:
-------------------------------------------------------

Commit ae9e2fdf0bfce31c38020784b78171709618903c in nifi's branch refs/heads/master from [~markap14]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=ae9e2fd ]

NIFI-2123: Add authorization of provenance events; refactor core classes so that Authorizable is located within nifi-api

This closes #592
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15355594#comment-15355594 ]

ASF GitHub Bot commented on NIFI-2123:
--------------------------------------

Github user mcgilman commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/592#discussion_r69003620

--- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java ---
@@ -1145,54 +1141,8 @@ public DownloadableContent getContent(final Long eventId, final String uri, fina // calculate the dn chain final List dnChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(user); dnChain.forEach(identity -> { -final String rootGroupId = flowController.getRootGroupId(); -final ProcessGroup rootGroup = flowController.getGroup(rootGroupId); - -final Resource eventResource; -if (rootGroupId.equals(event.getComponentId())) { -eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.ProcessGroup, rootGroup.getIdentifier(), rootGroup.getName()); -} else { -final Connectable connectable = rootGroup.findConnectable(event.getComponentId()); - -if (connectable == null) { -throw new AccessDeniedException("The component that generated this event is no longer part of the data flow. Unable to determine access policy."); -} - -switch (connectable.getConnectableType()) { -case PROCESSOR: -eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.Processor, connectable.getIdentifier(), connectable.getName()); -break; -case INPUT_PORT: -case REMOTE_INPUT_PORT: -eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.InputPort, connectable.getIdentifier(), connectable.getName()); -break; -case OUTPUT_PORT: -case REMOTE_OUTPUT_PORT: -eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.OutputPort, connectable.getIdentifier(), connectable.getName()); -break; -case FUNNEL: -eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.Funnel, connectable.getIdentifier(), connectable.getName()); -break; -default: -throw new WebApplicationException(Response.serverError().entity("An unexpected type of component generated this event.").build()); -} -} - -// build the request -final AuthorizationRequest request = new AuthorizationRequest.Builder() -.identity(identity) -.anonymous(user.isAnonymous()) // allow current user to drive anonymous flag as anonymous users are never 
chained... supports single user case -.accessAttempt(false) -.action(RequestAction.READ) -.resource(eventResource) -.eventAttributes(attributes) -.build(); - -// perform the authorization -final AuthorizationResult result = authorizer.authorize(request); -if (!Result.Approved.equals(result.getResult())) { -throw new AccessDeniedException(result.getExplanation()); -} +final Authorizable eventAuthorizable = flowController.createProvenanceAuthorizable(event.getComponentId()); +eventAuthorizable.authorize(authorizer, RequestAction.READ, user); --- End diff -- This needs to authorize each link in the chain, not just the current user. > Authorize Individual Provenance Events > -- > > Key: NIFI-2123 > URL: https://issues.apache.org/jira/browse/NIFI-2123 > Project: Apache NiFi > Issue Type: Task > Components: Core Framework >Reporter: Mark Payne >Assignee: Mark Payne >Priority: Blocker > Fix For: 1.0.0 > > > As part of the new authorization paradigm, we need to authorize each > provenance event individually. We do this by finding the component
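Review bot: In the two added lines inside `dnChain.forEach(identity -> { ... })`, the lambda parameter `identity` is never used: `eventAuthorizable.authorize(authorizer, RequestAction.READ, user)` checks the same `user` on every iteration, so the proxies in the chain returned by `buildProxiedEntitiesChain(user)` are not authorized individually, which the removed code did through `.identity(identity)`. Either authorize per identity or drop the loop so the intent is explicit. The removed request also passed `.eventAttributes(attributes)` and threw `AccessDeniedException` when the component was no longer part of the flow; neither is visible in the replacement, so confirm that `createProvenanceAuthorizable` still denies access for a missing component, and note in a comment whether the attributes are intentionally no longer supplied to the authorizer.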
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15355583#comment-15355583 ]

ASF GitHub Bot commented on NIFI-2123:
--------------------------------------

Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/592

    Reviewing...
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15355380#comment-15355380 ]

ASF GitHub Bot commented on NIFI-2123:
--------------------------------------

GitHub user markap14 opened a pull request:

    https://github.com/apache/nifi/pull/592

    NIFI-2123: Add authorization of provenance events

    Also refactored core classes so that Authorizable is located within nifi-api

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/markap14/nifi NIFI-2123

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/592.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #592

commit 8ceda4953094daf6dd92fbc9cf18f40b1b6855da
Author: Mark Payne
Date: 2016-06-28T18:53:35Z

    NIFI-2123: Add authorization of provenance events; refactor core classes so that Authorizable is located within nifi-api
[jira] [Commented] (NIFI-2123) Authorize Individual Provenance Events
[ https://issues.apache.org/jira/browse/NIFI-2123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15350961#comment-15350961 ]

Mark Payne commented on NIFI-2123:
----------------------------------

As part of the new authorization paradigm, we need to authorize each provenance event individually. We do this by finding the component that the event belongs to and then authorizing using that component's authorizations. If the component no longer exists, no user will have authorization to the event.
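The rule in the issue description (authorize each event through its component, and deny everyone once the component is gone), together with the review remark that every link in the proxy chain must be authorized, can be sketched as follows. This is an added example, not NiFi code: the `Event` record, the policy map and the method names are hypothetical, the sample policies are constructed, and it assumes Java 17.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration; these types are hypothetical and are not NiFi's API.
public class ProvenanceAuthzExample {
    record Event(long id, String componentId) {}

    /** componentId -> identities allowed to READ that component's provenance (constructed policy). */
    private final Map<String, Set<String>> readPolicies;

    ProvenanceAuthzExample(Map<String, Set<String>> readPolicies) {
        this.readPolicies = readPolicies;
    }

    /** An event is readable only if its component still exists and every identity in the chain is allowed. */
    boolean isAuthorized(Event event, List<String> identityChain) {
        Set<String> allowed = readPolicies.get(event.componentId());
        if (allowed == null) {
            return false; // component no longer in the flow: fail closed for every user
        }
        if (identityChain.isEmpty()) {
            return false; // nothing to authorize, so nothing is granted
        }
        // Check each link (end user and every proxy), not only the first identity.
        return identityChain.stream().allMatch(allowed::contains);
    }

    /** Filters a query result event by event instead of authorizing the repository as a whole. */
    List<Event> filterAuthorized(List<Event> events, List<String> identityChain) {
        return events.stream().filter(e -> isAuthorized(e, identityChain)).toList();
    }

    public static void main(String[] args) {
        var authz = new ProvenanceAuthzExample(Map.of(
                "processor-a", Set.of("alice", "proxy-1"),
                "processor-b", Set.of("alice")));
        List<Event> events = List.of(
                new Event(1, "processor-a"),
                new Event(2, "processor-b"),
                new Event(3, "deleted-processor")); // component absent from the policy map

        // Direct request by alice.
        System.out.println(authz.filterAuthorized(events, List.of("alice")));
        // The same request relayed through proxy-1, which must be authorized as well.
        System.out.println(authz.filterAuthorized(events, List.of("alice", "proxy-1")));
    }
}
```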