This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new cd1ff92be8 NIFI-14541 Added Scoped Authorization for Flow Registry
Clients
cd1ff92be8 is described below
commit cd1ff92be81cfa4b50b67975b9fa50827c639a7e
Author: exceptionfactory <[email protected]>
AuthorDate: Tue May 6 21:04:32 2025 -0500
NIFI-14541 Added Scoped Authorization for Flow Registry Clients
- Added Registry Client Resource Type with path nested under Controller
- Updated Controller Resource Flow Registry Client methods to use new
Authorizable resolution
Signed-off-by: Pierre Villard <[email protected]>
This closes #9918.
---
.../authorization/resource/ResourceFactory.java | 1 +
.../nifi/authorization/resource/ResourceType.java | 1 +
.../flow/StandardFlowRegistryClientNode.java | 2 +-
.../authorization/StandardAuthorizableLookup.java | 3 ++
.../apache/nifi/web/api/ControllerResource.java | 41 +++++++++++++++-------
5 files changed, 34 insertions(+), 14 deletions(-)
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
b/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
index 7b5f4d84a0..c6c2b5ff8f 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
@@ -553,6 +553,7 @@ public final class ResourceFactory {
case InputPort -> "Input Port";
case OutputPort -> "Output Port";
case Processor -> "Processor";
+ case RegistryClient -> "Registry Client";
case RemoteProcessGroup -> "Remote Process Group";
case ReportingTask -> "Reporting Task";
case FlowAnalysisRule -> "Flow Analysis Rule";
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
b/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
index 4cca47fb7a..4c61dad5ff 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
@@ -35,6 +35,7 @@ public enum ResourceType {
RemoteProcessGroup("/remote-process-groups"),
ReportingTask("/reporting-tasks"),
FlowAnalysisRule("/controller/flow-analysis-rules"),
+ RegistryClient("/controller/registry-clients"),
Resource("/resources"),
SiteToSite("/site-to-site"),
DataTransfer("/data-transfer"),
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClientNode.java
b/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClientNode.java
index 8b968d3f2e..bf4398f271 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClientNode.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClientNode.java
@@ -99,7 +99,7 @@ public final class StandardFlowRegistryClientNode extends
AbstractComponentNode
@Override
public Resource getResource() {
- return ResourceFactory.getComponentResource(ResourceType.Controller,
getIdentifier(), getName());
+ return
ResourceFactory.getComponentResource(ResourceType.RegistryClient,
getIdentifier(), getName());
}
@Override
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
index a41334bd6c..a780e5f22b 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
@@ -644,6 +644,9 @@ public class StandardAuthorizableLookup implements
AuthorizableLookup {
case ProcessGroup:
authorizable = getProcessGroup(componentId).getAuthorizable();
break;
+ case RegistryClient:
+ authorizable =
getFlowRegistryClient(componentId).getAuthorizable();
+ break;
case RemoteProcessGroup:
authorizable = getRemoteProcessGroup(componentId);
break;
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java
index e0d662caac..f2afba9242 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java
@@ -1443,7 +1443,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Read - /flow")
+ @SecurityRequirement(name = "Read - /controller")
}
)
public Response getFlowRegistryClients() {
@@ -1481,6 +1481,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
+ @SecurityRequirement(name = "Read - /controller"),
@SecurityRequirement(name = "Write - /controller")
}
)
@@ -1569,7 +1570,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Read - /controller")
+ @SecurityRequirement(name = "Read -
/controller/registry-clients/{id}")
}
)
public Response getFlowRegistryClient(
@@ -1584,7 +1585,10 @@ public class ControllerResource extends
ApplicationResource {
}
// authorize access
- authorizeController(RequestAction.READ);
+ serviceFacade.authorizeAccess(lookup -> {
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.READ,
NiFiUserUtils.getNiFiUser());
+ });
// get the flow registry client
final FlowRegistryClientEntity entity =
serviceFacade.getRegistryClient(id);
@@ -1613,7 +1617,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Write - /controller")
+ @SecurityRequirement(name = "Write -
/controller/registry-clients/{id}")
}
)
public Response updateFlowRegistryClient(
@@ -1635,8 +1639,11 @@ public class ControllerResource extends
ApplicationResource {
throw new IllegalArgumentException("Revision must be specified.");
}
- // authorize access
- authorizeController(RequestAction.WRITE);
+ // Authorize Read before Write Action
+ serviceFacade.authorizeAccess(lookup -> {
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.READ,
NiFiUserUtils.getNiFiUser());
+ });
// ensure the ids are the same
final FlowRegistryClientDTO requestRegistryClient =
requestFlowRegistryClientEntity.getComponent();
@@ -1662,7 +1669,8 @@ public class ControllerResource extends
ApplicationResource {
requestFlowRegistryClientEntity,
requestRevision,
lookup -> {
- authorizeController(RequestAction.WRITE);
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.WRITE,
NiFiUserUtils.getNiFiUser());
},
null,
(revision, registryClientEntity) -> {
@@ -1702,7 +1710,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Write - /controller")
+ @SecurityRequirement(name = "Write -
/controller/registry-clients/{id}")
}
)
public Response deleteFlowRegistryClient(
@@ -1731,7 +1739,10 @@ public class ControllerResource extends
ApplicationResource {
}
// authorize access
- authorizeController(RequestAction.WRITE);
+ serviceFacade.authorizeAccess(lookup -> {
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.WRITE,
NiFiUserUtils.getNiFiUser());
+ });
final FlowRegistryClientEntity requestFlowRegistryClientEntity = new
FlowRegistryClientEntity();
requestFlowRegistryClientEntity.setId(id);
@@ -1743,7 +1754,8 @@ public class ControllerResource extends
ApplicationResource {
requestFlowRegistryClientEntity,
requestRevision,
lookup -> {
- authorizeController(RequestAction.WRITE);
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.WRITE,
NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteRegistry(id),
(revision, registryClientEntity) -> {
@@ -1776,7 +1788,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Read -
/controller/registry-clients/{uuid}")
+ @SecurityRequirement(name = "Read -
/controller/registry-clients/{id}")
}
)
public Response getPropertyDescriptor(
@@ -1804,7 +1816,10 @@ public class ControllerResource extends
ApplicationResource {
}
// authorize access
- authorizeController(RequestAction.READ);
+ serviceFacade.authorizeAccess(lookup -> {
+ final Authorizable authorizable =
lookup.getFlowRegistryClient(id).getAuthorizable();
+ authorizable.authorize(authorizer, RequestAction.READ,
NiFiUserUtils.getNiFiUser());
+ });
// get the property descriptor
final PropertyDescriptorDTO descriptor =
serviceFacade.getRegistryClientPropertyDescriptor(id, propertyName, sensitive);
@@ -1837,7 +1852,7 @@ public class ControllerResource extends
ApplicationResource {
@ApiResponse(responseCode = "409", description = "The
request was valid but NiFi was not in the appropriate state to process it.")
},
security = {
- @SecurityRequirement(name = "Read - /flow")
+ @SecurityRequirement(name = "Read - /controller")
}
)
public Response getRegistryClientTypes() {
