This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 5a87d32aaa NIFI-15265: Fixing bug where the getLocalConnectable was 
being used to authorize access to a RemoteProcessGroup. Instead we need to use 
getRemoteProcessGroup from the authorizable lookup.
5a87d32aaa is described below

commit 5a87d32aaaf44c2f4bae86c3281cd7e86899616c
Author: Matt Gilman <[email protected]>
AuthorDate: Wed Nov 26 13:37:53 2025 -0500

    NIFI-15265: Fixing bug where the getLocalConnectable was being used to 
authorize access to a RemoteProcessGroup. Instead we need to use 
getRemoteProcessGroup from the authorizable lookup.
    
    Signed-off-by: Pierre Villard <[email protected]>
    
    This closes #10566.
---
 .../src/main/java/org/apache/nifi/web/api/FlowResource.java | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
index 585ee6ec43..a53fe83b13 100644
--- 
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
+++ 
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
@@ -1295,6 +1295,13 @@ public class FlowResource extends ApplicationResource {
             throw new IllegalArgumentException("The from timestamp must be 
specified.");
         }
 
+        // Collect RPG IDs to distinguish them from local connectables during 
authorization
+        final Set<String> remoteProcessGroupIds = 
serviceFacade.filterComponents(id, group ->
+                group.findAllRemoteProcessGroups().stream()
+                        .map(rpg -> rpg.getIdentifier())
+                        .collect(Collectors.toSet())
+        );
+
         // if the components are not specified, gather all authorized 
components
         if (clearBulletinsForGroupRequestEntity.getComponents() == null) {
             // get component IDs that the user has write access to
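Review bot: The RPG id set is built at the top of the handler, before the authorization callback in the later hunk runs, and on every request, including the `getComponents() == null` path where this hunk does not show it being used. Because this set decides which authorizable a component id is checked against, I would either compute it next to its use or extend the comment, e.g. `// Snapshot of RPG ids under this group; selects getRemoteProcessGroup vs getLocalConnectable for the WRITE check below`. Whether `findAllRemoteProcessGroups()` includes descendant groups is not visible here and is worth stating in that comment, since an RPG id missing from the set would be routed to the local-connectable lookup. The enclosing method starts and ends outside the hunk.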
@@ -1344,8 +1351,10 @@ public class FlowResource extends ApplicationResource {
                     // ensure access to every component being cleared
                     final Set<String> requestComponentsToClear = 
clearBulletinsForGroupRequestEntity.getComponents();
                     requestComponentsToClear.forEach(componentId -> {
-                        final Authorizable connectable = 
lookup.getLocalConnectable(componentId);
-                        connectable.authorize(authorizer, RequestAction.WRITE, 
NiFiUserUtils.getNiFiUser());
+                        final Authorizable authorizable = 
remoteProcessGroupIds.contains(componentId)
+                                ? lookup.getRemoteProcessGroup(componentId)
+                                : lookup.getLocalConnectable(componentId);
+                        authorizable.authorize(authorizer, 
RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                     });
                 },
                 () -> { },
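Review bot: This authorization fix lands without a regression test; the diffstat lists only FlowResource.java. A test that puts a RemoteProcessGroup id in `getComponents()` and asserts that WRITE is checked through `lookup.getRemoteProcessGroup(componentId)`, plus a denied-user case, would keep the routing from regressing. Ids that are not in `remoteProcessGroupIds` still fall through to `lookup.getLocalConnectable(componentId)`. Presumably that lookup throws for unknown ids rather than returning null, which should be confirmed because `authorizable.authorize(...)` is called unguarded. The enclosing method continues outside the hunk.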
