Lars, What access controls do you anticipate putting on this API endpoint and what potential issues do you see? I could see this being abused if not secured very carefully, and it doesn’t seem like a common use case (notwithstanding your current requirement). Is this something that can be done by using the NiFi CLI to iterate/recurse through the various PGs and retrieve these policies?
Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Nov 9, 2018, at 3:31 AM, Lars Francke <[email protected]> wrote: > > Hi, > > I was tasked with writing a tool to generate a kind of "audit report". For > that I need to get all policies that people have across various systems. > NiFi is one of them. > > I see that we have a REST API for Policies but that doesn't expose a method > to expose _all_ policies. I'd like to add a REST endpoint that allows > retrieving all policies. > Before I open a Jira I wanted to get feedback whether this addition would > be acceptable. > > Implementation notes > This is how I see the current flow of requests from the > AccessPolicyResource to the actual AccessPolicyProider: > > AccessPolicyResource -> NiFiServiceFacade (StandardNiFiServiceFacade) -> > AccessPolicyDAO (StandardPolicyBasedAuthorizerDAO) -> AccessPolicyProvider > > Fortunately the AccessPolicyProvider already has a method to retrieve all > policies. Should there be custom implementations by third-parties they > already support the necessary methods and I believe the classes that need > to be changed are all NiFi internal: > > * AccessPolicyResource > * NiFiServiceFacade > * StandardNiFiServiceFacade > * AccessPolicyDAO > * StandardPolicyBasedAuthorizerDAO > * And probably a bunch of others especially test classes > > If I don't hear any objections I will open a Jira issue and would try and > provide a patch. > > Cheers, > Lars
