Github user ijokarumawak commented on the issue:
https://github.com/apache/nifi/pull/971
## Accessibility test of NiFi.Q based on Policies on NiFi.P
NiFi.Q (RPG) <--pulls data from-- NiFi.P (output-port)
I've done the following test with the output port. I did the same test for the input
port, too, and got the same behavior.
### 'retrieve site-to-site details' policy
1. OK: Without NiFi.Q group: RPG can't retrieve site-to-site info [1]
2. OK: With NiFi.Q group: RPG can retrieve site-to-site info, but since
NiFi.Q is not allowed to access NiFi.P's port, it can't see any port [2]
### 'send data via site-to-site' policy
1. OK: Without NiFi.Q group: NiFi.Q can't see any port [2]
2. OK: With NiFi.Q group: NiFi.Q can see the output port [3]
3. OK: By enabling transmission, NiFi.Q can receive data from the output
port [4]
4. What if the NiFi.Q group is removed from this policy at this point?
NiFi.Q started receiving 403, but there was no indication on the UI other than the red
warning mark on the relationship [5]. Adding the NiFi.Q group back to the policy recovers
data transfer. [6]
5. How about RAW socket? "User not authorized" error is shown on bulletin
board, output port reports error, too [7]
### Result
Confirmed that this PR relaxes SiteToSiteResource authorization check, and
addresses policy setting issue reported by
[NIFI-2550](https://issues.apache.org/jira/browse/NIFI-2550).
By doing steps 4 and 5, I noticed there's a difference in how the NiFi UI reports
auth errors to the end user. I will submit another JIRA for this.
### Evidence:
[1]
Policies on NiFi.P

```
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) GET
https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292]
o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US,
CN=0.q.nifi.aws.mine does not have permission to access the requested resource.
Returning Forbidden response.
```
RPG on NiFi.Q

[2]


```
2016-08-31 01:59:29,223 INFO [NiFi Web Server-289]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) GET
https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
2016-08-31 01:59:29,223 INFO [NiFi Web Server-289]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 01:59:29,230 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
(<L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine><L=0.p.nifi.aws.mine, C=US,
CN=0.p.nifi.aws.mine>) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site
(source ip: 172.31.28.12)
2016-08-31 01:59:29,231 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
```
NiFi.Q can access the port

[3]

[4]

```
2016-08-31 02:08:03,474 INFO [NiFi Web Server-335]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) POST
https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions
(source ip: 172.31.28.33)
2016-08-31 02:08:03,479 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) GET
https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions/f6caf1f3-846c-42f6-8084-51f1883c07b2/flow-files
(source ip: 172.31.28.33)
2016-08-31 02:08:05,841 INFO [NiFi Web Server-443]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) DELETE
https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions/f6caf1f3-846c-42f6-8084-51f1883c07b2
(source ip: 172.31.28.33)
2016-08-31 02:08:05,841 INFO [NiFi Web Server-443]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
```
[5]


NiFi.P's log
```
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine,
C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/
data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions
(source ip: 172.31.28.33)
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292]
o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US,
CN=0.q.nifi.aws.mine does not have permission to access the requested resource.
Returning Forbidden response.
```
NiFi.Q's log
```
2016-08-31 02:22:26,445 DEBUG [Timer-Driven Process Thread-3]
o.a.n.r.util.SiteToSiteRestApiClient initiateTransaction responseCode=403
2016-08-31 02:22:26,445 DEBUG [Timer-Driven Process Thread-3]
o.a.n.r.util.SiteToSiteRestApiClient readResponse responseMessage=Unable to
perform the desired action due to insufficient permissions. Contact the system
administrator.
```
[6]

[7]
RAW socket transfer protocol

```
2016-08-31 02:44:12,080 ERROR [Timer-Driven Process Thread-7]
o.a.nifi.remote.StandardRemoteGroupPort
org.apache.nifi.remote.exception.HandshakeException: Received unexpected
response User Not Authorized:
StandardRootGroupPort[id=f46f3046-c250-1f1b-0000-0000029f9794] authorization
failed for user L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine because Access
is denied
at
org.apache.nifi.remote.protocol.socket.SocketClientProtocol.handshake(SocketClientProtocol.java:179)
~[nifi-site-to-site-client-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.apache.nifi.remote.protocol.socket.SocketClientProtocol.handshake(SocketClientProtocol.java:105)
~[nifi-site-to-site-client-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
```

```
2016-08-31 02:48:16,499 WARN [Site-to-Site Worker Thread-46]
o.a.nifi.remote.StandardRootGroupPort
StandardRootGroupPort[id=f46f3046-c250-1f1b-0000-0000029f9794] authorization
failed for user L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine because Access
is denied
```
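As an added detection example (not part of the PR or of the author's test): a small Python parser over log lines constructed in the NiFi.P format shown above, which correlates each `AccessDeniedExceptionMapper` line with the request logged on the same web-server thread and flags a client that keeps retrying a denied port, the silent failure mode from step 4. The thread-based correlation and the retry threshold are this example's assumptions, not NiFi behaviour documented on the page.

```python
import re
from collections import Counter

# Constructed sample in the format of the NiFi.P log above (not a live capture):
# one GET /site-to-site denial, two retried POST transaction denials, one RAW-socket denial.
SAMPLE_LOG = """\
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions (source ip: 172.31.28.33)
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
2016-08-31 02:22:36,449 INFO [NiFi Web Server-301] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions (source ip: 172.31.28.33)
2016-08-31 02:22:36,449 INFO [NiFi Web Server-301] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
2016-08-31 02:48:16,499 WARN [Site-to-Site Worker Thread-46] o.a.nifi.remote.StandardRootGroupPort StandardRootGroupPort[id=f46f3046-c250-1f1b-0000-0000029f9794] authorization failed for user L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine because Access is denied
"""

ATTEMPT = re.compile(r"^(?P<ts>\S+ \S+) INFO \[(?P<thread>[^\]]+)\] o\.a\.n\.w\.s\.NiFiAuthenticationFilter "
                     r"Attempting request for \((?P<dn>.*)\) (?P<method>[A-Z]+) (?P<url>\S+) \(source ip: (?P<ip>[^)]+)\)$")
DENY = re.compile(r"^(?P<ts>\S+ \S+) INFO \[(?P<thread>[^\]]+)\] o\.a\.n\.w\.a\.c\.AccessDeniedExceptionMapper "
                  r"(?P<dn>.*) does not have permission to access")
RAW_DENY = re.compile(r"^(?P<ts>\S+ \S+) WARN \[(?P<thread>[^\]]+)\] o\.a\.nifi\.remote\.StandardRootGroupPort "
                      r"StandardRootGroupPort\[id=(?P<port>[^\]]+)\] authorization failed for user (?P<dn>.*) because Access is denied")


def find_s2s_denials(log_text):
    """One record per authorization denial. The HTTP denial line carries no URL, so the
    last 'Attempting request' seen on the same web-server thread supplies method, URL
    and source IP (assumption: the two lines share the thread, as in the logs above)."""
    last_attempt, denials = {}, []
    for line in log_text.splitlines():
        if m := ATTEMPT.match(line):
            last_attempt[m["thread"]] = m.groupdict()
        elif m := DENY.match(line):
            req = last_attempt.get(m["thread"], {})
            denials.append({"ts": m["ts"], "dn": m["dn"], "channel": "http", "method": req.get("method"),
                            "target": req.get("url"), "source_ip": req.get("ip")})
        elif m := RAW_DENY.match(line):  # RAW socket path logs the port id instead of a URL
            denials.append({"ts": m["ts"], "dn": m["dn"], "channel": "raw", "method": None,
                            "target": m["port"], "source_ip": None})
    return denials


def repeated_denials(denials, threshold=2):
    """Denials per (client DN, target) at or above threshold: a remote group that keeps
    retrying a port it was just removed from shows only a warning mark in the UI."""
    counts = Counter((d["dn"], d["target"]) for d in denials)
    return {key: n for key, n in counts.items() if n >= threshold}
```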