[ 
https://issues.apache.org/jira/browse/NIFI-12741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867253#comment-17867253
 ] 

David Szabo commented on NIFI-12741:
------------------------------------

Due to changes in Kafka processors in the most recent NiFi, they are no longer 
suitable for testing this issue. I was able to reproduce using 
SimpleScriptedLookupService and LookupAttribute processor instead.

The current behavior was introduced in NIFI-9895. When a component property to 
controller service is changed, both read & write permission is required for the 
referenced controller service if the new value is referenced through a parameter. 
This seems excessive and leads to the issue described in the ticket. I am 
proposing to remove the write permission requirement so it matches the case 
when the property is set to the controller service directly.

> Parameters does not work with "Access Restricted Components" - "Requiring 
> 'access keytab'"
> ------------------------------------------------------------------------------------------
>
>                 Key: NIFI-12741
>                 URL: https://issues.apache.org/jira/browse/NIFI-12741
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Matthew Clarke
>            Assignee: David Szabo
>            Priority: Major
>
> Parameters does not work with "Access Restricted Components" - "Requiring 
> 'access keytab'". 
> Reproduction steps:
> * User A has full permissions to child PG “test”
> * User A creates a parameter context that is mapped to this child PG
> * User A adds ConsumeKafka_2_6 processor
> * Admin user creates a keytab credentials service “kerb-test” within PG “test”
> * User A configures ConsumeKafka_2_6 processor, selects “kerb-test”, and 
> clicks apply.  (all works as expected)
> * User A clicks on option to convert to parameter on Kerberos Credentials 
> Service property in ConsumeKafka_2_6 processor and sets name to “kerb-test”. 
> Property Value now reflects “#{kerb-test}”.  Click APPLY and encounter 
> exception: “Unable to modify Components requiring additional permission: 
> access keytab. Contact the system administrator. Contact the system 
> administrator.”  
> Verified parameter “kerb-test” was successfully added to parameter context on 
> child PG “test”
> User should be able to use parameter contexts to reference keytab credentials 
> service created on an authorized process PG. Policy should only block user 
> from being able to create a new keytab credentials service or modify an 
> existing keytab credentials service.  Ability to select an already created 
> keytab credentials service should be controlled by authorized via "view the 
> component" policy on the controller service.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
