Patrik H created NIFI-14807:
-------------------------------

             Summary: NPE when deleting invalid Policy through REST API
                 Key: NIFI-14807
                 URL: https://issues.apache.org/jira/browse/NIFI-14807
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 2.4.0
            Reporter: Patrik H


The NiFi REST API allows the user to set Policies on both existing and 
non-existing objects by POSTing a Policy body onto /nifi-api/policies like so:
{code:java}
{
    "revision": {
        "version": 0
    },
    "component": {
        "users": [],
        "userGroups": [
            {
                "id": "00000000-0000-0000-0000-000000000000"
            }
        ],
        "resource": "/controller-services/0a192a48-0191-1000-0000-00001742d074",
        "action": "read"
    }
}
{code}
This mechanism may be used by scripts that maintain access rights in a 
multi-tenant NiFi.


If a script or a user tries to assign a policy on a nonexistent resource, NiFi 
accepts the POST request anyway.

Upon checking the relevant user's/group's policies in the Users screen, NiFi 
now displays 'Unknown resource 
/controller-services/0a192a48-0191-1000-0000-00001742d074' (with respect to the 
component type and component's UUID).


To remove the invalid Policy object, one could try sending a DELETE onto 
/nifi-api/policies/d07460f2-0196-1000-c016-15206e13ed6c?version=0 (with respect 
to the relevant policy id and its version).


This returns an HTTP 500 coded response: 
{code:java}
An unexpected error has occurred. Please check the logs for additional details. 
{code}
Stacktrace from nifi-user.log:
{code:java}
2025-07-31 14:34:35,710 ERROR [NiFi Web Server-246635] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.lang.NullPointerException: Cannot invoke "org.apache.nifi.authorization.resource.Authorizable.authorize(org.apache.nifi.authorization.Authorizer, org.apache.nifi.authorization.RequestAction, org.apache.nifi.authorization.user.NiFiUser)" because the return value of "org.apache.nifi.authorization.resource.Authorizable.getParentAuthorizable()" is null. Returning Internal Server Error response.
java.lang.NullPointerException: Cannot invoke "org.apache.nifi.authorization.resource.Authorizable.authorize(org.apache.nifi.authorization.Authorizer, org.apache.nifi.authorization.RequestAction, org.apache.nifi.authorization.user.NiFiUser)" because the return value of "org.apache.nifi.authorization.resource.Authorizable.getParentAuthorizable()" is null
        at org.apache.nifi.web.api.AccessPolicyResource.lambda$removeAccessPolicy$6(AccessPolicyResource.java:479)
        at org.apache.nifi.web.StandardNiFiServiceFacade.authorizeAccess(StandardNiFiServiceFacade.java:517)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
        at org.apache.nifi.web.StandardNiFiServiceFacade$$SpringCGLIB$$0.authorizeAccess(<generated>)
        at org.apache.nifi.web.api.ApplicationResource.withWriteLock(ApplicationResource.java:591)
        at org.apache.nifi.web.api.AccessPolicyResource.removeAccessPolicy(AccessPolicyResource.java:468)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
        at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1619)
        at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:145)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:131)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
        at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
        at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
        at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
        at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
        at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
        at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1552)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:819)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
        at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
        at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
        at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:151)
        at org.eclipse.jetty.server.Handler$Sequence.handle(Handler.java:805)
        at org.eclipse.jetty.server.Server.handle(Server.java:182)
        at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
        at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:418)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
        at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
        at java.base/java.lang.Thread.run(Thread.java:1583)
{code}
So far, the only workaround found was to delete the invalid policy from 
authorizations.xml manually.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
