[ https://issues.apache.org/jira/browse/NIFI-14807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011503#comment-18011503 ]

ASF subversion and git services commented on NIFI-14807:
--------------------------------------------------------

Commit 37ce1daba35b0959b585f8b045340d2953fc88ce in nifi's branch 
refs/heads/main from Pierre Villard
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=37ce1daba3 ]

NIFI-14807 Skipped parent authorization for deleting invalid policy (#10155)

Signed-off-by: David Handermann <[email protected]>

> NPE when deleting invalid Policy through REST API
> -------------------------------------------------
>
>                 Key: NIFI-14807
>                 URL: https://issues.apache.org/jira/browse/NIFI-14807
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 2.4.0
>            Reporter: Patrik H
>            Assignee: Pierre Villard
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The NiFi REST API allows the user to set Policies on both existing and 
> non-existing objects by POSTing a Policy body onto /nifi-api/policies like so:
> {code:java}
> {
>     "revision": {
>         "version": 0
>     },
>     "component": {
>         "users": [],
>         "userGroups": [
>             {
>                 "id": "00000000-0000-0000-0000-000000000000"
>             }
>         ],
>         "resource": "/controller-services/0a192a48-0191-1000-0000-00001742d074",
>         "action": "read"
>     }
> } {code}
> This mechanism may be used by scripts that maintain access rights in a 
> multi-tenant NiFi.
> If a script or a user tries to assign a policy on a nonexistent resource, 
> NiFi accepts the POST request anyway.
> Upon checking the relevant user's/group's policies in the Users screen, NiFi 
> now displays 'Unknown resource 
> /controller-services/0a192a48-0191-1000-0000-00001742d074' (with respect to 
> the component type and component's UUID).
> To remove the invalid Policy object, one could try sending a DELETE onto 
> /nifi-api/policies/d07460f2-0196-1000-c016-15206e13ed6c?version=0 (with 
> respect to the relevant policy id and its version).
> This returns an HTTP 500 coded response:
> {code:java}
> An unexpected error has occurred. Please check the logs for additional 
> details. {code}
> Stacktrace from nifi-user.log:
> {code:java}
> 2025-07-31 14:34:35,710 ERROR [NiFi Web Server-246635] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.lang.NullPointerException: Cannot invoke "org.apache.nifi.authorization.resource.Authorizable.authorize(org.apache.nifi.authorization.Authorizer, org.apache.nifi.authorization.RequestAction, org.apache.nifi.authorization.user.NiFiUser)" because the return value of "org.apache.nifi.authorization.resource.Authorizable.getParentAuthorizable()" is null. Returning Internal Server Error response.
> java.lang.NullPointerException: Cannot invoke "org.apache.nifi.authorization.resource.Authorizable.authorize(org.apache.nifi.authorization.Authorizer, org.apache.nifi.authorization.RequestAction, org.apache.nifi.authorization.user.NiFiUser)" because the return value of "org.apache.nifi.authorization.resource.Authorizable.getParentAuthorizable()" is null
>         at 
> org.apache.nifi.web.api.AccessPolicyResource.lambda$removeAccessPolicy$6(AccessPolicyResource.java:479)
>         at 
> org.apache.nifi.web.StandardNiFiServiceFacade.authorizeAccess(StandardNiFiServiceFacade.java:517)
>         at 
> java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:580)
>         at 
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
>         at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
>         at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>         at 
> org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
>         at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
>         at 
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
>         at 
> org.apache.nifi.web.StandardNiFiServiceFacade$$SpringCGLIB$$0.authorizeAccess(<generated>)
>         at 
> org.apache.nifi.web.api.ApplicationResource.withWriteLock(ApplicationResource.java:591)
>         at 
> org.apache.nifi.web.api.AccessPolicyResource.removeAccessPolicy(AccessPolicyResource.java:468)
>         at 
> java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:580)
>         at 
> org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
>         at 
> org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
>         at 
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
>         at 
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
>         at 
> org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
>         at 
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
>         at 
> org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
>         at 
> org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
>         at 
> org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
>         at 
> org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
>         at 
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
>         at 
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
>         at 
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1619)
>         at 
> org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
>         at 
> org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
>         at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:145)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
>         at 
> org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:131)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
>         at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
>         at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
>         at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
>         at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
>         at 
> org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
>         at 
> org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44)
>         at 
> org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
>         at 
> org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
>         at 
> org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
>         at 
> org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
>         at 
> org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
>         at 
> org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
>         at 
> org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
>         at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
>         at 
> org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1552)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:819)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
>         at 
> org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469)
>         at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
>         at 
> org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
>         at 
> org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
>         at 
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
>         at 
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:151)
>         at org.eclipse.jetty.server.Handler$Sequence.handle(Handler.java:805)
>         at org.eclipse.jetty.server.Server.handle(Server.java:182)
>         at 
> org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
>         at 
> org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:418)
>         at 
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
>         at 
> org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136)
>         at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
>         at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
>         at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
>         at java.base/java.lang.Thread.run(Thread.java:1583){code}
> So far, the only workaround found was to delete the invalid policy from 
> authorizations.xml manually.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
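
An added example, not part of the original message or of NiFi's code: a read-only audit that lists policies in authorizations.xml whose resource names a component that no longer exists, which is the state the issue above describes. The XML layout (`policy` elements with `identifier`, `resource`, `action` attributes and `user`/`group` children) is assumed to match the file-based policy provider, and the inventory of existing component IDs is a hypothetical input supplied by the caller.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed authorizations.xml layout; the last policy
# reuses the policy id and resource quoted in the issue, the rest are made up.
SAMPLE_AUTHORIZATIONS = """\
<authorizations>
  <policies>
    <policy identifier="11111111-0000-1000-0000-000000000001" resource="/flow" action="R">
      <user identifier="aaaaaaaa-0000-1000-0000-000000000001"/>
    </policy>
    <policy identifier="11111111-0000-1000-0000-000000000002"
            resource="/process-groups/22222222-0000-1000-0000-000000000001" action="W">
      <group identifier="00000000-0000-0000-0000-000000000000"/>
    </policy>
    <policy identifier="d07460f2-0196-1000-c016-15206e13ed6c"
            resource="/controller-services/0a192a48-0191-1000-0000-00001742d074" action="R">
      <group identifier="00000000-0000-0000-0000-000000000000"/>
    </policy>
  </policies>
</authorizations>
"""

# A component-scoped resource ends in the component's UUID.
UUID_AT_END = re.compile(r"/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def find_dangling_policies(xml_text, known_component_ids):
    """Return policies whose resource ends in a UUID not in known_component_ids."""
    known = {cid.lower() for cid in known_component_ids}
    dangling = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        resource = policy.get("resource", "")
        match = UUID_AT_END.search(resource)
        if match is None:
            continue  # global resources such as /flow have no component to resolve
        if match.group(1).lower() not in known:
            dangling.append({
                "policy_id": policy.get("identifier"),
                "resource": resource,
                "action": policy.get("action"),
                "tenants": [t.get("identifier") for t in policy if t.tag in ("user", "group")],
            })
    return dangling

if __name__ == "__main__":
    # Hypothetical inventory of component IDs that exist in the current flow.
    existing = {"22222222-0000-1000-0000-000000000001"}
    for p in find_dangling_policies(SAMPLE_AUTHORIZATIONS, existing):
        print(f"dangling policy {p['policy_id']} -> {p['resource']} ({p['action']})")
```

The report also lists the users and groups bound to each dangling policy, so a reviewer can see which tenants hold a grant on an ID that resolves to nothing before deciding how to clean it up.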