[jira] [Commented] (NIFI-15460) Create Access Policies for Registry Clients

Mon, 12 Jan 2026 13:39:28 -0800 


    [ 
https://issues.apache.org/jira/browse/NIFI-15460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18051356#comment-18051356
 ] 

Joe Witt commented on NIFI-15460:
---------------------------------

Are the relevant APIs involved here on the order of being a NIP/proposal ?

> Create Access Policies for Registry Clients
> -------------------------------------------
>
>                 Key: NIFI-15460
>                 URL: https://issues.apache.org/jira/browse/NIFI-15460
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Mark Bean
>            Priority: Major
>
> For Registry Clients other than NiFiRegistryFlowRegistryClient, there is no 
> authorization to buckets or flows. And to be clear, even for 
> NiFiRegistryFlowRegistryClient, the authorization is within NiFi Registry, 
> not the client. It is desirable to maintain the same behavior without the 
> reliance on the NiFi Registry application to provide the authorizations. 
> This issue creates a new Access Policy, "access registry client", with 
> actions of "view" and "modify". The polices are applied to all Registry 
> Clients (with the possible exception of NiFiRegistryFlowRegistryClient so as 
> to avoid redundant, or worse, conflicting authorization.) This policy will 
> act like a Component Access Policy in that it applies only to a specific 
> component, i.e. Registry Client. However, there is no ability to inherit as 
> other Component Access Policies because they apply to specific clients which 
> do not have a notion of hierarchy.
> The "view" option grants users the ability to view buckets and versioned 
> flows with a specific client. With this capability, authorized users may 
> import flows from the Registry Client. However, "view" alone does not allow 
> users to update a versioned flow nor create a new one within the client. 
> Similarly, the "write" option grants users the ability to create a new 
> version of a flow including the initial version of a new versioned flow. The 
> scope of both "view" and "modify" are for the given Registry Client to which 
> the policy is attached.
> To assist in backward compatibility, existing clients at the time the Access 
> Policy is introduced will default to have the same users in the policy as 
> "access the controller", "view/modify". 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to