[ 
https://issues.apache.org/jira/browse/NIFI-15460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18051402#comment-18051402
 ] 

Mark Bean commented on NIFI-15460:
----------------------------------

I'm not sure if any API changes will be required. The AccessPolicy class (not 
in nifi-api) will be used for the new policy. I have not dug into 
implementation details yet. Certainly, UI changes will be needed on top of 
backend implementation.

Is there a documented guideline on what requires or would benefit from NIP 
versus just a Jira issue (possibly more if UI work is handled separately, for 
example)?

> Create Access Policies for Registry Clients
> -------------------------------------------
>
>                 Key: NIFI-15460
>                 URL: https://issues.apache.org/jira/browse/NIFI-15460
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Mark Bean
>            Priority: Major
>
> For Registry Clients other than NiFiRegistryFlowRegistryClient, there is no 
> authorization to buckets or flows. And to be clear, even for 
> NiFiRegistryFlowRegistryClient, the authorization is within NiFi Registry, 
> not the client. It is desirable to maintain the same behavior without the 
> reliance on the NiFi Registry application to provide the authorizations. 
> This issue creates a new Access Policy, "access registry client", with 
> actions of "view" and "modify". The policies are applied to all Registry
> Clients (with the possible exception of NiFiRegistryFlowRegistryClient so as 
> to avoid redundant, or worse, conflicting authorization.) This policy will 
> act like a Component Access Policy in that it applies only to a specific 
> component, i.e. Registry Client. However, there is no ability to inherit as 
> other Component Access Policies because they apply to specific clients which 
> do not have a notion of hierarchy.
> The "view" option grants users the ability to view buckets and versioned 
> flows with a specific client. With this capability, authorized users may 
> import flows from the Registry Client. However, "view" alone does not allow 
> users to update a versioned flow nor create a new one within the client. 
> Similarly, the "write" option grants users the ability to create a new 
> version of a flow including the initial version of a new versioned flow. The 
> scope of both "view" and "modify" is for the given Registry Client to which
> the policy is attached.
> To assist in backward compatibility, existing clients at the time the Access 
> Policy is introduced will default to have the same users in the policy as 
> "access the controller", "view/modify". 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
