rfellows commented on code in PR #10846:
URL: https://github.com/apache/nifi/pull/10846#discussion_r2765522722


##########
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowFileQueueResource.java:
##########


Review Comment:
   Not sure where to leave this comment, so I'll leave it here.

   I have a kafka2s3 connector set up with data flowing in from Kafka. When I try to list the queue of a connection in the connector, I am getting a 403 Forbidden message on the POST to `nifi-api/flowfile-queues/{id}/listing-requests`.

   I have policies on `/connectors/{uuid}` (component policies), but viewing the flowfile queue requires policies on `/data/...` (data policies). These are two completely separate policy hierarchies that do not cross over.

   How the Authorization Chain Works

   When you view a flowfile queue for a connection inside a connector, NiFi checks the DATA policy chain:

   `/data/processors/{source-processor-uuid}` - data policy on the source processor
   → `/data/process-groups/{managed-group-uuid}` - data policy on the connector's managed group
   → `/data/connectors/{connector-uuid}` - data policy on the specific connector
   → `/data/connectors` - global data policy on all connectors
   → `null` → "No applicable policies could be found."

   We need a data policy somewhere in that chain to support this.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
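
A minimal model of the lookup described in the review comment above, added here as an illustration; it is not NiFi code or code from the PR. The identifiers (`proc-1`, `group-1`, `conn-1`, `alice`, `bob`) are constructed, and the rule that the first resource carrying a policy decides the outcome is an assumption of the model.

```python
# Illustrative model only, not NiFi source. All ids and user names are constructed.
NO_POLICY_MSG = "No applicable policies could be found."


def data_policy_chain(processor_id, group_id, connector_id):
    """Resources consulted, in order, for a queue listing inside a connector.
    The order is the one given in the review comment."""
    return [
        f"/data/processors/{processor_id}",
        f"/data/process-groups/{group_id}",
        f"/data/connectors/{connector_id}",
        "/data/connectors",
    ]


def authorize(user, chain, policies):
    """Walk the chain from most to least specific resource.

    policies maps a resource path to the set of users granted access.
    Assumption of this model: the first resource that has a policy decides;
    if none has one, the request is denied with NO_POLICY_MSG.
    Returns (allowed, reason, resources_checked).
    """
    checked = []
    for resource in chain:
        checked.append(resource)
        users = policies.get(resource)
        if users is not None:
            if user in users:
                return True, f"allowed by {resource}", checked
            return False, f"denied by {resource}", checked
    return False, NO_POLICY_MSG, checked


if __name__ == "__main__":
    chain = data_policy_chain("proc-1", "group-1", "conn-1")

    # Situation from the comment: only a component policy exists.
    # "/connectors/conn-1" is never on the /data chain, so it cannot match.
    policies = {"/connectors/conn-1": {"alice"}}
    print(authorize("alice", chain, policies))

    # Adding a data policy anywhere on the chain changes the result.
    policies["/data/connectors/conn-1"] = {"alice"}
    print(authorize("alice", chain, policies))
    print(authorize("bob", chain, policies))
```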
