mcgilman commented on code in PR #10998:
URL: https://github.com/apache/nifi/pull/10998#discussion_r2926280650
##########
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectorResource.java:
##########
@@ -327,6 +327,26 @@ private String normalizeUuid(final String
clientSpecifiedId) {
}
}
+ private void authorizeReadConnector(final String connectorId) {
+ if (connectorId == null) {
+ throw new IllegalArgumentException("Connector ID must be
specified");
+ }
+
+ // In order for a node to complete applying updates to a connector, it
needs to be able to READ any connector from every other node in the cluster,
and connectors can have specific policies
+ // which would require users adding the node identities to all of
these policies, so this identifies if the incoming request is made directly by
a known node identity and allows
+ // it to bypass standard authorization, meaning a node is
automatically granted READ to any connector
+ final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
+ if (isRequestFromClusterNode()) {
+ logger.debug("Authorizing READ on Connector[{}] to cluster node
[{}]", connectorId, currentUser.getIdentity());
+ return;
+ }
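Review bot: The early `return` inside `if (isRequestFromClusterNode())` skips the standard authorization and is recorded only through `logger.debug`, so unless debug logging is enabled there is no record that a node identity was granted READ on a connector outside the policy check. Consider logging the bypass at a level that is retained in production, or recording it the same way as a normal authorization decision. In that same log call `currentUser.getIdentity()` is dereferenced without a null check, while `connectorId` is null-checked just above; if `NiFiUserUtils.getNiFiUser()` can return null on this path, the log statement would throw before the return is reached. The bypass is also only as strong as `isRequestFromClusterNode()`, whose body is not part of this hunk, so it is worth confirming there that the check matches the code comment's "made directly by a known node identity" and does not hold for user requests that a node merely proxies.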
Review Comment:
I've verified this fix does allow the API call to proceed; however, the
response object isn't fully populated because permissions are evaluated again
when the Entity/DTO is created and this new check is missing there.