kevdoran commented on code in PR #10998:
URL: https://github.com/apache/nifi/pull/10998#discussion_r2943099318
##########
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectorResource.java:
##########
@@ -327,6 +327,26 @@ private String normalizeUuid(final String
clientSpecifiedId) {
}
}
+ private void authorizeReadConnector(final String connectorId) {
+ if (connectorId == null) {
+ throw new IllegalArgumentException("Connector ID must be
specified");
+ }
+
+ // In order for a node to complete applying updates to a connector, it
needs to be able to READ any connector from every other node in the cluster,
and connectors can have specific policies
+ // which would require users adding the node identities to all of
these policies, so this identifies if the incoming request is made directly by
a known node identity and allows
+ // it to bypass standard authorization, meaning a node is
automatically granted READ to any connector
+ final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
+ if (isRequestFromClusterNode()) {
+ logger.debug("Authorizing READ on Connector[{}] to cluster node
[{}]", connectorId, currentUser.getIdentity());
+ return;
+ }
Review Comment:
Thanks @mcgilman - I have updated this PR as we discussed to both solve the
Entity/DTO creation issue in the service facade layer as well as make the logic
for determining when requests come from node identities more reliable by using
trusted http headers rather than mtls client cert identity matching against
node identities.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
