[ https://issues.apache.org/jira/browse/NIFI-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947235#comment-15947235 ]
Matt Gilman commented on NIFI-3653: ----------------------------------- [~boardm26] Sorry, I do see an issue with what I just proposed. The end of the authorizer chain needs to be an instance of AbstractPolicyBaseAuthorizer in order for the UI to enable user/policy management. I think that it would make sense to introduce a new interface (one that AbstractPolicyBaseAuthorizer already satisfies) and use it to trigger policy management. This should allow you to implement the suggestions and simply delegate all the methods to the configured authorizer. Then in your authorize method, you can perform your additional checks. > Allow extension of authorize method in AbstractPolicyBasedAuthorizer > -------------------------------------------------------------------- > > Key: NIFI-3653 > URL: https://issues.apache.org/jira/browse/NIFI-3653 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework > Reporter: Michael Moser > > While investigating alternate implementations of the Authorizer interface, I > see the AbstractPolicyBasedAuthorizer is meant to be extended. It's > authorize() method is final, however, and does not have an abstract > doAuthorize() method that sub-classes can extend. > In particular, the existing AbstractPolicyBasedAuthorizer authorize() method > does not take into account the AuthorizationRequest "resourceContext" in its > authorization decision. This is especially important when authorizing access > to events in Provenance, which places attributes in resouceContext of its > AuthorizationRequest when obtaining an authorization decision. I would like > to use attributes to authorize access to Provenance download & view content > feature. > If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the > availability of a doAuthorize() method, then I could maintain my own user > policies for allowing access to flowfile content via Provenance. -- This message was sent by Atlassian JIRA (v6.3.15#6346)