[jira] [Commented] (NIFI-3653) Allow extension of authorize method in AbstractPolicyBasedAuthorizer

Wed, 29 Mar 2017 07:33:06 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947235#comment-15947235
 ] 

Matt Gilman commented on NIFI-3653:
-----------------------------------

[~boardm26] Sorry, I do see an issue with what I just proposed. The end of the 
authorizer chain needs to be an instance of AbstractPolicyBaseAuthorizer in 
order for the UI to enable user/policy management. I think that it would make 
sense to introduce a new interface (one that AbstractPolicyBaseAuthorizer 
already satisfies) and use it to trigger policy management. This should allow 
you to implement the suggestions and simply delegate all the methods to the 
configured authorizer. Then in your authorize method, you can perform your 
additional checks.

> Allow extension of authorize method in AbstractPolicyBasedAuthorizer
> --------------------------------------------------------------------
>
>                 Key: NIFI-3653
>                 URL: https://issues.apache.org/jira/browse/NIFI-3653
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>            Reporter: Michael Moser
>
> While investigating alternate implementations of the Authorizer interface, I 
> see the AbstractPolicyBasedAuthorizer is meant to be extended.  It's 
> authorize() method is final, however, and does not have an abstract 
> doAuthorize() method that sub-classes can extend.
> In particular, the existing AbstractPolicyBasedAuthorizer authorize() method 
> does not take into account the AuthorizationRequest "resourceContext" in its 
> authorization decision.  This is especially important when authorizing access 
> to events in Provenance, which places attributes in resouceContext of its 
> AuthorizationRequest when obtaining an authorization decision.  I would like 
> to use attributes to authorize access to Provenance download & view content 
> feature.
> If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the 
> availability of a doAuthorize() method, then I could maintain my own user 
> policies for allowing access to flowfile content via Provenance.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to