[jira] [Commented] (NIFI-3653) Create PolicyBasedAuthorizer interface to allow authorization chain

Tue, 30 May 2017 08:10:42 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029523#comment-16029523
 ] 

Matt Gilman commented on NIFI-3653:
-----------------------------------

No estimate currently. Work is underway [1] and there is no set date yet for 
1.2.1/1.3.0. The fix will introduce interfaces as necessary for authorizers to 
decorate other authorizers. This was the shortcoming identified above. This 
will allow implementations to override authorize(). Additionally, new 
interfaces will be added for managing users/groups and access policies 
providing more granular access (read only vs configurable, etc).

[1] https://github.com/mcgilman/nifi/tree/NIFI-3653

> Create PolicyBasedAuthorizer interface to allow authorization chain
> -------------------------------------------------------------------
>
>                 Key: NIFI-3653
>                 URL: https://issues.apache.org/jira/browse/NIFI-3653
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>            Reporter: Michael Moser
>            Assignee: Matt Gilman
>
> Rather than using AbstractPolicyBasedAuthorizer to trigger policy management, 
> refactor to use a new interface.  New implementations of this interface can 
> then create an authorization chain with existing 
> AbstractPolicyBasedAuthorizer sub-classes.
> ----
> While investigating alternate implementations of the Authorizer interface, I 
> see the AbstractPolicyBasedAuthorizer is meant to be extended.  It's 
> authorize() method is final, however, and does not have an abstract 
> doAuthorize() method that sub-classes can extend.
> In particular, the existing AbstractPolicyBasedAuthorizer authorize() method 
> does not take into account the AuthorizationRequest "resourceContext" in its 
> authorization decision.  This is especially important when authorizing access 
> to events in Provenance, which places attributes in resouceContext of its 
> AuthorizationRequest when obtaining an authorization decision.  I would like 
> to use attributes to authorize access to Provenance download & view content 
> feature.
> If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the 
> availability of a doAuthorize() method, then I could maintain my own user 
> policies for allowing access to flowfile content via Provenance.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to