[ https://issues.apache.org/jira/browse/NIFI-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16041401#comment-16041401 ]

ASF GitHub Bot commented on NIFI-3653:
--------------------------------------

GitHub user mcgilman opened a pull request:

    https://github.com/apache/nifi/pull/1897

    NIFI-3653: Introduce ManagedAuthorizer

    NIFI-3653:
    - Introducing UserGroup and Policy provider interfaces.
    - Introducing FileUserGroupProvider and FileAccessPolicyProvider.
    - Refactoring FileAuthorizer to utilize the file based implementations.
    - Introducing the StandardManagedAuthorizer.
    - Decorating the configured ManagedAuthorizer to ensure integrity checks are still performed.
    - Loading user groups if possible to use during access decisions.
    - Merging responses for requests for AccessPolicies, Users, and UserGroups.
    - Adding unit tests as appropriate.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mcgilman/nifi NIFI-3653

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/1897.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1897
    
----
commit 55524cc7d2f45c9c17dab02627e7c29159acbe28
Author: Matt Gilman <[email protected]>
Date:   2017-05-26T19:02:44Z

    NIFI-3653:
    - Introducing UserGroup and Policy provider interfaces.
    - Introducing FileUserGroupProvider and FileAccessPolicyProvider.
    - Refactoring FileAuthorizer to utilize the file based implementations.
    - Introducing the StandardManagedAuthorizer.
    - Decorating the configured ManagedAuthorizer to ensure integrity checks are still performed.
    - Loading user groups if possible to use during access decisions.
    - Merging responses for requests for AccessPolicies, Users, and UserGroups.
    - Adding unit tests as appropriate.

----


> Create PolicyBasedAuthorizer interface to allow authorization chain
> -------------------------------------------------------------------
>
>                 Key: NIFI-3653
>                 URL: https://issues.apache.org/jira/browse/NIFI-3653
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>            Reporter: Michael Moser
>            Assignee: Matt Gilman
>
> Rather than using AbstractPolicyBasedAuthorizer to trigger policy management, 
> refactor to use a new interface.  New implementations of this interface can 
> then create an authorization chain with existing 
> AbstractPolicyBasedAuthorizer sub-classes.
> ----
> While investigating alternate implementations of the Authorizer interface, I 
> see the AbstractPolicyBasedAuthorizer is meant to be extended.  Its 
> authorize() method is final, however, and does not have an abstract 
> doAuthorize() method that sub-classes can extend.
> In particular, the existing AbstractPolicyBasedAuthorizer authorize() method 
> does not take into account the AuthorizationRequest "resourceContext" in its 
> authorization decision.  This is especially important when authorizing access 
> to events in Provenance, which places attributes in resourceContext of its 
> AuthorizationRequest when obtaining an authorization decision.  I would like 
> to use attributes to authorize access to Provenance download & view content 
> feature.
> If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the 
> availability of a doAuthorize() method, then I could maintain my own user 
> policies for allowing access to flowfile content via Provenance.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
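
The authorization chain requested in the issue, as an added example (not code from the NiFi project or from this pull request): a policy decision is made first, and a second link then checks an attribute carried in the request's resourceContext. `Request`, `Result` and `Authorizer` are simplified stand-ins for NiFi's types, and the `classification` attribute, resource name and user names are constructed for illustration (Java 16+).

```java
import java.util.Map;
import java.util.Set;

public class AttributeAwareAuthorizerExample {
    enum Result { APPROVED, DENIED }

    // Stand-in for AuthorizationRequest, reduced to the fields this example needs.
    record Request(String identity, String resource, Map<String, String> resourceContext) {}

    interface Authorizer { Result authorize(Request request); }

    // Stand-in for a policy-based authorizer: decides on identity and resource only.
    static Authorizer policyBased(Map<String, Set<String>> readersByResource) {
        return r -> readersByResource.getOrDefault(r.resource(), Set.of()).contains(r.identity())
                ? Result.APPROVED : Result.DENIED;
    }

    // Chain link: the policy decision must approve first, then the event attribute is checked.
    static Authorizer withAttributeCheck(Authorizer delegate, String attribute,
                                         Map<String, Set<String>> allowedValuesByIdentity) {
        return r -> {
            if (delegate.authorize(r) != Result.APPROVED) {
                return Result.DENIED;                 // never widen the policy decision
            }
            Map<String, String> ctx = r.resourceContext();
            String value = (ctx == null) ? null : ctx.get(attribute);
            if (value == null) {
                return Result.DENIED;                 // fail closed when the attribute is missing
            }
            Set<String> allowed = allowedValuesByIdentity.getOrDefault(r.identity(), Set.of());
            return allowed.contains(value) ? Result.APPROVED : Result.DENIED;
        };
    }

    public static void main(String[] args) {
        Authorizer chain = withAttributeCheck(
                policyBased(Map.of("/provenance-data", Set.of("alice", "bob"))),
                "classification",
                Map.of("alice", Set.of("public", "internal"), "bob", Set.of("public")));
        Request[] samples = {                         // constructed sample requests
            new Request("alice", "/provenance-data", Map.of("classification", "internal")),
            new Request("bob", "/provenance-data", Map.of("classification", "internal")),
            new Request("bob", "/provenance-data", Map.of()),
            new Request("carol", "/provenance-data", Map.of("classification", "public")),
        };
        for (Request s : samples) {                   // only the first request is approved
            System.out.println(s.identity() + " " + s.resourceContext() + " -> " + chain.authorize(s));
        }
    }
}
```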
