[jira] [Commented] (NIFIREG-75) FileUserGroupProvider allows updating a group to contain unknown users

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFIREG-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16299413#comment-16299413
 ] 

ASF GitHub Bot commented on NIFIREG-75:
---------------------------------------

GitHub user kevdoran opened a pull request:

    https://github.com/apache/nifi-registry/pull/64

    NIFIREG-75 Add check for user when updating group

    Adds a check that users are known to the FileUserGroupProvider prior
    to allowing an update. This fixes a corner-case bug when using a
    CompositeConfigurableUserGroupProvider with a FileUserGroupProvider
    as the configurable provider along with another provider, such as
    LdapUserGroupProvider, in which it was possible to add users from
    the Ldap provider to groups in the file provider.
    
    Also updates a package in the authorizers.xml template.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kevdoran/nifi-registry NIFIREG-75

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi-registry/pull/64.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #64
    
----
commit 0eefbc29b604d646e90cc9d8d4b39fbb08cbe419
Author: Kevin Doran <kdoran.apache@...>
Date:   2017-12-21T01:57:20Z

    NIFIREG-75 Add check for user when updating group
    
    Adds a check that users are known to the FileUserGroupProvider prior
    to allowing an update. This fixes a corner-case bug when using a
    CompositeConfigurableUserGroupProvider with a FileUserGroupProvider
    as the configurable provider along with another provider, such as
    LdapUserGroupProvider, in which it was possible to add users from
    the Ldap provider to groups in the file provider.
    
    Also updates a package in the authorizers.xml template.

----


> FileUserGroupProvider allows updating a group to contain unknown users
> ----------------------------------------------------------------------
>
>                 Key: NIFIREG-75
>                 URL: https://issues.apache.org/jira/browse/NIFIREG-75
>             Project: NiFi Registry
>          Issue Type: Bug
>            Reporter: Kevin Doran
>            Assignee: Kevin Doran
>             Fix For: 0.0.1
>
>
> In FileUserGroupProvider, when a new group is created, all the users in the 
> group are checked to ensure they are known to the FileUserGroupProvider prior 
> to creating the group.
> However, when a group is updated, a similar check does not exist, allowing 
> one to add invalid users to a group. This gets the server in a bad state with 
> unexpected behavior surrounding authorization actions.
> Note that this logic was ported from NiFi, so NiFi should probably be updated 
> with the same fix after verifying this is the intended behavior (having the 
> check on update).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)