Mark Bean created NIFI-4907:
Summary: Provenance authorization refactoring
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 1.5.0
Reporter: Mark Bean
Currently, the 'view the data' component policy is too tightly coupled with
Provenance queries. The 'query provenance' policy should be the only policy
required for viewing Provenance query results. Both 'view the component' and
'view the data' policies should be used to refine the appropriate visibility of
event details - but not the event itself.
1) Component Visibility
The authorization of Provenance events is inconsistent with the behavior of the
graph. For example, if a user does not have 'view the component' policy, the
graph shows this component as a "black box" (no details such as name, UUID,
etc.) However, when querying Provenance, this component will show up including
the Component Type and the Component Name. This is in effect a violation of the
policy. These component details should be obscured in the Provenance event
displayed if user does not have the appropriate 'view the component' policy.
2) Data Visibility
For a Provenance query, all events should be visible as long as the user
performing the query belongs to the 'query provenance' global policy. As
mentioned above, some information about the component may be obscured depending
on 'view the component' policy, but the event itself should be visible.
Additionally, details of the event (clicking the View Details "i" icon) should
only be accessible if the user belongs to the 'view the data' policy for the
affected component. If the user is not in the appropriate 'view the data'
policy, a popup warning should be displayed indicating the reason details are
not visible with more specific detail than the current "Contact the system
3) Lineage Graphs
As with the Provenance table view recommendation above, the lineage graph
should display all events. Currently, if the lineage graph includes an event
belonging to a component which the user does not have 'view the data', it is
shown on the graph as "UNKNOWN". As with Data Visibility mentioned above, the
graph should indicate the event type as long as the user is in the 'view the
component'. Subsequent "View Details" on the event should only be visible if
the user is in the 'view the data' policy.
In summary, for Provenance query results and lineage graphs, all events should
be shown. Component Name and Component Type information should be conditionally
visible depending on the corresponding component policy 'view the component'
policy. Event details including Provenance event type and FlowFile information
should be conditionally available depending on the corresponding component
policy 'view the data'. Inability to display event details should provide
feedback to the user indicating the reason.
This message was sent by Atlassian JIRA