Github user markap14 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2468#discussion_r173906446
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java
 ---
    @@ -4506,6 +4515,123 @@ public ComponentHistoryDTO 
getComponentHistory(final String componentId) {
             return history;
         }
     
    +    private ControllerServiceEntity createControllerServiceEntity(final 
String serviceId, final NiFiUser user) {
    +        final ControllerServiceNode serviceNode = 
controllerServiceDAO.getControllerService(serviceId);
    +        return createControllerServiceEntity(serviceNode, 
Collections.emptySet(), user);
    +    }
    +
    +    @Override
    +    public ProcessorDiagnosticsEntity getProcessorDiagnostics(final String 
id) {
    +        final ProcessorNode processor = processorDAO.getProcessor(id);
    +        final ProcessorStatus processorStatus = 
controllerFacade.getProcessorStatus(id);
    +
    +        // Generate Processor Diagnostics
    +        final NiFiUser user = NiFiUserUtils.getNiFiUser();
    +        final ProcessorDiagnosticsDTO dto = 
controllerFacade.getProcessorDiagnostics(processor, processorStatus, 
bulletinRepository, serviceId -> createControllerServiceEntity(serviceId, 
user));
    +
    +        // Filter anything out of diagnostics that the user is not 
authorized to see.
    +        final List<JVMDiagnosticsSnapshotDTO> jvmDiagnosticsSnaphots = new 
ArrayList<>();
    +        final JVMDiagnosticsDTO jvmDiagnostics = dto.getJvmDiagnostics();
    +        jvmDiagnosticsSnaphots.add(jvmDiagnostics.getAggregateSnapshot());
    +
    +        // filter controller-related information
    +        final boolean canReadController = 
authorizableLookup.getController().isAuthorized(authorizer, RequestAction.READ, 
user);
    +        if (!canReadController) {
    +            for (final JVMDiagnosticsSnapshotDTO snapshot : 
jvmDiagnosticsSnaphots) {
    +                snapshot.setMaxEventDrivenThreads(null);
    +                snapshot.setMaxTimerDrivenThreads(null);
    +                snapshot.setBundlesLoaded(null);
    +            }
    +        }
    +
    +        // filter system diagnostics information
    +        final boolean canReadSystem = 
authorizableLookup.getSystem().isAuthorized(authorizer, RequestAction.READ, 
user);
    +        if (!canReadSystem) {
    +            for (final JVMDiagnosticsSnapshotDTO snapshot : 
jvmDiagnosticsSnaphots) {
    +                snapshot.setContentRepositoryStorageUsage(null);
    +                snapshot.setCpuCores(null);
    +                snapshot.setCpuLoadAverage(null);
    +                snapshot.setFlowFileRepositoryStorageUsage(null);
    +                snapshot.setMaxHeap(null);
    +                snapshot.setMaxHeapBytes(null);
    +                snapshot.setProvenanceRepositoryStorageUsage(null);
    +                snapshot.setPhysicalMemory(null);
    +                snapshot.setPhysicalMemoryBytes(null);
    +                snapshot.setGarbageCollectionDiagnostics(null);
    +            }
    +        }
    +
    +        // filter connections
    +        final Predicate<ConnectionDiagnosticsDTO> connectionAuthorized = 
connectionDiagnostics -> {
    +            final String connectionId = 
connectionDiagnostics.getConnection().getId();
    +            return 
authorizableLookup.getConnection(connectionId).getAuthorizable().isAuthorized(authorizer,
 RequestAction.READ, user);
    +        };
    +
    +        // Function that can be used to remove the Source or Destination 
of a ConnectionDTO, if the user is not authorized.
    +        final Function<ConnectionDiagnosticsDTO, ConnectionDiagnosticsDTO> 
filterSourceDestination = connectionDiagnostics -> {
    --- End diff --
    
    Good call. That would mean that the second Function there is not really 
needed. Will address.


---

Reply via email to