[
https://issues.apache.org/jira/browse/NIFI-4907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16493573#comment-16493573
]
ASF GitHub Bot commented on NIFI-4907:
--------------------------------------
Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2703#discussion_r191444067
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java
---
@@ -1359,7 +1363,12 @@ public ProvenanceEventDTO getProvenanceEvent(final
Long eventId) {
} else {
dataAuthorizable =
flowController.createLocalDataAuthorizable(event.getComponentId());
}
- dataAuthorizable.authorize(authorizer, RequestAction.READ,
NiFiUserUtils.getNiFiUser(), attributes);
+ // If not authorized for 'view the data', create only
summarized provenance event
--- End diff --
@markobean The summary concept was introduced for performance reasons [1].
The summary represents the details required to render a row in the table. Some
events can contain a lot of details (many children/parents UUIDs, flowfile
attributes, etc) which was causing the table to load extremely slowly. The
fully populated event (not summary) is returned once a dialog is opened and
those details can be rendered.
My suggestion would be to not modify the summary concept. Returning more
details in the summary for users with access to the event but not the data will
begin to regress NIFI-1135. Artificially withholding event fields they should
have access to also doesn't seem right.
Since we're moving to this super granular approach, I would recommend the
following.
1) `createProvenanceEventDto(...)` is only invoked once we know the user
has permissions to the event.
2) Within `createProvenanceEventDto(...)` I would check if the user is
allowed to access that component to populate the component details. If the user
does not have access, I would use the ID in place of the name and 'Processor'
in place of the fully qualified class name (for Processors).
3) Within `createProvenanceEventDto(...)` I would check if the user is
allowed to access the component's data to populate the attributes and content
details. If the user does not have access, I would leave those fields unset.
This should retain the summary concept while introducing the granular
approach we're looking for. Thoughts?
[1] https://issues.apache.org/jira/browse/NIFI-1135
> Provenance authorization refactoring
> ------------------------------------
>
> Key: NIFI-4907
> URL: https://issues.apache.org/jira/browse/NIFI-4907
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.5.0
> Reporter: Mark Bean
> Assignee: Mark Bean
> Priority: Major
>
> Currently, the 'view the data' component policy is too tightly coupled with
> Provenance queries. The 'query provenance' policy should be the only policy
> required for viewing Provenance query results. Both 'view the component' and
> 'view the data' policies should be used to refine the appropriate visibility
> of event details - but not the event itself.
> 1) Component Visibility
> The authorization of Provenance events is inconsistent with the behavior of
> the graph. For example, if a user does not have 'view the component' policy,
> the graph shows this component as a "black box" (no details such as name,
> UUID, etc.) However, when querying Provenance, this component will show up
> including the Component Type and the Component Name. This is in effect a
> violation of the policy. These component details should be obscured in the
> Provenance event displayed if user does not have the appropriate 'view the
> component' policy.
> 2) Data Visibility
> For a Provenance query, all events should be visible as long as the user
> performing the query belongs to the 'query provenance' global policy. As
> mentioned above, some information about the component may be obscured
> depending on 'view the component' policy, but the event itself should be
> visible. Additionally, details of the event (clicking the View Details "i"
> icon) should only be accessible if the user belongs to the 'view the data'
> policy for the affected component. If the user is not in the appropriate
> 'view the data' policy, a popup warning should be displayed indicating the
> reason details are not visible with more specific detail than the current
> "Contact the system administrator".
> 3) Lineage Graphs
> As with the Provenance table view recommendation above, the lineage graph
> should display all events. Currently, if the lineage graph includes an event
> belonging to a component which the user does not have 'view the data', it is
> shown on the graph as "UNKNOWN". As with Data Visibility mentioned above, the
> graph should indicate the event type as long as the user is in the 'view the
> component'. Subsequent "View Details" on the event should only be visible if
> the user is in the 'view the data' policy.
> In summary, for Provenance query results and lineage graphs, all events
> should be shown. Component Name and Component Type information should be
> conditionally visible depending on the corresponding component policy 'view
> the component' policy. Event details including Provenance event type and
> FlowFile information should be conditionally available depending on the
> corresponding component policy 'view the data'. Inability to display event
> details should provide feedback to the user indicating the reason.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
