Github user pepov commented on a diff in the pull request: https://github.com/apache/nifi/pull/2965#discussion_r212879535 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java --- @@ -604,12 +610,26 @@ private void populateInitialAdmin(final Authorizations authorizations) { * @param authorizations the overall authorizations */ private void populateNodes(Authorizations authorizations) { + // authorize static nodes + authorizeNodeIdentities(authorizations, nodeIdentities); + + // authorize dynamic nodes (node group) + if (nodeGroupName != null) { + Group nodeGroup = userGroupProvider.getGroup(nodeGroupName); + if (nodeGroup == null) { + throw new AuthorizerCreationException("Unable to locate node group " + nodeGroupName + " to seed policies."); + } + Set<String> nodeGroupUserIdentities = nodeGroup.getUsers(); + authorizeNodeIdentities(authorizations, nodeGroupUserIdentities); --- End diff -- I'm not intimate with how this works, but wouldn't this just authorize the users in the group initially and not the group itself? I mean will this authorization include nodes added later to the group? Is there a way to do the same authorization on the group object directly?
---
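Review bot: In the `nodeGroupName != null` branch of `populateNodes`, `nodeGroup.getUsers()` is expanded once and the resulting identities are handed to `authorizeNodeIdentities`, so the seeded policies follow the group's membership as it stands when this method runs, not the group itself. As far as this hunk shows, a node added to the group later gets no policy, and a node removed from the group keeps the access it was seeded with, which is the less desirable direction for an authorizer. If group membership is meant to govern node access, attach the policies to the group rather than to each member, or state in the Javadoc that membership is read only at seeding time. It is also worth confirming that `userGroupProvider.getGroup(nodeGroupName)` resolves by name: the argument is a name, and if the provider looks groups up by identifier the call returns null and takes the `AuthorizerCreationException` path for a group that exists.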