[jira] [Commented] (NIFI-375) New user role: Operator who can start and stop components

Thu, 13 Sep 2018 07:54:23 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16613595#comment-16613595
 ] 

ASF GitHub Bot commented on NIFI-375:
-------------------------------------

Github user mcgilman commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2990#discussion_r217390667
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/OperationAuthorizable.java
 ---
    @@ -0,0 +1,85 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.nifi.authorization.resource;
    +
    +import org.apache.nifi.authorization.AccessDeniedException;
    +import org.apache.nifi.authorization.Authorizer;
    +import org.apache.nifi.authorization.RequestAction;
    +import org.apache.nifi.authorization.Resource;
    +import org.apache.nifi.authorization.user.NiFiUser;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +/**
    + * Authorizable for a component that can be scheduled by operators.
    + */
    +public class OperationAuthorizable implements Authorizable, 
EnforcePolicyPermissionsThroughBaseResource {
    +    private static Logger logger = 
LoggerFactory.getLogger(OperationAuthorizable.class);
    +    private final Authorizable baseAuthorizable;
    +
    +    public OperationAuthorizable(final Authorizable baseAuthorizable) {
    +        this.baseAuthorizable = baseAuthorizable;
    +    }
    +
    +    @Override
    +    public Authorizable getParentAuthorizable() {
    +        // Need to return parent operation authorizable. E.g. 
/operation/processor/xxxx -> /operation/process-group/yyyy -> 
/run-status/process-group/root
    +        if (baseAuthorizable.getParentAuthorizable() == null) {
    +            return null;
    +        } else {
    +            return new 
OperationAuthorizable(baseAuthorizable.getParentAuthorizable());
    +        }
    +    }
    +
    +    @Override
    +    public Authorizable getBaseAuthorizable() {
    +        return baseAuthorizable;
    +    }
    +
    +    @Override
    +    public Resource getResource() {
    +        return 
ResourceFactory.getOperationResource(baseAuthorizable.getResource());
    +    }
    +
    +    /**
    +     * <p>Authorize the request action with the resource using base 
authorizable and operation authorizable combination.</p>
    +     *
    +     * <p>This method authorizes the request with the base authorizable 
first. If the request is allowed, then finish authorization.
    +     * If base authorizable denies the request, then it checks if the user 
has WRITE permission for '/operation/{componentType}/{id}'.</p>
    +     */
    +    public static void authorize(final Authorizable baseAuthorizable, 
final Authorizer authorizer, final RequestAction requestAction, final NiFiUser 
user) {
    --- End diff --
    
    There is no time when someone should invoke this method with a 
`requestAction` of `WRITE`. Can we remove that parameter?
    
    Also, because of this and that the name is the same as the non-static 
version (which has admittedly confused me a number of times while reviewing) 
can we rename this method to more accurately depict its intention. Maybe 
something along the lines of `authorizeOperation`.


> New user role: Operator who can start and stop components
> ---------------------------------------------------------
>
>                 Key: NIFI-375
>                 URL: https://issues.apache.org/jira/browse/NIFI-375
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>            Reporter: Daniel Ueberfluss
>            Assignee: Koji Kawamura
>            Priority: Major
>
> Would like to have a user role that allows a user to stop/start processors 
> but perform no other changes to the dataflow.
> This would allow users to address simple problems without providing full 
> access to modifying a data flow. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to