Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/592#discussion_r69003620 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java --- 
@@ -1145,54 +1141,8 @@ public DownloadableContent getContent(final Long eventId, final String uri, fina
 // calculate the dn chain
 final List<String> dnChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(user);
 dnChain.forEach(identity -> {
- final String rootGroupId = flowController.getRootGroupId();
- final ProcessGroup rootGroup = flowController.getGroup(rootGroupId);
-
- final Resource eventResource;
- if (rootGroupId.equals(event.getComponentId())) {
- eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.ProcessGroup, rootGroup.getIdentifier(), rootGroup.getName());
- } else {
- final Connectable connectable = rootGroup.findConnectable(event.getComponentId());
-
- if (connectable == null) {
- throw new AccessDeniedException("The component that generated this event is no longer part of the data flow. Unable to determine access policy.");
- }
-
- switch (connectable.getConnectableType()) {
- case PROCESSOR:
- eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.Processor, connectable.getIdentifier(), connectable.getName());
- break;
- case INPUT_PORT:
- case REMOTE_INPUT_PORT:
- eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.InputPort, connectable.getIdentifier(), connectable.getName());
- break;
- case OUTPUT_PORT:
- case REMOTE_OUTPUT_PORT:
- eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.OutputPort, connectable.getIdentifier(), connectable.getName());
- break;
- case FUNNEL:
- eventResource = ResourceFactory.getComponentProvenanceResource(ResourceType.Funnel, connectable.getIdentifier(), connectable.getName());
- break;
- default:
- throw new WebApplicationException(Response.serverError().entity("An unexpected type of component generated this event.").build());
- }
- }
-
- // build the request
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .identity(identity)
- .anonymous(user.isAnonymous()) // allow current user to drive anonymous flag as anonymous users are never chained... supports single user case
- .accessAttempt(false)
- .action(RequestAction.READ)
- .resource(eventResource)
- .eventAttributes(attributes)
- .build();
-
- // perform the authorization
- final AuthorizationResult result = authorizer.authorize(request);
- if (!Result.Approved.equals(result.getResult())) {
- throw new AccessDeniedException(result.getExplanation());
- }
+ final Authorizable eventAuthorizable = flowController.createProvenanceAuthorizable(event.getComponentId());
+ eventAuthorizable.authorize(authorizer, RequestAction.READ, user);
--- End diff --
This needs to authorize each link in the chain, not just the current user.
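Review bot: The added `eventAuthorizable.authorize(authorizer, RequestAction.READ, user)` call no longer carries the event's attributes into the authorization decision, whereas the removed builder set `.eventAttributes(attributes)` and `.accessAttempt(false)`. An authorizer whose policy depends on those attributes would now decide without them, and the access-attempt flag falls back to whatever `Authorizable` uses by default, which is not visible in this hunk. If `Authorizable` has, or can be given, an overload that accepts the attribute map, pass it through, e.g. `eventAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);`. It is also worth confirming that `createProvenanceAuthorizable` still fails closed when the component that generated the event is no longer in the flow, since the removed code threw `AccessDeniedException` in that case. The helper's body and the end of the `forEach` lambda lie outside the quoted hunk.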