Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/592#discussion_r69003620
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java
---
@@ -1145,54 +1141,8 @@ public DownloadableContent getContent(final Long
eventId, final String uri, fina
// calculate the dn chain
final List<String> dnChain =
ProxiedEntitiesUtils.buildProxiedEntitiesChain(user);
dnChain.forEach(identity -> {
- final String rootGroupId = flowController.getRootGroupId();
- final ProcessGroup rootGroup =
flowController.getGroup(rootGroupId);
-
- final Resource eventResource;
- if (rootGroupId.equals(event.getComponentId())) {
- eventResource =
ResourceFactory.getComponentProvenanceResource(ResourceType.ProcessGroup,
rootGroup.getIdentifier(), rootGroup.getName());
- } else {
- final Connectable connectable =
rootGroup.findConnectable(event.getComponentId());
-
- if (connectable == null) {
- throw new AccessDeniedException("The component
that generated this event is no longer part of the data flow. Unable to
determine access policy.");
- }
-
- switch (connectable.getConnectableType()) {
- case PROCESSOR:
- eventResource =
ResourceFactory.getComponentProvenanceResource(ResourceType.Processor,
connectable.getIdentifier(), connectable.getName());
- break;
- case INPUT_PORT:
- case REMOTE_INPUT_PORT:
- eventResource =
ResourceFactory.getComponentProvenanceResource(ResourceType.InputPort,
connectable.getIdentifier(), connectable.getName());
- break;
- case OUTPUT_PORT:
- case REMOTE_OUTPUT_PORT:
- eventResource =
ResourceFactory.getComponentProvenanceResource(ResourceType.OutputPort,
connectable.getIdentifier(), connectable.getName());
- break;
- case FUNNEL:
- eventResource =
ResourceFactory.getComponentProvenanceResource(ResourceType.Funnel,
connectable.getIdentifier(), connectable.getName());
- break;
- default:
- throw new
WebApplicationException(Response.serverError().entity("An unexpected type of
component generated this event.").build());
- }
- }
-
- // build the request
- final AuthorizationRequest request = new
AuthorizationRequest.Builder()
- .identity(identity)
- .anonymous(user.isAnonymous()) // allow current
user to drive anonymous flag as anonymous users are never chained... supports
single user case
- .accessAttempt(false)
- .action(RequestAction.READ)
- .resource(eventResource)
- .eventAttributes(attributes)
- .build();
-
- // perform the authorization
- final AuthorizationResult result =
authorizer.authorize(request);
- if (!Result.Approved.equals(result.getResult())) {
- throw new
AccessDeniedException(result.getExplanation());
- }
+ final Authorizable eventAuthorizable =
flowController.createProvenanceAuthorizable(event.getComponentId());
+ eventAuthorizable.authorize(authorizer,
RequestAction.READ, user);
--- End diff --
This needs to authorize each link in the chain, not just the current user.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
