From 7340078de2229a4fc094cd2185117a7772389ec0 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Thu, 5 Jan 2017 16:21:50 -0500 Subject: [PATCH] NIFI-3251: Delete requires WRITE perms on parent - Requiring WRITE permissions to the parent resource when attempting to remove a component. - Updating expired certificates in the REST API integration tests. This closes #1399. 
Signed-off-by: James Wing --- .../nifi/connectable/StandardConnection.java | 2 +- .../authorization/SnippetAuthorizable.java | 7 ++++ .../StandardAuthorizableLookup.java | 5 +++ .../nifi/web/api/AccessPolicyResource.java | 8 ++++- .../nifi/web/api/ConnectionResource.java | 6 ++++ .../web/api/ControllerServiceResource.java | 7 ++++ .../apache/nifi/web/api/FunnelResource.java | 8 ++++- .../nifi/web/api/InputPortResource.java | 8 ++++- .../apache/nifi/web/api/LabelResource.java | 8 ++++- .../nifi/web/api/OutputPortResource.java | 8 ++++- .../nifi/web/api/ProcessGroupResource.java | 10 +++++- .../nifi/web/api/ProcessorResource.java | 6 ++++ .../web/api/RemoteProcessGroupResource.java | 8 ++++- .../nifi/web/api/ReportingTaskResource.java | 6 ++++ .../apache/nifi/web/api/SnippetResource.java | 6 +++- .../apache/nifi/web/api/TemplateResource.java | 8 ++++- .../util/NiFiFlowTestAuthorizer.java | 2 +- .../integration/util/NiFiTestAuthorizer.java | 2 +- .../resources/access-control/localhost-ks.jks | Bin 3512 -> 3052 bytes .../resources/access-control/localhost-ts.jks | Bin 1816 -> 911 bytes .../webapp/js/nf/canvas/nf-canvas-utils.js | 5 +++ .../js/nf/canvas/nf-controller-services.js | 34 ++++++++++++++++-- .../main/webapp/js/nf/canvas/nf-settings.js | 2 +- 23 files changed, 141 insertions(+), 15 deletions(-) mode change 100755 => 100644 nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks mode change 100755 => 100644 nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ts.jks diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java index ddb4523151..8b81c81a92 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java @@ -110,7 +110,7 @@ public final class StandardConnection implements Connection { @Override public Authorizable getParentAuthorizable() { - return null; + return getProcessGroup(); } @Override diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/SnippetAuthorizable.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/SnippetAuthorizable.java index 5503f44ef0..e28bf741e0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/SnippetAuthorizable.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/SnippetAuthorizable.java @@ -24,6 +24,13 @@ import java.util.Set; * Authorizable for a Snippet. */ public interface SnippetAuthorizable { + /** + * The authorizable for the parent process group of this snippet. + * + * @return authorizable for parent process group of this snippet + */ + Authorizable getParentProcessGroup(); + /** * The authorizables for selected processors. Non null * diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java index 18af600eca..28092cd4e1 100644 
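Review bot: `getParentAuthorizable()` in StandardConnection now returns `getProcessGroup()`, but nothing in this hunk says whether that can be null, for example for a connection that is not yet attached to a group. The delete handler in ConnectionResource added by this commit dereferences the result without a check, so the return value is now part of the authorization path. I would state the contract on the method, e.g. `// parent is the owning process group; delete authorization dereferences this, so it must be non-null once the connection is part of a flow`. The class body continues outside the hunk, so how the process group is set is not visible here.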
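Review bot: The Javadoc added for `getParentProcessGroup()` in SnippetAuthorizable does not state nullability, while the neighbouring method's Javadoc says `Non null`. SnippetResource calls `.authorize(...)` directly on the returned value, so callers rely on it never being null. Add the same wording, e.g. `The authorizable for the parent process group of this snippet. Non null`.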
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java @@ -329,6 +329,11 @@ class StandardAuthorizableLookup implements AuthorizableLookup { final ProcessGroup processGroup = processGroupDAO.getProcessGroup(snippet.getParentGroupId()); return new SnippetAuthorizable() { + @Override + public Authorizable getParentProcessGroup() { + return processGroup; + } + @Override public Set getSelectedProcessors() { return processGroup.getProcessors().stream() diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java index 9875df4c32..999c8322f6 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java @@ -422,7 +422,8 @@ public class AccessPolicyResource extends ApplicationResource { value = "Deletes an access policy", response = AccessPolicyEntity.class, authorizations = { - @Authorization(value = "Write - /policies/{resource}", type = "") + @Authorization(value = "Write - /policies/{resource}", type = ""), + @Authorization(value = "Write - Policy of the parent resource - /policies/{resource}", type = "") } ) @ApiResponses( 
@@ -472,7 +473,12 @@ public class AccessPolicyResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable accessPolicy = lookup.getAccessPolicyById(id); + + // ensure write permission to the access policy accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the policy for the parent process group + accessPolicy.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, null, (revision, accessPolicyEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java index 4527e87b6e..cfd65858b5 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java @@ -295,6 +295,7 @@ public class ConnectionResource extends ApplicationResource { response = ConnectionEntity.class, authorizations = { @Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""), @Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "") } ) 
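Review bot: `accessPolicy.getParentAuthorizable()` is dereferenced without a null check in the AccessPolicyResource authorization lambda, so a policy whose parent is null would fail with a NullPointerException instead of a clean authorization decision. Whether the parent can be null for an access policy is not visible here, but this commit guards exactly that case in ProcessGroupResource, and StandardConnection returned null from this method until this commit. The same unguarded call appears in the delete handlers of ConnectionResource, ControllerServiceResource, FunnelResource, InputPortResource, LabelResource, OutputPortResource, ProcessorResource, RemoteProcessGroupResource, ReportingTaskResource and TemplateResource. Either guard it as below, or reject the request explicitly when the parent is missing if fail-closed is the intended behaviour. The enclosing method starts and ends outside the hunk.

```java
final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
// … unchanged: write check on the access policy itself …

// ensure write permission to the policy of the parent resource, when there is one
final Authorizable parentAuthorizable = accessPolicy.getParentAuthorizable();
if (parentAuthorizable != null) {
    parentAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
}
```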
@@ -344,7 +345,12 @@ public class ConnectionResource extends ApplicationResource { lookup -> { // verifies write access to the source and destination final Authorizable authorizable = lookup.getConnection(id).getAuthorizable(); + + // ensure write permission to the connection authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + authorizable.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteConnection(id), (revision, connectionEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java index 9544ff8181..26ebd2bfbe 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java @@ -661,6 +661,8 @@ public class ControllerServiceResource extends ApplicationResource { response = ControllerServiceEntity.class, authorizations = { @Authorization(value = "Write - /controller-services/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group if scoped by Process Group - /process-groups/{uuid}", type = ""), + @Authorization(value = "Write - Controller if scoped by Controller - /controller", type = ""), @Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "") } ) 
@@ -706,8 +708,13 @@ public class ControllerServiceResource extends ApplicationResource { requestRevision, lookup -> { final ConfigurableComponentAuthorizable controllerService = lookup.getControllerService(id); + + // ensure write permission to the controller service controllerService.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // ensure write permission to the parent process group + controllerService.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // verify any referenced services AuthorizeControllerServiceReference.authorizeControllerServiceReferences(controllerService, authorizer, lookup, false); }, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java index dcb35fa66d..811fc6139d 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java @@ -245,7 +245,8 @@ public class FunnelResource extends ApplicationResource { value = "Deletes a funnel", response = FunnelEntity.class, authorizations = { - @Authorization(value = "Write - /funnels/{uuid}", type = "") + @Authorization(value = "Write - /funnels/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( 
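Review bot: The added comment `// ensure write permission to the parent process group` in ControllerServiceResource does not match the `@Authorization` entries added in the same commit, which say the parent is `/controller` when the service is controller-scoped. ReportingTaskResource carries the same comment although its annotation lists only `Write - /controller`, and the AccessPolicyResource comment says "parent process group" where its annotation says "Policy of the parent resource". Since these comments describe an access-control decision, I would word them after what is actually checked, e.g. `// ensure write permission to the parent (process group, or the controller when controller-scoped)`.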
@@ -290,7 +291,12 @@ public class FunnelResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable funnel = lookup.getFunnel(id); + + // ensure write permission to the funnel funnel.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + funnel.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteFunnel(id), (revision, funnelEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java index 65e871ee43..a5e8169322 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java @@ -244,7 +244,8 @@ public class InputPortResource extends ApplicationResource { value = "Deletes an input port", response = PortEntity.class, authorizations = { - @Authorization(value = "Write - /input-ports/{uuid}", type = "") + @Authorization(value = "Write - /input-ports/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( 
@@ -289,7 +290,12 @@ public class InputPortResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable inputPort = lookup.getInputPort(id); + + // ensure write permission to the input port inputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + inputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteInputPort(id), (revision, portEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java index 34f62f5a69..fa6765728a 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java @@ -244,7 +244,8 @@ public class LabelResource extends ApplicationResource { value = "Deletes a label", response = LabelEntity.class, authorizations = { - @Authorization(value = "Write - /labels/{uuid}", type = "") + @Authorization(value = "Write - /labels/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( 
@@ -289,7 +290,12 @@ public class LabelResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable label = lookup.getLabel(id); + + // ensure write permission to the label label.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + label.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, null, (revision, labelEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java index 442473ccf0..c6cfac67b7 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java @@ -244,7 +244,8 @@ public class OutputPortResource extends ApplicationResource { value = "Deletes an output port", response = PortEntity.class, authorizations = { - @Authorization(value = "Write - /output-ports/{uuid}", type = "") + @Authorization(value = "Write - /output-ports/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( 
@@ -289,7 +290,12 @@ public class OutputPortResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable outputPort = lookup.getOutputPort(id); + + // ensure write permission to the output port outputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + outputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteOutputPort(id), (revision, portEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java index 75bdc3e727..58c9e30b59 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java @@ -339,6 +339,8 @@ public class ProcessGroupResource extends ApplicationResource { response = ProcessGroupEntity.class, authorizations = { @Authorization(value = "Write - /process-groups/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""), + @Authorization(value = "Read - any referenced Controller Services by any encapsulated components - /controller-services/{uuid}", type = ""), @Authorization(value = "Write - /{component-type}/{uuid} - For all encapsulated components", type = "") } ) 
@@ -384,12 +386,18 @@ public class ProcessGroupResource extends ApplicationResource { requestProcessGroupEntity, requestRevision, lookup -> { - final NiFiUser user = NiFiUserUtils.getNiFiUser(); final ProcessGroupAuthorizable processGroupAuthorizable = lookup.getProcessGroup(id); // ensure write to this process group and all encapsulated components including templates and controller services. additionally, ensure // read to any referenced services by encapsulated components authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, true, true, false); + + // ensure write permission to the parent process group, if applicable... if this is the root group the + // request will fail later but still need to handle authorization here + final Authorizable parentAuthorizable = processGroupAuthorizable.getAuthorizable().getParentAuthorizable(); + if (parentAuthorizable != null) { + parentAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + } }, () -> serviceFacade.verifyDeleteProcessGroup(id), (revision, processGroupEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java index d17f7ac8ed..1238e649b9 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java 
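Review bot: The `parentAuthorizable != null` branch in ProcessGroupResource skips the parent check entirely for the root group, so the only barrier left for a user with WRITE on that group is the later rejection the comment alludes to. That rejection is not visible in this hunk; presumably it happens in `serviceFacade.verifyDeleteProcessGroup(id)`. If that is where it is enforced, I would name it in the comment, e.g. `// root group has no parent; deletion is rejected in verifyDeleteProcessGroup(id)`, and confirm an integration test covers a root-group DELETE so the fail-open branch cannot become reachable unnoticed.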
@@ -496,6 +496,7 @@ public class ProcessorResource extends ApplicationResource { response = ProcessorEntity.class, authorizations = { @Authorization(value = "Write - /processors/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""), @Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "") } ) @@ -540,8 +541,13 @@ public class ProcessorResource extends ApplicationResource { requestRevision, lookup -> { final ConfigurableComponentAuthorizable processor = lookup.getProcessor(id); + + // ensure write permission to the processor processor.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // ensure write permission to the parent process group + processor.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // verify any referenced services AuthorizeControllerServiceReference.authorizeControllerServiceReferences(processor, authorizer, lookup, false); }, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java index 3aef47efcf..0c192d7ea9 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java 
@@ -159,7 +159,8 @@ public class RemoteProcessGroupResource extends ApplicationResource { value = "Deletes a remote process group", response = RemoteProcessGroupEntity.class, authorizations = { - @Authorization(value = "Write - /remote-process-groups/{uuid}", type = "") + @Authorization(value = "Write - /remote-process-groups/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( @@ -204,7 +205,12 @@ public class RemoteProcessGroupResource extends ApplicationResource { requestRevision, lookup -> { final Authorizable remoteProcessGroup = lookup.getRemoteProcessGroup(id); + + // ensure write permission to the remote process group remoteProcessGroup.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + remoteProcessGroup.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteRemoteProcessGroup(id), (revision, remoteProcessGroupEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java index 31ceb9f968..39c75f960f 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java 
@@ -465,6 +465,7 @@ public class ReportingTaskResource extends ApplicationResource { response = ReportingTaskEntity.class, authorizations = { @Authorization(value = "Write - /reporting-tasks/{uuid}", type = ""), + @Authorization(value = "Write - /controller", type = ""), @Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "") } ) @@ -510,8 +511,13 @@ public class ReportingTaskResource extends ApplicationResource { requestRevision, lookup -> { final ConfigurableComponentAuthorizable reportingTask = lookup.getReportingTask(id); + + // ensure write permission to the reporting task reportingTask.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // ensure write permission to the parent process group + reportingTask.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + // verify any referenced services AuthorizeControllerServiceReference.authorizeControllerServiceReferences(reportingTask, authorizer, lookup, false); }, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java index f5fc6240a6..0be7218b61 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java 
@@ -301,7 +301,8 @@ public class SnippetResource extends ApplicationResource { value = "Deletes the components in a snippet and discards the snippet", response = SnippetEntity.class, authorizations = { - @Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = "") + @Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""), } ) @ApiResponses( @@ -338,6 +339,9 @@ public class SnippetResource extends ApplicationResource { // ensure write permission to every component in the snippet excluding referenced services final SnippetAuthorizable snippet = lookup.getSnippet(snippetId); authorizeSnippet(snippet, authorizer, lookup, RequestAction.WRITE, true, false); + + // ensure write permission to the parent process group + snippet.getParentProcessGroup().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, () -> serviceFacade.verifyDeleteSnippet(snippetId, requestRevisions.stream().map(rev -> rev.getComponentId()).collect(Collectors.toSet())), (revisions, entity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java index 63a37a8695..515ade6b3b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java 
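Review bot: The new `@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),` entry in SnippetResource ends with a trailing comma as the last element of the `authorizations` array. It compiles, but every other resource touched by this commit closes the array without one; drop the comma for consistency.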
@@ -165,7 +165,8 @@ public class TemplateResource extends ApplicationResource { value = "Deletes a template", response = TemplateEntity.class, authorizations = { - @Authorization(value = "Write - /templates/{uuid}", type = "") + @Authorization(value = "Write - /templates/{uuid}", type = ""), + @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "") } ) @ApiResponses( @@ -197,7 +198,12 @@ public class TemplateResource extends ApplicationResource { requestTemplateEntity, lookup -> { final Authorizable template = lookup.getTemplate(id).getAuthorizable(); + + // ensure write permission to the template template.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); + + // ensure write permission to the parent process group + template.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); }, null, (templateEntity) -> { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiFlowTestAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiFlowTestAuthorizer.java index 07d69067a4..47f70eac03 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiFlowTestAuthorizer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiFlowTestAuthorizer.java 
@@ -33,7 +33,7 @@ public class NiFiFlowTestAuthorizer implements Authorizer { public static final String NO_POLICY_COMPONENT_NAME = "No policies"; - public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US"; + public static final String PROXY_DN = "CN=localhost, OU=NIFI"; public static final String NONE_USER_DN = "none@nifi"; public static final String READ_USER_DN = "read@nifi"; diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java index de55b8306d..c72d51291b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java @@ -33,7 +33,7 @@ public class NiFiTestAuthorizer implements Authorizer { public static final String NO_POLICY_COMPONENT_NAME = "No policies"; - public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US"; + public static final String PROXY_DN = "CN=localhost, OU=NIFI"; public static final String NONE_USER_DN = "none@nifi"; public static final String READ_USER_DN = "read@nifi"; 
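Review bot: `PROXY_DN` in NiFiFlowTestAuthorizer, and the identical constant in NiFiTestAuthorizer, presumably has to equal the subject DN of the certificate in the `localhost-ks.jks` test keystore replaced by this commit, but nothing in either class says so. The next time the test certificate is regenerated, the two constants and the keystore can drift apart and the access-control integration tests will fail in a way that is hard to trace. Add a comment on both constants, e.g. `// must match the subject DN of src/test/resources/access-control/localhost-ks.jks`.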
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks old mode 100755 new mode 100644 index df36197d92ab8e9870f42666d74c47646fd56f26..44a35372b9ac5d239cd013ceff250a6424e57468 GIT binary patch literal 3052 zcmb`|c{J2r9{}+A%_huXh?$72BV*}j8GF{qh%|{TN!gWbk!^@cD7#P!q3j|fB1I~D zh)NA1k>wc_M%K*h={e_ld(U~#dEfV(_mA&6_j~U>_x|y{pYPqC-=2p+Akduve#I_t zPd88b^R6K~6Sh9wU#B1t1OQUuKS3@ehb$6+0|Y1r01yy36+Ua-Mr~&58n3_4zQrXl zuHoOaw)^W)Y0u-APk6gWyBfR*vCI{f*6w!2oQZllcRIY zGuNKz2h+YqFAB~%m{=57lELtwhuEV z1(rb zYK`9apitlGf)_;HR-A8GV)@`nZ~b=zAj8_ZOwNTPSVuFc_D2f+3tNGDz3AACrAbs^ z))(390le38j6nK9ZUghQbt5crym5hr?KmvHC5lu{p=C`n6xgjtP#SAFLNR-|V`-}w zOTv@wyi7vfLYm074j#3{YnGqRkXe!NKWg2hbrFVF3_~X^?oBgl_#7mTtwmbNbo_{M zi>gVsZ;9^oKC^!a$K67U8r4Uup9=6{FTuS+wycXJL4I^VH8APEPRHA{n>H-Rz{tQ) z3d+pwmIZsgi|<%S16uXS%TU2l<_#hgrDrpOAET#JSP@q}RqpDgYBd`M8ptEkL~66S zey-vdY))n0mgFgosU=^31BP-$dd(J*d1UOYB)&L--COprxx)5dGN9Dl=+W}0g*xU) zX|~UZSECyj>U64YRhRgtMJMWV+7S#s&ZNLzPjcXP>fEQt0;NBAEyvcxke)v>)BFohv0)W#firihO;0h>b+= z@^)^uuMVH^nZK@76@SU4-mVZzfBn(4o(nC}Y$!WW=6qp_GI(^CiMjL4sM`#0TM74e z*zM;7xf=Avc-n}^2?|$5@Kt#w@ss)MH>-|oO|6x0IZ$Q3hc$6*!dP(|yCYdBiT3*u zkBB#`T$5&w*sXjPDk3NiTkRP>#MFujU5 z@rU5iLgOWq8*k<_oYJ_Bo0NLOW4b9OFl2&Ds)%3i+V`|-Kj&>EaMW#d?uHUv@072)x{YhT`0?~~$=tivB~ zes3V^%EuSq-7)gIH0ss)tan4=uJp&t=koDVp2TabJ`%}4_=%e9`Lq53<#Xb@7`IYh z*KTSctY!u;M>=RtE*a`<9FD*EfX!8VOl^8JpmHDY0JYWDe|){Fkp5g^s$#6K>Q{?I z*eDP|4G08g3Q}RlAQh^R2ZI7oD95ix*|W0;0-}-Zgcy^URWtx_A|RlIA{yjG!mQw& zDELv5F-egZiB_*@JCMX+c^HBb>GDyk@}ff{yLv=aDR`rjQw1;l^9 ze5XOfr~o$vqyijJDgZ!Y&)D5gxyr_z*JV6sGRk#NJlfg=a}u-mIOmtQTAFDKBMa)D z$bIIv@AkrLm78^TjryA57MwHc+0R{AhW6y?@y<|0VEk zu(+2isIA&LnqqO2FR)(uz|=D9R8n$5EQz^jK9@aHWL}M7W$9{)#x*BvlQ^jF`vZy9 zg|fGXYbI4TdpVrlCYmM>p1iVgTh)!E9liaaf_|QZ)|h8VP$0~##TNQnl=NlotCe`w 
zIl17{+TwRsuXb>{v06sV(r@meIEP>6eghl$Rn#!vbMwYo?wryGi3I7VontMK52UH7 z+_Xg9X54eB7ke~pFF;`c1h_{5LqXx40tj=#1>n1Rye{`_$MKI_oVxXc4e{lZJe8mW z?)!6D0*(U(B6qj@4-?RZ*SEHoZ5d+nW62WtJ_zjmgF73z0e}UE!=SJ=kp0h`4-N$( ze;q9a7XWu7ckTR@2m~7p`u7O!!Z`+4DSk7n@>WlBtT= z8x^0Ao}nKYpS0A>laS2<72GzRr3Kf9)>iq0T;bEWxz1ILWie?J+aZtpeEwNTBF&HK zc}c!&{$xX4*SRr26lc6j!l)P2)F6~1C^o%QRz2SztaB? zs)7lA^}fS2d(KY#jEphOhgiBfwRU2AY7T)8pz?bfR z^;*KY4cj_AbMr);;na3o>IrF_rCr&wc5T1;gR=Nquec!h!8o#Ee$PCIa2a?)lfMsQ ztJ~-$>2L(hpbsXVDfv=v4l?fqC7tJ&VHg&R-N-V-knM`BkH1IZp9>|xx8%+9 zbr}r*R}{cDi24f!0)*{A`HkGa74;v<{UZB6xymyO5>Za#l~i)#UtB8BTju&p?g+B;y0^?#qYGFyIhuV1mH0S&8Kc^Rb zn1{V2*fBHmu|j}g^K?_WK1W@7L(VKlyy?zX9eeB{SHX%S{%;x8z6Bu#UKX3K)3dhB zZpUm6%zlu5m@nH{+N3f!F4wB3IN6zHbT4*Gy9T}VJx;1G1m>f(AfI(V#5{8@NtrLg y$W%dDSPUAJuo}Fpxke-m^Rd;sS*@ukR~mY^^@B>@$<8M=^VfU-23T`p&Iir~-L#Y=#ud?{E1Ldil!ycf^TKF)2%4dD_ z&CRl2juv-w;hX`>r;n!ME0*eJZQo{liYbqFr%&s4KWji3-S|{|Q#z3Bi!_n-HQIvn z)_yhbW3OmoReGZ$;mdsOy)j4ml{e?MpM3BXEZ&%y>@=UK++W7rcU+QDvQxbsYBP>C ziqWW_4}oMI2<5S^ml11u$vzs(Bz1QY%@RE`7dI!_J9pQZTH;ai+~*FZ-!&0FO}AsY zOxhC^^;ctKwcW!%@WtyMsu@6xd3zdv(I!8(v5$IseOUHF#yBeb=(KkBD?D*{)a_{6 zy11;ZtH1s5w8!+ewZvnrkKmE%X*#>Ul%b`b!V6_&L1)$_<6^i6k7Bh$Cbm8X7HN40 zS#G)q)jhM1yqIk|ug4$}yr>lNM^7CDi=S{rQqn53pE8J!Vk=?&Q_pATc&ICwBQ zS(^FTsqy1f=9leGJUj=gReI>!b5N4p{xQ7Yh?)gcpugwPJJKnkHLG#|+$oVkg4yV1aO1A$e7 zaQjo^Q#=uo%^bn4wLVp1-Lpy>m3Om-GmM2@#_FNth9W;Io4*MtEVVL^kgC7SFA-we z#qVjp#>O>$RucpY72eI-)`&+06CPE;lJYi4}@3m`# zJ_AU}qlHP&l8^Sxdy9$-4gOUb4UL4637oYGzAr%oZTy>dW-CT`%o3B(duSJ1(e{$Y zM<9UyvWx;+833RQMN{a4(G-wlHXR5E0)ZV>5?#@72%}__LDViB2!zoC&;$$&%?P2h z0z(iWD~mq^C<3ITh2caaj#n5E%ofhx0nUQPL~nPTGlqqB22Ex{K(u_Eac+1F2b%p@ zfFWRi2!bZ=dhQr@H0!ZShxiYx(fr(S%o#KWt$@YIDPiPok3$Sr4*fIyhqIvoh5uR( z+G9aS0kQzl6d)6b0t5omn(X@$hGj=yE`{&~S2Gtia5Gn?EL_(yG|G+K@=fp0D^(rz zxT1R64#p$fx05POs#deg9+l!c8gwhEor|BbmTA)uRlj-gz6)6_cB&4*Tc-M`bK9>c z*H4msFu-a#7iT^GkUgZvxqIcr(X*;=?XWBEh_4N)!@=`Ah5M!kt4cNNSPATwH?AXC 
zdENd&XqoAr2Dq}BQ6Gnc3D~XB-xhZWLe^fld)&QlbH&rFP$(?%sxBMiB_=cw?r7CH@9Dd8TnkYHTi)yt>lPMf~Qh{TVz-%zd}mpoX@Lx z7dHOF@cCta&Y}DYj>8M>y0uqvg+{1>9qQK_{DUz^17>%6baZre>Zg9-*JTh{JeEgE(Xc$3KCdGsnB0X~&288Q1yu50`xi`1$u zxw%0F{zoTzg?QpaXg#S%Pc}TD&G9sE#r*FN1sL2ia!PT<-siU_xsUiWo{_zcpd9U!Ni)~G zLi}%abS2t*$1jmQ&rh~)%FTUKeNh{2;~_;7Z1a$&S<~zN0o(9-C8gCXFPUtQaEi(Ok}L|C$~05J}GOTeZ2`>N!9w z|5?&Yv(xUn4w}Md-)+>Xm-idnwqK!l-ep)3M#!opq&#uM)v4O^f$5XSSy^-7P*&lV zi*Bv9WLRzp8QFh_Sp$75|b~$}d%! zADHN!cN?}Zq;Pfp`_&u3UsSsuum4tHmJnSKKJnFdCJT}j<9dY@Y9;CdG*Uh6JugW| zjszU%k%LnRdK;+FkhCS;r3tV3Qu-?q>U@4Gz20FckyBYJ$a2l5D|g6nnw|8he9Zuw zE>xvKu;5sW8RFB^dtl3__u=TrP;92~^c`S>V6o8(>LDq#2#WbkDhztv-Y+KRxxc_( z9-Ig8g=a}sc!GElV)j`DAZZobG^EycOweBae{tMx(CCHt3QRem*{+4B%V0XzUy$!_ zUZ;}wLq8Th?`+87LY**LY@JlekVGBR?rG8iZu@)~fnF^95n^RW1Nx_KH383=&5 z%siYq`N@en8TrK}26E!OhUNx_2BwB4hL)yAQR2Kt21s1u3~6FiLbjZdm4Ug5k)Oe! ziIIz`iII_E(PL4I^X{9}*6})Umxu)kNwZ7 z=^wY4ka4q7@sah#zYce@1*Dz@9;!I7XOGwlUBQnmUng0lEkBs=@qX{osjqXAB>LVd znBV$oEGt>0Cp;y+wX-MdSL8OeFTX=NoS*%hG%-Y7A~g|eC@nkaq>(b!N90x zVL?}U)DB4Zu>8?Y^ezjwY;igB&&Sc?eSX!(yTw9>r}$0Eiea=hra7VpxoKYu<)zE;$|->NrB@23wPs^=@2^Nrr=&RkOIJMB%M zv2dNMm!7e#B2#(K_X>{vo8_tnZyXKVZ@zEYJe%b^-Ml3~_!1s_!bTa@5 Ccvlnv literal 1816 zcmezO_TO6u1_mZL=FG`YPRz;3FD_wVU$4v!kJ?fiOsh zU6?00F|Q<1!8boIGdazbS85=;kbaqV>qY`p(FtRc*H!<=v7&I|*F*PwV zGR!y-b78_&{p;J_RLYcZ=UKH^oM-d2R~63QK8sqv6wbQ1c%Aj-tT=16Xl@Dp3*V;e zHf*;EU2s!d?EmGAwL4$*KMm76>RxSI^Y_{r+12XOyBVZ5SkF88wdmZUBCW>1mjpsy z^o8A>D^$57@$5Uk|7*7VJjNZDDg1En^sD7BzpeZg;PKvK$44Vgqc3^M$IC50#>}kV z5b(o}W%EH!_vB=5`RI47^%}8dvO6oHmz@0=8J8WnQn7ZTq?gtGwUN*b>^*j51vd`gXZ}Tj=d=! zZ5Q2p8)B?EgtP6!|DK($dm-WAwXXk9U+SN8m>b$H+55Tn^-f3Qi)|}kFy(38X`WLz zb3tscaO}@TH^6nkgPpdLY>Z2bWWLj})^PvwNNvp0VmYkR- zC$rcPs*X#TBPg{vHL)l;!%)D052TJ;m^~!5xFj<#9cRWgF)#(@MiUbYLkm#GG%*0? 
zP$-w~?rCD&0nCOvupnUsa^#sB8yWuA2RF)=3TX!2_nM>k=E?JKg4=^^-n%dyma}iz z7O0l#8tb4G_&d_JH{#d+qhEI!d^66fYKrV z-7ByE+kQ;?hjsY#V=I=4^0WMI{&xAO++ilu5aB4XiALW_Kd;kHysq{BlM=J!+>0KJ z$C*SKrY8jSiz;)U*)(Zq)1ucc+#e!jzJi?g{o#VvYqM?do!+xL#%xFU&dMq4cmJ|_ z)$}vmhufCDDLpVUyl>Z)NdISr>;jDqTRg=Im0$R1hzV~$&uP?iV%b9*v8wKnnqG|u zi`U6%Z(de9F>i4__b)}$q>sOosu)$Q&n)@4Z$;pQ&K1q~A4WZ$&o-$$Ev}(DR5gXs z$NJxSPc7!gRtAte7ABjPohmimJL!w=83*1S57xEkb0m5`p0y|T%0y91?Xr*$k!KcN z@qQxIFmK}r4~|)iTkLXzMLu+2k#TdI871R(