mirror of https://github.com/apache/nifi.git
NIFI-3251: Delete requires WRITE perms on parent
- Requiring WRITE permissions to the parent resource when attempting to remove a component. - Updating expired certificates in the REST API integration tests. This closes #1399. Signed-off-by: James Wing <jvwing@gmail.com>
This commit is contained in:
parent
ddda602620
commit
7340078de2
|
@ -110,7 +110,7 @@ public final class StandardConnection implements Connection {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Authorizable getParentAuthorizable() {
|
public Authorizable getParentAuthorizable() {
|
||||||
return null;
|
return getProcessGroup();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -24,6 +24,13 @@ import java.util.Set;
|
||||||
* Authorizable for a Snippet.
|
* Authorizable for a Snippet.
|
||||||
*/
|
*/
|
||||||
public interface SnippetAuthorizable {
|
public interface SnippetAuthorizable {
|
||||||
|
/**
|
||||||
|
* The authorizable for the parent process group of this snippet.
|
||||||
|
*
|
||||||
|
* @return authorizable for parent process group of this snippet
|
||||||
|
*/
|
||||||
|
Authorizable getParentProcessGroup();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The authorizables for selected processors. Non null
|
* The authorizables for selected processors. Non null
|
||||||
*
|
*
|
||||||
|
|
|
@ -329,6 +329,11 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
|
||||||
final ProcessGroup processGroup = processGroupDAO.getProcessGroup(snippet.getParentGroupId());
|
final ProcessGroup processGroup = processGroupDAO.getProcessGroup(snippet.getParentGroupId());
|
||||||
|
|
||||||
return new SnippetAuthorizable() {
|
return new SnippetAuthorizable() {
|
||||||
|
@Override
|
||||||
|
public Authorizable getParentProcessGroup() {
|
||||||
|
return processGroup;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Set<ConfigurableComponentAuthorizable> getSelectedProcessors() {
|
public Set<ConfigurableComponentAuthorizable> getSelectedProcessors() {
|
||||||
return processGroup.getProcessors().stream()
|
return processGroup.getProcessors().stream()
|
||||||
|
|
|
@ -422,7 +422,8 @@ public class AccessPolicyResource extends ApplicationResource {
|
||||||
value = "Deletes an access policy",
|
value = "Deletes an access policy",
|
||||||
response = AccessPolicyEntity.class,
|
response = AccessPolicyEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /policies/{resource}", type = "")
|
@Authorization(value = "Write - /policies/{resource}", type = ""),
|
||||||
|
@Authorization(value = "Write - Policy of the parent resource - /policies/{resource}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -472,7 +473,12 @@ public class AccessPolicyResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
|
final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
|
||||||
|
|
||||||
|
// ensure write permission to the access policy
|
||||||
accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the policy for the parent process group
|
||||||
|
accessPolicy.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
null,
|
null,
|
||||||
(revision, accessPolicyEntity) -> {
|
(revision, accessPolicyEntity) -> {
|
||||||
|
|
|
@ -295,6 +295,7 @@ public class ConnectionResource extends ApplicationResource {
|
||||||
response = ConnectionEntity.class,
|
response = ConnectionEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
|
@Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
|
||||||
@Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "")
|
@Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -344,7 +345,12 @@ public class ConnectionResource extends ApplicationResource {
|
||||||
lookup -> {
|
lookup -> {
|
||||||
// verifies write access to the source and destination
|
// verifies write access to the source and destination
|
||||||
final Authorizable authorizable = lookup.getConnection(id).getAuthorizable();
|
final Authorizable authorizable = lookup.getConnection(id).getAuthorizable();
|
||||||
|
|
||||||
|
// ensure write permission to the connection
|
||||||
authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
authorizable.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteConnection(id),
|
() -> serviceFacade.verifyDeleteConnection(id),
|
||||||
(revision, connectionEntity) -> {
|
(revision, connectionEntity) -> {
|
||||||
|
|
|
@ -661,6 +661,8 @@ public class ControllerServiceResource extends ApplicationResource {
|
||||||
response = ControllerServiceEntity.class,
|
response = ControllerServiceEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /controller-services/{uuid}", type = ""),
|
@Authorization(value = "Write - /controller-services/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group if scoped by Process Group - /process-groups/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Controller if scoped by Controller - /controller", type = ""),
|
||||||
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -706,8 +708,13 @@ public class ControllerServiceResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final ConfigurableComponentAuthorizable controllerService = lookup.getControllerService(id);
|
final ConfigurableComponentAuthorizable controllerService = lookup.getControllerService(id);
|
||||||
|
|
||||||
|
// ensure write permission to the controller service
|
||||||
controllerService.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
controllerService.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
controllerService.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
// verify any referenced services
|
// verify any referenced services
|
||||||
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(controllerService, authorizer, lookup, false);
|
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(controllerService, authorizer, lookup, false);
|
||||||
},
|
},
|
||||||
|
|
|
@ -245,7 +245,8 @@ public class FunnelResource extends ApplicationResource {
|
||||||
value = "Deletes a funnel",
|
value = "Deletes a funnel",
|
||||||
response = FunnelEntity.class,
|
response = FunnelEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /funnels/{uuid}", type = "")
|
@Authorization(value = "Write - /funnels/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -290,7 +291,12 @@ public class FunnelResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable funnel = lookup.getFunnel(id);
|
final Authorizable funnel = lookup.getFunnel(id);
|
||||||
|
|
||||||
|
// ensure write permission to the funnel
|
||||||
funnel.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
funnel.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
funnel.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteFunnel(id),
|
() -> serviceFacade.verifyDeleteFunnel(id),
|
||||||
(revision, funnelEntity) -> {
|
(revision, funnelEntity) -> {
|
||||||
|
|
|
@ -244,7 +244,8 @@ public class InputPortResource extends ApplicationResource {
|
||||||
value = "Deletes an input port",
|
value = "Deletes an input port",
|
||||||
response = PortEntity.class,
|
response = PortEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /input-ports/{uuid}", type = "")
|
@Authorization(value = "Write - /input-ports/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -289,7 +290,12 @@ public class InputPortResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable inputPort = lookup.getInputPort(id);
|
final Authorizable inputPort = lookup.getInputPort(id);
|
||||||
|
|
||||||
|
// ensure write permission to the input port
|
||||||
inputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
inputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
inputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteInputPort(id),
|
() -> serviceFacade.verifyDeleteInputPort(id),
|
||||||
(revision, portEntity) -> {
|
(revision, portEntity) -> {
|
||||||
|
|
|
@ -244,7 +244,8 @@ public class LabelResource extends ApplicationResource {
|
||||||
value = "Deletes a label",
|
value = "Deletes a label",
|
||||||
response = LabelEntity.class,
|
response = LabelEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /labels/{uuid}", type = "")
|
@Authorization(value = "Write - /labels/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -289,7 +290,12 @@ public class LabelResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable label = lookup.getLabel(id);
|
final Authorizable label = lookup.getLabel(id);
|
||||||
|
|
||||||
|
// ensure write permission to the label
|
||||||
label.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
label.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
label.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
null,
|
null,
|
||||||
(revision, labelEntity) -> {
|
(revision, labelEntity) -> {
|
||||||
|
|
|
@ -244,7 +244,8 @@ public class OutputPortResource extends ApplicationResource {
|
||||||
value = "Deletes an output port",
|
value = "Deletes an output port",
|
||||||
response = PortEntity.class,
|
response = PortEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /output-ports/{uuid}", type = "")
|
@Authorization(value = "Write - /output-ports/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -289,7 +290,12 @@ public class OutputPortResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable outputPort = lookup.getOutputPort(id);
|
final Authorizable outputPort = lookup.getOutputPort(id);
|
||||||
|
|
||||||
|
// ensure write permission to the output port
|
||||||
outputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
outputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
outputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteOutputPort(id),
|
() -> serviceFacade.verifyDeleteOutputPort(id),
|
||||||
(revision, portEntity) -> {
|
(revision, portEntity) -> {
|
||||||
|
|
|
@ -339,6 +339,8 @@ public class ProcessGroupResource extends ApplicationResource {
|
||||||
response = ProcessGroupEntity.class,
|
response = ProcessGroupEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /process-groups/{uuid}", type = ""),
|
@Authorization(value = "Write - /process-groups/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Read - any referenced Controller Services by any encapsulated components - /controller-services/{uuid}", type = ""),
|
||||||
@Authorization(value = "Write - /{component-type}/{uuid} - For all encapsulated components", type = "")
|
@Authorization(value = "Write - /{component-type}/{uuid} - For all encapsulated components", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -384,12 +386,18 @@ public class ProcessGroupResource extends ApplicationResource {
|
||||||
requestProcessGroupEntity,
|
requestProcessGroupEntity,
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final NiFiUser user = NiFiUserUtils.getNiFiUser();
|
|
||||||
final ProcessGroupAuthorizable processGroupAuthorizable = lookup.getProcessGroup(id);
|
final ProcessGroupAuthorizable processGroupAuthorizable = lookup.getProcessGroup(id);
|
||||||
|
|
||||||
// ensure write to this process group and all encapsulated components including templates and controller services. additionally, ensure
|
// ensure write to this process group and all encapsulated components including templates and controller services. additionally, ensure
|
||||||
// read to any referenced services by encapsulated components
|
// read to any referenced services by encapsulated components
|
||||||
authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, true, true, false);
|
authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, true, true, false);
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group, if applicable... if this is the root group the
|
||||||
|
// request will fail later but still need to handle authorization here
|
||||||
|
final Authorizable parentAuthorizable = processGroupAuthorizable.getAuthorizable().getParentAuthorizable();
|
||||||
|
if (parentAuthorizable != null) {
|
||||||
|
parentAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
}
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteProcessGroup(id),
|
() -> serviceFacade.verifyDeleteProcessGroup(id),
|
||||||
(revision, processGroupEntity) -> {
|
(revision, processGroupEntity) -> {
|
||||||
|
|
|
@ -496,6 +496,7 @@ public class ProcessorResource extends ApplicationResource {
|
||||||
response = ProcessorEntity.class,
|
response = ProcessorEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /processors/{uuid}", type = ""),
|
@Authorization(value = "Write - /processors/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
|
||||||
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -540,8 +541,13 @@ public class ProcessorResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final ConfigurableComponentAuthorizable processor = lookup.getProcessor(id);
|
final ConfigurableComponentAuthorizable processor = lookup.getProcessor(id);
|
||||||
|
|
||||||
|
// ensure write permission to the processor
|
||||||
processor.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
processor.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
processor.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
// verify any referenced services
|
// verify any referenced services
|
||||||
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(processor, authorizer, lookup, false);
|
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(processor, authorizer, lookup, false);
|
||||||
},
|
},
|
||||||
|
|
|
@ -159,7 +159,8 @@ public class RemoteProcessGroupResource extends ApplicationResource {
|
||||||
value = "Deletes a remote process group",
|
value = "Deletes a remote process group",
|
||||||
response = RemoteProcessGroupEntity.class,
|
response = RemoteProcessGroupEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
|
@Authorization(value = "Write - /remote-process-groups/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -204,7 +205,12 @@ public class RemoteProcessGroupResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable remoteProcessGroup = lookup.getRemoteProcessGroup(id);
|
final Authorizable remoteProcessGroup = lookup.getRemoteProcessGroup(id);
|
||||||
|
|
||||||
|
// ensure write permission to the remote process group
|
||||||
remoteProcessGroup.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
remoteProcessGroup.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
remoteProcessGroup.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteRemoteProcessGroup(id),
|
() -> serviceFacade.verifyDeleteRemoteProcessGroup(id),
|
||||||
(revision, remoteProcessGroupEntity) -> {
|
(revision, remoteProcessGroupEntity) -> {
|
||||||
|
|
|
@ -465,6 +465,7 @@ public class ReportingTaskResource extends ApplicationResource {
|
||||||
response = ReportingTaskEntity.class,
|
response = ReportingTaskEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /reporting-tasks/{uuid}", type = ""),
|
@Authorization(value = "Write - /reporting-tasks/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - /controller", type = ""),
|
||||||
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -510,8 +511,13 @@ public class ReportingTaskResource extends ApplicationResource {
|
||||||
requestRevision,
|
requestRevision,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final ConfigurableComponentAuthorizable reportingTask = lookup.getReportingTask(id);
|
final ConfigurableComponentAuthorizable reportingTask = lookup.getReportingTask(id);
|
||||||
|
|
||||||
|
// ensure write permission to the reporting task
|
||||||
reportingTask.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
reportingTask.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
reportingTask.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
// verify any referenced services
|
// verify any referenced services
|
||||||
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(reportingTask, authorizer, lookup, false);
|
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(reportingTask, authorizer, lookup, false);
|
||||||
},
|
},
|
||||||
|
|
|
@ -301,7 +301,8 @@ public class SnippetResource extends ApplicationResource {
|
||||||
value = "Deletes the components in a snippet and discards the snippet",
|
value = "Deletes the components in a snippet and discards the snippet",
|
||||||
response = SnippetEntity.class,
|
response = SnippetEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = "")
|
@Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -338,6 +339,9 @@ public class SnippetResource extends ApplicationResource {
|
||||||
// ensure write permission to every component in the snippet excluding referenced services
|
// ensure write permission to every component in the snippet excluding referenced services
|
||||||
final SnippetAuthorizable snippet = lookup.getSnippet(snippetId);
|
final SnippetAuthorizable snippet = lookup.getSnippet(snippetId);
|
||||||
authorizeSnippet(snippet, authorizer, lookup, RequestAction.WRITE, true, false);
|
authorizeSnippet(snippet, authorizer, lookup, RequestAction.WRITE, true, false);
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
snippet.getParentProcessGroup().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
() -> serviceFacade.verifyDeleteSnippet(snippetId, requestRevisions.stream().map(rev -> rev.getComponentId()).collect(Collectors.toSet())),
|
() -> serviceFacade.verifyDeleteSnippet(snippetId, requestRevisions.stream().map(rev -> rev.getComponentId()).collect(Collectors.toSet())),
|
||||||
(revisions, entity) -> {
|
(revisions, entity) -> {
|
||||||
|
|
|
@ -165,7 +165,8 @@ public class TemplateResource extends ApplicationResource {
|
||||||
value = "Deletes a template",
|
value = "Deletes a template",
|
||||||
response = TemplateEntity.class,
|
response = TemplateEntity.class,
|
||||||
authorizations = {
|
authorizations = {
|
||||||
@Authorization(value = "Write - /templates/{uuid}", type = "")
|
@Authorization(value = "Write - /templates/{uuid}", type = ""),
|
||||||
|
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
@ApiResponses(
|
@ApiResponses(
|
||||||
|
@ -197,7 +198,12 @@ public class TemplateResource extends ApplicationResource {
|
||||||
requestTemplateEntity,
|
requestTemplateEntity,
|
||||||
lookup -> {
|
lookup -> {
|
||||||
final Authorizable template = lookup.getTemplate(id).getAuthorizable();
|
final Authorizable template = lookup.getTemplate(id).getAuthorizable();
|
||||||
|
|
||||||
|
// ensure write permission to the template
|
||||||
template.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
template.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
|
|
||||||
|
// ensure write permission to the parent process group
|
||||||
|
template.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
|
||||||
},
|
},
|
||||||
null,
|
null,
|
||||||
(templateEntity) -> {
|
(templateEntity) -> {
|
||||||
|
|
|
@ -33,7 +33,7 @@ public class NiFiFlowTestAuthorizer implements Authorizer {
|
||||||
|
|
||||||
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
|
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
|
||||||
|
|
||||||
public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US";
|
public static final String PROXY_DN = "CN=localhost, OU=NIFI";
|
||||||
|
|
||||||
public static final String NONE_USER_DN = "none@nifi";
|
public static final String NONE_USER_DN = "none@nifi";
|
||||||
public static final String READ_USER_DN = "read@nifi";
|
public static final String READ_USER_DN = "read@nifi";
|
||||||
|
|
|
@ -33,7 +33,7 @@ public class NiFiTestAuthorizer implements Authorizer {
|
||||||
|
|
||||||
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
|
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
|
||||||
|
|
||||||
public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US";
|
public static final String PROXY_DN = "CN=localhost, OU=NIFI";
|
||||||
|
|
||||||
public static final String NONE_USER_DN = "none@nifi";
|
public static final String NONE_USER_DN = "none@nifi";
|
||||||
public static final String READ_USER_DN = "read@nifi";
|
public static final String READ_USER_DN = "read@nifi";
|
||||||
|
|
BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks
Executable file → Normal file
BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks
Executable file → Normal file
Binary file not shown.
BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ts.jks
Executable file → Normal file
BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ts.jks
Executable file → Normal file
Binary file not shown.
|
@ -953,6 +953,11 @@ nf.CanvasUtils = (function () {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ensure the user has write permissions to the current process group
|
||||||
|
if (nf.Canvas.canWrite() === false) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (nf.CanvasUtils.canModify(selection) === false) {
|
if (nf.CanvasUtils.canModify(selection) === false) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -505,7 +505,37 @@ nf.ControllerServices = (function () {
|
||||||
if (nf.Common.isDefinedAndNotNull(dataContext.component.parentGroupId)) {
|
if (nf.Common.isDefinedAndNotNull(dataContext.component.parentGroupId)) {
|
||||||
return dataContext.component.parentGroupId;
|
return dataContext.component.parentGroupId;
|
||||||
} else {
|
} else {
|
||||||
return 'Controller'
|
return 'Controller';
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if the user has write permissions for the parent of the specified controller service.
|
||||||
|
*
|
||||||
|
* @param dataContext
|
||||||
|
* @returns {boolean} whether the user has write permissions for the parent of the controller service
|
||||||
|
*/
|
||||||
|
var canWriteControllerServiceParent = function (dataContext) {
|
||||||
|
// we know the process group for this controller service is part
|
||||||
|
// of the current breadcrumb trail
|
||||||
|
var canWriteProcessGroupParent = function (processGroupId) {
|
||||||
|
var breadcrumbs = nf.ng.Bridge.injector.get('breadcrumbsCtrl').getBreadcrumbs();
|
||||||
|
|
||||||
|
var isAuthorized = false;
|
||||||
|
$.each(breadcrumbs, function (_, breadcrumbEntity) {
|
||||||
|
if (breadcrumbEntity.id === processGroupId) {
|
||||||
|
isAuthorized = breadcrumbEntity.permissions.canWrite;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
return isAuthorized;
|
||||||
|
};
|
||||||
|
|
||||||
|
if (nf.Common.isDefinedAndNotNull(dataContext.component.parentGroupId)) {
|
||||||
|
return canWriteProcessGroupParent(dataContext.component.parentGroupId);
|
||||||
|
} else {
|
||||||
|
return nf.Common.canModifyController();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -650,7 +680,7 @@ nf.ControllerServices = (function () {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dataContext.permissions.canWrite) {
|
if (dataContext.permissions.canWrite && canWriteControllerServiceParent(dataContext)) {
|
||||||
markup += '<div class="pointer delete-controller-service fa fa-trash" title="Remove" style="margin-top: 2px; margin-right: 3px;" ></div>';
|
markup += '<div class="pointer delete-controller-service fa fa-trash" title="Remove" style="margin-top: 2px; margin-right: 3px;" ></div>';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -754,7 +754,7 @@ nf.Settings = (function () {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dataContext.permissions.canWrite) {
|
if (dataContext.permissions.canWrite && nf.Common.canModifyController()) {
|
||||||
markup += '<div title="Remove" class="pointer delete-reporting-task fa fa-trash" style="margin-top: 2px; margin-right: 3px;" ></div>';
|
markup += '<div title="Remove" class="pointer delete-reporting-task fa fa-trash" style="margin-top: 2px; margin-right: 3px;" ></div>';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue