NIFI-2237:

- Updating Rest Endpoint documentation specifically regarding access policies.
- Ensuring the resource listing is accurate.
- Removing unnecessary code.

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java

@@ -34,30 +34,6 @@ public final class ResourceFactory {
         }
     };
 
-    private final static Resource CONTROLLER_SERVICE_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.ControllerService.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Controller Service";
-        }
-    };
-
-    private final static Resource FUNNEL_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.Funnel.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Funnel";
-        }
-    };
-
     private final static Resource FLOW_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -70,42 +46,6 @@ public final class ResourceFactory {
         }
     };
 
-    private final static Resource INPUT_PORT_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.InputPort.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Input Port";
-        }
-    };
-
-    private final static Resource LABEL_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.Label.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Label";
-        }
-    };
-
-    private final static Resource OUTPUT_PORT_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.OutputPort.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Output Port";
-        }
-    };
-
     private final static Resource POLICY_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -118,30 +58,6 @@ public final class ResourceFactory {
         }
     };
 
-    private final static Resource PROCESSOR_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.Processor.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Processor";
-        }
-    };
-
-    private final static Resource PROCESS_GROUP_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.ProcessGroup.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Process Group";
-        }
-    };
-
     private final static Resource COUNTERS_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -190,30 +106,6 @@ public final class ResourceFactory {
         }
     };
 
-    private final static Resource REMOTE_PROCESS_GROUP_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.RemoteProcessGroup.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Remote Process Group";
-        }
-    };
-
-    private final static Resource REPORTING_TASK_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.ReportingTask.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Reporting Task";
-        }
-    };
-
     private final static Resource RESOURCE_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -250,18 +142,6 @@ public final class ResourceFactory {
         }
     };
 
-    private final static Resource TEMPLATE_RESOURCE = new Resource() {
-        @Override
-        public String getIdentifier() {
-            return ResourceType.Template.getValue();
-        }
-
-        @Override
-        public String getName() {
-            return "Template";
-        }
-    };
-
     private final static Resource TENANT_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -296,24 +176,6 @@ public final class ResourceFactory {
         return CONTROLLER_RESOURCE;
     }
 
-    /**
-     * Gets the Resource for accessing Controller Services.
-     *
-     * @return The resource for accessing Controller Services
-     */
-    public static Resource getControllerServiceResource() {
-        return CONTROLLER_SERVICE_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Funnels.
-     *
-     * @return The resource for accessing Funnels.
-     */
-    public static Resource getFunnelResource() {
-        return FUNNEL_RESOURCE;
-    }
-
     /**
      * Gets the Resource for accessing the NiFi flow. This includes the data flow structure, component status, search results, and banner/about text.
      *
@@ -323,51 +185,6 @@ public final class ResourceFactory {
         return FLOW_RESOURCE;
     }
 
-    /**
-     * Gets the Resource for accessing Input Ports.
-     *
-     * @return The resource for accessing Input Ports
-     */
-    public static Resource getInputPortResource() {
-        return INPUT_PORT_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Labels.
-     *
-     * @return The resource for accessing Labels
-     */
-    public static Resource getLabelResource() {
-        return LABEL_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Output Ports.
-     *
-     * @return The resource for accessing Output Ports
-     */
-    public static Resource getOutputPortResource() {
-        return OUTPUT_PORT_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Processors.
-     *
-     * @return The resource for accessing Processors
-     */
-    public static Resource getProcessorResource() {
-        return PROCESSOR_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Process Groups.
-     *
-     * @return The resource for accessing Process Groups
-     */
-    public static Resource getProcessGroupResource() {
-        return PROCESS_GROUP_RESOURCE;
-    }
-
     /**
      * Gets the Resource for accessing the Counters..
      *
@@ -396,24 +213,6 @@ public final class ResourceFactory {
         return PROXY_RESOURCE;
     }
 
-    /**
-     * Gets the Resource for accessing Remote Process Groups.
-     *
-     * @return The resource accessing Remote Process Groups
-     */
-    public static Resource getRemoteProcessGroupResource() {
-        return REMOTE_PROCESS_GROUP_RESOURCE;
-    }
-
-    /**
-     * Gets the Resource for accessing Reporting Tasks.
-     *
-     * @return The resource for accessing Reporting Tasks
-     */
-    public static Resource getReportingTaskResource() {
-        return REPORTING_TASK_RESOURCE;
-    }
-
     /**
      * Gets the Resource for detailing all available NiFi Resources.
      *
@@ -442,15 +241,6 @@ public final class ResourceFactory {
         return SYSTEM_RESOURCE;
     }
 
-    /**
-     * Gets the Resource for accessing Templates.
-     *
-     * @return The Resource for accessing Tempaltes
-     */
-    public static Resource getTemplateResource() {
-        return TEMPLATE_RESOURCE;
-    }
-
     /**
      * Gets the Resource for accessing Tenants which includes creating, modifying, and deleting Users and UserGroups.
      *

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java

@@ -102,14 +102,18 @@ public class AccessPolicyResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{action}/{resource: .+}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
-            value = "Gets an access policy",
+            value = "Gets an access policy for the specified action and resource",
+            notes = "Will return the effective policy if no component specific policy exists for the specified action and resource. "
+                    + "Must have Read permissions to the policy with the desired action and resource. Permissions for the policy that is "
+                    + "returned will be indicated in the response. This means the client could be authorized to get the policy for a "
+                    + "given component but the effective policy may be inherited from an ancestor Process Group. If the client does not "
+                    + "have permissions to that policy, the response will not include the policy and the permissions in the response "
+                    + "will be marked accordingly. If the client does not have permissions to the policy of the desired action and resource "
+                    + "a 403 response will be returned.",
             response = AccessPolicyEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /policies/{resource}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -172,12 +176,11 @@ public class AccessPolicyResource extends ApplicationResource {
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates an access policy",
             response = AccessPolicyEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /policies/{resource}", type = "")
             }
     )
     @ApiResponses(
@@ -263,14 +266,11 @@ public class AccessPolicyResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets an access policy",
             response = AccessPolicyEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /policies/{resource}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -323,12 +323,11 @@ public class AccessPolicyResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a access policy",
             response = AccessPolicyEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /policies/{resource}", type = "")
             }
     )
     @ApiResponses(
@@ -412,12 +411,11 @@ public class AccessPolicyResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes an access policy",
             response = AccessPolicyEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /policies/{resource}", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java

@@ -29,13 +29,6 @@ import org.apache.nifi.authentication.LoginIdentityProvider;
 import org.apache.nifi.authentication.exception.IdentityAccessException;
 import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
 import org.apache.nifi.authorization.AccessDeniedException;
-import org.apache.nifi.authorization.AuthorizationRequest;
-import org.apache.nifi.authorization.AuthorizationResult;
-import org.apache.nifi.authorization.AuthorizationResult.Result;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.UserContextKeys;
-import org.apache.nifi.authorization.resource.ResourceFactory;
 import org.apache.nifi.authorization.user.NiFiUser;
 import org.apache.nifi.authorization.user.NiFiUserDetails;
 import org.apache.nifi.authorization.user.NiFiUserUtils;
@@ -78,8 +71,6 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.net.URI;
 import java.security.cert.X509Certificate;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -105,33 +96,6 @@ public class AccessResource extends ApplicationResource {
 
     private KerberosService kerberosService;
 
-    private Authorizer authorizer;
-
-    /**
-     * Authorizes access to the flow.
-     */
-    private boolean hasFlowAccess(final NiFiUser user) {
-        final Map<String,String> userContext;
-        if (!StringUtils.isBlank(user.getClientAddress())) {
-            userContext = new HashMap<>();
-            userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
-        } else {
-            userContext = null;
-        }
-
-        final AuthorizationRequest request = new AuthorizationRequest.Builder()
-                .resource(ResourceFactory.getFlowResource())
-                .identity(user.getIdentity())
-                .anonymous(user.isAnonymous())
-                .accessAttempt(true)
-                .action(RequestAction.READ)
-                .userContext(userContext)
-                .build();
-
-        final AuthorizationResult result = authorizer.authorize(request);
-        return Result.Approved.equals(result.getResult());
-    }
-
     /**
      * Retrieves the access configuration for this NiFi.
      *
@@ -173,6 +137,7 @@ public class AccessResource extends ApplicationResource {
     @Path("")
     @ApiOperation(
             value = "Gets the status the client's access",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = AccessStatusEntity.class
     )
     @ApiResponses(
@@ -507,9 +472,6 @@ public class AccessResource extends ApplicationResource {
     }
 
     // setters
-    public void setAuthorizer(Authorizer authorizer) {
-        this.authorizer = authorizer;
-    }
 
     public void setLoginIdentityProvider(LoginIdentityProvider loginIdentityProvider) {
         this.loginIdentityProvider = loginIdentityProvider;

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java

@@ -95,6 +95,8 @@ public abstract class ApplicationResource {
     public static final String PROXY_PORT_HTTP_HEADER = "X-ProxyPort";
     public static final String PROXY_CONTEXT_PATH_HTTP_HEADER = "X-ProxyContextPath";
 
+    protected static final String NON_GUARANTEED_ENDPOINT = "Note: This endpoint is subject to change as the NiFi and it's REST API evolve.";
+
     private static final Logger logger = LoggerFactory.getLogger(ApplicationResource.class);
 
     public static final String NODEWISE = "false";
@@ -686,9 +688,7 @@ public abstract class ApplicationResource {
      * @param method            the HTTP method to use
      * @param entity            the entity to replicate
      * @param headersToOverride the headers to override
-     *
      * @return the response from the request
-     *
      * @throws InterruptedException if interrupted while replicating the request
      * @see #replicate(String, Object, Map)
      */
@@ -851,7 +851,7 @@ public abstract class ApplicationResource {
         }
 
         public Response handshakeExceptionResponse(HandshakeException e) {
-            if(logger.isDebugEnabled()){
+            if (logger.isDebugEnabled()) {
                 logger.debug("Handshake failed, {}", e.getMessage());
             }
             ResponseCode handshakeRes = e.getResponseCode();

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java

@@ -32,8 +32,6 @@ import org.apache.nifi.connectable.Connectable;
 import org.apache.nifi.web.NiFiServiceFacade;
 import org.apache.nifi.web.Revision;
 import org.apache.nifi.web.api.dto.ConnectionDTO;
-import org.apache.nifi.web.api.dto.FlowFileSummaryDTO;
-import org.apache.nifi.web.api.dto.ListingRequestDTO;
 import org.apache.nifi.web.api.entity.ConnectionEntity;
 import org.apache.nifi.web.api.request.ClientIdParameter;
 import org.apache.nifi.web.api.request.LongParameter;
@@ -91,38 +89,6 @@ public class ConnectionResource extends ApplicationResource {
         return connectionEntity;
     }
 
-    /**
-     * Populate the URIs for the specified flowfile listing.
-     *
-     * @param connectionId connection
-     * @param flowFileListing flowfile listing
-     * @return dto
-     */
-    public ListingRequestDTO populateRemainingFlowFileListingContent(final String connectionId, final ListingRequestDTO flowFileListing) {
-        // uri of the listing
-        flowFileListing.setUri(generateResourceUri("connections", connectionId, "listing-requests", flowFileListing.getId()));
-
-        // uri of each flowfile
-        if (flowFileListing.getFlowFileSummaries() != null) {
-            for (final FlowFileSummaryDTO flowFile : flowFileListing.getFlowFileSummaries()) {
-                populateRemainingFlowFileContent(connectionId, flowFile);
-            }
-        }
-        return flowFileListing;
-    }
-
-    /**
-     * Populate the URIs for the specified flowfile.
-     *
-     * @param connectionId the connection id
-     * @param flowFile the flowfile
-     * @return the dto
-     */
-    public FlowFileSummaryDTO populateRemainingFlowFileContent(final String connectionId, final FlowFileSummaryDTO flowFile) {
-        flowFile.setUri(generateResourceUri("connections", connectionId, "flowfiles", flowFile.getUuid()));
-        return flowFile;
-    }
-
     /**
      * Retrieves the specified connection.
      *
@@ -134,14 +100,12 @@ public class ConnectionResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a connection",
             response = ConnectionEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read Source - /{component-type}/{uuid}", type = ""),
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
+                    @Authorization(value = "Read Destination - /{component-type}/{uuid}", type = "")
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -192,12 +156,14 @@ public class ConnectionResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a connection",
             response = ConnectionEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
+                    @Authorization(value = "Write Destination - /{component-type}/{uuid}", type = ""),
+                    @Authorization(value = "Write New Destination - /{component-type}/{uuid} - if updating Destination", type = ""),
+                    @Authorization(value = "Write Process Group - /process-groups/{uuid} - if updating Destination", type = "")
             }
     )
     @ApiResponses(
@@ -289,12 +255,12 @@ public class ConnectionResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a connection",
             response = ConnectionEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
+                    @Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java

@@ -16,25 +16,13 @@
  */
 package org.apache.nifi.web.api;
 
-import java.net.URI;
+import com.sun.jersey.api.core.ResourceContext;
-import java.util.HashMap;
+import com.wordnik.swagger.annotations.Api;
-import java.util.Map;
+import com.wordnik.swagger.annotations.ApiOperation;
-
+import com.wordnik.swagger.annotations.ApiParam;
-import javax.servlet.http.HttpServletRequest;
+import com.wordnik.swagger.annotations.ApiResponse;
-import javax.ws.rs.Consumes;
+import com.wordnik.swagger.annotations.ApiResponses;
-import javax.ws.rs.DELETE;
+import com.wordnik.swagger.annotations.Authorization;
-import javax.ws.rs.GET;
-import javax.ws.rs.HttpMethod;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AccessDeniedException;
 import org.apache.nifi.authorization.AuthorizationRequest;
@@ -60,13 +48,23 @@ import org.apache.nifi.web.api.entity.NodeEntity;
 import org.apache.nifi.web.api.entity.ReportingTaskEntity;
 import org.apache.nifi.web.api.request.DateTimeParameter;
 
-import com.sun.jersey.api.core.ResourceContext;
+import javax.servlet.http.HttpServletRequest;
-import com.wordnik.swagger.annotations.Api;
+import javax.ws.rs.Consumes;
-import com.wordnik.swagger.annotations.ApiOperation;
+import javax.ws.rs.DELETE;
-import com.wordnik.swagger.annotations.ApiParam;
+import javax.ws.rs.GET;
-import com.wordnik.swagger.annotations.ApiResponse;
+import javax.ws.rs.HttpMethod;
-import com.wordnik.swagger.annotations.ApiResponses;
+import javax.ws.rs.POST;
-import com.wordnik.swagger.annotations.Authorization;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
 
 /**
  * RESTful endpoint for managing a Flow Controller.
@@ -93,7 +91,7 @@ public class ControllerResource extends ApplicationResource {
     private void authorizeController(final RequestAction action) {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -126,15 +124,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("config")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN', 'ROLE_NIFI')")
     @ApiOperation(
             value = "Retrieves the configuration for this NiFi Controller",
             response = ControllerConfigurationEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN"),
-                @Authorization(value = "ROLE_NIFI", type = "ROLE_NIFI")
             }
     )
     @ApiResponses(
@@ -168,12 +162,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("config")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Retrieves the configuration for this NiFi",
             response = ControllerConfigurationEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(
@@ -233,12 +226,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("reporting-tasks")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a new reporting task",
             response = ReportingTaskEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(
@@ -315,12 +307,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("controller-services")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a new controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(
@@ -395,15 +386,12 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("cluster")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the contents of the cluster",
             notes = "Returns the contents of the cluster including all nodes and their status.",
             response = ClusterEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller", type = "")
-                    @Authorization(value = "DFM", type = "ROLE_DFM"),
-                    @Authorization(value = "Admin", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -447,14 +435,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("cluster/nodes/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a node in the cluster",
             response = NodeEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -507,7 +492,7 @@ public class ControllerResource extends ApplicationResource {
             value = "Updates a node in the cluster",
             response = NodeEntity.class,
             authorizations = {
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(
@@ -573,12 +558,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("cluster/nodes/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_ADMIN')")
     @ApiOperation(
             value = "Removes a node from the cluster",
             response = NodeEntity.class,
             authorizations = {
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(
@@ -631,12 +615,11 @@ public class ControllerResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("history")
-    // TODO - @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(
             value = "Purges history",
             response = HistoryEntity.class,
             authorizations = {
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
+                    @Authorization(value = "Write - /controller", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java

@@ -148,14 +148,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller-services/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -202,14 +199,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/descriptors")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a controller service property descriptor",
             response = PropertyDescriptorEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller-services/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -269,12 +263,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/state")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the state for a controller service",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller-services/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -325,12 +318,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/state/clear-requests")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Clears the state for a controller service",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller-services/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -358,8 +350,8 @@ public class ControllerServiceResource extends ApplicationResource {
         if (validationPhase || !isTwoPhaseRequest(httpServletRequest)) {
             // authorize access
             serviceFacade.authorizeAccess(lookup -> {
-                final Authorizable processor = lookup.getControllerService(id);
+                final Authorizable controllerService = lookup.getControllerService(id);
-                processor.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
+                controllerService.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
             });
         }
         if (validationPhase) {
@@ -387,14 +379,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/references")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /controller-services/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -440,12 +429,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/references")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a controller services references",
             response = ControllerServiceReferencingComponentsEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /{component-type}/{uuid} - For each referencing component specified", type = "")
             }
     )
     @ApiResponses(
@@ -555,12 +543,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller-services/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -639,12 +626,11 @@ public class ControllerServiceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /controller-services/{uuid}", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java

@@ -42,7 +42,6 @@ import org.apache.nifi.web.api.dto.CounterDTO;
 import org.apache.nifi.web.api.dto.CountersDTO;
 import org.apache.nifi.web.api.entity.CounterEntity;
 import org.apache.nifi.web.api.entity.CountersEntity;
-import org.apache.nifi.web.api.entity.Entity;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
@@ -85,7 +84,7 @@ public class CountersResource extends ApplicationResource {
     private void authorizeCounters(final RequestAction action) {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -119,14 +118,12 @@ public class CountersResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("") // necessary due to a bug in swagger
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the current counters for this NiFi",
-            response = Entity.class,
+            notes = NON_GUARANTEED_ENDPOINT,
+            response = CountersEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /counters", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -214,9 +211,10 @@ public class CountersResource extends ApplicationResource {
     // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates the specified counter. This will reset the counter value to 0",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = CounterEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /counters", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/DataTransferResource.java

@@ -119,7 +119,7 @@ public class DataTransferResource extends ApplicationResource {
 
     /**
      * Authorizes access to data transfers.
-     *
+     * <p>
      * Note: Protected for testing purposes
      */
     protected void authorizeDataTransfer(final ResourceType resourceType, final String identifier) {
@@ -129,7 +129,7 @@ public class DataTransferResource extends ApplicationResource {
             throw new IllegalArgumentException("The resource must be an Input or Output Port.");
         }
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -137,7 +137,6 @@ public class DataTransferResource extends ApplicationResource {
             userContext = null;
         }
 
-        // TODO - use DataTransferAuthorizable after looking up underlying component for consistentency
         final Resource resource = ResourceFactory.getComponentResource(resourceType, identifier, identifier);
         final AuthorizationRequest request = new AuthorizationRequest.Builder()
                 .resource(ResourceFactory.getDataTransferResource(resource))
@@ -158,14 +157,11 @@ public class DataTransferResource extends ApplicationResource {
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{portType}/{portId}/transactions")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Create a transaction to the specified output port or input port",
             response = TransactionResultEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/{component-type}/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -192,7 +188,7 @@ public class DataTransferResource extends ApplicationResource {
             InputStream inputStream) {
 
 
-        if(!PORT_TYPE_INPUT.equals(portType) && !PORT_TYPE_OUTPUT.equals(portType)){
+        if (!PORT_TYPE_INPUT.equals(portType) && !PORT_TYPE_OUTPUT.equals(portType)) {
             return responseCreator.wrongPortTypeResponse(portType, portId);
         }
 
@@ -235,14 +231,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_OCTET_STREAM)
     @Produces(MediaType.TEXT_PLAIN)
     @Path("input-ports/{portId}/transactions/{transactionId}/flow-files")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Transfer flow files to the input port",
             response = String.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/input-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -301,7 +294,7 @@ public class DataTransferResource extends ApplicationResource {
             return responseCreator.unexpectedErrorResponse(portId, e);
         }
 
-        String serverChecksum = ((HttpServerCommunicationsSession)peer.getCommunicationsSession()).getChecksum();
+        String serverChecksum = ((HttpServerCommunicationsSession) peer.getCommunicationsSession()).getChecksum();
         return responseCreator.acceptedResponse(transactionManager, serverChecksum, transportProtocolVersion);
     }
 
@@ -379,14 +372,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_OCTET_STREAM)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("output-ports/{portId}/transactions/{transactionId}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Commit or cancel the specified transaction",
             response = TransactionResultEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/output-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -445,12 +435,12 @@ public class DataTransferResource extends ApplicationResource {
             String inputErrMessage = null;
             if (responseCode == null) {
                 inputErrMessage = "responseCode is required.";
-            } else if(ResponseCode.CONFIRM_TRANSACTION.getCode() != responseCode
+            } else if (ResponseCode.CONFIRM_TRANSACTION.getCode() != responseCode
                     && ResponseCode.CANCEL_TRANSACTION.getCode() != responseCode) {
                 inputErrMessage = "responseCode " + responseCode + " is invalid. ";
             }
 
-            if (inputErrMessage != null){
+            if (inputErrMessage != null) {
                 entity.setMessage(inputErrMessage);
                 entity.setResponseCode(ResponseCode.ABORT.getCode());
                 return Response.status(Response.Status.BAD_REQUEST).entity(entity).build();
@@ -470,7 +460,7 @@ public class DataTransferResource extends ApplicationResource {
         } catch (Exception e) {
             HttpServerCommunicationsSession commsSession = (HttpServerCommunicationsSession) peer.getCommunicationsSession();
             logger.error("Failed to process the request", e);
-            if(ResponseCode.BAD_CHECKSUM.equals(commsSession.getResponseCode())){
+            if (ResponseCode.BAD_CHECKSUM.equals(commsSession.getResponseCode())) {
                 entity.setResponseCode(commsSession.getResponseCode().getCode());
                 entity.setMessage(e.getMessage());
 
@@ -489,14 +479,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_OCTET_STREAM)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("input-ports/{portId}/transactions/{transactionId}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Commit or cancel the specified transaction",
             response = TransactionResultEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/input-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -552,13 +539,13 @@ public class DataTransferResource extends ApplicationResource {
             String inputErrMessage = null;
             if (responseCode == null) {
                 inputErrMessage = "responseCode is required.";
-            } else if(ResponseCode.BAD_CHECKSUM.getCode() != responseCode
+            } else if (ResponseCode.BAD_CHECKSUM.getCode() != responseCode
                     && ResponseCode.CONFIRM_TRANSACTION.getCode() != responseCode
                     && ResponseCode.CANCEL_TRANSACTION.getCode() != responseCode) {
                 inputErrMessage = "responseCode " + responseCode + " is invalid. ";
             }
 
-            if (inputErrMessage != null){
+            if (inputErrMessage != null) {
                 entity.setMessage(inputErrMessage);
                 entity.setResponseCode(ResponseCode.ABORT.getCode());
                 return Response.status(Response.Status.BAD_REQUEST).entity(entity).build();
@@ -575,8 +562,8 @@ public class DataTransferResource extends ApplicationResource {
                 entity.setResponseCode(commsSession.getResponseCode().getCode());
                 entity.setFlowFileSent(flowFileSent);
 
-            } catch (IOException e){
+            } catch (IOException e) {
-                if (ResponseCode.BAD_CHECKSUM.getCode() == responseCode && e.getMessage().contains("Received a BadChecksum response")){
+                if (ResponseCode.BAD_CHECKSUM.getCode() == responseCode && e.getMessage().contains("Received a BadChecksum response")) {
                     // AbstractFlowFileServerProtocol throws IOException after it canceled transaction.
                     // This is a known behavior and if we return 500 with this exception,
                     // it's not clear if there is an issue at server side, or cancel operation has been accomplished.
@@ -610,14 +597,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_OCTET_STREAM)
     @Path("output-ports/{portId}/transactions/{transactionId}/flow-files")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Transfer flow files from the output port",
             response = StreamingOutput.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/output-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -665,13 +649,13 @@ public class DataTransferResource extends ApplicationResource {
                 @Override
                 public void write(OutputStream outputStream) throws IOException, WebApplicationException {
 
-                    HttpOutput output = (HttpOutput)peer.getCommunicationsSession().getOutput();
+                    HttpOutput output = (HttpOutput) peer.getCommunicationsSession().getOutput();
                     output.setOutputStream(outputStream);
 
                     try {
                         int numOfFlowFiles = serverProtocol.getPort().transferFlowFiles(peer, serverProtocol);
                         logger.debug("finished transferring flow files, numOfFlowFiles={}", numOfFlowFiles);
-                        if(numOfFlowFiles < 1){
+                        if (numOfFlowFiles < 1) {
                             // There was no flow file to transfer. Throw this exception to stop responding with SEE OTHER.
                             throw new WebApplicationException(Response.Status.OK);
                         }
@@ -697,14 +681,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("input-ports/{portId}/transactions/{transactionId}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Extend transaction TTL",
             response = TransactionResultEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/input-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -735,14 +716,11 @@ public class DataTransferResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("output-ports/{portId}/transactions/{transactionId}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Extend transaction TTL",
             response = TransactionResultEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Write - /data-transfer/output-ports/{uuid}", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -785,7 +763,7 @@ public class DataTransferResource extends ApplicationResource {
             return validationResult.errResponse;
         }
 
-        if(!PORT_TYPE_INPUT.equals(portType) && !PORT_TYPE_OUTPUT.equals(portType)){
+        if (!PORT_TYPE_INPUT.equals(portType) && !PORT_TYPE_OUTPUT.equals(portType)) {
             return responseCreator.wrongPortTypeResponse(portType, portId);
         }
 
@@ -826,7 +804,7 @@ public class DataTransferResource extends ApplicationResource {
 
     private ValidateRequestResult validateResult(HttpServletRequest req, String portId, String transactionId) {
         ValidateRequestResult result = new ValidateRequestResult();
-        if(!properties.isSiteToSiteHttpEnabled()) {
+        if (!properties.isSiteToSiteHttpEnabled()) {
             result.errResponse = responseCreator.httpSiteToSiteIsNotEnabledResponse();
             return result;
         }
@@ -838,7 +816,7 @@ public class DataTransferResource extends ApplicationResource {
             return result;
         }
 
-        if(!isEmpty(transactionId) && !transactionManager.isTransactionActive(transactionId)) {
+        if (!isEmpty(transactionId) && !transactionManager.isTransactionActive(transactionId)) {
             result.errResponse = responseCreator.transactionNotFoundResponse(portId, transactionId);
             return result;
         }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowFileQueueResource.java

@@ -122,11 +122,10 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/flowfiles/{flowfile-uuid}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets a FlowFile from a Connection.",
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -198,11 +197,10 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.WILDCARD)
     @Path("{id}/flowfiles/{flowfile-uuid}/content")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the content for a FlowFile in a Connection.",
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -294,12 +292,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/listing-requests")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Lists the contents of the queue in this connection.",
             response = ListingRequestEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -366,12 +363,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/listing-requests/{listing-request-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the current status of a listing request for the specified connection.",
             response = ListingRequestEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -429,12 +425,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/listing-requests/{listing-request-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Cancels and/or removes a request to list the contents of this connection.",
             response = DropRequestEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -504,12 +499,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/drop-requests")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a request to drop the contents of the queue in this connection.",
             response = DropRequestEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -575,12 +569,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/drop-requests/{drop-request-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the current status of a drop request for the specified connection.",
             response = DropRequestEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -638,12 +631,11 @@ public class FlowFileQueueResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/drop-requests/{drop-request-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Cancels and/or removes a request to drop the contents of this connection.",
             response = DropRequestEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Source Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java

@@ -103,7 +103,6 @@ import org.apache.nifi.web.api.entity.StatusHistoryEntity;
 import org.apache.nifi.web.api.entity.TemplateEntity;
 import org.apache.nifi.web.api.entity.TemplatesEntity;
 import org.apache.nifi.web.api.request.BulletinBoardPatternParameter;
-import org.apache.nifi.web.api.request.ClientIdParameter;
 import org.apache.nifi.web.api.request.DateTimeParameter;
 import org.apache.nifi.web.api.request.IntegerParameter;
 import org.apache.nifi.web.api.request.LongParameter;
@@ -212,7 +211,7 @@ public class FlowResource extends ApplicationResource {
     private void authorizeFlow() {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -249,9 +248,7 @@ public class FlowResource extends ApplicationResource {
             value = "Generates a client id.",
             response = String.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -259,7 +256,6 @@ public class FlowResource extends ApplicationResource {
                     @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                     @ApiResponse(code = 401, message = "Client could not be authenticated."),
                     @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
-                    @ApiResponse(code = 404, message = "The specified resource could not be found."),
                     @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
             }
     )
@@ -277,15 +273,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("config")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN', 'ROLE_NIFI')")
     @ApiOperation(
             value = "Retrieves the configuration for this NiFi flow",
             response = FlowConfigurationEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN"),
-                    @Authorization(value = "ROLE_NIFI", type = "ROLE_NIFI")
             }
     )
     @ApiResponses(
@@ -319,7 +311,10 @@ public class FlowResource extends ApplicationResource {
     @Path("current-user")
     @ApiOperation(
             value = "Retrieves the user identity of the user making the request",
-            response = CurrentUserEntity.class
+            response = CurrentUserEntity.class,
+            authorizations = {
+                    @Authorization(value = "Read - /flow", type = "")
+            }
     )
     public Response getCurrentUser() {
 
@@ -357,9 +352,7 @@ public class FlowResource extends ApplicationResource {
             value = "Gets a process group",
             response = ProcessGroupFlowEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -403,14 +396,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("controller/controller-services")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all controller services",
             response = ControllerServicesEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -451,14 +441,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("process-groups/{id}/controller-services")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all controller services",
             response = ControllerServicesEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -497,23 +484,17 @@ public class FlowResource extends ApplicationResource {
     /**
      * Retrieves all the of reporting tasks in this NiFi.
      *
-     * @param clientId Optional client id. If the client id is not specified, a
-     * new one will be generated. This value (whether specified or generated) is
-     * included in the response.
      * @return A reportingTasksEntity.
      */
     @GET
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("reporting-tasks")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all reporting tasks",
             response = ReportingTasksEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -524,12 +505,7 @@ public class FlowResource extends ApplicationResource {
                     @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
             }
     )
-    public Response getReportingTasks(
+    public Response getReportingTasks() {
-        @ApiParam(
-            value = "If the client id is not specified, new one will be generated. This value (whether specified or generated) is included in the response.",
-            required = false
-        )
-        @QueryParam(CLIENT_ID) @DefaultValue(StringUtils.EMPTY) ClientIdParameter clientId) {
 
         authorizeFlow();
 
@@ -561,12 +537,13 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("process-groups/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
-        value = "Updates a process group",
+            value = "Schedule or unschedule comopnents in the specified Process Group.",
+            notes = "",
             response = ScheduleComponentsEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Read - /flow", type = ""),
+                    @Authorization(value = "Write - /{component-type}/{uuid} - For every component being scheduled/unscheduled", type = "")
             }
     )
     @ApiResponses(
@@ -587,8 +564,6 @@ public class FlowResource extends ApplicationResource {
             @PathParam("id") String id,
             ScheduleComponentsEntity scheduleComponentsEntity) {
 
-        authorizeFlow();
-
         // ensure the same id is being used
         if (!id.equals(scheduleComponentsEntity.getId())) {
             throw new IllegalArgumentException(String.format("The process group id (%s) in the request body does "
@@ -669,6 +644,9 @@ public class FlowResource extends ApplicationResource {
                 serviceFacade,
                 revisions,
                 lookup -> {
+                    // ensure access to the flow
+                    authorizeFlow();
+
                     // ensure access to every component being scheduled
                     componentsToSchedule.keySet().forEach(componentId -> {
                         final Authorizable connectable = lookup.getConnectable(componentId);
@@ -699,14 +677,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("search-results")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Performs a search against this NiFi using the specified search term",
+            notes = "Only search results from authorized components will be returned.",
             response = SearchResultsEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -741,14 +717,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the current status of this NiFi",
             response = ControllerStatusEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -787,14 +760,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("cluster/summary")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the current status of this NiFi",
             response = ControllerStatusEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -846,14 +816,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("controller/bulletins")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves Controller level bulletins",
             response = ControllerBulletinsEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -886,14 +853,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("banners")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves the banners for this NiFi",
             response = BannerEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -934,14 +898,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("processor-types")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves the types of processors that this NiFi supports",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ProcessorTypesEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -974,14 +936,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("controller-service-types")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves the types of controller services that this NiFi supports",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ControllerServiceTypesEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -998,6 +958,7 @@ public class FlowResource extends ApplicationResource {
                     required = false
             )
             @QueryParam("serviceType") String serviceType) throws InterruptedException {
+
         authorizeFlow();
 
         // create response entity
@@ -1018,14 +979,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("reporting-task-types")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves the types of reporting tasks that this NiFi supports",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ReportingTaskTypesEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1057,14 +1016,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("prioritizers")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves the types of prioritizers that this NiFi supports",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = PrioritizerTypesEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1095,14 +1052,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("about")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Retrieves details about this NiFi to put in the About dialog",
             response = AboutEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1118,7 +1072,7 @@ public class FlowResource extends ApplicationResource {
 
         // create the about dto
         final AboutDTO aboutDTO = new AboutDTO();
-        aboutDTO.setTitle("NiFi"); // TODO - where to load title from
+        aboutDTO.setTitle("NiFi");
         aboutDTO.setVersion(getProperties().getUiTitle());
         aboutDTO.setUri(generateResourceUri());
 
@@ -1154,14 +1108,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("bulletin-board")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets current bulletins",
             response = BulletinBoardEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1259,14 +1210,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("processors/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status for a processor",
             response = ProcessorStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1341,14 +1289,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("input-ports/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status for an input port",
             response = PortStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1423,14 +1368,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("output-ports/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status for an output port",
             response = PortStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1505,14 +1447,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("remote-process-groups/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status for a remote process group",
             response = ProcessorStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1588,17 +1527,13 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("process-groups/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN', 'ROLE_NIFI')")
     @ApiOperation(
             value = "Gets the status for a process group",
             notes = "The status for a process group includes status for all descendent components. When invoked on the root group with "
                     + "recursive set to true, it will return the current status of every component in the flow.",
             response = ProcessGroupStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN"),
-            @Authorization(value = "NiFi", type = "ROLE_NIFI")
             }
     )
     @ApiResponses(
@@ -1699,14 +1634,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("connections/{id}/status")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status for a connection",
             response = ConnectionStatusEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1785,14 +1717,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("processors/{id}/status/history")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status history for a processor",
             response = StatusHistoryEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1840,14 +1769,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("process-groups/{id}/status/history")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets status history for a remote process group",
             response = StatusHistoryEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1895,14 +1821,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("remote-process-groups/{id}/status/history")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the status history",
             response = StatusHistoryEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1950,14 +1873,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("connections/{id}/status/history")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the status history for a connection",
             response = StatusHistoryEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2027,14 +1947,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("history")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets configuration history",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = HistoryEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2166,15 +2084,13 @@ public class FlowResource extends ApplicationResource {
     @GET
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @Path("history/{id}")
     @ApiOperation(
             value = "Gets an action",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ActionEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2223,14 +2139,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("history/components/{componentId}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets configuration history for a processor",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ComponentHistoryEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2274,14 +2188,11 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("templates")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all templates",
             response = TemplatesEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2328,14 +2239,12 @@ public class FlowResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("cluster/search-results")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Searches the cluster for a node with the specified address",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ClusterSearchResultsEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /flow", type = "")
-                    @Authorization(value = "DFM", type = "ROLE_DFM"),
-                    @Authorization(value = "Admin", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -2394,6 +2303,7 @@ public class FlowResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java

@@ -97,14 +97,11 @@ public class FunnelResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a funnel",
             response = FunnelEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /funnels/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -152,12 +149,11 @@ public class FunnelResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a funnel",
             response = FunnelEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /funnels/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -236,12 +232,11 @@ public class FunnelResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a funnel",
             response = FunnelEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /funnels/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -294,6 +289,7 @@ public class FunnelResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java

@@ -97,14 +97,11 @@ public class InputPortResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets an input port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /input-ports/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -152,12 +149,11 @@ public class InputPortResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates an input port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /input-ports/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -233,12 +229,11 @@ public class InputPortResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes an input port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /input-ports/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -291,6 +286,7 @@ public class InputPortResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java

@@ -97,14 +97,11 @@ public class LabelResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a label",
             response = LabelEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /labels/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -152,12 +149,11 @@ public class LabelResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a label",
             response = LabelEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /labels/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -233,12 +229,11 @@ public class LabelResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a label",
             response = LabelEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /labels/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -291,6 +286,7 @@ public class LabelResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java

@@ -97,14 +97,11 @@ public class OutputPortResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets an output port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /output-ports/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -152,12 +149,11 @@ public class OutputPortResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates an output port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /output-ports/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -233,12 +229,11 @@ public class OutputPortResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes an output port",
             response = PortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /output-ports/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -291,6 +286,7 @@ public class OutputPortResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java

@@ -179,14 +179,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a process group",
             response = ProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -238,12 +235,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a process group",
             response = ProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -319,12 +315,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a process group",
             response = ProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -391,12 +386,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/process-groups")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a process group",
             response = ProcessGroupEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -477,14 +471,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/process-groups")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all process groups",
             response = ProcessorsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -547,12 +538,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/processors")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a new processor",
             response = ProcessorEntity.class,
             authorizations = {
-            @Authorization(value = "ROLE_DFM", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -638,14 +628,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/processors")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all processors",
             response = ProcessorsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -701,12 +688,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/input-ports")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates an input port",
             response = PortEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -786,14 +772,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/input-ports")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all input ports",
             response = InputPortsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -848,12 +831,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/output-ports")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates an output port",
             response = PortEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -933,14 +915,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/output-ports")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all output ports",
             response = OutputPortsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -996,12 +975,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/funnels")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a funnel",
             response = FunnelEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -1081,14 +1059,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/funnels")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all funnels",
             response = FunnelsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1144,12 +1119,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/labels")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a label",
             response = LabelEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -1229,14 +1203,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/labels")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all labels",
             response = LabelsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1292,12 +1263,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/remote-process-groups")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a new process group",
             response = RemoteProcessGroupEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -1408,14 +1378,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/remote-process-groups")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all remote process groups",
             response = RemoteProcessGroupsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1478,12 +1445,13 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/connections")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a connection",
             response = ConnectionEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = ""),
+                    @Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
+                    @Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -1585,14 +1553,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/connections")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all connections",
             response = ConnectionsEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /process-groups/{uuid}", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -1639,7 +1604,7 @@ public class ProcessGroupResource extends ApplicationResource {
     /**
      * Copies the specified snippet within this ProcessGroup. The snippet instance that is instantiated cannot be referenced at a later time, therefore there is no
      * corresponding URI. Instead the request URI is returned.
-     *
+     * <p>
      * Alternatively, we could have performed a PUT request. However, PUT requests are supposed to be idempotent and this endpoint is certainly not.
      *
      * @param httpServletRequest request
@@ -1651,12 +1616,12 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/snippet-instance")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Copies a snippet",
             response = FlowSnippetEntity.class,
             authorizations = {
-            @Authorization(value = "ROLE_DFM", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = ""),
+                    @Authorization(value = "Read - /{component-type}/{uuid} - For each component in the snippet", type = "")
             }
     )
     @ApiResponses(
@@ -1731,7 +1696,7 @@ public class ProcessGroupResource extends ApplicationResource {
     /**
      * Instantiates the specified template within this ProcessGroup. The template instance that is instantiated cannot be referenced at a later time, therefore there is no
      * corresponding URI. Instead the request URI is returned.
-     *
+     * <p>
      * Alternatively, we could have performed a PUT request. However, PUT requests are supposed to be idempotent and this endpoint is certainly not.
      *
      * @param httpServletRequest               request
@@ -1743,12 +1708,12 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/template-instance")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Instantiates a template",
             response = FlowEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = ""),
+                    @Authorization(value = "Read - /templates/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -1839,12 +1804,12 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/templates")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a template",
             response = TemplateEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = ""),
+                    @Authorization(value = "Read - /{component-type}/{uuid} - For each component in the snippet", type = "")
             }
     )
     @ApiResponses(
@@ -1914,7 +1879,21 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.MULTIPART_FORM_DATA)
     @Produces(MediaType.APPLICATION_XML)
     @Path("{id}/templates/upload")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
+    @ApiOperation(
+            value = "Uploads a template",
+            response = TemplateEntity.class,
+            authorizations = {
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
+            }
+    )
+    @ApiResponses(
+            value = {
+                    @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
+                    @ApiResponse(code = 401, message = "Client could not be authenticated."),
+                    @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
+                    @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
+            }
+    )
     public Response uploadTemplate(
             @Context final HttpServletRequest httpServletRequest,
             @ApiParam(
@@ -1988,7 +1967,21 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_XML)
     @Produces(MediaType.APPLICATION_XML)
     @Path("{id}/templates/import")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
+    @ApiOperation(
+            value = "Imports a template",
+            response = TemplateEntity.class,
+            authorizations = {
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
+            }
+    )
+    @ApiResponses(
+            value = {
+                    @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
+                    @ApiResponse(code = 401, message = "Client could not be authenticated."),
+                    @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
+                    @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
+            }
+    )
     public Response importTemplate(
             @Context final HttpServletRequest httpServletRequest,
             @ApiParam(
@@ -2059,12 +2052,11 @@ public class ProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/controller-services")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a new controller service",
             response = ControllerServiceEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -2139,6 +2131,7 @@ public class ProcessGroupResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java

@@ -144,14 +144,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a processor",
             response = ProcessorEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /processors/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -200,14 +197,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}/descriptors")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the descriptor for a processor property",
             response = PropertyDescriptorEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /processors/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -273,12 +267,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}/state")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the state for a processor",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /processors/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -330,12 +323,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/state/clear-requests")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Clears the state for a processor",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /processors/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -395,12 +387,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a processor",
             response = ProcessorEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /processors/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -477,12 +468,11 @@ public class ProcessorResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a processor",
             response = ProcessorEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /processors/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -536,6 +526,7 @@ public class ProcessorResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceEventResource.java

@@ -27,9 +27,7 @@ import org.apache.nifi.controller.repository.claim.ContentDirection;
 import org.apache.nifi.stream.io.StreamUtils;
 import org.apache.nifi.web.DownloadableContent;
 import org.apache.nifi.web.NiFiServiceFacade;
-import org.apache.nifi.web.api.dto.provenance.ProvenanceDTO;
 import org.apache.nifi.web.api.dto.provenance.ProvenanceEventDTO;
-import org.apache.nifi.web.api.dto.provenance.lineage.LineageDTO;
 import org.apache.nifi.web.api.entity.ProvenanceEventEntity;
 import org.apache.nifi.web.api.entity.SubmitReplayRequestEntity;
 import org.apache.nifi.web.api.request.LongParameter;
@@ -66,22 +64,6 @@ public class ProvenanceEventResource extends ApplicationResource {
 
     private NiFiServiceFacade serviceFacade;
 
-    /**
-     * Populates the uri for the specified provenance.
-     */
-    private ProvenanceDTO populateRemainingProvenanceContent(ProvenanceDTO provenance) {
-        provenance.setUri(generateResourceUri("provenance", provenance.getId()));
-        return provenance;
-    }
-
-    /**
-     * Populates the uri for the specified lineage.
-     */
-    private LineageDTO populateRemainingLineageContent(LineageDTO lineage) {
-        lineage.setUri(generateResourceUri("provenance", "lineage", lineage.getId()));
-        return lineage;
-    }
-
     /**
      * Gets the content for the input of the specified event.
      *
@@ -93,11 +75,10 @@ public class ProvenanceEventResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.WILDCARD)
     @Path("{id}/content/input")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets the input content for a provenance event",
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read Component Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -176,11 +157,10 @@ public class ProvenanceEventResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.WILDCARD)
     @Path("{id}/content/output")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets the output content for a provenance event",
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read Component Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -259,12 +239,11 @@ public class ProvenanceEventResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets a provenance event",
             response = ProvenanceEventEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read Component Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -283,7 +262,7 @@ public class ProvenanceEventResource extends ApplicationResource {
             )
             @QueryParam("clusterNodeId") final String clusterNodeId,
             @ApiParam(
-                    value = "The provenence event id.",
+                    value = "The provenance event id.",
                     required = true
             )
             @PathParam("id") final LongParameter id) {
@@ -326,12 +305,12 @@ public class ProvenanceEventResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("replays")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE') and hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Replays content from a provenance event",
             response = ProvenanceEventEntity.class,
             authorizations = {
-                    @Authorization(value = "Provenance and Data Flow Manager", type = "ROLE_PROVENANCE and ROLE_DFM")
+                    @Authorization(value = "Read Component Data - /data/{component-type}/{uuid}", type = ""),
+                    @Authorization(value = "Write Component Data - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java

@@ -93,7 +93,7 @@ public class ProvenanceResource extends ApplicationResource {
     private void authorizeProvenanceRequest() {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -126,12 +126,11 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("search-options")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets the searchable attributes for provenance events",
             response = ProvenanceOptionsEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = "")
             }
     )
     @ApiResponses(
@@ -172,7 +171,6 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("") // necessary due to bug in swagger
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Submits a provenance query",
             notes = "Provenance queries may be long running so this endpoint submits a request. The response will include the "
@@ -181,7 +179,8 @@ public class ProvenanceResource extends ApplicationResource {
                     + "should be deleted by the client who originally submitted it.",
             response = ProvenanceEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = ""),
+                    @Authorization(value = "Read - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -268,12 +267,12 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets a provenance query",
             response = ProvenanceEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = ""),
+                    @Authorization(value = "Read - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -335,12 +334,11 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Deletes a provenance query",
             response = ProvenanceEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = "")
             }
     )
     @ApiResponses(
@@ -396,10 +394,10 @@ public class ProvenanceResource extends ApplicationResource {
 
     /**
      * Submits a lineage request based on an event or a flowfile uuid.
-     *
+     * <p>
      * When querying for the lineage of an event you must specify the eventId and the eventDirection. The eventDirection must be 'parents' or 'children' and specifies whether we are going up or down
      * the flowfile ancestry. The uuid cannot be specified in these cases.
-     *
+     * <p>
      * When querying for the lineage of a flowfile you must specify the uuid. The eventId and eventDirection cannot be specified in this case.
      *
      * @param httpServletRequest request
@@ -410,7 +408,6 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("lineage")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Submits a lineage query",
             notes = "Lineage queries may be long running so this endpoint submits a request. The response will include the "
@@ -419,7 +416,8 @@ public class ProvenanceResource extends ApplicationResource {
                     + "should be deleted by the client who originally submitted it.",
             response = LineageEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = ""),
+                    @Authorization(value = "Read - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -512,12 +510,12 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("lineage/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Gets a lineage query",
             response = LineageEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = ""),
+                    @Authorization(value = "Read - /data/{component-type}/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -573,12 +571,11 @@ public class ProvenanceResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("lineage/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_PROVENANCE')")
     @ApiOperation(
             value = "Deletes a lineage query",
             response = LineageEntity.class,
             authorizations = {
-                @Authorization(value = "Provenance", type = "ROLE_PROVENANCE")
+                    @Authorization(value = "Read - /provenance", type = "")
             }
     )
     @ApiResponses(
@@ -627,6 +624,7 @@ public class ProvenanceResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java

@@ -101,14 +101,11 @@ public class RemoteProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a remote process group",
             response = RemoteProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /remote-process-groups/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -157,12 +154,11 @@ public class RemoteProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a remote process group",
             response = RemoteProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -220,19 +216,18 @@ public class RemoteProcessGroupResource extends ApplicationResource {
      * @param id                           The id of the remote process group to update.
      * @param portId                       The id of the input port to update.
      * @param remoteProcessGroupPortEntity The remoteProcessGroupPortEntity
-     *
      * @return A remoteProcessGroupPortEntity
      */
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/input-ports/{port-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a remote port",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = RemoteProcessGroupPortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -308,19 +303,18 @@ public class RemoteProcessGroupResource extends ApplicationResource {
      * @param id                           The id of the remote process group to update.
      * @param portId                       The id of the output port to update.
      * @param remoteProcessGroupPortEntity The remoteProcessGroupPortEntity
-     *
      * @return A remoteProcessGroupPortEntity
      */
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/output-ports/{port-id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a remote port",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = RemoteProcessGroupPortEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -402,12 +396,11 @@ public class RemoteProcessGroupResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a remote process group",
             response = RemoteProcessGroupEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -496,6 +489,7 @@ public class RemoteProcessGroupResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java

@@ -135,14 +135,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a reporting task",
             response = ReportingTaskEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /reporting-tasks/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -189,14 +186,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/descriptors")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a reporting task property descriptor",
             response = PropertyDescriptorEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /reporting-tasks/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -256,12 +250,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/state")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Gets the state for a reporting task",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /reporting-tasks/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -312,12 +305,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}/state/clear-requests")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_DFM')")
     @ApiOperation(
             value = "Clears the state for a reporting task",
             response = ComponentStateDTO.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /reporting-tasks/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -376,12 +368,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a reporting task",
             response = ReportingTaskEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /reporting-tasks/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -460,12 +451,11 @@ public class ReportingTaskResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a reporting task",
             response = ReportingTaskEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /reporting-tasks/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -518,6 +508,7 @@ public class ReportingTaskResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java

@@ -16,18 +16,11 @@
  */
 package org.apache.nifi.web.api;
 
-import java.util.HashMap;
+import com.wordnik.swagger.annotations.Api;
-import java.util.List;
+import com.wordnik.swagger.annotations.ApiOperation;
-import java.util.Map;
+import com.wordnik.swagger.annotations.ApiResponse;
-
+import com.wordnik.swagger.annotations.ApiResponses;
-import javax.ws.rs.Consumes;
+import com.wordnik.swagger.annotations.Authorization;
-import javax.ws.rs.GET;
-import javax.ws.rs.HttpMethod;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AccessDeniedException;
 import org.apache.nifi.authorization.AuthorizationRequest;
@@ -43,11 +36,16 @@ import org.apache.nifi.web.NiFiServiceFacade;
 import org.apache.nifi.web.api.dto.ResourceDTO;
 import org.apache.nifi.web.api.entity.ResourcesEntity;
 
-import com.wordnik.swagger.annotations.Api;
+import javax.ws.rs.Consumes;
-import com.wordnik.swagger.annotations.ApiOperation;
+import javax.ws.rs.GET;
-import com.wordnik.swagger.annotations.ApiResponse;
+import javax.ws.rs.HttpMethod;
-import com.wordnik.swagger.annotations.ApiResponses;
+import javax.ws.rs.Path;
-import com.wordnik.swagger.annotations.Authorization;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  * RESTful endpoint for retrieving system diagnostics.
@@ -65,7 +63,7 @@ public class ResourceResource extends ApplicationResource {
     private void authorizeResource() {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -97,14 +95,11 @@ public class ResourceResource extends ApplicationResource {
     @GET
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the available resources that support access/authorization policies",
             response = ResourcesEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /resources", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -120,7 +115,6 @@ public class ResourceResource extends ApplicationResource {
             return replicate(HttpMethod.GET);
         }
 
-        // TODO - if unsecure, return no resources?
         final List<ResourceDTO> resources = serviceFacade.getResources();
 
         // create the response
@@ -132,6 +126,7 @@ public class ResourceResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java

@@ -34,6 +34,11 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
+import com.wordnik.swagger.annotations.Api;
+import com.wordnik.swagger.annotations.ApiOperation;
+import com.wordnik.swagger.annotations.ApiResponse;
+import com.wordnik.swagger.annotations.ApiResponses;
+import com.wordnik.swagger.annotations.Authorization;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.authorization.AccessDeniedException;
 import org.apache.nifi.authorization.AuthorizationRequest;
@@ -60,11 +65,20 @@ import org.apache.nifi.web.api.entity.PeersEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.wordnik.swagger.annotations.Api;
+import javax.servlet.http.HttpServletRequest;
-import com.wordnik.swagger.annotations.ApiOperation;
+import javax.ws.rs.Consumes;
-import com.wordnik.swagger.annotations.ApiResponse;
+import javax.ws.rs.GET;
-import com.wordnik.swagger.annotations.ApiResponses;
+import javax.ws.rs.HttpMethod;
-import com.wordnik.swagger.annotations.Authorization;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import static org.apache.commons.lang3.StringUtils.isEmpty;
 
 /**
  * RESTful endpoint for managing a SiteToSite connection.
@@ -81,8 +95,6 @@ public class SiteToSiteResource extends ApplicationResource {
     private NiFiServiceFacade serviceFacade;
     private ClusterCoordinator clusterCoordinator;
     private Authorizer authorizer;
-    public static final String CHECK_SUM = "checksum";
-    public static final String RESPONSE_CODE = "responseCode";
 
     private final ResponseCreator responseCreator = new ResponseCreator();
     private final VersionNegotiator transportProtocolVersionNegotiator = new TransportProtocolVersionNegotiator(1);
@@ -90,7 +102,7 @@ public class SiteToSiteResource extends ApplicationResource {
 
     /**
      * Authorizes access to Site To Site details.
-     *
+     * <p>
      * Note: Protected for testing purposes
      */
     protected void authorizeSiteToSite() {
@@ -119,11 +131,12 @@ public class SiteToSiteResource extends ApplicationResource {
     @GET
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasRole('ROLE_NIFI')")
     @ApiOperation(
             value = "Returns the details about this NiFi necessary to communicate via site to site",
             response = ControllerEntity.class,
-            authorizations = @Authorization(value = "NiFi", type = "ROLE_NIFI")
+            authorizations = {
+                    @Authorization(value = "Read - /site-to-site", type = "")
+            }
     )
     @ApiResponses(
             value = {
@@ -174,7 +187,9 @@ public class SiteToSiteResource extends ApplicationResource {
     @ApiOperation(
             value = "Returns the available Peers and its status of this NiFi",
             response = PeersEntity.class,
-            authorizations = @Authorization(value = "NiFi", type = "ROLE_NIFI")
+            authorizations = {
+                    @Authorization(value = "Read - /site-to-site", type = "")
+            }
     )
     @ApiResponses(
             value = {
@@ -246,6 +261,7 @@ public class SiteToSiteResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(final NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java

@@ -16,9 +16,20 @@
  */
 package org.apache.nifi.web.api;
 
-import java.net.URI;
+import com.wordnik.swagger.annotations.Api;
-import java.util.Set;
+import com.wordnik.swagger.annotations.ApiOperation;
-import java.util.stream.Collectors;
+import com.wordnik.swagger.annotations.ApiParam;
+import com.wordnik.swagger.annotations.ApiResponse;
+import com.wordnik.swagger.annotations.ApiResponses;
+import com.wordnik.swagger.annotations.Authorization;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.RequestAction;
+import org.apache.nifi.authorization.user.NiFiUserUtils;
+import org.apache.nifi.controller.Snippet;
+import org.apache.nifi.web.NiFiServiceFacade;
+import org.apache.nifi.web.Revision;
+import org.apache.nifi.web.api.dto.SnippetDTO;
+import org.apache.nifi.web.api.entity.SnippetEntity;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
@@ -32,22 +43,9 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
+import java.net.URI;
-import org.apache.nifi.authorization.Authorizer;
+import java.util.Set;
-import org.apache.nifi.authorization.RequestAction;
+import java.util.stream.Collectors;
-import org.apache.nifi.authorization.user.NiFiUserUtils;
-import org.apache.nifi.controller.Snippet;
-import org.apache.nifi.web.NiFiServiceFacade;
-import org.apache.nifi.web.Revision;
-import org.apache.nifi.web.api.dto.SnippetDTO;
-import org.apache.nifi.web.api.entity.SnippetEntity;
-
-import com.wordnik.swagger.annotations.Api;
-import com.wordnik.swagger.annotations.ApiOperation;
-import com.wordnik.swagger.annotations.ApiParam;
-import com.wordnik.swagger.annotations.ApiResponse;
-import com.wordnik.swagger.annotations.ApiResponses;
-import com.wordnik.swagger.annotations.Authorization;
 
 /**
  * RESTful endpoint for querying dataflow snippets.
@@ -101,14 +99,11 @@ public class SnippetResource extends ApplicationResource {
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a snippet",
             response = SnippetEntity.class,
             authorizations = {
-            @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /{component-type}/{uuid} - For each component in the Snippet", type = "")
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-            @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -165,8 +160,7 @@ public class SnippetResource extends ApplicationResource {
     }
 
     /**
-     * Updates the specified snippet. The contents of the snippet (component
+     * Move's the components in this Snippet into a new Process Group.
-     * ids) cannot be updated once the snippet is created.
      *
      * @param httpServletRequest request
      * @param snippetId          The id of the snippet.
@@ -177,12 +171,12 @@ public class SnippetResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
-        value = "Updates a snippet",
+            value = "Move's the components in this Snippet into a new Process Group and drops the snippet",
             response = SnippetEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write Process Group - /process-groups/{uuid}", type = ""),
+                    @Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet", type = "")
             }
     )
     @ApiResponses(
@@ -232,7 +226,7 @@ public class SnippetResource extends ApplicationResource {
                         lookup.getProcessGroup(requestSnippetDTO.getParentGroupId()).authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                     }
 
-                // ensure read permission to every component in the snippet
+                    // ensure write permission to every component in the snippet
                     final Snippet snippet = lookup.getSnippet(snippetId);
                     authorizeSnippet(snippet, authorizer, lookup, RequestAction.WRITE);
                 },
@@ -257,12 +251,11 @@ public class SnippetResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes the components in a snippet and drops the snippet",
             response = SnippetEntity.class,
             authorizations = {
-            @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet", type = "")
             }
     )
     @ApiResponses(
@@ -306,6 +299,7 @@ public class SnippetResource extends ApplicationResource {
     }
 
     /* setters */
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java

@@ -69,7 +69,7 @@ public class SystemDiagnosticsResource extends ApplicationResource {
     private void authorizeSystem() {
         final NiFiUser user = NiFiUserUtils.getNiFiUser();
 
-        final Map<String,String> userContext;
+        final Map<String, String> userContext;
         if (!StringUtils.isBlank(user.getClientAddress())) {
             userContext = new HashMap<>();
             userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
@@ -102,14 +102,11 @@ public class SystemDiagnosticsResource extends ApplicationResource {
     @GET
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets the diagnostics for the system NiFi is running on",
             response = SystemDiagnosticsEntity.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /system", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -174,6 +171,7 @@ public class SystemDiagnosticsResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java

@@ -16,8 +16,21 @@
  */
 package org.apache.nifi.web.api;
 
-import java.nio.charset.StandardCharsets;
+import com.wordnik.swagger.annotations.Api;
-import java.util.Set;
+import com.wordnik.swagger.annotations.ApiOperation;
+import com.wordnik.swagger.annotations.ApiParam;
+import com.wordnik.swagger.annotations.ApiResponse;
+import com.wordnik.swagger.annotations.ApiResponses;
+import com.wordnik.swagger.annotations.Authorization;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.RequestAction;
+import org.apache.nifi.authorization.resource.Authorizable;
+import org.apache.nifi.authorization.user.NiFiUserUtils;
+import org.apache.nifi.persistence.TemplateSerializer;
+import org.apache.nifi.web.NiFiServiceFacade;
+import org.apache.nifi.web.api.dto.TemplateDTO;
+import org.apache.nifi.web.api.entity.TemplateEntity;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
@@ -30,23 +43,8 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
+import java.nio.charset.StandardCharsets;
-import org.apache.commons.lang3.StringUtils;
+import java.util.Set;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.resource.Authorizable;
-import org.apache.nifi.authorization.user.NiFiUserUtils;
-import org.apache.nifi.persistence.TemplateSerializer;
-import org.apache.nifi.web.NiFiServiceFacade;
-import org.apache.nifi.web.api.dto.TemplateDTO;
-import org.apache.nifi.web.api.entity.TemplateEntity;
-
-import com.wordnik.swagger.annotations.Api;
-import com.wordnik.swagger.annotations.ApiOperation;
-import com.wordnik.swagger.annotations.ApiParam;
-import com.wordnik.swagger.annotations.ApiResponse;
-import com.wordnik.swagger.annotations.ApiResponses;
-import com.wordnik.swagger.annotations.Authorization;
 
 /**
  * RESTful endpoint for managing a Template.
@@ -76,32 +74,6 @@ public class TemplateResource extends ApplicationResource {
         return templateEntities;
     }
 
-    /**
-     * Populate the uri's for the specified templates.
-     *
-     * @param templateEntity templates
-     * @return templates
-     */
-    public TemplateEntity populateRemainingTemplateEntityContent(TemplateEntity templateEntity) {
-        if (templateEntity.getTemplate() != null) {
-            populateRemainingTemplateContent(templateEntity.getTemplate());
-        }
-        return templateEntity;
-    }
-
-    /**
-     * Populates the uri for the specified templates.
-     *
-     * @param templates templates
-     * @return templates
-     */
-    public Set<TemplateDTO> populateRemainingTemplatesContent(Set<TemplateDTO> templates) {
-        for (TemplateDTO template : templates) {
-            populateRemainingTemplateContent(template);
-        }
-        return templates;
-    }
-
     /**
      * Populates the uri for the specified template.
      */
@@ -121,14 +93,11 @@ public class TemplateResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_XML)
     @Path("{id}/download")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Exports a template",
             response = TemplateDTO.class,
             authorizations = {
-                @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /templates/{uuid}", type = "")
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -192,12 +161,11 @@ public class TemplateResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a template",
             response = TemplateEntity.class,
             authorizations = {
-                @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /templates/{uuid}", type = "")
             }
     )
     @ApiResponses(
@@ -242,6 +210,7 @@ public class TemplateResource extends ApplicationResource {
     }
 
     // setters
+
     public void setServiceFacade(NiFiServiceFacade serviceFacade) {
         this.serviceFacade = serviceFacade;
     }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java

@@ -122,12 +122,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("users")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a user",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -205,14 +205,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("users/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a user",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /tenants", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -262,14 +260,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("users")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all users",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UsersEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /tenants", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -322,12 +318,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("users/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a user",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -411,12 +407,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("users/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a user",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -462,7 +458,7 @@ public class TenantsResource extends ApplicationResource {
                 revision,
                 lookup -> {
                     final Authorizable tenants = lookup.getTenant();
-                    tenants.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
+                    tenants.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                 },
                 null,
                 () -> {
@@ -508,12 +504,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("user-groups")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Creates a user group",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserGroupEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -591,14 +587,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("user-groups/{id}")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets a user group",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserGroupEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /tenants", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -648,14 +642,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("user-groups")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Gets all user groups",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserGroupsEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /tenants", type = "")
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM"),
-                    @Authorization(value = "Administrator", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(
@@ -707,12 +699,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("user-groups/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Updates a user group",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserGroupEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -796,12 +788,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("user-groups/{id}")
-    // TODO - @PreAuthorize("hasRole('ROLE_DFM')")
     @ApiOperation(
             value = "Deletes a user group",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = UserGroupEntity.class,
             authorizations = {
-                    @Authorization(value = "Data Flow Manager", type = "ROLE_DFM")
+                    @Authorization(value = "Write - /tenants", type = "")
             }
     )
     @ApiResponses(
@@ -847,7 +839,7 @@ public class TenantsResource extends ApplicationResource {
                 revision,
                 lookup -> {
                     final Authorizable tenants = lookup.getTenant();
-                    tenants.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
+                    tenants.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                 },
                 null,
                 () -> {
@@ -872,14 +864,12 @@ public class TenantsResource extends ApplicationResource {
     @Consumes(MediaType.WILDCARD)
     @Produces(MediaType.APPLICATION_JSON)
     @Path("search-results")
-    // TODO - @PreAuthorize("hasAnyRole('ROLE_MONITOR', 'ROLE_DFM', 'ROLE_ADMIN')")
     @ApiOperation(
             value = "Searches the cluster for a node with the specified address",
+            notes = NON_GUARANTEED_ENDPOINT,
             response = ClusterSearchResultsEntity.class,
             authorizations = {
-                    @Authorization(value = "Read Only", type = "ROLE_MONITOR"),
+                    @Authorization(value = "Read - /tenants", type = "")
-                    @Authorization(value = "DFM", type = "ROLE_DFM"),
-                    @Authorization(value = "Admin", type = "ROLE_ADMIN")
             }
     )
     @ApiResponses(

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/InvalidRevisionExceptionMapper.java

@@ -16,14 +16,16 @@
  */
 package org.apache.nifi.web.api.config;
 
-import javax.ws.rs.core.Response;
-import javax.ws.rs.ext.ExceptionMapper;
-import javax.ws.rs.ext.Provider;
 import org.apache.nifi.util.StringUtils;
 import org.apache.nifi.web.InvalidRevisionException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+
 /**
  * Maps invalid revision exceptions into client responses.
  */
@@ -35,13 +37,13 @@ public class InvalidRevisionExceptionMapper implements ExceptionMapper<InvalidRe
     @Override
     public Response toResponse(InvalidRevisionException exception) {
         // log the error
-        logger.info(String.format("%s. Returning %s response.", exception, Response.Status.CONFLICT));
+        logger.info(String.format("%s. Returning %s response.", exception, Status.BAD_REQUEST));
 
         if (logger.isDebugEnabled()) {
             logger.debug(StringUtils.EMPTY, exception);
         }
 
-        return Response.status(Response.Status.CONFLICT).entity(exception.getMessage()).type("text/plain").build();
+        return Response.status(Status.BAD_REQUEST).entity(exception.getMessage()).type("text/plain").build();
     }
 
 }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java

@@ -27,7 +27,6 @@ import org.apache.nifi.authorization.RequestAction;
 import org.apache.nifi.authorization.Resource;
 import org.apache.nifi.authorization.resource.Authorizable;
 import org.apache.nifi.authorization.resource.ResourceFactory;
-import org.apache.nifi.authorization.resource.ResourceType;
 import org.apache.nifi.authorization.user.NiFiUser;
 import org.apache.nifi.authorization.user.NiFiUserUtils;
 import org.apache.nifi.cluster.coordination.ClusterCoordinator;
@@ -94,7 +93,6 @@ import org.apache.nifi.web.NiFiCoreException;
 import org.apache.nifi.web.ResourceNotFoundException;
 import org.apache.nifi.web.api.dto.DocumentedTypeDTO;
 import org.apache.nifi.web.api.dto.DtoFactory;
-import org.apache.nifi.web.api.dto.TemplateDTO;
 import org.apache.nifi.web.api.dto.provenance.AttributeDTO;
 import org.apache.nifi.web.api.dto.provenance.ProvenanceDTO;
 import org.apache.nifi.web.api.dto.provenance.ProvenanceEventDTO;
@@ -131,6 +129,7 @@ import java.util.SortedSet;
 import java.util.TimeZone;
 import java.util.TreeSet;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Consumer;
 
 import static org.apache.nifi.controller.FlowController.ROOT_GROUP_ID_ALIAS;
 
@@ -754,68 +753,97 @@ public class ControllerFacade implements Authorizable {
 
     public List<Resource> getResources() {
         final List<Resource> resources = new ArrayList<>();
+        resources.add(ResourceFactory.getFlowResource());
         resources.add(ResourceFactory.getSystemResource());
         resources.add(ResourceFactory.getControllerResource());
-        resources.add(ResourceFactory.getFlowResource());
+        resources.add(ResourceFactory.getCountersResource());
         resources.add(ResourceFactory.getProvenanceResource());
+        resources.add(ResourceFactory.getPoliciesResource());
+        resources.add(ResourceFactory.getTenantResource());
         resources.add(ResourceFactory.getProxyResource());
         resources.add(ResourceFactory.getResourceResource());
+        resources.add(ResourceFactory.getSiteToSiteResource());
 
         final ProcessGroup root = flowController.getGroup(flowController.getRootGroupId());
 
         // add each processor
         for (final ProcessorNode processor : root.findAllProcessors()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.Processor, processor.getIdentifier(), processor.getName()));
+            final Resource processorResource = processor.getResource();
-            resources.add(ResourceFactory.getDataResource(processor.getResource()));
+            resources.add(processorResource);
+            resources.add(ResourceFactory.getDataResource(processorResource));
+            resources.add(ResourceFactory.getPolicyResource(processorResource));
         }
 
         // add each label
         for (final Label label : root.findAllLabels()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.Label, label.getIdentifier(), label.getValue()));
+            final Resource labelResource = label.getResource();
+            resources.add(labelResource);
+            resources.add(ResourceFactory.getPolicyResource(labelResource));
         }
 
         // add each process group
         for (final ProcessGroup processGroup : root.findAllProcessGroups()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.ProcessGroup, processGroup.getIdentifier(), processGroup.getName()));
+            final Resource processGroupResource = processGroup.getResource();
-            resources.add(ResourceFactory.getDataResource(processGroup.getResource()));
+            resources.add(processGroupResource);
+            resources.add(ResourceFactory.getDataResource(processGroupResource));
+            resources.add(ResourceFactory.getPolicyResource(processGroupResource));
         }
 
         // add each remote process group
         for (final RemoteProcessGroup remoteProcessGroup : root.findAllRemoteProcessGroups()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.RemoteProcessGroup, remoteProcessGroup.getIdentifier(), remoteProcessGroup.getName()));
+            final Resource remoteProcessGroupResource = remoteProcessGroup.getResource();
-            resources.add(ResourceFactory.getDataResource(remoteProcessGroup.getResource()));
+            resources.add(remoteProcessGroupResource);
+            resources.add(ResourceFactory.getDataResource(remoteProcessGroupResource));
+            resources.add(ResourceFactory.getPolicyResource(remoteProcessGroupResource));
         }
 
         // add each input port
         for (final Port inputPort : root.findAllInputPorts()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.InputPort, inputPort.getIdentifier(), inputPort.getName()));
+            final Resource inputPortResource = inputPort.getResource();
-            resources.add(ResourceFactory.getDataResource(inputPort.getResource()));
+            resources.add(inputPortResource);
+            resources.add(ResourceFactory.getDataResource(inputPortResource));
+            resources.add(ResourceFactory.getPolicyResource(inputPortResource));
+            if (inputPort instanceof RootGroupPort) {
+                resources.add(ResourceFactory.getDataTransferResource(inputPortResource));
+            }
         }
 
         // add each output port
         for (final Port outputPort : root.findAllOutputPorts()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.OutputPort, outputPort.getIdentifier(), outputPort.getName()));
+            final Resource outputPortResource = outputPort.getResource();
-            resources.add(ResourceFactory.getDataResource(outputPort.getResource()));
+            resources.add(outputPortResource);
+            resources.add(ResourceFactory.getDataResource(outputPortResource));
+            resources.add(ResourceFactory.getPolicyResource(outputPortResource));
+            if (outputPort instanceof RootGroupPort) {
+                resources.add(ResourceFactory.getDataTransferResource(outputPortResource));
+            }
         }
 
         // add each controller service
-        for (final ControllerServiceNode controllerService : flowController.getAllControllerServices()) {
+        final Consumer<ControllerServiceNode> csConsumer = controllerService -> {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.ControllerService, controllerService.getIdentifier(), controllerService.getName()));
+            final Resource controllerServiceResource = controllerService.getResource();
-        }
+            resources.add(controllerServiceResource);
+            resources.add(ResourceFactory.getPolicyResource(controllerServiceResource));
+        };
+
+        flowController.getAllControllerServices().forEach(csConsumer);
+        root.findAllControllerServices().forEach(csConsumer);
+
 
         // add each reporting task
         for (final ReportingTaskNode reportingTask : flowController.getAllReportingTasks()) {
-            resources.add(ResourceFactory.getComponentResource(ResourceType.ReportingTask, reportingTask.getIdentifier(), reportingTask.getName()));
+            final Resource reportingTaskResource = reportingTask.getResource();
+            resources.add(reportingTaskResource);
+            resources.add(ResourceFactory.getPolicyResource(reportingTaskResource));
         }
 
         // add each template
         for (final Template template : root.findAllTemplates()) {
-            final TemplateDTO details = template.getDetails();
+            final Resource templateResource = template.getResource();
-            resources.add(ResourceFactory.getComponentResource(ResourceType.Template, details.getId(), details.getName()));
+            resources.add(templateResource);
+            resources.add(ResourceFactory.getPolicyResource(templateResource));
         }
 
-        // TODO - need token resource?
-        // resources.add(ResourceFactory.getTokenResource());
         return resources;
     }