NIFI-2486: - Authorizing individual bulletins being returned through the bulletin board.

This closes #792

Signed-off-by: jpercivall <joepercivall@yahoo.com>
Matt Gilman 2016-08-04 17:43:52 -04:00 committed by jpercivall
parent 04147ac22a
commit c0a253568e
3 changed files with 102 additions and 44 deletions


@ -2184,6 +2184,47 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
return controllerFacade.getProcessorStatusHistory(id);
}
private boolean authorizeBulletin(final Bulletin bulletin) {
final String sourceId = bulletin.getSourceId();
final ComponentType type = bulletin.getSourceType();
final Authorizable authorizable;
try {
switch (type) {
case PROCESSOR:
authorizable = authorizableLookup.getProcessor(sourceId);
break;
case REPORTING_TASK:
authorizable = authorizableLookup.getReportingTask(sourceId);
break;
case CONTROLLER_SERVICE:
authorizable = authorizableLookup.getControllerService(sourceId);
break;
case FLOW_CONTROLLER:
authorizable = controllerFacade;
break;
case INPUT_PORT:
authorizable = authorizableLookup.getInputPort(sourceId);
break;
case OUTPUT_PORT:
authorizable = authorizableLookup.getOutputPort(sourceId);
break;
case REMOTE_PROCESS_GROUP:
authorizable = authorizableLookup.getRemoteProcessGroup(sourceId);
break;
default:
throw new WebApplicationException(Response.serverError().entity("An unexpected type of component is the source of this bulletin.").build());
}
} catch (final ResourceNotFoundException e) {
// if the underlying component is gone, disallow
return false;
}
// perform the authorization
final AuthorizationResult result = authorizable.checkAuthorization(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
return Result.Approved.equals(result.getResult());
}
@Override
public BulletinBoardDTO getBulletinBoard(final BulletinQueryDTO query) {
// build the query
@ -2203,7 +2244,18 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
// exact results we want but in reverse order
final List<BulletinDTO> bulletins = new ArrayList<>();
for (final ListIterator<Bulletin> bulletinIter = results.listIterator(results.size()); bulletinIter.hasPrevious(); ) {
bulletins.add(dtoFactory.createBulletinDto(bulletinIter.previous()));
final Bulletin bulletin = bulletinIter.previous();
if (authorizeBulletin(bulletin)) {
bulletins.add(dtoFactory.createBulletinDto(bulletin));
} else {
final BulletinDTO bulletinDTO = new BulletinDTO();
bulletinDTO.setTimestamp(bulletin.getTimestamp());
bulletinDTO.setId(bulletin.getId());
bulletinDTO.setSourceId(bulletin.getSourceId());
bulletinDTO.setGroupId(bulletin.getGroupId());
bulletins.add(bulletinDTO);
}
}
// create the bulletin board
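Review bot: The `else` branch in `getBulletinBoard` still returns the bulletin's id, timestamp, source id and group id when `authorizeBulletin` returned false, so a caller without READ on a component can still see that it exists, which group it belongs to and when it reported. If that is the intended redaction level, state it at the branch, for example `// not authorized for the source: expose only id, timestamp, source id and group id; level and message are withheld`, so that later changes do not add fields to this DTO without noticing the boundary. Separately, the `default:` case in `authorizeBulletin` throws a `WebApplicationException`, so one bulletin with an unhandled source type fails the whole bulletin board response. `default: return false;` would deny only that bulletin, as the `ResourceNotFoundException` handler already does. `getBulletinBoard` begins in the first hunk and ends outside the second.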


@ -820,7 +820,10 @@ public class FlowResource extends ApplicationResource {
value = "Retrieves Controller level bulletins",
response = ControllerBulletinsEntity.class,
authorizations = {
@Authorization(value = "Read - /flow", type = "")
@Authorization(value = "Read - /flow", type = ""),
@Authorization(value = "Read - /controller - For controller bulletins", type = ""),
@Authorization(value = "Read - /controller-services/{uuid} - For controller service bulletins", type = ""),
@Authorization(value = "Read - /reporting-tasks/{uuid} - For reporting task bulletins", type = "")
}
)
@ApiResponses(
@ -1113,7 +1116,8 @@ public class FlowResource extends ApplicationResource {
value = "Gets current bulletins",
response = BulletinBoardEntity.class,
authorizations = {
@Authorization(value = "Read - /flow", type = "")
@Authorization(value = "Read - /flow", type = ""),
@Authorization(value = "Read - /{component-type}/{uuid} - For component specific bulletins", type = "")
}
)
@ApiResponses(
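Review bot: The authorizations added to the "Retrieves Controller level bulletins" operation document READ checks on `/controller`, `/controller-services/{uuid}` and `/reporting-tasks/{uuid}`, but the only enforcement visible in this commit is the per-bulletin filtering in `getBulletinBoard`, which appears to back the "Gets current bulletins" operation. Unless the controller-bulletins path filters its results somewhere outside these hunks, the published API documentation describes a check that is not performed, so that should be confirmed before the annotation ships. For the bulletin board operation, the description could also say what an unauthorized caller receives, for example `"Read - /{component-type}/{uuid} - For component specific bulletins; bulletins from other components are returned without level or message"`. Both annotated methods lie outside the hunks shown.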


@ -355,6 +355,7 @@ nf.ng.BulletinBoardCtrl = function (serviceProvider) {
// append each bulletin
$.each(bulletins, function (i, bulletin) {
if (!nf.Common.isBlank(bulletin.level)) {
// format the severity
var severityStyle = 'bulletin-normal';
if (bulletin.level === 'ERROR') {
@ -398,6 +399,7 @@ nf.ng.BulletinBoardCtrl = function (serviceProvider) {
// append the content
content.push(bulletinMarkup.get(0));
}
// record the id of the last bulletin in this request
if (i + 1 === bulletins.length) {