NIFI-2587:

- Adding additional authorization for accessing component property history.
2016-08-18 10:15:23 -04:00 · 2016-08-18 10:15:23 -04:00 · f3387426a0
parent 6874a5d82d
commit f3387426a0
1 changed files with 36 additions and 3 deletions
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java
@ -44,6 +44,7 @@ import org.apache.nifi.groups.ProcessGroup;
 import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.web.IllegalClusterResourceRequestException;
 import org.apache.nifi.web.NiFiServiceFacade;
+import org.apache.nifi.web.ResourceNotFoundException;
 import org.apache.nifi.web.Revision;
 import org.apache.nifi.web.api.dto.AboutDTO;
 import org.apache.nifi.web.api.dto.BannerDTO;
@ -2056,11 +2057,12 @@ public class FlowResource extends ApplicationResource {
    @Produces(MediaType.APPLICATION_JSON)
    @Path("history/components/{componentId}")
    @ApiOperation(
-            value = "Gets configuration history for a processor",
+            value = "Gets configuration history for a component",
            notes = NON_GUARANTEED_ENDPOINT,
            response = ComponentHistoryEntity.class,
            authorizations = {
-                    @Authorization(value = "Read - /flow", type = "")
+                    @Authorization(value = "Read - /flow", type = ""),
+                    @Authorization(value = "Read underlying component - /{component-type}/{uuid}", type = "")
            }
    )
    @ApiResponses(
@ -2079,8 +2081,39 @@ public class FlowResource extends ApplicationResource {
            )
            @PathParam("componentId") final String componentId) {

+        serviceFacade.authorizeAccess(lookup -> {
+            final NiFiUser user = NiFiUserUtils.getNiFiUser();
+
+            // authorize the flow
            authorizeFlow();

+            try {
+                final Authorizable authorizable = lookup.getProcessor(componentId).getAuthorizable();
+                authorizable.authorize(authorizer, RequestAction.READ, user);
+                return;
+            } catch (final ResourceNotFoundException e) {
+                // ignore as the component may not be a processor
+            }
+
+            try {
+                final Authorizable authorizable = lookup.getControllerService(componentId).getAuthorizable();
+                authorizable.authorize(authorizer, RequestAction.READ, user);
+                return;
+            } catch (final ResourceNotFoundException e) {
+                // ignore as the component may not be a controller service
+            }
+
+            try {
+                final Authorizable authorizable = lookup.getReportingTask(componentId).getAuthorizable();
+                authorizable.authorize(authorizer, RequestAction.READ, user);
+                return;
+            } catch (final ResourceNotFoundException e) {
+                // ignore as the component may not be a reporting task
+            }
+
+            throw new ResourceNotFoundException(String.format("Unable to find component with id '%s'.", componentId));
+        });
+
        // Note: History requests are not replicated throughout the cluster and are instead handled by the nodes independently

        // create the response entity