Github user markap14 commented on the issue:
@mcgilman great point! When I looked through the code, I saw the section of code that was handling permissions around the Status History but didn't look close enough. I had assumed that if the user doesn't have read permissions on the processor, that the stats would be made unavailable. However, looking again, I see that what we do is allow access to the stats but just blank out the name of the Processor.
What probably makes sense, then, is to filter out any stats that come from counters unless the user does have read permissions to the Processor. I.e., if User A has no read permissions to a processor, its stats would return just the way they are now, with just the pre-defined Bytes In, Bytes Out, FlowFiles In, FlowFiles out, etc. But if the user does have read permissions, then they will also see all stats for counters emitted by that processor (but not type-specific counters, just instance-specific counters). Thoughts?