Apache NiFi: NIFI-1497

Access token not included in all requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.6.0, 0.5.1
    • Component/s: Core UI
    • Labels: None

      Description

      Some requests do not have the access token included with them (specifically custom UIs and view content). Without the access token, the request will fail with Access Denied.

          Activity

          joewitt Joseph Witt added a comment -

          probably critical in terms of priority. happy to review as soon as you have it.

          mcgilman Matt Gilman added a comment -

          Additional details...

          Viewing and downloading content are performed by opening a new page with the path to the viewer or the content respectively. When opening a new page, additional HTTP headers (like the access token) cannot be included. Additionally, content cannot be downloaded via an AJAX request.

          mcgilman Matt Gilman added a comment -

          The issue also impacts opening custom UIs. Will likely need to add support for single-use tokens for opening UI extensions (like Update Attribute UIs and content viewers) and downloading content. The lack of existing infrastructure around single-use tokens will move the target to the next release.

          The issue is not present when using client certificates as they are included in every request.

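The comments above describe the constraint (a browser navigation to a viewer, custom UI or download cannot carry the JWT in a request header) and the remedy the ticket settles on (a single-use token placed in the query string). The following is an added illustration of that pattern in Python, modelling the idea rather than reproducing NiFi's Java implementation; the class and method names, the `access_token` query-parameter name and the sample users and paths are all assumptions for the example. Tokens are bound to one user and one resource, expire quickly, are stored hashed, and are consumed on first presentation whether or not they match, so a token that leaks through a URL in a log or browser history is worth very little.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class _Grant:
    user: str
    resource: str
    expires_at: float


class OneTimeTokenService:
    """Hypothetical model of a single-use token service for navigations that
    cannot carry an Authorization header (download links, UI extension pages).
    Not NiFi's code. Tokens are stored hashed so the server-side table is not
    itself a list of valid credentials."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._grants = {}            # sha256(token) -> _Grant

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, resource):
        """Called on the authenticated AJAX request that builds the link.
        The token is tied to the user who asked and to one resource path."""
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = _Grant(user, resource, self._clock() + self._ttl)
        return token

    def redeem(self, token, resource):
        """Called on the navigation request that carries the token in its
        query string. Returns the user the token was issued to, or None.
        The grant is removed on the first presentation regardless of the
        outcome, so a token can never be replayed or retried."""
        grant = self._grants.pop(self._key(token), None)
        if grant is None:
            return None
        if self._clock() > grant.expires_at:
            return None
        if grant.resource != resource:
            return None
        return grant.user


def build_link(base_path, token):
    """Query-string form the browser can open in a new page (assumed
    parameter name)."""
    return base_path + "?" + urlencode({"access_token": token})


if __name__ == "__main__":
    svc = OneTimeTokenService()
    # Constructed sample: a user who may read provenance content asks for a link.
    tok = svc.issue("alice", "/nifi-api/content/flowfile-1")
    print(build_link("/nifi-content-viewer/", tok))
    print(svc.redeem(tok, "/nifi-api/content/flowfile-1"))  # alice
    print(svc.redeem(tok, "/nifi-api/content/flowfile-1"))  # None, already used
```

The pairing of `issue` on the header-bearing request and `redeem` on the navigation is the whole point: the ordinary access token never enters a URL, and the value that does enter one is useless after one request and a short window.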
          bende Bryan Bende added a comment -

          Been reviewing this... after applying the patch and running some tests, it appears that this patch introduced a regression allowing content to be incorrectly accessed through the content viewer.

          mcgilman Matt Gilman added a comment -

          Great catch. It appears this is the result of moving the location of a PreAuthorize annotation to a location where the aspect isn't triggering (calling a method within a class vs from outside of a class). Will update as appropriate in a new patch. Thanks!

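The regression Bryan found and Matt explains above is a well-known pitfall of proxy-based authorization: a `@PreAuthorize` annotation is enforced by the proxy Spring wraps around the bean, so it only fires when the call arrives from outside the object; a method calling an annotated sibling via `this` never crosses the proxy. The following is an added model of that behaviour in Python rather than Java/Spring, and is not NiFi's code; the proxy, the role names and the method names are assumptions for the illustration. The "broken" class has the check on the inner method only, as the comment describes, and the "fixed" class puts it on the method the outside world actually calls.

```python
class AccessDenied(Exception):
    """Raised by the proxy when the caller lacks the required role."""


def pre_authorize(role):
    """Attach a required role to a method. Like Spring's @PreAuthorize, the
    marker itself enforces nothing; only the proxy below honours it."""
    def mark(fn):
        fn.required_role = role
        return fn
    return mark


class SecuringProxy:
    """Stands in for the AOP proxy that wraps a bean. Calls made on the proxy
    are intercepted; calls the bean makes on itself are not."""

    def __init__(self, target):
        self._target = target

    def __getattr__(self, name):
        method = getattr(self._target, name)
        role = getattr(method, "required_role", None)
        if role is None:
            return method  # unannotated: pass straight through

        def guarded(caller_roles, *args, **kwargs):
            if role not in caller_roles:
                raise AccessDenied(f"{name} requires {role}")
            return method(caller_roles, *args, **kwargs)
        return guarded


class ContentAccessBroken:
    """The regression: the check sits on an inner method that the public
    entry point invokes on itself, so the proxy never sees that call."""

    @pre_authorize("ROLE_PROVENANCE")  # assumed role name
    def get_content(self, caller_roles, flowfile_id):
        return f"bytes-of-{flowfile_id}"

    def view_content(self, caller_roles, flowfile_id):
        # Plain call on the target object, not on the proxy: required_role
        # is never consulted and any caller receives the content.
        return self.get_content(caller_roles, flowfile_id)


class ContentAccessFixed:
    """The fix: annotate the method the outside world actually calls."""

    @pre_authorize("ROLE_PROVENANCE")
    def view_content(self, caller_roles, flowfile_id):
        return self._get_content(flowfile_id)

    def _get_content(self, flowfile_id):
        return f"bytes-of-{flowfile_id}"


def is_denied(fn, *args):
    """True if calling fn(*args) raises AccessDenied; a helper for tests."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    viewer_only = {"ROLE_MONITOR"}  # constructed caller without content rights
    broken = SecuringProxy(ContentAccessBroken())
    print(is_denied(broken.get_content, viewer_only, "ff-1"))   # True
    print(is_denied(broken.view_content, viewer_only, "ff-1"))  # False: bypass
    fixed = SecuringProxy(ContentAccessFixed())
    print(is_denied(fixed.view_content, viewer_only, "ff-1"))   # True
```

A useful review habit that follows from this: for every annotated method, ask whether any path reaches it through a same-class call, and write a test that exercises the public entry point with an under-privileged caller, as the test above does, rather than only the annotated method itself.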
          mcgilman Matt Gilman added a comment -

          Updating patch with issue below resolved.

          bende Bryan Bende added a comment -

          Testing last patch with a secure cluster and attempted to view content from listing a queue, received error message saying:

          An unexcepted error has occurred: The specified cluster node does not exist.

          mcgilman Matt Gilman added a comment -

          Another great catch Bryan Bende! It looks as though the cluster node identifier is no longer being parsed out correctly when attempting to access content from a given node. I'll address and update the patch. Thanks!

          mcgilman Matt Gilman added a comment -

          New patch that addresses the latest comments.

          mcgilman Matt Gilman added a comment -

          Removed patch as it wasn't quite correct in parsing out the cluster node in all cases. Will update.

          jira-bot ASF subversion and git services added a comment -

          Commit a8edab2e7955b175c5cbd2a3266fb51fa9712aee in nifi's branch refs/heads/master from Matt Gilman
          [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=a8edab2 ]

          NIFI-1497:
          - Introducing a one time use password service for use in query parameters when accessing UI extensions and downloading resources.
          - Using one time use tokens when accessing ui extensions and downloading resources.
          - Ensuring appropriate roles when accessing component details through the web context for custom UIs.
          - Addressing typo in class name.
          - Ensuring appropriate roles when accessing content through the content access.
          - Code clean up.
          - Refactoring some basic scripts for accessing JWT tokens so UI extensions can reuse common functionality.

          Signed-off-by: Bryan Bende <bbende@apache.org>

          bende Bryan Bende added a comment -

          Latest patch looks good, all tests pass, applies cleanly, pushed to master.

          Will also push to the 0.5.1 support branch.

          jira-bot ASF subversion and git services added a comment -

          Commit a7195b5fe9f4db7e688761297e47b0cc7612ee3e in nifi's branch refs/heads/support/nifi-0.5.x from Matt Gilman
          [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=a7195b5 ]

          NIFI-1497:
          - Introducing a one time use password service for use in query parameters when accessing UI extensions and downloading resources.
          - Using one time use tokens when accessing ui extensions and downloading resources.
          - Ensuring appropriate roles when accessing component details through the web context for custom UIs.
          - Addressing typo in class name.
          - Ensuring appropriate roles when accessing content through the content access.
          - Code clean up.
          - Refactoring some basic scripts for accessing JWT tokens so UI extensions can reuse common functionality.

          Signed-off-by: Bryan Bende <bbende@apache.org>

          bende Bryan Bende added a comment -

          Pushed to 0.5.x support branch, will mark ticket as resolved.


            People

            • Assignee: Matt Gilman
            • Reporter: Matt Gilman
            • Votes: 0
            • Watchers: 6
