  1. Apache NiFi
  2. NIFI-3653

Create PolicyBasedAuthorizer interface to allow authorization chain

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.4.0
    • Component/s: Core Framework
    • Labels:
      None

      Description

      Rather than using AbstractPolicyBasedAuthorizer to trigger policy management, refactor to use a new interface. New implementations of this interface can then create an authorization chain with existing AbstractPolicyBasedAuthorizer sub-classes.


      While investigating alternate implementations of the Authorizer interface, I see the AbstractPolicyBasedAuthorizer is meant to be extended. Its authorize() method is final, however, and does not have an abstract doAuthorize() method that sub-classes can extend.

      In particular, the existing AbstractPolicyBasedAuthorizer authorize() method does not take into account the AuthorizationRequest "resourceContext" in its authorization decision. This is especially important when authorizing access to events in Provenance, which places attributes in resourceContext of its AuthorizationRequest when obtaining an authorization decision. I would like to use attributes to authorize access to Provenance download & view content feature.

      If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the availability of a doAuthorize() method, then I could maintain my own user policies for allowing access to flowfile content via Provenance.
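
An added sketch of the chain the description asks for, not NiFi's code and not the reporter's: an authorizer that delegates to an existing policy-based decision and then checks attributes from resourceContext. `Request`, `Decision`, `Authorizer` and `ChainedAuthorizer` are simplified stand-ins defined here, and the `classification` attribute key, users and resource names are constructed sample values.

```java
import java.util.Map;
import java.util.Set;

public class ChainedAuthorizerDemo {
    enum Decision { APPROVED, DENIED }

    // Stand-in for an authorization request: identity, resource, resourceContext attributes.
    record Request(String identity, String resource, Map<String, String> resourceContext) {}

    // Stand-in for the authorizer contract (hypothetical, single method).
    interface Authorizer { Decision authorize(Request request); }

    // Wraps an existing policy-based authorizer and adds an attribute check on top of it.
    static final class ChainedAuthorizer implements Authorizer {
        private final Authorizer policyBased;
        private final Map<String, Set<String>> allowedLabelsByUser;

        ChainedAuthorizer(Authorizer policyBased, Map<String, Set<String>> allowedLabelsByUser) {
            this.policyBased = policyBased;
            this.allowedLabelsByUser = allowedLabelsByUser;
        }

        @Override
        public Decision authorize(Request request) {
            // The policy decision is a precondition, so the chain can only narrow access.
            if (policyBased.authorize(request) != Decision.APPROVED) return Decision.DENIED;
            Map<String, String> ctx = request.resourceContext();
            if (ctx == null || ctx.isEmpty()) return Decision.APPROVED; // nothing to evaluate
            // Fail closed: attributes present but label missing or not granted means deny.
            String label = ctx.get("classification");
            Set<String> allowed = allowedLabelsByUser.getOrDefault(request.identity(), Set.of());
            return label != null && allowed.contains(label) ? Decision.APPROVED : Decision.DENIED;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: both users pass the base policy, only alice holds labels.
        Authorizer policy = r -> r.identity().equals("alice") || r.identity().equals("bob")
                ? Decision.APPROVED : Decision.DENIED;
        Authorizer chain = new ChainedAuthorizer(policy, Map.of("alice", Set.of("public", "internal")));
        Request r1 = new Request("alice", "provenance-event", Map.of("classification", "internal"));
        Request r2 = new Request("bob", "provenance-event", Map.of("classification", "internal"));
        Request r3 = new Request("bob", "flow", Map.of());
        System.out.println("alice, internal event: " + chain.authorize(r1));
        System.out.println("bob, internal event:   " + chain.authorize(r2));
        System.out.println("bob, no attributes:    " + chain.authorize(r3));
    }
}
```

Because the wrapped policy decision is evaluated first and a denial is final, the attribute check can remove access that policy grants but can never add access that policy withholds.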

              People

              • Assignee: Matt Gilman (mcgilman)
              • Reporter: Michael W Moser (mosermw)
              • Votes: 0
              • Watchers: 7
