Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-5656

Remove Node Group property from FileAccessPolicyProvider in the default case

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.8.0
    • 1.8.0
    • Core Framework
    • None

    Description

      The "Node Group" property was introduced to let configuring node policies easier in a more dynamic environment. This feature is a base for future custom UserGroupProviders to provide a Group and the list of contained nodes dynamically. However in it's current form (if left empty) will throw an exception that would end in a confusing user experience as NiFi will fail to start.

      Attachments

        Issue Links

          Activity

            githubbot ASF GitHub Bot added a comment -

            GitHub user pepov opened a pull request:

            https://github.com/apache/nifi/pull/3043

            NIFI-5656 Remove "Node Group" from the default FileAccessPolicyProvider propert…

            …er properties, extend the docs, add more logs to help debugging, add test for the empty case.

            Thank you for submitting a contribution to Apache NiFi.

            In order to streamline the review of the contribution we ask you
            to ensure the following steps have been taken:

                1. For all changes:
            • [ ] Is there a JIRA ticket associated with this PR? Is it referenced
              in the commit message?
            • [ ] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
            • [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
            • [ ] Is your initial contribution a single, squashed commit?
                1. For code changes:
            • [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
            • [ ] Have you written or updated unit tests to verify your changes?
            • [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
            • [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
            • [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
            • [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
                1. For documentation related changes:
            • [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
                1. Note:
                  Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

            You can merge this pull request into a Git repository by running:

            $ git pull https://github.com/pepov/nifi NIFI-5656

            Alternatively you can review and apply these changes as the patch at:

            https://github.com/apache/nifi/pull/3043.patch

            To close this pull request, make a commit to your master/trunk branch
            with (at least) the following in the commit message:

            This closes #3043


            commit 251f1c476eece342bd6be6b3c5d3d8c17248f5b5
            Author: pepov <peterwilcsinszky@...>
            Date: 2018-10-02T13:21:36Z

            NIFI-5656 Remove "Node Group" from the default FileAccessPolicyProvider properties, extend the docs, add more logs to help debugging, add test for the empty case.


            githubbot ASF GitHub Bot added a comment - GitHub user pepov opened a pull request: https://github.com/apache/nifi/pull/3043 NIFI-5656 Remove "Node Group" from the default FileAccessPolicyProvider propert… …er properties, extend the docs, add more logs to help debugging, add test for the empty case. Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: For all changes: [ ] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? [ ] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? [ ] Is your initial contribution a single, squashed commit? For code changes: [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? [ ] Have you written or updated unit tests to verify your changes? [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0] ( http://www.apache.org/legal/resolved.html#category-a)? [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? For documentation related changes: [ ] Have you ensured that format looks appropriate for the output in which it is rendered? Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/pepov/nifi NIFI-5656 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/3043.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #3043 commit 251f1c476eece342bd6be6b3c5d3d8c17248f5b5 Author: pepov <peterwilcsinszky@...> Date: 2018-10-02T13:21:36Z NIFI-5656 Remove "Node Group" from the default FileAccessPolicyProvider properties, extend the docs, add more logs to help debugging, add test for the empty case.
            githubbot ASF GitHub Bot added a comment -

            Github user pepov commented on the issue:

            https://github.com/apache/nifi/pull/3043

            I didn't think about considering an empty group as not set, but now I can see that initial admin is treated the same, so will update the PR to work like that.

            I used custom because I was thinking non of the available UGPs match that criteria. FileUserGroupProvider needs to be extended and wouldn't add that much benefit (nodes would still need to be added manually), however we may consider it if there are valid use cases.

            However you are right with LdapUserGroupProvider and I missed that it loads first time synchronously and starts the background thread right after, my bad and thanks for pointing it out. I referred to configuration time because I wanted to emphasize that the initial user/group loading should be done in the `onConfigured` method, not later. Of course that is how it's done by the LdapUserGroupProvider already, without that, the initial admin setup wouldn't work reliable.

            githubbot ASF GitHub Bot added a comment - Github user pepov commented on the issue: https://github.com/apache/nifi/pull/3043 I didn't think about considering an empty group as not set, but now I can see that initial admin is treated the same, so will update the PR to work like that. I used custom because I was thinking non of the available UGPs match that criteria. FileUserGroupProvider needs to be extended and wouldn't add that much benefit (nodes would still need to be added manually), however we may consider it if there are valid use cases. However you are right with LdapUserGroupProvider and I missed that it loads first time synchronously and starts the background thread right after, my bad and thanks for pointing it out. I referred to configuration time because I wanted to emphasize that the initial user/group loading should be done in the `onConfigured` method, not later. Of course that is how it's done by the LdapUserGroupProvider already, without that, the initial admin setup wouldn't work reliable.
            githubbot ASF GitHub Bot added a comment -

            Github user kevdoran commented on the issue:

            https://github.com/apache/nifi/pull/3043

            Thanks @pepov! I'll re-review the PR when your changes are in.

            githubbot ASF GitHub Bot added a comment - Github user kevdoran commented on the issue: https://github.com/apache/nifi/pull/3043 Thanks @pepov! I'll re-review the PR when your changes are in.
            githubbot ASF GitHub Bot added a comment -

            Github user pepov commented on the issue:

            https://github.com/apache/nifi/pull/3043

            @kevdoran changes are in

            githubbot ASF GitHub Bot added a comment - Github user pepov commented on the issue: https://github.com/apache/nifi/pull/3043 @kevdoran changes are in
            githubbot ASF GitHub Bot added a comment -

            Github user kevdoran commented on a diff in the pull request:

            https://github.com/apache/nifi/pull/3043#discussion_r222308394

            — Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java —
            @@ -232,16 +232,21 @@ public void onConfigured(AuthorizerConfigurationContext configurationContext) th
            nodeGroupIdentifier = null;

            if (nodeGroupName != null) {

            • for (Group group : userGroupProvider.getGroups()) {
            • if (group.getName().equals(nodeGroupName)) {
            • nodeGroupIdentifier = group.getIdentifier();
            • break;
              + if (!StringUtils.isBlank(nodeGroupName)) {
              + logger.debug("Trying to load node group '{}' from the underlying userGroupProvider", nodeGroupName);
              + for (Group group : userGroupProvider.getGroups())
              Unknown macro: { + if (group.getName().equals(nodeGroupName)) { + nodeGroupIdentifier = group.getIdentifier(); + break; + } }
            • }
            • if (nodeGroupIdentifier == null) {
            • throw new AuthorizerCreationException(String.format(
              + if (nodeGroupIdentifier == null) { + throw new AuthorizerCreationException(String.format( "Authorizations node group '%s' could not be found", nodeGroupName)); + }

              + } else {
              + logger.warn("Empty node group name provided");

                • End diff –

            I don't think this merits a warning, given that it empty by default. Perhaps a debug message would be appropriate.

            githubbot ASF GitHub Bot added a comment - Github user kevdoran commented on a diff in the pull request: https://github.com/apache/nifi/pull/3043#discussion_r222308394 — Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java — @@ -232,16 +232,21 @@ public void onConfigured(AuthorizerConfigurationContext configurationContext) th nodeGroupIdentifier = null; if (nodeGroupName != null) { for (Group group : userGroupProvider.getGroups()) { if (group.getName().equals(nodeGroupName)) { nodeGroupIdentifier = group.getIdentifier(); break; + if (!StringUtils.isBlank(nodeGroupName)) { + logger.debug("Trying to load node group '{}' from the underlying userGroupProvider", nodeGroupName); + for (Group group : userGroupProvider.getGroups()) Unknown macro: { + if (group.getName().equals(nodeGroupName)) { + nodeGroupIdentifier = group.getIdentifier(); + break; + } } } if (nodeGroupIdentifier == null) { throw new AuthorizerCreationException(String.format( + if (nodeGroupIdentifier == null) { + throw new AuthorizerCreationException(String.format( "Authorizations node group '%s' could not be found", nodeGroupName)); + } + } else { + logger.warn("Empty node group name provided"); End diff – I don't think this merits a warning, given that it empty by default. Perhaps a debug message would be appropriate.
            githubbot ASF GitHub Bot added a comment -

            Github user kevdoran commented on the issue:

            https://github.com/apache/nifi/pull/3043

            Thansk @pepov. I had one minor comment regarding logging, but aside from that these changes look good to me

            githubbot ASF GitHub Bot added a comment - Github user kevdoran commented on the issue: https://github.com/apache/nifi/pull/3043 Thansk @pepov. I had one minor comment regarding logging, but aside from that these changes look good to me
            githubbot ASF GitHub Bot added a comment -

            Github user pepov commented on the issue:

            https://github.com/apache/nifi/pull/3043

            Fixed that and also a checkstyle error that broke the build, hopefully will pass this time, thanks!

            githubbot ASF GitHub Bot added a comment - Github user pepov commented on the issue: https://github.com/apache/nifi/pull/3043 Fixed that and also a checkstyle error that broke the build, hopefully will pass this time, thanks!

            Commit de685a7a741888c6ffd6468d89b536276975934c in nifi's branch refs/heads/master from pepov
            [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=de685a7 ]

            NIFI-5656 Handly empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case.

            This closes #3043.

            Signed-off-by: Kevin Doran <kdoran@apache.org>

            jira-bot ASF subversion and git services added a comment - Commit de685a7a741888c6ffd6468d89b536276975934c in nifi's branch refs/heads/master from pepov [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=de685a7 ] NIFI-5656 Handly empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case. This closes #3043. Signed-off-by: Kevin Doran <kdoran@apache.org>
            githubbot ASF GitHub Bot added a comment -

            Github user asfgit closed the pull request at:

            https://github.com/apache/nifi/pull/3043

            githubbot ASF GitHub Bot added a comment - Github user asfgit closed the pull request at: https://github.com/apache/nifi/pull/3043
            githubbot ASF GitHub Bot added a comment -

            Github user kevdoran commented on the issue:

            https://github.com/apache/nifi/pull/3043

            +1 thanks! Merged to master...

            githubbot ASF GitHub Bot added a comment - Github user kevdoran commented on the issue: https://github.com/apache/nifi/pull/3043 +1 thanks! Merged to master...
            joewitt Joe Witt added a comment -

            kdoran this can be closed right?

            joewitt Joe Witt added a comment - kdoran this can be closed right?
            kdoran Kevin Doran added a comment -

            joewitt yep, closed.

            kdoran Kevin Doran added a comment - joewitt yep, closed.

            People

              pepov Peter Wilcsinszky
              pepov Peter Wilcsinszky
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: