[NIFI-7884] Separate "read-filesystem" restricted permission into local file system and HDFS file system permissions - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.12.1
Fix Version/s: 1.13.0
Component/s: Core Framework, Extensions
Labels:
- file-system
- hdfs
- restricted
- security

Description

Currently the read-filesystem value for RequiredPermission is used for both the processors which read directly from the local file system of the machine hosting NiFi (GetFile, ListFile, etc.) and the processors which read from external file systems like HDFS (GetHDFS, PutHDFS, etc.). There are use cases where NiFi users should be able to interact with the HDFS file system without having permissions to access the local file system.

This will also require introducing a global setting in nifi.properties that an admin can set to allow local file system access via the HDFS processors (default true for backward compatibility), and additional validation logic in the HDFS processors (ideally the abstract shared logic) to ensure that if this setting is disabled, the HDFS processors are not accessing the local file system via the file:/// protocol in their configuration.