[GitHub] nifi pull request #2703: NIFI-4907: add 'view provenance' component policy

Mon, 11 Jun 2018 11:34:55 -0700 

Github user mcgilman commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2703#discussion_r194503331
  
    --- Diff: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java
 ---
    @@ -1389,104 +1420,119 @@ private ProvenanceEventDTO 
createProvenanceEventDto(final ProvenanceEventRecord
             // sets the component details if it can find the component still 
in the flow
             setComponentDetails(dto);
     
    -        // only include all details if not summarizing
    -        if (!summarize) {
    -            // convert the attributes
    -            final Comparator<AttributeDTO> attributeComparator = new 
Comparator<AttributeDTO>() {
    -                @Override
    -                public int compare(AttributeDTO a1, AttributeDTO a2) {
    -                    return 
Collator.getInstance(Locale.US).compare(a1.getName(), a2.getName());
    -                }
    -            };
    +//        try {
    +//            AuthorizationResult result = 
flowController.checkConnectableAuthorization(event.getComponentId());
    +        AuthorizationResult result = 
checkConnectableAuthorization(event.getComponentId());
    +            if (Result.Denied.equals(result.getResult())) {
    +                dto.setComponentType("Processor"); // is this always a 
Processor?
    +                dto.setComponentName(dto.getComponentId());
    +                dto.setEventType("UNKNOWN");
    +            }
     
    -            final SortedSet<AttributeDTO> attributes = new 
TreeSet<>(attributeComparator);
    +//            authorizeData(event);
    +            final AuthorizationResult dataResult = 
checkAuthorizationForData(event); //(authorizer, RequestAction.READ, user, 
event.getAttributes());
    --- End diff --
    
    Also, it appears that we're checking the checkAuthorizationForData is 
verifying READ to the data of the corresponding component. This check is 
already done as part of the checkAuthorizationForReplay method. It appears that 
is the only place the replay authorization check is performed. It likely makes 
sense to refactor some of this so that we're only checking permissions for READ 
to the data of the corresponding component once. The remainder of the replay 
authorization check only needs to be performed when we're populating the data 
fields (READ to the data of the corresponding component is approved). See below.


---

Reply via email to