You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Matt Gilman (JIRA)" <ji...@apache.org> on 2017/03/28 17:22:41 UTC
[jira] [Commented] (NIFI-3653) Allow extension of authorize method
in AbstractPolicyBasedAuthorizer
[ https://issues.apache.org/jira/browse/NIFI-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15945577#comment-15945577 ]
Matt Gilman commented on NIFI-3653:
-----------------------------------
[~boardm26] I think the desired approach was to create a custom Authorizer that performs the specific access decisions and decorates a separately configured authorizer. This will allow a more cohesive logic within each authorizer and support the configuration of an authorization chain.
> Allow extension of authorize method in AbstractPolicyBasedAuthorizer
> --------------------------------------------------------------------
>
> Key: NIFI-3653
> URL: https://issues.apache.org/jira/browse/NIFI-3653
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Reporter: Michael Moser
>
> While investigating alternate implementations of the Authorizer interface, I see the AbstractPolicyBasedAuthorizer is meant to be extended. It's authorize() method is final, however, and does not have an abstract doAuthorize() method that sub-classes can extend.
> In particular, the existing AbstractPolicyBasedAuthorizer authorize() method does not take into account the AuthorizationRequest "resourceContext" in its authorization decision. This is especially important when authorizing access to events in Provenance, which places attributes in resouceContext of its AuthorizationRequest when obtaining an authorization decision. I would like to use attributes to authorize access to Provenance download & view content feature.
> If I had my own sub-class of AbstractPolicyBasedAuthorizer, with the availability of a doAuthorize() method, then I could maintain my own user policies for allowing access to flowfile content via Provenance.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)