Posted to commits@nifi.apache.org by al...@apache.org on 2016/11/21 20:31:20 UTC

[3/3] nifi git commit: NIFI-3050: Implemented access control logic for restricted components.

NIFI-3050: Implemented access control logic for restricted components.

- Addressing comments from PR.
- Adding restricted tags to relevant components.
- Showing a restricted icon overlay on the processor node on the canvas. (+1 squashed commit)
Squashed commits:
[f487682] NIFI-3050:
- Introducing a Restricted annotation for components that require elevated privileges to use.
- Updating the new Processor, Controller Service, and Reporting Task dialogs to include these details and prevent unauthorized selection.
- Including the Restricted description in the generated component documentation.
- Updating processor access control integration test to verify restricted component creation.
- Updating the developer, user, and admin guide to include the restricted component policy.

This closes #1247.

Signed-off-by: Andy LoPresto <al...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/7f5eabd6
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/7f5eabd6
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/7f5eabd6

Branch: refs/heads/master
Commit: 7f5eabd603bfc326dadc35590bbe69304e8c90fa
Parents: eb5abf8
Author: Matt Gilman <ma...@gmail.com>
Authored: Fri Nov 18 16:51:13 2016 -0500
Committer: Andy LoPresto <al...@apache.org>
Committed: Mon Nov 21 12:07:48 2016 -0800

----------------------------------------------------------------------
 .../nifi/annotation/behavior/Restricted.java    |  51 +++++++++
 .../src/main/asciidoc/administration-guide.adoc |   5 +
 .../src/main/asciidoc/developer-guide.adoc      |  17 +++
 .../src/main/asciidoc/images/restricted.png     | Bin 0 -> 3621 bytes
 nifi-docs/src/main/asciidoc/user-guide.adoc     |  16 ++-
 .../nifi/processors/flume/ExecuteFlumeSink.java |  15 +--
 .../processors/flume/ExecuteFlumeSource.java    |  17 +--
 .../nifi/web/api/dto/ControllerServiceDTO.java  |  25 +++--
 .../nifi/web/api/dto/DocumentedTypeDTO.java     |  18 +++-
 .../apache/nifi/web/api/dto/ProcessorDTO.java   |  18 +++-
 .../nifi/web/api/dto/ReportingTaskDTO.java      |  19 +++-
 .../nifi/web/api/entity/CurrentUserEntity.java  |  13 +++
 .../html/HtmlDocumentationWriter.java           |  41 ++++++--
 .../FullyDocumentedControllerService.java       |  10 +-
 .../example/FullyDocumentedProcessor.java       |  14 +--
 .../example/FullyDocumentedReportingTask.java   |  12 ++-
 .../html/HtmlDocumentationWriterTest.java       |  18 ++--
 .../html/ProcessorDocumentationWriterTest.java  |  14 +--
 .../nifi/authorization/FileAuthorizer.java      |   3 +
 .../nifi/authorization/RoleAccessPolicy.java    |   1 +
 .../nifi/authorization/FileAuthorizerTest.java  |   8 +-
 .../authorization/resource/ResourceFactory.java |  21 ++++
 .../authorization/resource/ResourceType.java    |   1 +
 .../RestrictedComponentsAuthorizable.java       |  33 ++++++
 .../nifi/controller/ConfiguredComponent.java    |  40 +++++++
 .../nifi/controller/StandardProcessorNode.java  |   8 +-
 .../reporting/StandardReportingTaskNode.java    |   6 ++
 .../service/StandardControllerServiceNode.java  |   6 ++
 .../nifi/authorization/AuthorizableLookup.java  |  18 ++--
 .../AuthorizeControllerServiceReference.java    |   2 +-
 .../ConfigurableComponentAuthorizable.java      |  55 ++++++++++
 ...ServiceReferencingComponentAuthorizable.java |  48 ---------
 .../StandardAuthorizableLookup.java             | 104 ++++++++++---------
 .../nifi/web/StandardNiFiServiceFacade.java     |   1 +
 .../StandardNiFiWebConfigurationContext.java    |   8 +-
 .../apache/nifi/web/api/ControllerResource.java |  14 ++-
 .../nifi/web/api/ControllerServiceResource.java |   4 +-
 .../nifi/web/api/ProcessGroupResource.java      |  22 +++-
 .../apache/nifi/web/api/ProcessorResource.java  |   4 +-
 .../nifi/web/api/ReportingTaskResource.java     |   4 +-
 .../org/apache/nifi/web/api/dto/DtoFactory.java |  10 ++
 .../nifi/web/controller/ControllerFacade.java   |   1 +
 .../accesscontrol/AccessControlHelper.java      |   6 ++
 .../accesscontrol/ITProcessorAccessControl.java |  38 +++++++
 .../integration/util/NiFiTestAuthorizer.java    |  14 ++-
 .../integration/util/RestrictedProcessor.java   |  51 +++++++++
 .../src/main/webapp/css/common-ui.css           |   8 +-
 .../nifi-web-ui/src/main/webapp/css/graph.css   |  12 +++
 .../main/webapp/css/new-processor-dialog.css    |   8 ++
 .../src/main/webapp/css/policy-management.css   |   2 +-
 .../main/webapp/js/jquery/modal/jquery.modal.js |  77 +++++++++++---
 .../components/nf-ng-processor-component.js     |  74 +++++++++++--
 .../js/nf/canvas/nf-controller-services.js      |  73 ++++++++++++-
 .../webapp/js/nf/canvas/nf-policy-management.js |   5 +-
 .../main/webapp/js/nf/canvas/nf-processor.js    |  35 +++++++
 .../src/main/webapp/js/nf/canvas/nf-settings.js |  72 ++++++++++++-
 .../src/main/webapp/js/nf/nf-common.js          |  43 ++++++++
 .../nifi/processors/hadoop/DeleteHDFS.java      |  27 ++---
 .../nifi/processors/hadoop/FetchHDFS.java       |   4 +-
 .../apache/nifi/processors/hadoop/GetHDFS.java  |   4 +-
 .../apache/nifi/processors/hadoop/PutHDFS.java  |   4 +-
 .../nifi/processors/script/ExecuteScript.java   |  35 ++++---
 .../script/InvokeScriptedProcessor.java         |  33 +++---
 .../SiteToSiteProvenanceReportingTask.java      |   4 +-
 .../processors/standard/ExecuteProcess.java     |  46 ++++----
 .../standard/ExecuteStreamCommand.java          |  36 ++++---
 .../nifi/processors/standard/FetchFile.java     |  34 +++---
 .../nifi/processors/standard/GetFile.java       |  47 +++++----
 .../nifi/processors/standard/ListFile.java      |  42 ++++----
 .../nifi/processors/standard/PutFile.java       |  40 +++----
 .../nifi/processors/standard/TailFile.java      |  62 +++++------
 71 files changed, 1258 insertions(+), 423 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restricted.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restricted.java b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restricted.java
new file mode 100644
index 0000000..07d729d
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restricted.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.annotation.behavior;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * <p>
+ * Marks the usage of a component as restricted to users with elevated privileges.
+ * </p>
+ * <p>
+ * A {@code Restricted} component is one that can be used to execute arbitrary unsanitized
+ * code provided by the operator through the NiFi REST API/UI or can be used to obtain
+ * or alter data on the NiFi host system using the NiFi OS credentials. These components
+ * could be used by an otherwise authorized NiFi user to go beyond the intended use of
+ * the application, escalate privilege, or could expose data about the internals of the
+ * NiFi process or the host system. All of these capabilities should be considered
+ * privileged, and admins should be aware of these capabilities and explicitly enable
+ * them for a subset of trusted users.
+ * </p>
+ */
+@Documented
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Inherited
+public @interface Restricted {
+    /**
+     * Provides a description of why the component usage is restricted
+     */
+    String value();
+}
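Review bot: The type-level Javadoc on `Restricted` does not say how `@Inherited` interacts with `@Target({ElementType.TYPE})`. Java inherits class annotations from superclasses only, so a component that implements an interface annotated `@Restricted` would not carry the annotation when it is looked up reflectively. Because the annotation drives an access-control decision, I would add a sentence such as `Inherited by subclasses only; annotating an interface does not restrict its implementations.` How the framework performs the lookup is not visible in this hunk. The `value()` Javadoc could also state that the text is shown to end users (the commit message mentions the generated documentation and the new-component dialogs), so authors write it for that audience.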

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 6bf8547..b386088 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -481,6 +481,7 @@ Here is a summary of policies assigned to each legacy role if the NiFi instance
 |view policies                 |*      |     |         |            |      |
 |modify policies               |*      |     |         |            |      |
 |query provenance              |       |     |         |*           |      |
+|access restricted components  |       |*    |         |            |      |
 |view the data                 |       |*    |         |*           |      |*
 |modify the data               |       |*    |         |            |      |*
 |retrieve site-to-site details |       |     |         |            |*     |
@@ -584,6 +585,10 @@ Global access policies govern the following system level authorizations:
 |Allows users to submit a Provenance Search and request Event Lineage
 |Data Provenance
 
+|access restricted components
+|Allows users to create/modify restricted components assuming otherwise sufficient permissions
+|N/A
+
 |access all policies
 |Allows users to view/modify the policies for all components
 |Policies

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-docs/src/main/asciidoc/developer-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/developer-guide.adoc b/nifi-docs/src/main/asciidoc/developer-guide.adoc
index 195b4f1..0f45c84 100644
--- a/nifi-docs/src/main/asciidoc/developer-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/developer-guide.adoc
@@ -565,6 +565,23 @@ for instance, they should not be
 relied upon for critical business logic.
 
 
+[[restricted]]
+=== Restricted
+
+A Restricted component is one that can be used to execute arbitrary unsanitized code provided by the operator
+through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS
+credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of
+the application, escalate privilege, or could expose data about the internals of the NiFi process or the host
+system. All of these capabilities should be considered privileged, and admins should be aware of these
+capabilities and explicitly enable them for a subset of trusted users.
+
+A Processor, Controller Service, or Reporting Task can be marked with the @Restricted annotation. This
+will result in the component being treated as restricted and will require a user to be explicitly added to the
+list of users who can access restricted components. Once a user is permitted to access restricted components,
+they will be allowed to create and modify those components assuming all other permissions are permitted.
+Without access to restricted components, a user will be still be aware these types of components exist but will
+be unable to create or modify them even with otherwise sufficient permissions.
+
 [[state_manager]]
 === State Manager
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-docs/src/main/asciidoc/images/restricted.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/restricted.png b/nifi-docs/src/main/asciidoc/images/restricted.png
new file mode 100644
index 0000000..fe6d716
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/restricted.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-docs/src/main/asciidoc/user-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/user-guide.adoc b/nifi-docs/src/main/asciidoc/user-guide.adoc
index 34a03e0..b64454c 100644
--- a/nifi-docs/src/main/asciidoc/user-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/user-guide.adoc
@@ -40,15 +40,13 @@ Browser Support
 |Browser  |Version
 |Chrome   |Current and Current - 1
 |FireFox  |Current and Current - 1
-|Edge     |Current
+|Edge     |Current and Current - 1
 |Safari   |Current and Current - 1
 |======================
 
 Current and Current - 1 indicates that the UI is supported in the current stable release of that browser and the preceding one. For instance, if
 the current stable release is 45.X then the officially supported versions will be 45.X and 44.X.
 
-Current indicates that the UI is supported in the current stable release of that browser.
-
 The supported browser versions are driven by the capabilities the UI employs and the dependencies it uses. UI features will be developed and tested
 against the supported browsers. Any problem using a supported browser should be reported to Apache NiFi.
 
@@ -195,6 +193,7 @@ The available global access policies are:
 |view the UI   |Allows users to view the UI
 |access the controller  |Allows users to view and modify the controller including reporting tasks, Controller Services, and nodes in the cluster
 |query provenance     |Allows users to submit a provenance search and request even lineage
+|access restricted components     |Allows users to create/modify restricted components assuming otherwise sufficient permissions
 |access all policies   |Allows users to view and modify the policies for all components
 |access users/groups   |Allows users view and modify the users and user groups
 |retrieve site-to-site details | Allows other NiFi instances to retrieve Site-To-Site details
@@ -270,6 +269,17 @@ Processors that allow us to ingest data via HTTP, we can select both the `http`
 
 image::add-processor-with-tag-cloud.png["Add Processor with Tag Cloud"]
 
+Restricted components will be marked with a
+image:restricted.png["Restricted"]
+icon next to their name. These are components that can be used to execute arbitrary unsanitized code provided by the operator
+through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials.
+These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate
+privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should
+be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users.
+
+Before a user is allowed to create and modify restricted components they must be granted access to restricted components. Refer to
+<<UI-with-multi-tenant-authorization,multi-tenant>> documentation.
+
 Clicking the `Add` button or double-clicking on a Processor Type will add the selected Processor to the canvas at the
 location that it was dropped.
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSink.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSink.java b/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSink.java
index e40608d..ec99acb 100644
--- a/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSink.java
+++ b/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSink.java
@@ -16,14 +16,15 @@
  */
 package org.apache.nifi.processors.flume;
 
-import java.util.List;
-import java.util.Set;
-
+import com.google.common.base.Throwables;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import org.apache.flume.EventDeliveryException;
 import org.apache.flume.Sink;
 import org.apache.flume.conf.Configurables;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.behavior.TriggerSerially;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
@@ -38,17 +39,17 @@ import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 
-import com.google.common.base.Throwables;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
+import java.util.List;
+import java.util.Set;
 
 /**
  * This processor runs a Flume sink
  */
 @TriggerSerially
-@Tags({"flume", "hadoop", "put", "sink"})
+@Tags({"flume", "hadoop", "put", "sink", "restricted"})
 @InputRequirement(Requirement.INPUT_REQUIRED)
 @CapabilityDescription("Execute a Flume sink. Each input FlowFile is converted into a Flume Event for processing by the sink.")
+@Restricted("Provides operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has.")
 public class ExecuteFlumeSink extends AbstractFlumeProcessor {
 
     public static final PropertyDescriptor SINK_TYPE = new PropertyDescriptor.Builder()
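Review bot: The `"restricted"` entry added to `@Tags` repeats by hand what `@Restricted` on the same class already declares, so the two can drift apart. A component could end up tagged but not annotated, or the reverse, and the tag filter would then disagree with what is enforced. If the tag exists only so users can filter on it, consider having the framework append it wherever `@Restricted` is present; otherwise a comment such as `// "restricted" tag is informational only; access control is driven by @Restricted` would stop it being read as the enforcement point. The same pairing is added in the last hunk of ExecuteFlumeSource.java. The class body continues outside this hunk.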

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSource.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSource.java b/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSource.java
index 3ef72ff..63ed190 100644
--- a/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSource.java
+++ b/nifi-nar-bundles/nifi-flume-bundle/nifi-flume-processors/src/main/java/org/apache/nifi/processors/flume/ExecuteFlumeSource.java
@@ -16,10 +16,9 @@
  */
 package org.apache.nifi.processors.flume;
 
-import java.util.List;
-import java.util.Set;
-import java.util.concurrent.atomic.AtomicReference;
-
+import com.google.common.base.Throwables;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import org.apache.flume.EventDeliveryException;
 import org.apache.flume.EventDrivenSource;
 import org.apache.flume.PollableSource;
@@ -29,6 +28,7 @@ import org.apache.flume.conf.Configurables;
 import org.apache.flume.source.EventDrivenSourceRunner;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.behavior.TriggerSerially;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
@@ -44,17 +44,18 @@ import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 
-import com.google.common.base.Throwables;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * This processor runs a Flume source
  */
 @TriggerSerially
-@Tags({"flume", "hadoop", "get", "source"})
+@Tags({"flume", "hadoop", "get", "source", "restricted"})
 @InputRequirement(Requirement.INPUT_FORBIDDEN)
 @CapabilityDescription("Execute a Flume source. Each Flume Event is sent to the success relationship as a FlowFile")
+@Restricted("Provides operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has.")
 public class ExecuteFlumeSource extends AbstractFlumeProcessor {
 
     public static final PropertyDescriptor SOURCE_TYPE = new PropertyDescriptor.Builder()

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ControllerServiceDTO.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ControllerServiceDTO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ControllerServiceDTO.java
index 9f2f74a..778128f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ControllerServiceDTO.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ControllerServiceDTO.java
@@ -16,16 +16,14 @@
  */
 package org.apache.nifi.web.api.dto;
 
+import com.wordnik.swagger.annotations.ApiModelProperty;
+import org.apache.nifi.web.api.entity.ControllerServiceReferencingComponentEntity;
+
+import javax.xml.bind.annotation.XmlType;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Set;
 
-import javax.xml.bind.annotation.XmlType;
-
-import org.apache.nifi.web.api.entity.ControllerServiceReferencingComponentEntity;
-
-import com.wordnik.swagger.annotations.ApiModelProperty;
-
 /**
  * A Controller Service that can be shared by other components
  */
@@ -37,6 +35,7 @@ public class ControllerServiceDTO extends ComponentDTO {
     private String comments;
     private String state;
     private Boolean persistsState;
+    private Boolean restricted;
 
     private Map<String, String> properties;
     private Map<String, PropertyDescriptorDTO> descriptors;
@@ -105,6 +104,20 @@ public class ControllerServiceDTO extends ComponentDTO {
     }
 
     /**
+     * @return whether this controller service requires elevated privileges
+     */
+    @ApiModelProperty(
+            value = "Whether the controller service requires elevated privileges."
+    )
+    public Boolean getRestricted() {
+        return restricted;
+    }
+
+    public void setRestricted(Boolean restricted) {
+        this.restricted = restricted;
+    }
+
+    /**
      * @return The state of this controller service. Possible values are ENABLED, ENABLING, DISABLED, DISABLING
      */
     @ApiModelProperty(
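Review bot: `setRestricted` makes `restricted` a writable property on a DTO that is presumably also the type clients submit on create and update, and nothing in the Javadoc or the `@ApiModelProperty` text marks it as output-only. The flag should be derived on the server from the component class's `@Restricted` annotation and never honoured from a request body; whether the resource and DAO layers already ignore it is not visible in this hunk. I would document that on the getter, e.g. `@return whether this controller service requires elevated privileges; set by the server and ignored when supplied in a request`. The same getter/setter pair is added to ProcessorDTO and ReportingTaskDTO, and the same comment applies there. The class body continues outside the hunk.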

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/DocumentedTypeDTO.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/DocumentedTypeDTO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/DocumentedTypeDTO.java
index 67b26ca..dc0ea78 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/DocumentedTypeDTO.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/DocumentedTypeDTO.java
@@ -17,8 +17,9 @@
 package org.apache.nifi.web.api.dto;
 
 import com.wordnik.swagger.annotations.ApiModelProperty;
-import java.util.Set;
+
 import javax.xml.bind.annotation.XmlType;
+import java.util.Set;
 
 /**
  * Class used for providing documentation of a specified type.
@@ -28,6 +29,7 @@ public class DocumentedTypeDTO {
 
     private String type;
     private String description;
+    private String usageRestriction;
     private Set<String> tags;
 
     /**
@@ -45,6 +47,20 @@ public class DocumentedTypeDTO {
     }
 
     /**
+     * @return An optional description of why the usage of this component is restricted
+     */
+    @ApiModelProperty(
+            value = "The description of why the usage of this component is restricted."
+    )
+    public String getUsageRestriction() {
+        return usageRestriction;
+    }
+
+    public void setUsageRestriction(String usageRestriction) {
+        this.usageRestriction = usageRestriction;
+    }
+
+    /**
      * @return The type is the fully-qualified name of a Java class
      */
     @ApiModelProperty(
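Review bot: The Javadoc calls `usageRestriction` optional, but neither it nor the `@ApiModelProperty` text says what an unrestricted type returns. No separate `restricted` flag is added to `DocumentedTypeDTO` in the hunks shown, so clients presumably treat a non-null value as the marker. Stating that explicitly avoids a blank string being read either way, e.g. `@return the reason this component is restricted, or null if the component is not restricted`. The text appears to originate from the component's `@Restricted` value, which is supplied by whoever authored the bundle, so UI code that shows it should insert it as text rather than markup. The class body continues outside the hunk.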

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ProcessorDTO.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ProcessorDTO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ProcessorDTO.java
index 38053ce..ee641c9 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ProcessorDTO.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ProcessorDTO.java
@@ -17,10 +17,11 @@
 package org.apache.nifi.web.api.dto;
 
 import com.wordnik.swagger.annotations.ApiModelProperty;
+
+import javax.xml.bind.annotation.XmlType;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
-import javax.xml.bind.annotation.XmlType;
 
 /**
  * Details for a processor within this NiFi.
@@ -38,6 +39,7 @@ public class ProcessorDTO extends ComponentDTO {
     private Boolean supportsEventDriven;
     private Boolean supportsBatching;
     private Boolean persistsState;
+    private Boolean restricted;
     private String inputRequirement;
 
     private ProcessorConfigDTO config;
@@ -138,6 +140,20 @@ public class ProcessorDTO extends ComponentDTO {
     }
 
     /**
+     * @return whether this processor requires elevated privileges
+     */
+    @ApiModelProperty(
+            value = "Whether the processor requires elevated privileges."
+    )
+    public Boolean getRestricted() {
+        return restricted;
+    }
+
+    public void setRestricted(Boolean restricted) {
+        this.restricted = restricted;
+    }
+
+    /**
      * @return the input requirement of this processor
      */
     @ApiModelProperty(

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ReportingTaskDTO.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ReportingTaskDTO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ReportingTaskDTO.java
index e5afe6e..203fd0e 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ReportingTaskDTO.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/dto/ReportingTaskDTO.java
@@ -17,10 +17,10 @@
 package org.apache.nifi.web.api.dto;
 
 import com.wordnik.swagger.annotations.ApiModelProperty;
-import java.util.Collection;
-import java.util.Map;
 
 import javax.xml.bind.annotation.XmlType;
+import java.util.Collection;
+import java.util.Map;
 
 /**
  * Component that is capable of reporting internal NiFi state to an external service
@@ -33,6 +33,7 @@ public class ReportingTaskDTO extends ComponentDTO {
     private String state;
     private String comments;
     private Boolean persistsState;
+    private Boolean restricted;
 
     private String schedulingPeriod;
     private String schedulingStrategy;
@@ -120,6 +121,20 @@ public class ReportingTaskDTO extends ComponentDTO {
     }
 
     /**
+     * @return whether this reporting task requires elevated privileges
+     */
+    @ApiModelProperty(
+            value = "Whether the reporting task requires elevated privileges."
+    )
+    public Boolean getRestricted() {
+        return restricted;
+    }
+
+    public void setRestricted(Boolean restricted) {
+        this.restricted = restricted;
+    }
+
+    /**
      * @return current scheduling state of the reporting task
      */
     @ApiModelProperty(

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/entity/CurrentUserEntity.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/entity/CurrentUserEntity.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/entity/CurrentUserEntity.java
index 76a692e..d24ce67 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/entity/CurrentUserEntity.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-client-dto/src/main/java/org/apache/nifi/web/api/entity/CurrentUserEntity.java
@@ -36,6 +36,7 @@ public class CurrentUserEntity extends Entity {
     private PermissionsDTO controllerPermissions;
     private PermissionsDTO policiesPermissions;
     private PermissionsDTO systemPermissions;
+    private PermissionsDTO restrictedComponentsPermissions;
 
     /**
      * @return the user identity being serialized
@@ -132,4 +133,16 @@ public class CurrentUserEntity extends Entity {
     public void setSystemPermissions(PermissionsDTO systemPermissions) {
         this.systemPermissions = systemPermissions;
     }
+
+    /**
+     * @return permissions for accessing the restricted components
+     */
+    @ApiModelProperty("Permissions for accessing restricted components. Note: the read permission are not used and will always be false.")
+    public PermissionsDTO getRestrictedComponentsPermissions() {
+        return restrictedComponentsPermissions;
+    }
+
+    public void setRestrictedComponentsPermissions(PermissionsDTO restrictedComponentsPermissions) {
+        this.restrictedComponentsPermissions = restrictedComponentsPermissions;
+    }
 }
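Review bot: The `@ApiModelProperty` text on `getRestrictedComponentsPermissions` says which permission is unused but not which one matters. I would reword it to `"Permissions for accessing restricted components. Note: the read permission is not used and will always be false; the write permission indicates whether the user may create or modify restricted components."`, which also fixes "permission are". A Javadoc line should add that this value is only a hint for the UI and that the server must still authorize every create and modify request, since a client can ignore what this entity reports. Whether that server-side check exists is decided in files outside this hunk.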

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/main/java/org/apache/nifi/documentation/html/HtmlDocumentationWriter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/main/java/org/apache/nifi/documentation/html/HtmlDocumentationWriter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/main/java/org/apache/nifi/documentation/html/HtmlDocumentationWriter.java
index 236ff83..9a60c27 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/main/java/org/apache/nifi/documentation/html/HtmlDocumentationWriter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/main/java/org/apache/nifi/documentation/html/HtmlDocumentationWriter.java
@@ -16,19 +16,9 @@
  */
 package org.apache.nifi.documentation.html;
 
-import java.io.IOException;
-import java.io.OutputStream;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import javax.xml.stream.FactoryConfigurationError;
-import javax.xml.stream.XMLOutputFactory;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
-
 import org.apache.nifi.annotation.behavior.DynamicProperties;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.behavior.Stateful;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.SeeAlso;
@@ -40,6 +30,16 @@ import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.documentation.DocumentationWriter;
 import org.apache.nifi.nar.ExtensionManager;
 
+import javax.xml.stream.FactoryConfigurationError;
+import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
 /**
  * Generates HTML documentation for a ConfigurableComponent. This class is used
  * to generate documentation for ControllerService and ReportingTask because
@@ -129,6 +129,7 @@ public class HtmlDocumentationWriter implements DocumentationWriter {
         writeDynamicProperties(configurableComponent, xmlStreamWriter);
         writeAdditionalBodyInfo(configurableComponent, xmlStreamWriter);
         writeStatefulInfo(configurableComponent, xmlStreamWriter);
+        writeRestrictedInfo(configurableComponent, xmlStreamWriter);
         writeSeeAlso(configurableComponent, xmlStreamWriter);
         xmlStreamWriter.writeEndElement();
     }
@@ -166,6 +167,24 @@ public class HtmlDocumentationWriter implements DocumentationWriter {
     }
 
     /**
+     * Write the description of the Restricted annotation if provided in this component.
+     *
+     * @param configurableComponent the component to describe
+     * @param xmlStreamWriter the stream writer to use
+     * @throws XMLStreamException thrown if there was a problem writing the XML
+     */
+    private void writeRestrictedInfo(ConfigurableComponent configurableComponent, XMLStreamWriter xmlStreamWriter)
+            throws XMLStreamException {
+        final Restricted restricted = configurableComponent.getClass().getAnnotation(Restricted.class);
+
+        writeSimpleElement(xmlStreamWriter, "h3", "Restricted: ");
+
+        if(restricted != null) {
+            writeSimpleElement(xmlStreamWriter, "td", restricted.value());
+        }
+    }
+
+    /**
      * Writes the list of components that may be linked from this component.
      *
      * @param configurableComponent the component to describe
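Review bot: `writeRestrictedInfo` emits the `Restricted: ` heading unconditionally, so the page for an unrestricted component ends with an empty "Restricted:" section, which does not tell the reader whether elevated privileges are needed. The description is also written as a bare `td` with no enclosing table or row visible in this method. Moving the heading inside the null check and using a paragraph fixes both: `if (restricted != null) { writeSimpleElement(xmlStreamWriter, "h3", "Restricted: "); writeSimpleElement(xmlStreamWriter, "p", restricted.value()); }`. The tests added in this commit only assert that the description string is present, so they would not catch the empty section.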

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedControllerService.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedControllerService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedControllerService.java
index 195a75b..62e12a8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedControllerService.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedControllerService.java
@@ -16,10 +16,7 @@
  */
 package org.apache.nifi.documentation.example;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnRemoved;
@@ -29,8 +26,13 @@ import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.util.StandardValidators;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
 @CapabilityDescription("A documented controller service that can help you do things")
 @Tags({ "one", "two", "three" })
+@Restricted("controller service restriction description")
 public class FullyDocumentedControllerService extends AbstractControllerService implements SampleService {
 
     public static final PropertyDescriptor KEYSTORE = new PropertyDescriptor.Builder().name("Keystore Filename").description("The fully-qualified filename of the Keystore").defaultValue(null)

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedProcessor.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedProcessor.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedProcessor.java
index af668ba..bc1be1f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedProcessor.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedProcessor.java
@@ -16,15 +16,10 @@
  */
 package org.apache.nifi.documentation.example;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.DynamicRelationship;
 import org.apache.nifi.annotation.behavior.ReadsAttribute;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.behavior.Stateful;
 import org.apache.nifi.annotation.behavior.WritesAttribute;
 import org.apache.nifi.annotation.behavior.WritesAttributes;
@@ -44,6 +39,12 @@ import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
 @Tags({"one", "two", "three"})
 @CapabilityDescription("This is a processor that is used to test documentation.")
 @WritesAttributes({
@@ -54,6 +55,7 @@ import org.apache.nifi.processor.util.StandardValidators;
 @DynamicProperty(name = "Relationship Name", supportsExpressionLanguage = true, value = "some XPath", description = "Routes FlowFiles to relationships based on XPath")
 @DynamicRelationship(name = "name from dynamic property", description = "all files that match the properties XPath")
 @Stateful(scopes = {Scope.CLUSTER, Scope.LOCAL}, description = "state management description")
+@Restricted("processor restriction description")
 public class FullyDocumentedProcessor extends AbstractProcessor {
 
     public static final PropertyDescriptor DIRECTORY = new PropertyDescriptor.Builder().name("Input Directory")

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedReportingTask.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedReportingTask.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedReportingTask.java
index 28a6dc6..64118bf 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedReportingTask.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/example/FullyDocumentedReportingTask.java
@@ -16,20 +16,22 @@
  */
 package org.apache.nifi.documentation.example;
 
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.nifi.components.PropertyDescriptor;
-import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnRemoved;
 import org.apache.nifi.annotation.lifecycle.OnShutdown;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.reporting.AbstractReportingTask;
 import org.apache.nifi.reporting.ReportingContext;
 
+import java.util.ArrayList;
+import java.util.List;
+
 @CapabilityDescription("A helper reporting task to do...")
 @Tags({"first", "second", "third"})
+@Restricted("reporting task restriction description")
 public class FullyDocumentedReportingTask extends AbstractReportingTask {
 
     public static final PropertyDescriptor SHOW_DELTAS = new PropertyDescriptor.Builder()

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/HtmlDocumentationWriterTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/HtmlDocumentationWriterTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/HtmlDocumentationWriterTest.java
index 2bd9def..0402a9f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/HtmlDocumentationWriterTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/HtmlDocumentationWriterTest.java
@@ -16,12 +16,6 @@
  */
 package org.apache.nifi.documentation.html;
 
-import static org.apache.nifi.documentation.html.XmlValidator.assertContains;
-import static org.junit.Assert.assertEquals;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.documentation.DocumentationWriter;
 import org.apache.nifi.documentation.example.ControllerServiceWithLogger;
@@ -37,6 +31,12 @@ import org.apache.nifi.reporting.ReportingTask;
 import org.junit.Assert;
 import org.junit.Test;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import static org.apache.nifi.documentation.html.XmlValidator.assertContains;
+import static org.junit.Assert.assertEquals;
+
 public class HtmlDocumentationWriterTest {
 
     @Test
@@ -77,6 +77,9 @@ public class HtmlDocumentationWriterTest {
         assertContains(results, "PKCS12");
         assertContains(results, "Sensitive Property: true");
 
+        // restricted
+        assertContains(results, "controller service restriction description");
+
         // verify the right OnRemoved and OnShutdown methods were called
         Assert.assertEquals(0, controllerService.getOnRemovedArgs());
         Assert.assertEquals(0, controllerService.getOnRemovedNoArgs());
@@ -114,6 +117,9 @@ public class HtmlDocumentationWriterTest {
         assertContains(results, "true");
         assertContains(results, "false");
 
+        // restricted
+        assertContains(results, "reporting task restriction description");
+
         // verify the right OnRemoved and OnShutdown methods were called
         Assert.assertEquals(0, reportingTask.getOnRemovedArgs());
         Assert.assertEquals(0, reportingTask.getOnRemovedNoArgs());

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/ProcessorDocumentationWriterTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/ProcessorDocumentationWriterTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/ProcessorDocumentationWriterTest.java
index 7c6173a..61045b0 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/ProcessorDocumentationWriterTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-documentation/src/test/java/org/apache/nifi/documentation/html/ProcessorDocumentationWriterTest.java
@@ -16,12 +16,6 @@
  */
 package org.apache.nifi.documentation.html;
 
-import static org.apache.nifi.documentation.html.XmlValidator.assertContains;
-import static org.apache.nifi.documentation.html.XmlValidator.assertNotContains;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.documentation.DocumentationWriter;
 import org.apache.nifi.documentation.example.FullyDocumentedProcessor;
@@ -31,6 +25,12 @@ import org.apache.nifi.documentation.init.ProcessorInitializer;
 import org.junit.Assert;
 import org.junit.Test;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import static org.apache.nifi.documentation.html.XmlValidator.assertContains;
+import static org.apache.nifi.documentation.html.XmlValidator.assertNotContains;
+
 public class ProcessorDocumentationWriterTest {
 
     @Test
@@ -69,6 +69,8 @@ public class ProcessorDocumentationWriterTest {
         assertContains(results, "CLUSTER, LOCAL");
         assertContains(results, "state management description");
 
+        assertContains(results, "processor restriction description");
+
         assertNotContains(results, "iconSecure.png");
         assertContains(results, FullyDocumentedProcessor.class.getAnnotation(CapabilityDescription.class)
                 .value());

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
index 69733a8..7f89ddd 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
@@ -333,6 +333,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
             addAccessPolicy(authorizations, ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, adminUser.getIdentifier(), WRITE_CODE);
         }
 
+        // grant the user write to restricted components
+        addAccessPolicy(authorizations, ResourceType.RestrictedComponents.getValue(), adminUser.getIdentifier(), WRITE_CODE);
+
         // grant the user read/write access to the /tenants resource
         addAccessPolicy(authorizations, ResourceType.Tenant.getValue(), adminUser.getIdentifier(), READ_CODE);
         addAccessPolicy(authorizations, ResourceType.Tenant.getValue(), adminUser.getIdentifier(), WRITE_CODE);

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
index 867423e..16e9c9c 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
@@ -72,6 +72,7 @@ public final class RoleAccessPolicy {
         dfmPolicies.add(new RoleAccessPolicy(ResourceType.Controller.getValue(), READ_ACTION));
         dfmPolicies.add(new RoleAccessPolicy(ResourceType.Controller.getValue(), WRITE_ACTION));
         dfmPolicies.add(new RoleAccessPolicy(ResourceType.System.getValue(), READ_ACTION));
+        dfmPolicies.add(new RoleAccessPolicy(ResourceType.RestrictedComponents.getValue(), WRITE_ACTION));
         if (rootGroupId != null) {
             dfmPolicies.add(new RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
             dfmPolicies.add(new RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
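Review bot: The added `dfmPolicies` entry grants WRITE on `ResourceType.RestrictedComponents` to every user converted from the legacy DFM role, with no comment saying why. After a migration, the new restriction therefore applies to none of those users until an administrator revokes the policy. If this is deliberate, presumably to preserve what DFMs could already do, record it on the line, e.g. `// legacy DFMs could add any component; keep that for restricted components so converted flows stay editable`. It should also be called out in the admin guide's migration notes. The enclosing static initializer starts and ends outside this hunk.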

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
index 7e77e05..c335e19 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
@@ -312,7 +312,7 @@ public class FileAuthorizerTest {
 
         // verify user3's policies
         final Map<String,Set<RequestAction>> user3Policies = getResourceActions(policies, user3);
-        assertEquals(5, user3Policies.size());
+        assertEquals(6, user3Policies.size());
 
         assertTrue(user3Policies.containsKey(ResourceType.Flow.getValue()));
         assertEquals(1, user3Policies.get(ResourceType.Flow.getValue()).size());
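Review bot: The four hunks in this file only bump the expected policy counts (5 to 6, 11 to 12, and 7 to 8 twice). No assertion is added that the extra policy is the restricted-components WRITE grant. A count alone would still pass if a different policy were seeded by mistake, and this grant is a privilege worth pinning explicitly. Next to the existing `containsKey` checks, add `assertTrue(user3Policies.containsKey(ResourceType.RestrictedComponents.getValue()));` plus a check that its action set contains only `RequestAction.WRITE`, and do the equivalent in the initial-admin tests. The test methods themselves extend beyond the hunks shown.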
@@ -502,7 +502,7 @@ public class FileAuthorizerTest {
         assertEquals(adminIdentity, adminUser.getIdentity());
 
         final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(11, policies.size());
+        assertEquals(12, policies.size());
 
         final String rootGroupResource = ResourceType.ProcessGroup.getValue() + "/" + ROOT_GROUP_ID;
 
@@ -540,7 +540,7 @@ public class FileAuthorizerTest {
         assertEquals(adminIdentity, adminUser.getIdentity());
 
         final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(7, policies.size());
+        assertEquals(8, policies.size());
 
         final String rootGroupResource = ResourceType.ProcessGroup.getValue() + "/" + ROOT_GROUP_ID;
 
@@ -578,7 +578,7 @@ public class FileAuthorizerTest {
         assertEquals(adminIdentity, adminUser.getIdentity());
 
         final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(7, policies.size());
+        assertEquals(8, policies.size());
 
         final String rootGroupResource = ResourceType.ProcessGroup.getValue() + "/" + ROOT_GROUP_ID;
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
index 25f5ec3..83c5bb9 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
@@ -142,6 +142,18 @@ public final class ResourceFactory {
         }
     };
 
+    private final static Resource RESTRICTED_COMPONENTS_RESOURCE = new Resource() {
+        @Override
+        public String getIdentifier() {
+            return ResourceType.RestrictedComponents.getValue();
+        }
+
+        @Override
+        public String getName() {
+            return "Restricted Components";
+        }
+    };
+
     private final static Resource TENANT_RESOURCE = new Resource() {
         @Override
         public String getIdentifier() {
@@ -242,6 +254,15 @@ public final class ResourceFactory {
     }
 
     /**
+     * Gets the Resource for accessing restricted components.
+     *
+     * @return The restricted components resource
+     */
+    public static Resource getRestrictedComponentsResource() {
+        return RESTRICTED_COMPONENTS_RESOURCE;
+    }
+
+    /**
      * Gets the Resource for accessing Tenants which includes creating, modifying, and deleting Users and UserGroups.
      *
      * @return The Resource for accessing Tenants

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
index 37fe018..5973f6b 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
@@ -37,6 +37,7 @@ public enum ResourceType {
     SiteToSite("/site-to-site"),
     DataTransfer("/data-transfer"),
     System("/system"),
+    RestrictedComponents("/restricted-components"),
     Template("/templates"),
     Tenant("/tenants");
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/RestrictedComponentsAuthorizable.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/RestrictedComponentsAuthorizable.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/RestrictedComponentsAuthorizable.java
new file mode 100644
index 0000000..92a905b
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/RestrictedComponentsAuthorizable.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authorization.resource;
+
+import org.apache.nifi.authorization.Resource;
+
+public class RestrictedComponentsAuthorizable implements Authorizable {
+
+    @Override
+    public Authorizable getParentAuthorizable() {
+        return null;
+    }
+
+    @Override
+    public Resource getResource() {
+        return ResourceFactory.getRestrictedComponentsResource();
+    }
+
+}
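Review bot: `RestrictedComponentsAuthorizable` is a new public class with no Javadoc, and `getParentAuthorizable()` returns `null` without explanation. Add a class comment stating that it represents the global policy for using restricted components and that only the write action is checked against it. On the `return null;` line, add `// no parent: this policy is never inherited and must be granted explicitly`. The class is stateless, and `ConfiguredComponent` creates a fresh instance on every authorization check, so a shared constant would also work.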

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/ConfiguredComponent.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/ConfiguredComponent.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/ConfiguredComponent.java
index 7ec3a14..a0a6060 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/ConfiguredComponent.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/ConfiguredComponent.java
@@ -16,7 +16,14 @@
  */
 package org.apache.nifi.controller;
 
+import org.apache.nifi.authorization.AccessDeniedException;
+import org.apache.nifi.authorization.AuthorizationResult;
+import org.apache.nifi.authorization.AuthorizationResult.Result;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.RequestAction;
 import org.apache.nifi.authorization.resource.ComponentAuthorizable;
+import org.apache.nifi.authorization.resource.RestrictedComponentsAuthorizable;
+import org.apache.nifi.authorization.user.NiFiUser;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.ValidationResult;
 
@@ -58,4 +65,37 @@ public interface ConfiguredComponent extends ComponentAuthorizable {
      */
     String getCanonicalClassName();
 
+    /**
+     * @return whether or not the underlying implementation is restricted
+     */
+    boolean isRestricted();
+
+    @Override
+    default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
+        // if this is a modification request and the reporting task is restricted ensure the user has elevated privileges. if this
+        // is not a modification request, we just want to use the normal rules
+        if (RequestAction.WRITE.equals(action) && isRestricted()) {
+            final RestrictedComponentsAuthorizable restrictedComponentsAuthorizable = new RestrictedComponentsAuthorizable();
+            final AuthorizationResult result = restrictedComponentsAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, resourceContext);
+            if (Result.Denied.equals(result.getResult())) {
+                return result;
+            }
+        }
+
+        // defer to the base authorization check
+        return ComponentAuthorizable.super.checkAuthorization(authorizer, action, user, resourceContext);
+    }
+
+    @Override
+    default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
+        // if this is a modification request and the reporting task is restricted ensure the user has elevated privileges. if this
+        // is not a modification request, we just want to use the normal rules
+        if (RequestAction.WRITE.equals(action) && isRestricted()) {
+            final RestrictedComponentsAuthorizable restrictedComponentsAuthorizable = new RestrictedComponentsAuthorizable();
+            restrictedComponentsAuthorizable.authorize(authorizer, RequestAction.WRITE, user, resourceContext);
+        }
+
+        // defer to the base authorization check
+        ComponentAuthorizable.super.authorize(authorizer, action, user, resourceContext);
+    }
 }
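Review bot: In `checkAuthorization`, the restricted-components result short-circuits only when it equals `Result.Denied`, so any other non-approved outcome falls through to the ordinary component check. Whether a missing policy comes back as `Denied` depends on the base `Authorizable` implementation, which is not visible in this diff. Failing closed is safer and does not rely on that behaviour: `if (!Result.Approved.equals(result.getResult())) { return result; }`. Both default methods also carry the comment "the reporting task is restricted", but this interface covers every configured component, so it should read `// if this is a modification request and the component is restricted ...`. The gate logic is duplicated between `checkAuthorization` and `authorize`; a small private helper would keep the two from drifting apart.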

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/StandardProcessorNode.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/StandardProcessorNode.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/StandardProcessorNode.java
index bfa2129..f94cc8b 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/StandardProcessorNode.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/StandardProcessorNode.java
@@ -21,6 +21,7 @@ import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.apache.nifi.annotation.behavior.EventDriven;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.behavior.SideEffectFree;
 import org.apache.nifi.annotation.behavior.SupportsBatching;
 import org.apache.nifi.annotation.behavior.TriggerSerially;
@@ -56,8 +57,8 @@ import org.apache.nifi.processor.Processor;
 import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.SimpleProcessLogger;
 import org.apache.nifi.registry.VariableRegistry;
-import org.apache.nifi.scheduling.SchedulingStrategy;
 import org.apache.nifi.scheduling.ExecutionNode;
+import org.apache.nifi.scheduling.SchedulingStrategy;
 import org.apache.nifi.util.FormatUtils;
 import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.util.ReflectionUtils;
@@ -236,6 +237,11 @@ public class StandardProcessorNode extends ProcessorNode implements Connectable
         return ResourceFactory.getComponentResource(ResourceType.Processor, getIdentifier(), getName());
     }
 
+    @Override
+    public boolean isRestricted() {
+        return getProcessor().getClass().isAnnotationPresent(Restricted.class);
+    }
+
     /**
      * Provides and opportunity to retain information about this particular
      * processor instance
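Review bot: `isRestricted()` answers an access-control question with `getProcessor().getClass().isAnnotationPresent(Restricted.class)`, which sees the annotation on a subclass only if `Restricted` is declared `@Inherited`. The annotation's definition is not in this part of the diff, so this needs confirming. If it is not inherited, a processor that extends a restricted one would report `false` and the restriction would fail open. The same one-line pattern is added to `StandardReportingTaskNode` and `StandardControllerServiceNode` in the sections below. I would add a comment above the return such as `// relies on @Restricted being @Inherited so subclasses of a restricted component stay restricted`, and cover it with a test that uses an unannotated subclass.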

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/reporting/StandardReportingTaskNode.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/reporting/StandardReportingTaskNode.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/reporting/StandardReportingTaskNode.java
index bb58577..adb2240 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/reporting/StandardReportingTaskNode.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/reporting/StandardReportingTaskNode.java
@@ -16,6 +16,7 @@
  */
 package org.apache.nifi.controller.reporting;
 
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.authorization.Resource;
 import org.apache.nifi.authorization.resource.Authorizable;
 import org.apache.nifi.authorization.resource.ResourceFactory;
@@ -58,6 +59,11 @@ public class StandardReportingTaskNode extends AbstractReportingTaskNode impleme
     }
 
     @Override
+    public boolean isRestricted() {
+        return getReportingTask().getClass().isAnnotationPresent(Restricted.class);
+    }
+
+    @Override
     public ReportingContext getReportingContext() {
         return new StandardReportingContext(flowController, flowController.getBulletinRepository(), getProperties(), flowController, getReportingTask(), getVariableRegistry());
     }

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/service/StandardControllerServiceNode.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/service/StandardControllerServiceNode.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/service/StandardControllerServiceNode.java
index c61325a..d4a16b3 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/service/StandardControllerServiceNode.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/service/StandardControllerServiceNode.java
@@ -17,6 +17,7 @@
 package org.apache.nifi.controller.service;
 
 import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.annotation.behavior.Restricted;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.authorization.Resource;
@@ -121,6 +122,11 @@ public class StandardControllerServiceNode extends AbstractConfiguredComponent i
     }
 
     @Override
+    public boolean isRestricted() {
+        return getControllerServiceImplementation().getClass().isAnnotationPresent(Restricted.class);
+    }
+
+    @Override
     public ControllerService getProxiedControllerService() {
         return proxedControllerService;
     }

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java
index 6f3c01b..1d1a828 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java
@@ -34,7 +34,7 @@ public interface AuthorizableLookup {
      * @param id processor id
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getProcessor(String id);
+    ConfigurableComponentAuthorizable getProcessor(String id);
 
     /**
      * Get the authorizable for this Processor. This will create a dummy instance of the
@@ -44,7 +44,7 @@ public interface AuthorizableLookup {
      * @param type processor type
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getProcessorByType(String type);
+    ConfigurableComponentAuthorizable getProcessorByType(String type);
 
     /**
      * Get the authorizable for querying Provenance.
@@ -156,7 +156,7 @@ public interface AuthorizableLookup {
      * @param id controller service id
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getControllerService(String id);
+    ConfigurableComponentAuthorizable getControllerService(String id);
 
     /**
      * Get the authorizable for this Controller Service. This will create a dummy instance of the
@@ -166,7 +166,7 @@ public interface AuthorizableLookup {
      * @param type processor type
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getControllerServiceByType(String type);
+    ConfigurableComponentAuthorizable getControllerServiceByType(String type);
 
     /**
      * Get the authorizable referencing component.
@@ -183,7 +183,7 @@ public interface AuthorizableLookup {
      * @param id reporting task id
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getReportingTask(String id);
+    ConfigurableComponentAuthorizable getReportingTask(String id);
 
     /**
      * Get the authorizable for this Reporting Task. This will create a dummy instance of the
@@ -193,7 +193,7 @@ public interface AuthorizableLookup {
      * @param type processor type
      * @return authorizable
      */
-    ControllerServiceReferencingComponentAuthorizable getReportingTaskByType(String type);
+    ConfigurableComponentAuthorizable getReportingTaskByType(String type);
 
     /**
      * Get the authorizable Template.
@@ -271,4 +271,10 @@ public interface AuthorizableLookup {
      */
     Authorizable getSystem();
 
+    /**
+     * Get the authorizable for accessing restricted components.
+     *
+     * @return authorizable
+     */
+    Authorizable getRestrictedComponents();
 }
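Review bot: The Javadoc on `getRestrictedComponents()` does not say when a caller is expected to authorize against it. The lookups earlier in this file now return `ConfigurableComponentAuthorizable`, which exposes `isRestricted()`, but nothing on this interface ties that flag to this resource. The enforcement presumably sits in callers outside these hunks. If that is the intended contract, a sentence such as `Callers creating a component whose isRestricted() is true are expected to authorize against this resource in addition to the component's own authorizable.` would make it visible to whoever adds the next endpoint.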

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java
index 48c782f..a3a4e19 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java
@@ -38,7 +38,7 @@ public final class AuthorizeControllerServiceReference {
      * @param authorizer authorizer
      * @param lookup lookup
      */
-    public static void authorizeControllerServiceReferences(final Map<String, String> proposedProperties, final ControllerServiceReferencingComponentAuthorizable authorizable,
+    public static void authorizeControllerServiceReferences(final Map<String, String> proposedProperties, final ConfigurableComponentAuthorizable authorizable,
                                                             final Authorizer authorizer, final AuthorizableLookup lookup) {
 
         // only attempt to authorize if properties are changing

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ConfigurableComponentAuthorizable.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ConfigurableComponentAuthorizable.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ConfigurableComponentAuthorizable.java
new file mode 100644
index 0000000..a06c7a0
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ConfigurableComponentAuthorizable.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authorization;
+
+import org.apache.nifi.authorization.resource.Authorizable;
+import org.apache.nifi.components.PropertyDescriptor;
+
+/**
+ * Authorizable for a component that references a ControllerService.
+ */
+public interface ConfigurableComponentAuthorizable {
+    /**
+     * Returns the base authorizable for this ControllerServiceReference. Non null
+     *
+     * @return authorizable
+     */
+    Authorizable getAuthorizable();
+
+    /**
+     * Returns whether or not the underlying configurable component is restricted.
+     *
+     * @return whether or not the underlying configurable component is restricted
+     */
+    boolean isRestricted();
+
+    /**
+     * Returns the property descriptor for the specified property.
+     *
+     * @param propertyName property name
+     * @return property descriptor
+     */
+    PropertyDescriptor getPropertyDescriptor(String propertyName);
+
+    /**
+     * Returns the current value of the specified property.
+     *
+     * @param propertyDescriptor property descriptor
+     * @return value
+     */
+    String getValue(PropertyDescriptor propertyDescriptor);
+}
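Review bot: The Javadoc in this new interface was carried over unchanged from `ControllerServiceReferencingComponentAuthorizable` and no longer describes the type. The class summary still reads "Authorizable for a component that references a ControllerService", and `getAuthorizable()` still refers to "this ControllerServiceReference". The interface now also carries the `isRestricted()` flag used for access control, so I would reword the summary to `Authorizable for a configurable component (processor, controller service or reporting task), including whether the component is restricted.` and the method doc to `Returns the base authorizable for this component. Non null`. The `isRestricted()` doc could also state what callers are expected to do when it returns `true`.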

http://git-wip-us.apache.org/repos/asf/nifi/blob/7f5eabd6/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ControllerServiceReferencingComponentAuthorizable.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ControllerServiceReferencingComponentAuthorizable.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ControllerServiceReferencingComponentAuthorizable.java
deleted file mode 100644
index abffc94..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/ControllerServiceReferencingComponentAuthorizable.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import org.apache.nifi.authorization.resource.Authorizable;
-import org.apache.nifi.components.PropertyDescriptor;
-
-/**
- * Authorizable for a component that references a ControllerService.
- */
-public interface ControllerServiceReferencingComponentAuthorizable {
-    /**
-     * Returns the base authorizable for this ControllerServiceReference. Non null
-     *
-     * @return authorizable
-     */
-    Authorizable getAuthorizable();
-
-    /**
-     * Returns the property descriptor for the specified property.
-     *
-     * @param propertyName property name
-     * @return property descriptor
-     */
-    PropertyDescriptor getPropertyDescriptor(String propertyName);
-
-    /**
-     * Returns the current value of the specified property.
-     *
-     * @param propertyDescriptor property descriptor
-     * @return value
-     */
-    String getValue(PropertyDescriptor propertyDescriptor);
-}