You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Simon Bence (Jira)" <ji...@apache.org> on 2020/04/14 14:51:00 UTC
[jira] [Commented] (NIFI-7292) ListFile should apply filters before
checking permissions.
[ https://issues.apache.org/jira/browse/NIFI-7292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17083303#comment-17083303 ]
Simon Bence commented on NIFI-7292:
-----------------------------------
Hi [~msclarke]!
I have a solution proposal (automatically linked PR) aims directly the effects of files and folders are not accessible by NiFi due to insufficient privileges. One of my primary goals was to minimise the change and keep using the -otherwise- properly working {{FileTreeWalker}} based implementation. In order to this, I did replace the {{find}} call with {{walkFileTree}}, which provides a more direct access to the file visiting with tree walker. With this, the code have more control over handling inaccessible files and folders, preventing the tree walker from instantly stopping.
In practice this means that, in order to prevent divergence from the current underlaying solution, instead of reordering the steps (and checking permission before apply filter) I built a permission check on a hook point of the already used tool and made the processor skip the files and directories without sufficient privileges regardless of the filter. The filter will be applied afterward.
Is this solution acceptable to you?
> ListFile should apply filters before checking permissions.
> ----------------------------------------------------------
>
> Key: NIFI-7292
> URL: https://issues.apache.org/jira/browse/NIFI-7292
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.9.2
> Reporter: Matthew Clarke
> Assignee: Simon Bence
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> I noticed that NiFi's ListFile processor (and probably other list based processors) will check permissions on sub-directories before it evaluates the path filter.
> Let's assume we have a mounted directory (/NiFi/mount) that contains sub directories (A, B, C, D, and private). The NiFi Service user has permissions to access all directories A,B,C, and D, but not the "private" directory.
> I then add a path filter in my ListFile to exclude the "private" directory
> (for example: (?!(private)).* )
> When I start the ListFile it errors because the NiFi service user does not have permissions to "private" directory even though I have no intention of listing anything from that directory. Since it Errors it does not listed files from any directory including those which have the needed permissions.
> If I give the NiFi service user access to that "private" dir then the listing works ignoring the "private" dir files.
> I feel as though the processor should apply the path and/or file filters before checking permissions?
> Users may not have ability to edit permissions on some sub directories. And with other sub-directories having being dynamically created or having a very large number of sub-directories, creating a separate ListFile for each sub-directory is not a desirable solution either.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)