Posted to issues@nifi.apache.org by markobean <gi...@git.apache.org> on 2018/06/07 01:42:44 UTC

[GitHub] nifi issue #2703: NIFI-4907: add 'view provenance' component policy

Github user markobean commented on the issue:

    https://github.com/apache/nifi/pull/2703
  
    When calling getEvent() from the provenance repository, the user is authorized for the event (including component level authorization). See ControllerFacade.java:1353. This getEvent() method call is prior to createProvenanceEventDto(). So, it would be redundant to authorize the user for the event inside createProvenanceEventDto() as any unauthorized events will have already been filtered out. The original approach was to exclude all events from a provenance query result for which the user is not authorized (e.g. the user is not in the 'view provenance' component level policy). Therefore, it should not be necessary to perform your point #2 above.
    
    For point #3 and a slight refactor of authorizeReplay(), I've renamed it to authorizeData() and removed the duplicate authorization block from getProvenanceEvent(). Instead, createProvenanceEventDto() will perform the data authorization prior to the if !summarize block. In this way, the event will need to be authorized for data access as well as not summarized in order for the DTO to populate the attributes and content.
    
    I also updated some authorization unit tests with more detailed expected results, and rebased to master.


---