Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2020/11/25 20:14:00 UTC

[jira] [Commented] (NIFI-7884) Separate "read-filesystem" restricted permission into local file system and HDFS file system permissions

    [ https://issues.apache.org/jira/browse/NIFI-7884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17238927#comment-17238927 ] 

David Handermann commented on NIFI-7884:
----------------------------------------

The current implementation of {{RequiredPermission}} in the {{Restriction}} annotation appears to indicate that all permissions must be granted in order to use the component in question.  At a concept level, since the HDFS processors could access the local filesystem depending on system configuration, it seems that sometimes the READ_FILESYSTEM and WRITE_FILESYSTEM permissions would be applicable, and sometimes not.  However, in light of the current implementation of {{Restriction}} annotations, the simplest approach seems to be introducing new {{RequiredPermission}} values along the lines of READ_DISTRIBUTED_FILESYSTEM and WRITE_DISTRIBUTED_FILESYSTEM, then applying those to the HDFS processors.

> Separate "read-filesystem" restricted permission into local file system and HDFS file system permissions
> --------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-7884
>                 URL: https://issues.apache.org/jira/browse/NIFI-7884
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Extensions
>    Affects Versions: 1.12.1
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: file-system, hdfs, restricted, security
>
> Currently the {{read-filesystem}} value for {{RequiredPermission}} is used for both the processors which read directly from the local file system of the machine hosting NiFi ({{GetFile}}, {{ListFile}}, etc.) and the processors which read from external file systems like HDFS ({{GetHDFS}}, {{PutHDFS}}, etc.). There are use cases where NiFi users should be able to interact with the HDFS file system without having permissions to access the local file system. 
> This will also require introducing a global setting in {{nifi.properties}} that an admin can set to allow local file system access via the HDFS processors (default {{true}} for backward compatibility), and additional validation logic in the HDFS processors (ideally the abstract shared logic) to ensure that if this setting is disabled, the HDFS processors are not accessing the local file system via the {{file:///}} protocol in their configuration. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
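
The validation step the issue description asks for, sketched as an added Java example (not NiFi code and not written by either participant in the thread). The class, method and `allowLocalAccess` flag names are hypothetical stand-ins for the proposed `nifi.properties` setting, and the sketch assumes any expression language in the paths has already been evaluated.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration, not NiFi code: the class, method and flag names are hypothetical.
public class LocalFileSystemGuard {

    // Hadoop resolves a scheme-less path against fs.defaultFS, whose built-in default is file:///.
    static boolean resolvesToLocal(String value, String defaultFs) {
        try {
            String scheme = URI.create(value.trim()).getScheme();
            if (scheme == null) {
                scheme = URI.create(defaultFs.trim()).getScheme();
            }
            return scheme == null || scheme.equalsIgnoreCase("file");
        } catch (IllegalArgumentException e) {
            return true; // fail closed: an unparseable location is treated as local
        }
    }

    // Returns one message per offending value; an empty list means the configuration is acceptable.
    static List<String> validate(boolean allowLocalAccess, String defaultFs, List<String> paths) {
        List<String> problems = new ArrayList<>();
        if (allowLocalAccess) {
            return problems; // backward-compatible default described in the issue
        }
        if (resolvesToLocal(defaultFs, "file:///")) {
            problems.add("fs.defaultFS points at the local file system: " + defaultFs);
        }
        for (String path : paths) {
            if (resolvesToLocal(path, defaultFs)) {
                problems.add("path resolves to the local file system: " + path);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real flow.
        List<String> paths = Arrays.asList("/data/in", "hdfs://nn1:8020/landing", "FILE:///etc/nifi");
        System.out.println(validate(false, "hdfs://nn1:8020", paths));
        System.out.println(validate(false, "file:///", paths));
        System.out.println(validate(true, "file:///", paths));
    }
}
```

Checking only for a literal `file:///` prefix would miss the scheme-less case: with `fs.defaultFS` left at its default, a plain `/data/in` still lands on the NiFi host's disk, which is why the sketch resolves the effective scheme first.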