nifi-dev mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: API to get all Policies
Date Thu, 08 Nov 2018 23:34:54 GMT
Lars,

What access controls do you anticipate putting on this API endpoint and what potential issues
do you see? I could see this being abused if not secured very carefully, and it doesn’t
seem like a common use case (notwithstanding your current requirement). Is this something
that can be done by using the NiFi CLI to iterate/recurse through the various PGs and retrieve
these policies?

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Nov 9, 2018, at 3:31 AM, Lars Francke <lars.francke@gmail.com> wrote:
> 
> Hi,
> 
> I was tasked with writing a tool to generate a kind of "audit report". For
> that I need to get all policies that people have across various systems.
> NiFi is one of them.
> 
> I see that we have a REST API for Policies but that doesn't expose a method
> to expose _all_ policies. I'd like to add a REST endpoint that allows
> retrieving all policies.
> Before I open a Jira I wanted to get feedback whether this addition would
> be acceptable.
> 
> Implementation notes
> This is how I see the current flow of requests from the
> AccessPolicyResource to the actual AccessPolicyProvider:
> 
> AccessPolicyResource -> NiFiServiceFacade (StandardNiFiServiceFacade) ->
> AccessPolicyDAO (StandardPolicyBasedAuthorizerDAO) -> AccessPolicyProvider
> 
> Fortunately the AccessPolicyProvider already has a method to retrieve all
> policies. Should there be custom implementations by third-parties they
> already support the necessary methods and I believe the classes that need
> to be changed are all NiFi internal:
> 
> * AccessPolicyResource
> * NiFiServiceFacade
> * StandardNiFiServiceFacade
> * AccessPolicyDAO
> * StandardPolicyBasedAuthorizerDAO
> * And probably a bunch of others especially test classes
> 
> If I don't hear any objections I will open a Jira issue and would try and
> provide a patch.
> 
> Cheers,
> Lars

