nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lars Francke <lars.fran...@gmail.com>
Subject Re: API to get all Policies
Date Fri, 09 Nov 2018 09:01:02 GMT
Andy,

that's a good question. I have to admit that I thought about it and then
saw that there is already an Authorizable for this scenario so I assumed
that part was already taken care of. So whoever has the permission to view
"access all policies" would also be able to use the API? Were you thinking
of something different?

Cheers,
Lars



On Fri, Nov 9, 2018 at 12:35 AM Andy LoPresto <alopresto@apache.org> wrote:

> Lars,
>
> What access controls do you anticipate putting on this API endpoint and
> what potential issues do you see? I could see this being abused if not
> secured very carefully, and it doesn’t seem like a common use case
> (notwithstanding your current requirement). Is this something that can be
> done by using the NiFi CLI to iterate/recurse through the various PGs and
> retrieve these policies?
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> > On Nov 9, 2018, at 3:31 AM, Lars Francke <lars.francke@gmail.com> wrote:
> >
> > Hi,
> >
> > I was tasked with writing a tool to generate a kind of "audit report".
> For
> > that I need to get all policies that people have across various systems.
> > NiFi is one of them.
> >
> > I see that we have a REST API for Policies but that doesn't expose a
> method
> > to expose _all_ policies. I'd like to add a REST endpoint that allows
> > retrieving all policies.
> > Before I open a Jira I wanted to get feedback whether this addition would
> > be acceptable.
> >
> > Implementation notes
> > This is how I see the current flow of requests from the
> > AccessPolicyResource to the actual AccessPolicyProider:
> >
> > AccessPolicyResource -> NiFiServiceFacade (StandardNiFiServiceFacade) ->
> > AccessPolicyDAO (StandardPolicyBasedAuthorizerDAO) ->
> AccessPolicyProvider
> >
> > Fortunately the AccessPolicyProvider already has a method to retrieve all
> > policies. Should there be custom implementations by third-parties they
> > already support the necessary methods and I believe the classes that need
> > to be changed are all NiFi internal:
> >
> > * AccessPolicyResource
> > * NiFiServiceFacade
> > * StandardNiFiServiceFacade
> > * AccessPolicyDAO
> > * StandardPolicyBasedAuthorizerDAO
> > * And probably a bunch of others especially test classes
> >
> > If I don't hear any objections I will open a Jira issue and would try and
> > provide a patch.
> >
> > Cheers,
> > Lars
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message