|
| 1 | +From 7bae76c6e7361356fdab4886bf078b0c4fbbce51 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Andrew Kenworthy <andrew.kenworthy@stackable.tech> |
| 3 | +Date: Fri, 10 Oct 2025 15:28:56 +0200 |
| 4 | +Subject: replace process groups root with root ID |
| 5 | + |
| 6 | +--- |
| 7 | + .../FileAccessPolicyProvider.java | 30 +++++++++++++++++-- |
| 8 | + 1 file changed, 28 insertions(+), 2 deletions(-) |
| 9 | + |
| 10 | +diff --git a/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java b/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java |
| 11 | +index 5363bb5619..2951e6899a 100644 |
| 12 | +--- a/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java |
| 13 | ++++ b/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java |
| 14 | +@@ -568,8 +568,8 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide |
| 15 | + final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity)); |
| 16 | + |
| 17 | + // if we are starting fresh then we might need to populate an initial admin or convert legacy users |
| 18 | ++ parseFlow(); |
| 19 | + if (emptyAuthorizations) { |
| 20 | +- parseFlow(); |
| 21 | + |
| 22 | + if (hasInitialAdminIdentity) { |
| 23 | + logger.info("Populating authorizations for Initial Admin: {}", initialAdminIdentity); |
| 24 | +@@ -581,7 +581,12 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide |
| 25 | + // save any changes that were made and repopulate the holder |
| 26 | + saveAndRefreshHolder(authorizations); |
| 27 | + } else { |
| 28 | +- this.authorizationsHolder.set(authorizationsHolder); |
| 29 | ++ if (isUpdatedRootInAccessPolicy(authorizations)) { |
| 30 | ++ // only do this if we have actually changed something |
| 31 | ++ saveAndRefreshHolder(authorizations); |
| 32 | ++ } else { |
| 33 | ++ this.authorizationsHolder.set(authorizationsHolder); |
| 34 | ++ } |
| 35 | + } |
| 36 | + } |
| 37 | + |
| 38 | +@@ -744,6 +749,27 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide |
| 39 | + } |
| 40 | + } |
| 41 | + |
| 42 | ++ /** |
| 43 | ++ * Replaces process group root references with the process group ID. |
| 44 | ++ * Relevant when a static authorizations file is provided, which can |
| 45 | ++ * then use "root" as a placeholder. |
| 46 | ++ * |
| 47 | ++ * @param authorizations the Authorizations instance to edit the policies in |
| 48 | ++ */ |
| 49 | ++ private boolean isUpdatedRootInAccessPolicy(final Authorizations authorizations) { |
| 50 | ++ boolean authorizationsChanged = false; |
| 51 | ++ for (Policy policy: authorizations.getPolicies().getPolicy()) { |
| 52 | ++ String resource = policy.getResource(); |
| 53 | ++ String processGroupRoot = ResourceType.ProcessGroup.getValue() + "/root"; |
| 54 | ++ if (resource.endsWith(processGroupRoot)) { |
| 55 | ++ int pos = resource.indexOf(processGroupRoot); |
| 56 | ++ policy.setResource(resource.substring(0, pos) + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId); |
| 57 | ++ authorizationsChanged = true; |
| 58 | ++ } |
| 59 | ++ } |
| 60 | ++ return authorizationsChanged; |
| 61 | ++ } |
| 62 | ++ |
| 63 | + /** |
| 64 | + * Creates and adds an access policy for the given resource, group identity, and actions to the specified authorizations. |
| 65 | + * |
0 commit comments