nifikop
[Fix/NiFiUser] Setting permissions on componentId level
Q | A |
---|---|
Bug fix? | yes |
New feature? | no |
API breaks? | ? |
Deprecations? | no |
Related tickets | fixes #66 |
License | Apache 2.0 |
What's in this PR?
First draft to fix setting permissions on componentId level.
Additional context
Background info
When you try to get an accessPolicy by the name of the componentId from the nifi api you will get back the accessPolicy from its parent (and not null or empty) in case it has no accessPolicy yet.
(`entity, err := nClient.GetAccessPolicy(string(accessPolicy.Action), accessPolicy.GetResource(cluster))` in `pkg/clientwrappers/accesspolicies/policies.go`)
Then nifikop thinks the accessPolicy already exists and does not create it.
That's why I added more or less an if statement (`componentID_from_nifi_api != componentID_from_nifiuser`). Then the accessPolicy does not exist yet and needs to be created.
Requirements
- Create a processgroup in the nifi UI called "whatever". If you click on it you can see the id on the left side. In this example it is "e9c12f7e-0178-1000-0000-00007b03d420"
Example nifiuser CR
Here is an example to test a nifiuser including the edge case `resource: /` (adjust your `componentId`):

```bash
cat <<EOF | kubectl apply -f -
apiVersion: nifi.orange.com/v1alpha1
kind: NifiUser
metadata:
  name: default
spec:
  identity: user
  clusterRef:
    name: simplenifi
    namespace: default
  includeJKS: false
  createCert: false
  accessPolicies:
    - type: component
      action: write
      componentType: process-groups
      resource: /
      componentId: "e9c12f7e-0178-1000-0000-00007b03d420"
    - type: component
      action: write
      componentType: process-groups
      resource: /data
      componentId: "e9c12f7e-0178-1000-0000-00007b03d420"
EOF
```
Verify
In nifi UI under "User Policies" you can see now:
- "Component policy for process group whatever (write)"
- "Data policy for process group whatever (write)"
Without the fix no process group is mentioned under the "User Policies".
Checklist
- [ ] Implementation tested
- [ ] Error handling code meets the guideline
- [ ] Logging code meets the guideline
- [ ] User guide and development docs updated (if needed)
- [ ] Append changelog with changes
Sorry for the bad code. I tried to make it understandable. What do you think about that behavior?
@erdrix this PR would be great.
The codestyle is not perfect but I tested it over a couple of weeks and it works.
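
The existence check described in the PR description, as an added example that is not nifikop's code: the `AccessPolicy` type and the in-memory `fakeNiFi` lookup are assumptions that model the inherited-policy behaviour, and `root` is a constructed parent id.

```go
package main

import "fmt"

// AccessPolicy is a simplified stand-in for the entity returned by the NiFi API (assumed shape).
type AccessPolicy struct {
	Action, Resource, ComponentID string
}

// fakeNiFi is a constructed in-memory model of the lookup behaviour described in this PR.
type fakeNiFi struct {
	policies map[string]AccessPolicy // key: action + " " + component id
	parentOf map[string]string       // component id -> parent id ("" for root)
}

// Get returns the component's own policy or, if it has none, the nearest ancestor's.
func (n fakeNiFi) Get(action, id string) (AccessPolicy, bool) {
	for cur := id; cur != ""; cur = n.parentOf[cur] {
		if p, ok := n.policies[action+" "+cur]; ok {
			return p, true
		}
	}
	return AccessPolicy{}, false
}

// NaiveExists treats any returned policy as existing (the behaviour before the fix).
func NaiveExists(n fakeNiFi, action, id string) bool {
	_, ok := n.Get(action, id)
	return ok
}

// ExistsOnComponent also requires the returned policy to belong to the requested component.
func ExistsOnComponent(n fakeNiFi, action, id string) bool {
	p, ok := n.Get(action, id)
	return ok && p.ComponentID == id
}

// Sample builds constructed data: a root group with a write policy and a child without one.
func Sample() (fakeNiFi, string) {
	child := "e9c12f7e-0178-1000-0000-00007b03d420" // componentId from the example CR
	return fakeNiFi{
		policies: map[string]AccessPolicy{"write root": {"write", "/process-groups/root", "root"}},
		parentOf: map[string]string{child: "root"},
	}, child
}

func main() {
	n, child := Sample()
	fmt.Println(NaiveExists(n, "write", child), ExistsOnComponent(n, "write", child))
}
```

With the naive check the operator skips creation and the user ends up without the component-level policy the CR declares; the component comparison makes the missing policy visible.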