NIFI-14541 Added Scoped Authorization for Flow Registry Clients

- Added Registry Client Resource Type with path nested under Controller
- Updated Controller Resource Flow Registry Client methods to use new Authorizable resolution

Author: exceptionfactory

nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java

@@ -553,6 +553,7 @@ public String getSafeDescription() {
                     case InputPort -> "Input Port";
                     case OutputPort -> "Output Port";
                     case Processor -> "Processor";
+                    case RegistryClient -> "Registry Client";
                     case RemoteProcessGroup -> "Remote Process Group";
                     case ReportingTask -> "Reporting Task";
                     case FlowAnalysisRule -> "Flow Analysis Rule";

nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java

@@ -35,6 +35,7 @@ public enum ResourceType {
     RemoteProcessGroup("/remote-process-groups"),
     ReportingTask("/reporting-tasks"),
     FlowAnalysisRule("/controller/flow-analysis-rules"),
+    RegistryClient("/controller/registry-clients"),
     Resource("/resources"),
     SiteToSite("/site-to-site"),
     DataTransfer("/data-transfer"),

nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClientNode.java

@@ -99,7 +99,7 @@ public Authorizable getParentAuthorizable() {
 
     @Override
     public Resource getResource() {
-        return ResourceFactory.getComponentResource(ResourceType.Controller, getIdentifier(), getName());
+        return ResourceFactory.getComponentResource(ResourceType.RegistryClient, getIdentifier(), getName());
     }
 
     @Override

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java

@@ -644,6 +644,9 @@ private Authorizable getAccessPolicyByResource(final ResourceType resourceType,
             case ProcessGroup:
                 authorizable = getProcessGroup(componentId).getAuthorizable();
                 break;
+            case RegistryClient:
+                authorizable = getFlowRegistryClient(componentId).getAuthorizable();
+                break;
             case RemoteProcessGroup:
                 authorizable = getRemoteProcessGroup(componentId);
                 break;

nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java

@@ -1443,7 +1443,7 @@ private VerifyConfigRequestEntity createVerifyFlowAnalysisRuleConfigRequestEntit
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Read - /flow")
+                    @SecurityRequirement(name = "Read - /controller")
             }
     )
     public Response getFlowRegistryClients() {
@@ -1481,6 +1481,7 @@ public Response getFlowRegistryClients() {
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
+                    @SecurityRequirement(name = "Read - /controller"),
                     @SecurityRequirement(name = "Write - /controller")
             }
     )
@@ -1569,7 +1570,7 @@ public Response createFlowRegistryClient(
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Read - /controller")
+                    @SecurityRequirement(name = "Read - /controller/registry-clients/{id}")
             }
     )
     public Response getFlowRegistryClient(
@@ -1584,7 +1585,10 @@ public Response getFlowRegistryClient(
         }
 
         // authorize access
-        authorizeController(RequestAction.READ);
+        serviceFacade.authorizeAccess(lookup -> {
+            final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+            authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
+        });
 
         // get the flow registry client
         final FlowRegistryClientEntity entity = serviceFacade.getRegistryClient(id);
@@ -1613,7 +1617,7 @@ public Response getFlowRegistryClient(
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Write - /controller")
+                    @SecurityRequirement(name = "Write - /controller/registry-clients/{id}")
             }
     )
     public Response updateFlowRegistryClient(
@@ -1635,8 +1639,11 @@ public Response updateFlowRegistryClient(
             throw new IllegalArgumentException("Revision must be specified.");
         }
 
-        // authorize access
-        authorizeController(RequestAction.WRITE);
+        // Authorize Read before Write Action
+        serviceFacade.authorizeAccess(lookup -> {
+            final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+            authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
+        });
 
         // ensure the ids are the same
         final FlowRegistryClientDTO requestRegistryClient = requestFlowRegistryClientEntity.getComponent();
@@ -1662,7 +1669,8 @@ public Response updateFlowRegistryClient(
                 requestFlowRegistryClientEntity,
                 requestRevision,
                 lookup -> {
-                    authorizeController(RequestAction.WRITE);
+                    final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+                    authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                 },
                 null,
                 (revision, registryClientEntity) -> {
@@ -1702,7 +1710,7 @@ public Response updateFlowRegistryClient(
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Write - /controller")
+                    @SecurityRequirement(name = "Write - /controller/registry-clients/{id}")
             }
     )
     public Response deleteFlowRegistryClient(
@@ -1731,7 +1739,10 @@ public Response deleteFlowRegistryClient(
         }
 
         // authorize access
-        authorizeController(RequestAction.WRITE);
+        serviceFacade.authorizeAccess(lookup -> {
+            final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+            authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
+        });
 
         final FlowRegistryClientEntity requestFlowRegistryClientEntity = new FlowRegistryClientEntity();
         requestFlowRegistryClientEntity.setId(id);
@@ -1743,7 +1754,8 @@ public Response deleteFlowRegistryClient(
                 requestFlowRegistryClientEntity,
                 requestRevision,
                 lookup -> {
-                    authorizeController(RequestAction.WRITE);
+                    final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+                    authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
                 },
                 () -> serviceFacade.verifyDeleteRegistry(id),
                 (revision, registryClientEntity) -> {
@@ -1776,7 +1788,7 @@ public Response deleteFlowRegistryClient(
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Read - /controller/registry-clients/{uuid}")
+                    @SecurityRequirement(name = "Read - /controller/registry-clients/{id}")
             }
     )
     public Response getPropertyDescriptor(
@@ -1804,7 +1816,10 @@ public Response getPropertyDescriptor(
         }
 
         // authorize access
-        authorizeController(RequestAction.READ);
+        serviceFacade.authorizeAccess(lookup -> {
+            final Authorizable authorizable = lookup.getFlowRegistryClient(id).getAuthorizable();
+            authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
+        });
 
         // get the property descriptor
         final PropertyDescriptorDTO descriptor = serviceFacade.getRegistryClientPropertyDescriptor(id, propertyName, sensitive);
@@ -1837,7 +1852,7 @@ public Response getPropertyDescriptor(
                     @ApiResponse(responseCode = "409", description = "The request was valid but NiFi was not in the appropriate state to process it.")
             },
             security = {
-                    @SecurityRequirement(name = "Read - /flow")
+                    @SecurityRequirement(name = "Read - /controller")
             }
     )
     public Response getRegistryClientTypes() {