From 532578799c0a4cb1edc54dadda81aa60787e54b0 Mon Sep 17 00:00:00 2001
From: exceptionfactory
Date: Thu, 22 Jun 2023 11:11:56 -0500
Subject: [PATCH] NIFI-11744 Added Required Permission to Reference Remote Resources - Applied Required Permission to components supporting URL Resource References
Signed-off-by: Matt Burgess
---
 .../apache/nifi/components/RequiredPermission.java | 3 ++-
 .../nifi/cdc/mysql/processors/CaptureChangeMySQL.java | 11 +++++++++++
 .../nifi/jms/cf/JMSConnectionFactoryProvider.java | 11 +++++++++++
 .../org/apache/nifi/jms/processors/ConsumeJMS.java | 11 +++++++++++
 .../org/apache/nifi/jms/processors/PublishJMS.java | 11 +++++++++++
 .../apache/nifi/processors/standard/ExtractGrok.java | 11 +++++++++++
 .../apache/nifi/processors/standard/ValidateJson.java | 11 +++++++++++
 .../apache/nifi/processors/standard/ValidateXml.java | 11 +++++++++++
 .../java/org/apache/nifi/dbcp/DBCPConnectionPool.java | 11 +++++++++++
 .../org/apache/nifi/dbcp/HikariCPConnectionPool.java | 11 +++++++++++
 .../apache/nifi/dbcp/HadoopDBCPConnectionPool.java | 11 +++++++++++
 .../org/apache/nifi/hbase/HBase_2_ClientService.java | 11 +++++++++++
 .../main/java/org/apache/nifi/grok/GrokReader.java | 11 +++++++++++
 13 files changed, 134 insertions(+), 1 deletion(-)
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
index d931b13ee2f7..6e3fd44664d3 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
@@ -30,7 +30,8 @@ public enum RequiredPermission {
 ACCESS_KEYTAB("access-keytab", "access keytab"),
 ACCESS_TICKET_CACHE("access-ticket-cache", "access ticket cache"),
 ACCESS_ENVIRONMENT_CREDENTIALS("access-environment-credentials", "access environment credentials"),
- EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details");
+ EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details"),
+ REFERENCE_REMOTE_RESOURCES("reference-remote-resources", "reference remote resources");
 private String permissionIdentifier;
 private String permissionLabel;
diff --git a/nifi-nar-bundles/nifi-cdc/nifi-cdc-mysql-bundle/nifi-cdc-mysql-processors/src/main/java/org/apache/nifi/cdc/mysql/processors/CaptureChangeMySQL.java b/nifi-nar-bundles/nifi-cdc/nifi-cdc-mysql-bundle/nifi-cdc-mysql-processors/src/main/java/org/apache/nifi/cdc/mysql/processors/CaptureChangeMySQL.java
index d63ac8bc1555..3c0e942434d5 100644
--- a/nifi-nar-bundles/nifi-cdc/nifi-cdc-mysql-bundle/nifi-cdc-mysql-processors/src/main/java/org/apache/nifi/cdc/mysql/processors/CaptureChangeMySQL.java
+++ b/nifi-nar-bundles/nifi-cdc/nifi-cdc-mysql-bundle/nifi-cdc-mysql-processors/src/main/java/org/apache/nifi/cdc/mysql/processors/CaptureChangeMySQL.java
@@ -31,6 +31,8 @@
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.PrimaryNodeOnly;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.Stateful;
 import org.apache.nifi.annotation.behavior.TriggerSerially;
 import org.apache.nifi.annotation.behavior.WritesAttribute;
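Review bot: The new constant `REFERENCE_REMOTE_RESOURCES` is added without any comment on what it authorizes, and the label `reference remote resources` alone does not say that it covers component properties that accept a URL. A short comment above the constant, for example `// Required for components whose properties can load files or libraries from a remote URL`, would record the intent for whoever adds the next restricted component. The identifier `reference-remote-resources` presumably ends up in stored access policies, so it is worth settling the wording before release because a later rename would not be compatible. The enum body continues outside the hunk.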
@@ -65,6 +67,7 @@
 import org.apache.nifi.components.AllowableValue;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.resource.ResourceCardinality;
@@ -151,6 +154,14 @@
 + "application/json")
 })
 @RequiresInstanceClassLoading
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Database Driver Location can reference resources over HTTP"
+ )
+ }
+)
 public class CaptureChangeMySQL extends AbstractSessionFactoryProcessor {
 // Random invalid constant used as an indicator to not set the binlog position on the client (thereby using the latest available)
diff --git a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryProvider.java b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryProvider.java
index 49a95c888072..8a8c4b12fe85 100644
--- a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryProvider.java
+++ b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryProvider.java
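Review bot: The explanation on the new `@Restricted` block understates what the permission guards: Database Driver Location supplies driver libraries and the class keeps `@RequiresInstanceClassLoading`, so a URL value is presumably fetched and then loaded as code rather than read as data. This text is what an administrator sees when deciding whom to grant the permission, so if that reading is right I would word it as `explanation = "Database Driver Location can reference resources over HTTP, which are loaded as executable code"`. The same applies to the Database Driver Location, Client Library Location and Client JAR Location explanations in DBCPConnectionPool, HikariCPConnectionPool, HadoopDBCPConnectionPool, JMSConnectionFactoryProvider, ConsumeJMS, PublishJMS and HBase_2_ClientService. The class body continues outside the hunk.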
@@ -17,12 +17,15 @@
 package org.apache.nifi.jms.cf;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.SeeAlso;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.expression.ExpressionLanguageScope;
@@ -61,6 +64,14 @@
 + "property and 'com.ibm.mq.jms.MQConnectionFactory.setTransportType(int)' would imply 'transportType' property.",
 expressionLanguageScope = ExpressionLanguageScope.VARIABLE_REGISTRY)
 @SeeAlso(classNames = {"org.apache.nifi.jms.processors.ConsumeJMS", "org.apache.nifi.jms.processors.PublishJMS"})
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Client Library Location can reference resources over HTTP"
+ )
+ }
+)
 public class JMSConnectionFactoryProvider extends AbstractControllerService implements JMSConnectionFactoryProviderDefinition, VerifiableControllerService {
 private static final String ESTABLISH_CONNECTION = "Establish Connection";
 private static final String VERIFY_JMS_INTERACTION = "Verify JMS Interaction";
diff --git a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/ConsumeJMS.java b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/ConsumeJMS.java
index 9fb5c4b87733..c3027bff7640 100644
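Review bot: The `@Restricted` block on JMSConnectionFactoryProvider, like the eleven others in this patch, is attached by hand, and nothing in the change ties it to the property descriptor that accepts a URL, so a component that gains such a property later can ship without the restriction. The diffstat lists no test files; a test that inspects component classes and fails when a descriptor permitting URL resources sits on a class lacking `RequiredPermission.REFERENCE_REMOTE_RESOURCES` would keep the list complete. As far as this change shows, the annotation governs who may configure the component and does not limit which hosts are contacted, so network egress controls stay relevant for these components. The class body continues outside the hunk.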
--- a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/ConsumeJMS.java
+++ b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/ConsumeJMS.java
@@ -19,6 +19,8 @@
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.WritesAttribute;
 import org.apache.nifi.annotation.behavior.WritesAttributes;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
@@ -27,6 +29,7 @@
 import org.apache.nifi.annotation.lifecycle.OnScheduled;
 import org.apache.nifi.components.AllowableValue;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.expression.ExpressionLanguageScope;
@@ -94,6 +97,14 @@
 "properties of the processor. For more information, see the Additional Details page.",
 expressionLanguageScope = ExpressionLanguageScope.VARIABLE_REGISTRY)
 @SeeAlso(value = { PublishJMS.class, JMSConnectionFactoryProvider.class })
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Client Library Location can reference resources over HTTP"
+ )
+ }
+)
 public class ConsumeJMS extends AbstractJMSProcessor {
 public static final String JMS_MESSAGETYPE = "jms.messagetype";
diff --git a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/PublishJMS.java b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/PublishJMS.java
index 03158f4cbce9..333fcad1e2bf 100644
--- a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/PublishJMS.java
+++ b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/processors/PublishJMS.java
@@ -22,12 +22,15 @@
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
 import org.apache.nifi.annotation.behavior.ReadsAttribute;
 import org.apache.nifi.annotation.behavior.ReadsAttributes;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SystemResource;
 import org.apache.nifi.annotation.behavior.SystemResourceConsideration;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.SeeAlso;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.expression.ExpressionLanguageScope;
 import org.apache.nifi.flowfile.FlowFile;
 import org.apache.nifi.jms.cf.JMSConnectionFactoryProvider;
@@ -102,6 +105,14 @@
 expressionLanguageScope = ExpressionLanguageScope.VARIABLE_REGISTRY)
 @SeeAlso(value = { ConsumeJMS.class, JMSConnectionFactoryProvider.class })
 @SystemResourceConsideration(resource = SystemResource.MEMORY)
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Client Library Location can reference resources over HTTP"
+ )
+ }
+)
 public class PublishJMS extends AbstractJMSProcessor {
 static final PropertyDescriptor MESSAGE_BODY = new PropertyDescriptor.Builder()
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ExtractGrok.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ExtractGrok.java
index 4d97548b4b62..d3b1515f51ae 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ExtractGrok.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ExtractGrok.java
@@ -24,6 +24,8 @@
 import io.krakens.grok.api.exception.GrokException;
 import org.apache.nifi.annotation.behavior.EventDriven;
 import org.apache.nifi.annotation.behavior.InputRequirement;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SideEffectFree;
 import org.apache.nifi.annotation.behavior.SupportsBatching;
 import org.apache.nifi.annotation.behavior.WritesAttribute;
@@ -33,6 +35,7 @@
 import org.apache.nifi.annotation.lifecycle.OnScheduled;
 import org.apache.nifi.annotation.lifecycle.OnStopped;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.resource.ResourceCardinality;
@@ -77,6 +80,14 @@
 @WritesAttribute(attribute = "grok.XXX", description = "When operating in flowfile-attribute mode, each of the Grok identifier that is matched in the flowfile " + "will be added as an attribute, prefixed with \"grok.\" For example," + "if the grok identifier \"timestamp\" is matched, then the value will be added to an attribute named \"grok.timestamp\"")})
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Patterns can reference resources over HTTP"
+ )
+ }
+)
 public class ExtractGrok extends AbstractProcessor {
 public static final String FLOWFILE_ATTRIBUTE = "flowfile-attribute";
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateJson.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateJson.java
index 5120b36700c4..c5aa5dc12b8b 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateJson.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateJson.java
@@ -25,6 +25,8 @@
 import com.networknt.schema.ValidationMessage;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SideEffectFree;
 import org.apache.nifi.annotation.behavior.SupportsBatching;
 import org.apache.nifi.annotation.behavior.SystemResource;
@@ -36,6 +38,7 @@
 import org.apache.nifi.annotation.lifecycle.OnScheduled;
 import org.apache.nifi.components.DescribedValue;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.resource.ResourceCardinality;
 import org.apache.nifi.components.resource.ResourceType;
 import org.apache.nifi.flowfile.FlowFile;
@@ -64,6 +67,14 @@
 })
 @CapabilityDescription("Validates the contents of FlowFiles against a configurable JSON Schema. See json-schema.org for specification standards.")
 @SystemResourceConsideration(resource = SystemResource.MEMORY, description = "Validating JSON requires reading FlowFile content into memory")
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Schema configuration can reference resources over HTTP"
+ )
+ }
+)
 public class ValidateJson extends AbstractProcessor {
 public enum SchemaVersion implements DescribedValue {
 DRAFT_4("Draft Version 4", "Draft 4", VersionFlag.V4),
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateXml.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateXml.java
index 0ae33391d8aa..130f39e9c4ba 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateXml.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ValidateXml.java
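Review bot: The explanation `"Schema configuration can reference resources over HTTP"` on ValidateJson does not name the property that accepts the URL, unlike the driver and client library explanations elsewhere in this patch, so an administrator reading it cannot tell which setting to audit. Naming the property by its display name would fix that, in the form `explanation = "<property display name> can reference resources over HTTP"`, with the real name taken from the descriptor, which is not visible in this hunk. ValidateXml carries the identical text, and ExtractGrok and GrokReader use the similarly generic "Patterns" wording, so the same change applies there. The class body continues outside the hunk.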
@@ -19,6 +19,8 @@
 import org.apache.nifi.annotation.behavior.EventDriven;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SideEffectFree;
 import org.apache.nifi.annotation.behavior.SupportsBatching;
 import org.apache.nifi.annotation.behavior.SystemResource;
@@ -29,6 +31,7 @@
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnScheduled;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.resource.ResourceCardinality;
 import org.apache.nifi.components.resource.ResourceType;
 import org.apache.nifi.expression.ExpressionLanguageScope;
@@ -81,6 +84,14 @@
 + "to ensure the XML syntax is correct and well-formed, e.g. all opening tags are properly closed.")
 @SystemResourceConsideration(resource = SystemResource.MEMORY, description = "While this processor supports processing XML within attributes, it is strongly discouraged to hold " + "large amounts of data in attributes. In general, attribute values should be as small as possible and hold no more than a couple hundred characters.")
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Schema configuration can reference resources over HTTP"
+ )
+ }
+)
 public class ValidateXml extends AbstractProcessor {
 public static final String ERROR_ATTRIBUTE_KEY = "validatexml.invalid.error";
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-dbcp-service/src/main/java/org/apache/nifi/dbcp/DBCPConnectionPool.java b/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-dbcp-service/src/main/java/org/apache/nifi/dbcp/DBCPConnectionPool.java
index 904b9229abcd..d531257b0f1c 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-dbcp-service/src/main/java/org/apache/nifi/dbcp/DBCPConnectionPool.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-dbcp-service/src/main/java/org/apache/nifi/dbcp/DBCPConnectionPool.java
@@ -21,11 +21,14 @@
 import org.apache.nifi.annotation.behavior.DynamicProperties;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SupportsSensitiveDynamicProperties;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.controller.ConfigurationContext;
@@ -86,6 +89,14 @@
 description = "JDBC driver property name prefixed with 'SENSITIVE.' handled as a sensitive property.")
 })
 @RequiresInstanceClassLoading
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Database Driver Location can reference resources over HTTP"
+ )
+ }
+)
 public class DBCPConnectionPool extends AbstractDBCPConnectionPool implements DBCPService, VerifiableControllerService {
 /**
 * Property Name Prefix for Sensitive Dynamic Properties
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-hikari-dbcp-service/src/main/java/org/apache/nifi/dbcp/HikariCPConnectionPool.java b/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-hikari-dbcp-service/src/main/java/org/apache/nifi/dbcp/HikariCPConnectionPool.java
index 190b8a109b5c..f4f7f68e8dc1 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-hikari-dbcp-service/src/main/java/org/apache/nifi/dbcp/HikariCPConnectionPool.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-hikari-dbcp-service/src/main/java/org/apache/nifi/dbcp/HikariCPConnectionPool.java
@@ -20,6 +20,8 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.behavior.SupportsSensitiveDynamicProperties;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
@@ -27,6 +29,7 @@
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.resource.ResourceCardinality;
 import org.apache.nifi.components.resource.ResourceType;
 import org.apache.nifi.controller.AbstractControllerService;
@@ -60,6 +63,14 @@
 description = "Specifies a property name and value to be set on the JDBC connection(s). "
 + "If Expression Language is used, evaluation will be performed upon the controller service being enabled. "
 + "Note that no flow file input (attributes, e.g.) is available for use in Expression Language constructs for these properties.")
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Database Driver Location can reference resources over HTTP"
+ )
+ }
+)
 public class HikariCPConnectionPool extends AbstractControllerService implements DBCPService {
 /**
 * Property Name Prefix for Sensitive Dynamic Properties
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hadoop-dbcp-service-bundle/nifi-hadoop-dbcp-service/src/main/java/org/apache/nifi/dbcp/HadoopDBCPConnectionPool.java b/nifi-nar-bundles/nifi-standard-services/nifi-hadoop-dbcp-service-bundle/nifi-hadoop-dbcp-service/src/main/java/org/apache/nifi/dbcp/HadoopDBCPConnectionPool.java
index eb97cf519c95..a62417d410be 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hadoop-dbcp-service-bundle/nifi-hadoop-dbcp-service/src/main/java/org/apache/nifi/dbcp/HadoopDBCPConnectionPool.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hadoop-dbcp-service-bundle/nifi-hadoop-dbcp-service/src/main/java/org/apache/nifi/dbcp/HadoopDBCPConnectionPool.java
@@ -23,12 +23,15 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.resource.ResourceCardinality;
@@ -76,6 +79,14 @@
 @DynamicProperty(name = "The name of a Hadoop configuration property.", value = "The value of the given Hadoop configuration property.", description = "These properties will be set on the Hadoop configuration after loading any provided configuration files.", expressionLanguageScope = ExpressionLanguageScope.VARIABLE_REGISTRY)
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Database Driver Location can reference resources over HTTP"
+ )
+ }
+)
 public class HadoopDBCPConnectionPool extends AbstractControllerService implements DBCPService {
 private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/src/main/java/org/apache/nifi/hbase/HBase_2_ClientService.java b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/src/main/java/org/apache/nifi/hbase/HBase_2_ClientService.java
index d1797d4fd11d..6166e66ba368 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/src/main/java/org/apache/nifi/hbase/HBase_2_ClientService.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/src/main/java/org/apache/nifi/hbase/HBase_2_ClientService.java
@@ -42,11 +42,14 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.resource.ResourceCardinality;
@@ -93,6 +96,14 @@
 "configuration.")
 @DynamicProperty(name="The name of an HBase configuration property.", value="The value of the given HBase configuration property.", description="These properties will be set on the HBase configuration after loading any provided configuration files.")
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Client JAR Location can reference resources over HTTP"
+ )
+ }
+)
 public class HBase_2_ClientService extends AbstractControllerService implements HBaseClientService {
 private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/grok/GrokReader.java b/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/grok/GrokReader.java
index 80528281da0d..437d7361218a 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/grok/GrokReader.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/grok/GrokReader.java
@@ -21,11 +21,14 @@
 import io.krakens.grok.api.GrokCompiler;
 import io.krakens.grok.api.GrokUtils;
 import io.krakens.grok.api.exception.GrokException;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.AllowableValue;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.components.resource.ResourceCardinality;
@@ -73,6 +76,14 @@
 + "a log message is considered to be part of the previous message but is added to the 'stackTrace' field of the Record. If a record has "
 + "no stack trace, it will have a NULL value for the stackTrace field (assuming that the schema does in fact include a stackTrace field of type String). "
 + "Assuming that the schema includes a '_raw' field of type String, the raw message will be included in the Record.")
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES,
+ explanation = "Patterns and Expressions can reference resources over HTTP"
+ )
+ }
+)
 public class GrokReader extends SchemaRegistryService implements RecordReaderFactory {
 private volatile List groks;
 private volatile NoMatchStrategy noMatchStrategy;