org.apache.nifi.authorization.RequestAction Java Examples

The following examples show how to use org.apache.nifi.authorization.RequestAction.
Example #1
Source File: ControllerFacade.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Looks up the status history of a single processor.
 *
 * <p>The history is returned whether or not the current user may read the processor. For a user
 * without READ permission the name entry of the component details is overwritten with the
 * processor id and the type entry with the generic value "Processor".
 *
 * @param processorId processor id
 * @return status history
 * @throws ResourceNotFoundException if the root group has no processor with that id
 */
public StatusHistoryDTO getProcessorStatusHistory(final String processorId) {
    final ProcessGroup rootGroup = flowController.getGroup(flowController.getRootGroupId());
    final ProcessorNode node = rootGroup.findProcessor(processorId);

    // a missing processor is reported before any history is loaded
    if (node == null) {
        throw new ResourceNotFoundException(String.format("Unable to locate processor with id '%s'.", processorId));
    }

    final StatusHistoryDTO history = flowController.getProcessorStatusHistory(processorId);

    // Without READ on the processor, replace the identifying details with the id and a generic type.
    // NOTE(review): only these two entries are overwritten; confirm no other component detail needs redacting.
    final boolean canRead = node.isAuthorized(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    if (!canRead) {
        history.getComponentDetails().put(ComponentStatusRepository.COMPONENT_DETAIL_NAME, processorId);
        history.getComponentDetails().put(ComponentStatusRepository.COMPONENT_DETAIL_TYPE, "Processor");
    }

    return history;
}
 
Example #2
Source File: ResourceResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that the current user may READ the resource returned by
 * {@code ResourceFactory.getResourceResource()}.
 *
 * @throws AccessDeniedException if the authorizer returns any result other than Approved
 */
private void authorizeResource() {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // the client address is passed as user context only when one is known; otherwise the context stays null
    Map<String, String> context = null;
    if (!StringUtils.isBlank(currentUser.getClientAddress())) {
        context = new HashMap<>();
        context.put(UserContextKeys.CLIENT_ADDRESS.name(), currentUser.getClientAddress());
    }

    final AuthorizationRequest readRequest = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getResourceResource())
            .identity(currentUser.getIdentity())
            .anonymous(currentUser.isAnonymous())
            .accessAttempt(true)
            .action(RequestAction.READ)
            .userContext(context)
            .explanationSupplier(() -> "Unable to retrieve resources.")
            .build();

    // anything other than an explicit approval is treated as a denial
    final AuthorizationResult outcome = authorizer.authorize(readRequest);
    if (Result.Approved.equals(outcome.getResult())) {
        return;
    }
    throw new AccessDeniedException(outcome.getExplanation());
}
 
Example #3
Source File: VolatileAccessPolicyProvider.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Removes one user from the policy that covers the given resource and action.
 *
 * <p>Does nothing when no such policy exists. Otherwise the stored policy is replaced by a rebuilt
 * one that keeps the identifier and drops the user.
 *
 * @param user               user to remove from the policy
 * @param resourceIdentifier resource the policy applies to
 * @param action             action the policy applies to
 */
public synchronized void revokeAccess(final String user, final String resourceIdentifier, final RequestAction action) {
    final AccessPolicy current = getAccessPolicy(resourceIdentifier, action);
    if (current == null) {
        // nothing was granted for this resource/action, so there is nothing to revoke
        return;
    }

    // NOTE(review): only the users of the existing policy are copied into the rebuilt one; any groups
    // on it are not carried over. Confirm that policies held by this provider never contain groups.
    final AccessPolicy updated = new AccessPolicy.Builder()
            .addUsers(current.getUsers())
            .removeUser(user)
            .action(action)
            .identifier(current.getIdentifier())
            .resource(resourceIdentifier)
            .build();

    // swap the old policy for the rebuilt one
    accessPolicies.remove(current);
    accessPolicies.add(updated);
}
 
Example #4
Source File: ControllerFacade.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Looks up the status history of a single remote process group.
 *
 * <p>The history is returned whether or not the current user may read the remote process group.
 * For a user without READ permission the name entry of the component details is overwritten with
 * the id and the URI entry is removed.
 *
 * @param remoteProcessGroupId remote process group id
 * @return status history
 * @throws ResourceNotFoundException if the root group has no remote process group with that id
 */
public StatusHistoryDTO getRemoteProcessGroupStatusHistory(final String remoteProcessGroupId) {
    final ProcessGroup rootGroup = flowController.getGroup(flowController.getRootGroupId());
    final RemoteProcessGroup rpg = rootGroup.findRemoteProcessGroup(remoteProcessGroupId);

    // a missing remote process group is reported before any history is loaded
    if (rpg == null) {
        throw new ResourceNotFoundException(String.format("Unable to locate remote process group with id '%s'.", remoteProcessGroupId));
    }

    final StatusHistoryDTO history = flowController.getRemoteProcessGroupStatusHistory(remoteProcessGroupId);

    // Without READ on the remote process group, hide its name and target URI.
    final boolean canRead = rpg.isAuthorized(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    if (!canRead) {
        history.getComponentDetails().put(ComponentStatusRepository.COMPONENT_DETAIL_NAME, remoteProcessGroupId);
        history.getComponentDetails().remove(ComponentStatusRepository.COMPONENT_DETAIL_URI);
    }

    return history;
}
 
Example #5
Source File: StandardPolicyBasedAuthorizerDAO.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Finds the access policy that applies to an authorizable for the given action, walking up the
 * parent authorizables until a policy is found.
 *
 * @param requestAction action the policy must cover
 * @param authorizable  authorizable to start the search from
 * @return the policy found on the authorizable's resource or on the nearest ancestor that has one
 * @throws ResourceNotFoundException if neither the authorizable nor any ancestor has a policy
 */
@Override
public AccessPolicy getAccessPolicy(final RequestAction requestAction, final Authorizable authorizable) {
    final String resourceId = authorizable.getResource().getIdentifier();

    final AccessPolicy direct = findAccessPolicy(requestAction, resourceId);
    if (direct != null) {
        return direct;
    }

    // no policy on this resource: inherit from the parent, if there is one
    final Authorizable parent = authorizable.getParentAuthorizable();
    if (parent != null) {
        return getAccessPolicy(requestAction, parent);
    }

    // top of the chain reached without finding a policy
    throw new ResourceNotFoundException(String.format("Unable to find access policy for %s on %s", requestAction.toString(), resourceId));
}
 
Example #6
Source File: SnippetUtils.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Best-effort removal of every policy that was cloned for a component. Covers the component
 * resource and its data, provenance data, data transfer and policy resources, for every
 * {@link RequestAction}.
 *
 * <p>A failed deletion is logged as a warning and does not stop the remaining deletions.
 *
 * @param componentResource component resource
 */
private void rollbackClonedPolicy(final Resource componentResource) {
    // nothing to roll back unless the DAO reports a configurable authorizer
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> targets = new ArrayList<>();
    targets.add(componentResource);
    targets.add(ResourceFactory.getDataResource(componentResource));
    targets.add(ResourceFactory.getProvenanceDataResource(componentResource));
    targets.add(ResourceFactory.getDataTransferResource(componentResource));
    targets.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource target : targets) {
        for (final RequestAction action : RequestAction.values()) {
            final AccessPolicy clonedPolicy = accessPolicyDAO.getAccessPolicy(action, target.getIdentifier());
            if (clonedPolicy == null) {
                continue;
            }

            try {
                accessPolicyDAO.deleteAccessPolicy(clonedPolicy.getIdentifier());
            } catch (final Exception e) {
                // A policy that could not be deleted stays in place. The warning names the component
                // resource, not the derived resource whose policy was being deleted.
                logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, componentResource.getIdentifier()), e);
            }
        }
    }
}
 
Example #7
Source File: SnippetResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes the specified snippet request with the specified request action. This method is used when creating a snippet. Because we do not know what
 * the snippet will be used for, we just ensure the user has permissions to each selected component. Some actions may require additional permissions
 * (including referenced services) but those will be enforced when the snippet is used.
 *
 * <p>Every check is made for the current user returned by {@code NiFiUserUtils.getNiFiUser()}.
 *
 * @param snippetRequest snippet whose selected component ids are resolved and authorized
 * @param authorizer authorizer
 * @param lookup     lookup used to resolve each component id to its authorizable
 * @param action     action
 */
private void authorizeSnippetRequest(final SnippetDTO snippetRequest, final Authorizer authorizer, final AuthorizableLookup lookup, final RequestAction action) {
    // shared check applied to every directly selected component
    // NOTE(review): authorize(...) presumably throws on denial, which would stop the remaining checks - confirm
    final Consumer<Authorizable> authorize = authorizable -> authorizable.authorize(authorizer, action, NiFiUserUtils.getNiFiUser());

    // note - we are not authorizing templates or controller services as they are not considered when using this snippet
    snippetRequest.getProcessGroups().keySet().stream().map(id -> lookup.getProcessGroup(id)).forEach(processGroupAuthorizable -> {
        // we are not checking referenced services since we do not know how this snippet will be used. these checks should be performed
        // in a subsequent action with this snippet
        authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, action, false, false, false, false);
    });
    // processors and connections are looked up as wrappers, so their underlying authorizable is unwrapped first
    snippetRequest.getRemoteProcessGroups().keySet().stream().map(id -> lookup.getRemoteProcessGroup(id)).forEach(authorize);
    snippetRequest.getProcessors().keySet().stream().map(id -> lookup.getProcessor(id).getAuthorizable()).forEach(authorize);
    snippetRequest.getInputPorts().keySet().stream().map(id -> lookup.getInputPort(id)).forEach(authorize);
    snippetRequest.getOutputPorts().keySet().stream().map(id -> lookup.getOutputPort(id)).forEach(authorize);
    snippetRequest.getConnections().keySet().stream().map(id -> lookup.getConnection(id).getAuthorizable()).forEach(authorize);
    snippetRequest.getFunnels().keySet().stream().map(id -> lookup.getFunnel(id)).forEach(authorize);
    snippetRequest.getLabels().keySet().stream().map(id -> lookup.getLabel(id)).forEach(authorize);
}
 
Example #8
Source File: UserEventAuthorizer.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Reports whether the configured user may READ the data of the component that produced the given
 * provenance event.
 *
 * <p>Returns {@code true} without performing any check when either {@code authorizer} or
 * {@code user} is {@code null}, and {@code false} when the data authorizable for the event's
 * component cannot be resolved.
 *
 * @param event provenance event to check
 * @return {@code true} if READ is approved or no check is performed, {@code false} otherwise
 */
@Override
public boolean isAuthorized(final ProvenanceEventRecord event) {
    // NOTE(review): this branch is fail-open - a missing authorizer and a missing user both yield
    // "authorized". Confirm that a null user can only come from a trusted internal caller and never
    // from a request whose identity could not be resolved.
    if (authorizer == null || user == null) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        // events from remote ports and from local components use different data authorizables
        if (event.isRemotePortType()) {
            eventAuthorizable = resourceFactory.createRemoteDataAuthorizable(event.getComponentId());
        } else {
            eventAuthorizable = resourceFactory.createLocalDataAuthorizable(event.getComponentId());
        }
    } catch (final ResourceNotFoundException rnfe) {
        // the component can no longer be resolved: deny rather than guess
        return false;
    }

    // the event attributes are passed as resource context; only an explicit approval counts
    final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes());
    return Result.Approved.equals(result.getResult());
}
 
Example #9
Source File: SnippetUtils.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Best-effort removal of every policy that was cloned for a component. Covers the component
 * resource and its data, data transfer and policy resources, for every {@link RequestAction}.
 *
 * <p>A failed deletion is logged as a warning and does not stop the remaining deletions.
 *
 * @param componentResource component resource
 */
private void rollbackClonedPolicy(final Resource componentResource) {
    // nothing to roll back unless the DAO reports a configurable authorizer
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> targets = new ArrayList<>();
    targets.add(componentResource);
    targets.add(ResourceFactory.getDataResource(componentResource));
    targets.add(ResourceFactory.getDataTransferResource(componentResource));
    targets.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource target : targets) {
        for (final RequestAction action : RequestAction.values()) {
            final AccessPolicy clonedPolicy = accessPolicyDAO.getAccessPolicy(action, target.getIdentifier());
            if (clonedPolicy == null) {
                continue;
            }

            try {
                accessPolicyDAO.deleteAccessPolicy(clonedPolicy.getIdentifier());
            } catch (final Exception e) {
                // A policy that could not be deleted stays in place. The warning names the component
                // resource, not the derived resource whose policy was being deleted.
                logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, componentResource.getIdentifier()), e);
            }
        }
    }
}
 
Example #10
Source File: FlowResource.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that the current user may READ the flow resource.
 *
 * @throws AccessDeniedException if the authorizer returns any result other than Approved
 */
private void authorizeFlow() {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // the client address is passed as user context only when one is known; otherwise the context stays null
    Map<String, String> context = null;
    if (!StringUtils.isBlank(currentUser.getClientAddress())) {
        context = new HashMap<>();
        context.put(UserContextKeys.CLIENT_ADDRESS.name(), currentUser.getClientAddress());
    }

    final AuthorizationRequest readRequest = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getFlowResource())
            .identity(currentUser.getIdentity())
            .anonymous(currentUser.isAnonymous())
            .accessAttempt(true)
            .action(RequestAction.READ)
            .userContext(context)
            .explanationSupplier(() -> "Unable to view the user interface.")
            .build();

    // anything other than an explicit approval is treated as a denial
    final AuthorizationResult outcome = authorizer.authorize(readRequest);
    if (Result.Approved.equals(outcome.getResult())) {
        return;
    }
    throw new AccessDeniedException(outcome.getExplanation());
}
 
Example #11
Source File: ConfiguredComponent.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Checks authorization for this component, adding a restricted-components check in front of the
 * base check when the request is a WRITE and the component is restricted.
 *
 * @param authorizer      authorizer used for both checks
 * @param action          requested action
 * @param user            user making the request
 * @param resourceContext resource context passed through to both checks
 * @return the Denied result of the restricted-components check, otherwise the result of the base check
 */
@Override
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    // if this is a modification request and the component is restricted ensure the user has elevated privileges. if this
    // is not a modification request, we just want to use the normal rules
    if (RequestAction.WRITE.equals(action) && isRestricted()) {
        final RestrictedComponentsAuthorizable restrictedComponentsAuthorizable = new RestrictedComponentsAuthorizable();
        final AuthorizationResult result = restrictedComponentsAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, resourceContext);
        // only an explicit Denied stops here; every other result continues to the base check below
        // NOTE(review): confirm that any result other than Approved or Denied is meant to fall through
        if (Result.Denied.equals(result.getResult())) {
            return result;
        }
    }

    // defer to the base authorization check
    return ComponentAuthorizable.super.checkAuthorization(authorizer, action, user, resourceContext);
}
 
Example #12
Source File: ControllerSearchServiceTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Test fixture: a root process group holding one mock of each component kind, each of which
 * reports the test user as authorized for READ.
 */
private void givenSingleProcessGroupIsSetUp() {
    final ProcessGroup rootGroup = givenProcessGroup(PROCESS_GROUP_ROOT, true, Collections.emptySet(), Collections.emptySet());

    // processor
    final ProcessorNode readableProcessor = Mockito.mock(ProcessorNode.class);
    Mockito.when(readableProcessor.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getProcessors()).thenReturn(Collections.singletonList(readableProcessor));

    // connection
    final Connection readableConnection = Mockito.mock(Connection.class);
    Mockito.when(readableConnection.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getConnections()).thenReturn(new HashSet<>(Arrays.asList(readableConnection)));

    // remote process group
    final RemoteProcessGroup readableRemoteGroup = Mockito.mock(RemoteProcessGroup.class);
    Mockito.when(readableRemoteGroup.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getRemoteProcessGroups()).thenReturn(new HashSet<>(Arrays.asList(readableRemoteGroup)));

    // the same mock port serves as both the input port and the output port
    final Port readablePort = Mockito.mock(Port.class);
    Mockito.when(readablePort.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getInputPorts()).thenReturn(new HashSet<>(Arrays.asList(readablePort)));
    Mockito.when(rootGroup.getOutputPorts()).thenReturn(new HashSet<>(Arrays.asList(readablePort)));

    // funnel
    final Funnel readableFunnel = Mockito.mock(Funnel.class);
    Mockito.when(readableFunnel.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getFunnels()).thenReturn(new HashSet<>(Arrays.asList(readableFunnel)));

    // label
    final Label readableLabel = Mockito.mock(Label.class);
    Mockito.when(readableLabel.isAuthorized(authorizer, RequestAction.READ, user)).thenReturn(true);
    Mockito.when(rootGroup.getLabels()).thenReturn(new HashSet<>(Arrays.asList(readableLabel)));
}
 
Example #13
Source File: RangerBasePluginWithPolicies.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Looks up the policy for a resource and action in the {@code policiesByResource} index.
 *
 * @param resourceIdentifier id of the resource
 * @param action             action the policy must cover
 * @return the matching policy, or {@code null} when the index is unset or has no entry for the
 *         resource or the action
 */
private AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
    if (policiesByResource == null) {
        return null;
    }

    final Map<RequestAction, AccessPolicy> byAction = policiesByResource.get(resourceIdentifier);
    return byAction == null ? null : byAction.get(action);
}
 
Example #14
Source File: TestRangerBasePluginWithPolicies.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A single Ranger policy with delegate admin enabled is expected to yield four access policies:
 * READ and WRITE on the resource itself and READ and WRITE on its "/policies" counterpart.
 */
@Test
public void testDelegateAdmin() {
    final String delegateUser = "user-1";
    final String resourceId = "/resource-1";

    // one Ranger policy on /resource-1 granting READ and WRITE to user-1, with delegate admin set
    final Map<String, RangerPolicyResource> policyResources = new HashMap<>();
    policyResources.put(resourceId, new RangerPolicyResource(resourceId));

    final RangerPolicyItem policyItem = new RangerPolicyItem();
    policyItem.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policyItem.setUsers(Stream.of(delegateUser).collect(Collectors.toList()));
    policyItem.setDelegateAdmin(true);

    final RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setResources(policyResources);
    rangerPolicy.setPolicyItems(Stream.of(policyItem).collect(Collectors.toList()));

    final List<RangerPolicy> rangerPolicies = new ArrayList<>();
    rangerPolicies.add(rangerPolicy);

    final RangerServiceDef nifiServiceDef = new RangerServiceDef();
    nifiServiceDef.setName("nifi");

    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(rangerPolicies);
    servicePolicies.setServiceDef(nifiServiceDef);

    // load the policies into the plugin under test
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi", "nifi");
    plugin.setPolicies(servicePolicies);

    // the resource itself, then the policy-administration resource derived from it
    final String policyResourceId = "/policies" + resourceId;
    assertEquals(4, plugin.getAccessPolicies().size());
    assertNotNull(plugin.getAccessPolicy(resourceId, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy(resourceId, RequestAction.WRITE));
    assertNotNull(plugin.getAccessPolicy(policyResourceId, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy(policyResourceId, RequestAction.WRITE));
}
 
Example #15
Source File: UserEventAuthorizer.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes the configured user for READ on the data of the component that produced the event,
 * passing the event attributes as resource context.
 *
 * <p>No check is made when {@code authorizer} is {@code null}. Unlike the authorizer, {@code user}
 * is not null-checked here and is handed to the authorizable as-is.
 *
 * @param event provenance event whose component data is being accessed
 */
@Override
public void authorize(final ProvenanceEventRecord event) {
    if (authorizer == null) {
        return;
    }

    // remote ports and local components are backed by different data authorizables
    final Authorizable dataAuthorizable = event.isRemotePortType()
            ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
            : resourceFactory.createLocalDataAuthorizable(event.getComponentId());

    dataAuthorizable.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
}
 
Example #16
Source File: StandardConnection.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes an action on this connection by authorizing it against both ends of the connection.
 *
 * @param authorizer      authorizer passed to both checks
 * @param action          requested action
 * @param user            user making the request; {@code null} is rejected
 * @param resourceContext resource context passed to both checks
 * @throws AccessDeniedException if {@code user} is {@code null}
 */
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    // fail closed: a request without a user is denied before any policy is consulted
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }

    // the source is checked first, then the destination
    // NOTE(review): presumably each call throws AccessDeniedException on denial, so both must pass - confirm
    getSourceAuthorizable().authorize(authorizer, action, user, resourceContext);
    getDestinationAuthorizable().authorize(authorizer, action, user, resourceContext);
}
 
Example #17
Source File: StandardNiFiServiceFacade.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Reports whether the user may access the given port. The DataTransferAuthorizable is
 * deliberately not used, because it would require the entire chain to be authorized for the
 * transfer; this method is only invoked when obtaining the site to site details, where the
 * entire chain isn't necessary.
 *
 * <p>When site to site is not configured as secure, every user is allowed and the authorizer is
 * not consulted.
 *
 * @param user user requesting the port details
 * @param port port being accessed
 * @return {@code true} if site to site is not secure or WRITE on the port's data transfer
 *         resource is approved
 */
private boolean isUserAuthorized(final NiFiUser user, final RootGroupPort port) {
    // unsecured site to site: no authorization is performed at all
    if (!Boolean.TRUE.equals(properties.isSiteToSiteSecure())) {
        return true;
    }

    // the client address is passed as user context only when it is non-null and not just whitespace
    Map<String, String> context = null;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        context = new HashMap<>();
        context.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    }

    // built with accessAttempt(false), unlike a direct access request
    final AuthorizationRequest transferRequest = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getDataTransferResource(port.getResource()))
            .identity(user.getIdentity())
            .anonymous(user.isAnonymous())
            .accessAttempt(false)
            .action(RequestAction.WRITE)
            .userContext(context)
            .explanationSupplier(() -> "Unable to retrieve port details.")
            .build();

    final AuthorizationResult outcome = authorizer.authorize(transferRequest);
    return Result.Approved.equals(outcome.getResult());
}
 
Example #18
Source File: RangerBasePluginWithPolicies.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Determines whether a policy exists for the given resource and action.
 *
 * @param resourceIdentifier the id of the resource; {@code null} always yields {@code false}
 * @param requestAction      the action the policy must cover
 *
 * @return true if a policy exists for the given resource and action, false otherwise
 */
public boolean doesPolicyExist(final String resourceIdentifier, final RequestAction requestAction) {
    // the lookup is only consulted for a non-null identifier
    return resourceIdentifier != null
            && policies.get().getAccessPolicy(resourceIdentifier, requestAction) != null;
}
 
Example #19
Source File: DtoFactory.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a ConnectableDTO for the given Connectable.
 *
 * <p>The id, type, group id and running state are always included. The name and the comments are
 * only included when the current user has READ on the connectable; otherwise the identifier is
 * used as the name and the comments are left unset.
 *
 * @param connectable connectable, may be {@code null}
 * @return dto, or {@code null} when {@code connectable} is {@code null}
 */
public ConnectableDTO createConnectableDto(final Connectable connectable) {
    if (connectable == null) {
        return null;
    }

    final boolean canRead = connectable.isAuthorized(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());

    final ConnectableDTO connectableDto = new ConnectableDTO();
    connectableDto.setId(connectable.getIdentifier());
    // an unauthorized user sees the identifier in place of the name
    connectableDto.setName(canRead ? connectable.getName() : connectable.getIdentifier());
    connectableDto.setType(connectable.getConnectableType().name());

    if (connectable instanceof RemoteGroupPort) {
        // remote ports report the state of the remote process group they belong to
        final RemoteGroupPort remotePort = (RemoteGroupPort) connectable;
        final RemoteProcessGroup owningGroup = remotePort.getRemoteProcessGroup();
        connectableDto.setGroupId(owningGroup.getIdentifier());
        connectableDto.setRunning(remotePort.isTargetRunning());
        connectableDto.setTransmitting(remotePort.isRunning());
        connectableDto.setExists(remotePort.getTargetExists());
        if (canRead) {
            connectableDto.setComments(owningGroup.getComments());
        }
    } else {
        connectableDto.setGroupId(connectable.getProcessGroup().getIdentifier());
        connectableDto.setRunning(connectable.isRunning());
        if (canRead) {
            connectableDto.setComments(connectable.getComments());
        }
    }

    return connectableDto;
}
 
Example #20
Source File: OperationAuthorizable.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * <p>Authorizes an operation request using the base authorizable first and an
 * {@code OperationAuthorizable} wrapped around it as a fallback.</p>
 *
 * <p>WRITE is checked on the base authorizable. If that succeeds, authorization is complete. If it
 * fails with an {@code AccessDeniedException}, WRITE is checked on the operation authorizable
 * ('/operation/{componentType}/{id}') instead, and a denial there propagates to the caller. Any
 * other exception from the first check is not caught.</p>
 *
 * @param baseAuthorizable authorizable of the component being operated
 * @param authorizer       authorizer used for both checks
 * @param user             user making the request
 */
public static void authorizeOperation(final Authorizable baseAuthorizable, final Authorizer authorizer, final NiFiUser user) {
    try {
        baseAuthorizable.authorize(authorizer, RequestAction.WRITE, user);
        return;
    } catch (AccessDeniedException denied) {
        logger.debug("Authorization failed with {}. Try authorizing with OperationAuthorizable.", baseAuthorizable, denied);
    }

    // Always use WRITE action for operation.
    final OperationAuthorizable operationAuthorizable = new OperationAuthorizable(baseAuthorizable);
    operationAuthorizable.authorize(authorizer, RequestAction.WRITE, user);
}
 
Example #21
Source File: VolatileAccessPolicyProvider.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Returns a stored policy whose resource and action both equal the given values.
 *
 * @param resourceIdentifier resource the policy must apply to
 * @param action             action the policy must apply to
 * @return a matching policy, or {@code null} when none is stored
 */
@Override
public synchronized AccessPolicy getAccessPolicy(final String resourceIdentifier, final RequestAction action) throws AuthorizationAccessException {
    for (final AccessPolicy candidate : accessPolicies) {
        // Objects.equals keeps the comparison null-safe on both sides
        final boolean sameResource = Objects.equals(candidate.getResource(), resourceIdentifier);
        if (sameResource && Objects.equals(candidate.getAction(), action)) {
            return candidate;
        }
    }
    return null;
}
 
Example #22
Source File: StandardPolicyBasedAuthorizerDAO.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Builds an AccessPolicy from a DTO, taking the ids of its users and user groups.
 *
 * @param identifier      policy identifier
 * @param resource        resource the policy applies to
 * @param action          action the policy applies to
 * @param accessPolicyDTO DTO supplying the users and user groups; either set may be {@code null}
 * @return the built policy
 */
private AccessPolicy buildAccessPolicy(final String identifier, final String resource, final RequestAction action, final AccessPolicyDTO accessPolicyDTO) {
    final Set<TenantEntity> groupEntities = accessPolicyDTO.getUserGroups();
    final Set<TenantEntity> userEntities = accessPolicyDTO.getUsers();

    final AccessPolicy.Builder policyBuilder = new AccessPolicy.Builder()
            .identifier(identifier)
            .resource(resource);

    // a null set on the DTO simply contributes no groups / no users
    if (groupEntities != null) {
        final Set<String> groupIds = groupEntities.stream().map(ComponentEntity::getId).collect(Collectors.toSet());
        policyBuilder.addGroups(groupIds);
    }
    if (userEntities != null) {
        final Set<String> userIds = userEntities.stream().map(ComponentEntity::getId).collect(Collectors.toSet());
        policyBuilder.addUsers(userIds);
    }

    policyBuilder.action(action);
    return policyBuilder.build();
}
 
Example #23
Source File: DataAuthorizableTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user without a proxy chain is approved, and the authorizer is consulted exactly once, for
 * that user's identity.
 */
@Test
public void testCheckAuthorizationUser() {
    final NiFiUser directUser = new Builder().identity(IDENTITY_1).build();

    final AuthorizationResult outcome = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, directUser, null);
    assertEquals(Result.Approved, outcome.getResult());

    // exactly one authorize call, carrying the user's identity
    verify(testAuthorizer, times(1)).authorize(argThat(request -> IDENTITY_1.equals(request.getIdentity())));
}
 
Example #24
Source File: DataAuthorizableTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user reached through two proxies is approved, and the authorizer is consulted three times:
 * once for the user and once for each proxy in the chain.
 */
@Test
public void testCheckAuthorizationUserChain() {
    // chain: IDENTITY_1 -> PROXY_1 -> PROXY_2
    final NiFiUser outerProxy = new Builder().identity(PROXY_2).build();
    final NiFiUser innerProxy = new Builder().identity(PROXY_1).chain(outerProxy).build();
    final NiFiUser endUser = new Builder().identity(IDENTITY_1).chain(innerProxy).build();

    final AuthorizationResult outcome = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, endUser, null);
    assertEquals(Result.Approved, outcome.getResult());

    // every identity in the chain must have been authorized
    verify(testAuthorizer, times(3)).authorize(any(AuthorizationRequest.class));
    verifyAuthorizeForUser(IDENTITY_1);
    verifyAuthorizeForUser(PROXY_1);
    verifyAuthorizeForUser(PROXY_2);
}
 
Example #25
Source File: ControllerResource.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Retrieves the configuration for this NiFi.
 *
 * <p>The caller must be authorized for READ on the controller; the check runs before the request
 * is either replicated or answered locally.
 *
 * @return A controllerConfigurationEntity.
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("config")
@ApiOperation(
        value = "Retrieves the configuration for this NiFi Controller",
        response = ControllerConfigurationEntity.class,
        authorizations = {
                @Authorization(value = "Read - /controller", type = "")
        }
)
@ApiResponses(
        value = {
                @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                @ApiResponse(code = 401, message = "Client could not be authenticated."),
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
        }
)
public Response getControllerConfig() {

    // authorization comes first, ahead of the replication decision
    authorizeController(RequestAction.READ);

    // a request that must be replicated is forwarded as a GET instead of being answered here
    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }

    // answer locally with the controller configuration
    final ControllerConfigurationEntity entity = serviceFacade.getControllerConfiguration();
    return clusterContext(generateOkResponse(entity)).build();
}
 
Example #26
Source File: ApplicationResource.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes the specified Snippet with the specified request action. Every selected component is
 * authorized for the current user returned by {@code NiFiUserUtils.getNiFiUser()}.
 *
 * @param snippet    snippet whose selected components are authorized
 * @param authorizer authorizer
 * @param lookup     lookup
 * @param action     action
 * @param authorizeReferencedServices  whether controller services referenced by the selected processors
 *                                     (and, via authorizeProcessGroup, by the selected groups) are authorized too
 * @param authorizeTransitiveServices  passed through to the referenced-service authorization
 * @param authorizeParameterReferences whether parameter usage of the selected processors is authorized too
 */
protected void authorizeSnippet(final SnippetAuthorizable snippet, final Authorizer authorizer, final AuthorizableLookup lookup, final RequestAction action,
                                final boolean authorizeReferencedServices, final boolean authorizeTransitiveServices, final boolean authorizeParameterReferences) {

    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    // shared check applied to every directly selected component
    // NOTE(review): authorize(...) presumably throws on denial, which would stop the remaining checks - confirm
    final Consumer<Authorizable> authorize = authorizable -> authorizable.authorize(authorizer, action, user);

    // authorize each component in the specified snippet
    snippet.getSelectedProcessGroups().forEach(processGroupAuthorizable -> {
        // note - we are not authorizing templates or controller services as they are not considered when using this snippet. however,
        // referenced services are considered so those are explicitly authorized when authorizing a processor
        authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, action, authorizeReferencedServices,
                false, false, authorizeTransitiveServices, authorizeParameterReferences);
    });
    snippet.getSelectedRemoteProcessGroups().forEach(authorize);
    snippet.getSelectedProcessors().forEach(processorAuthorizable -> {
        // authorize the processor
        authorize.accept(processorAuthorizable.getAuthorizable());

        // authorize any referenced services if necessary
        if (authorizeReferencedServices) {
            AuthorizeControllerServiceReference.authorizeControllerServiceReferences(processorAuthorizable, authorizer, lookup, authorizeTransitiveServices);
        }

        // authorize any parameter usage
        if (authorizeParameterReferences) {
            AuthorizeParameterReference.authorizeParameterReferences(processorAuthorizable, authorizer, processorAuthorizable.getParameterContext(), user);
        }
    });
    snippet.getSelectedInputPorts().forEach(authorize);
    snippet.getSelectedOutputPorts().forEach(authorize);
    // connections are looked up as wrappers, so the underlying authorizable is unwrapped first
    snippet.getSelectedConnections().forEach(connAuth -> authorize.accept(connAuth.getAuthorizable()));
    snippet.getSelectedFunnels().forEach(authorize);
    snippet.getSelectedLabels().forEach(authorize);
}
 
Example #27
Source File: DataAuthorizableTest.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user without a proxy chain is approved, and the authorizer is consulted exactly once, for
 * that user's identity.
 */
@Test
public void testCheckAuthorizationUser() {
    final NiFiUser directUser = new StandardNiFiUser(IDENTITY_1);

    final AuthorizationResult outcome = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, directUser, null);
    assertEquals(Result.Approved, outcome.getResult());

    // matches only authorization requests that carry the user's identity
    final ArgumentMatcher<AuthorizationRequest> forIdentity1 = new ArgumentMatcher<AuthorizationRequest>() {
        @Override
        public boolean matches(Object o) {
            return IDENTITY_1.equals(((AuthorizationRequest) o).getIdentity());
        }
    };
    verify(testAuthorizer, times(1)).authorize(argThat(forIdentity1));
}
 
Example #28
Source File: DataAuthorizableTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizing a user without a proxy chain consults the authorizer exactly once, for that user's
 * identity.
 */
@Test
public void testAuthorizedUser() {
    final NiFiUser directUser = new Builder().identity(IDENTITY_1).build();

    testDataAuthorizable.authorize(testAuthorizer, RequestAction.READ, directUser, null);

    // exactly one authorize call, carrying the user's identity
    verify(testAuthorizer, times(1)).authorize(argThat(request -> IDENTITY_1.equals(request.getIdentity())));
}
 
Example #29
Source File: UserEventAuthorizer.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes the configured user for READ on the provenance data of the component that produced
 * the event.
 *
 * <p>No check is made when {@code authorizer} is {@code null}. Unlike the authorizer, {@code user}
 * is not null-checked here and is handed to the authorizable as-is.
 *
 * @param event provenance event whose component data is being accessed
 */
@Override
public void authorize(final ProvenanceEventRecord event) {
    if (authorizer != null) {
        resourceFactory.createProvenanceDataAuthorizable(event.getComponentId())
                .authorize(authorizer, RequestAction.READ, user);
    }
}
 
Example #30
Source File: ControllerServiceResource.java    From localization_nifi with Apache License 2.0 4 votes vote down vote up
/**
 * Clears the state for a controller service.
 *
 * <p>The current user must have WRITE on the controller service; that check is the authorization
 * step handed to {@code withWriteLock}.
 *
 * @param httpServletRequest servlet request
 * @param id                 The id of the controller service
 * @return a componentStateEntity
 */
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}/state/clear-requests")
@ApiOperation(
        value = "Clears the state for a controller service",
        response = ComponentStateDTO.class,
        authorizations = {
                @Authorization(value = "Write - /controller-services/{uuid}", type = "")
        }
)
@ApiResponses(
        value = {
                @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                @ApiResponse(code = 401, message = "Client could not be authenticated."),
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 404, message = "The specified resource could not be found."),
                @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
        }
)
public Response clearState(
        @Context HttpServletRequest httpServletRequest,
        @ApiParam(
                value = "The controller service id.",
                required = true
        )
        @PathParam("id") final String id) {

    // NOTE(review): a request that must be replicated returns here, before the authorize step below runs
    // in this method; presumably the WRITE check is applied where the replicated request is handled - confirm
    if (isReplicateRequest()) {
        return replicate(HttpMethod.POST);
    }

    final ControllerServiceEntity requestControllerServiceEntity = new ControllerServiceEntity();
    requestControllerServiceEntity.setId(id);

    // withWriteLock receives, in order: the authorization step, the verification step and the action
    return withWriteLock(
            serviceFacade,
            requestControllerServiceEntity,
            lookup -> {
                // the current user needs WRITE on the controller service
                final Authorizable controllerService = lookup.getControllerService(id).getAuthorizable();
                controllerService.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            },
            () -> serviceFacade.verifyCanClearControllerServiceState(id),
            (controllerServiceEntity) -> {
                // clear the component state
                serviceFacade.clearControllerServiceState(controllerServiceEntity.getId());

                // generate the response entity
                // NOTE(review): the entity is returned without any state set on it, while the annotation
                // above declares ComponentStateDTO as the response type - confirm this is intended
                final ComponentStateEntity entity = new ComponentStateEntity();

                // generate the response
                return clusterContext(generateOkResponse(entity)).build();
            }
    );
}