Java Code Examples for org.apache.nifi.authorization.user.NiFiUser#getIdentity()

Example 1
Source File: RequestLogger.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Writes an "attempting request" log line for plain-HTTP requests, then passes the request on
 * to the rest of the filter chain.
 *
 * <p>The line contains the caller identity (or a placeholder when no user is bound to the
 * request), the HTTP method, the request URL and the remote address. These values are
 * formatted into the message without escaping.
 *
 * @param req the incoming request; cast to {@code HttpServletRequest} without a type check
 * @param resp the response, passed down the chain untouched
 * @param filterChain the remaining filters
 * @throws IOException propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
        throws IOException, ServletException {

    final HttpServletRequest httpRequest = (HttpServletRequest) req;

    // HTTPS requests are logged elsewhere, so only plain-HTTP requests are recorded here
    final boolean plainHttp = "http".equalsIgnoreCase(httpRequest.getScheme());
    if (plainHttp) {
        // fall back to a placeholder when no user is associated with the request
        final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
        final String identity = currentUser == null ? "<no user found>" : currentUser.getIdentity();

        // this is the attempt only - response details are logged later
        // NOTE(review): getRemoteAddr() is the directly connected peer; behind a proxy this is
        // presumably the proxy address rather than the client - confirm before relying on it in triage
        final String message = String.format("Attempting request for (%s) %s %s (source ip: %s)", identity,
                httpRequest.getMethod(), httpRequest.getRequestURL().toString(), httpRequest.getRemoteAddr());
        logger.info(message);
    }

    // logging never blocks the request: always continue the chain
    filterChain.doFilter(req, resp);
}
 
Example 2
Source File: PersistentProvenanceRepository.java    From nifi with Apache License 2.0 6 votes vote down vote up
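/**
 * Returns a previously submitted lineage computation, but only to the user who submitted it.
 *
 * <p>A submission stored without a submitter identity is returned to any caller, including a
 * request that carries no user.
 *
 * @param lineageIdentifier identifier of the lineage submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when nothing is registered under the identifier
 * @throws AccessDeniedException when the submission has a submitter and the requester is
 *         missing or is a different user
 */
@Override
public AsyncLineageSubmission retrieveLineageSubmission(final String lineageIdentifier, final NiFiUser user) {
    final AsyncLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier);
    if (submission == null) {
        // Unknown identifier: previously this fell through to a NullPointerException on the
        // submitter lookup. NOTE(review): callers are assumed to treat null as "not found" - confirm.
        return null;
    }

    final String userId = submission.getSubmitterIdentity();

    // no requester and no recorded owner: nothing to compare
    if (user == null && userId == null) {
        return submission;
    }

    // the submission has an owner but the request is anonymous
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request.");
    }

    // ownerless submissions are open to any user; otherwise the identities must match exactly
    if (userId == null || userId.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request.");
}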
 
Example 3
Source File: RequestLogger.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Request-logging filter step: records one line per plain-HTTP request and then delegates to
 * the next filter.
 *
 * @param req the incoming request, cast to {@code HttpServletRequest} without a type check
 * @param resp the response handed to the next filter unchanged
 * @param filterChain the chain to continue
 * @throws IOException propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
        throws IOException, ServletException {

    final HttpServletRequest request = (HttpServletRequest) req;
    final String scheme = request.getScheme();

    // only http requests are logged here, as https requests are logged elsewhere
    if ("http".equalsIgnoreCase(scheme)) {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();

        // identity shown in the log line; a placeholder marks requests without a user
        final String identity;
        if (user == null) {
            identity = "<no user found>";
        } else {
            identity = user.getIdentity();
        }

        // Only the attempt is logged here; response details are logged later.
        // The identity, method, URL and remote address go into the message unescaped.
        logger.info(String.format("Attempting request for (%s) %s %s (source ip: %s)",
                identity,
                request.getMethod(),
                request.getRequestURL().toString(),
                request.getRemoteAddr()));
    }

    // hand over to the rest of the chain whether or not a line was logged
    filterChain.doFilter(req, resp);
}
 
Example 4
Source File: PersistentProvenanceRepository.java    From nifi with Apache License 2.0 6 votes vote down vote up
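/**
 * Returns a previously submitted provenance query, restricted to the user who submitted it.
 *
 * <p>A submission with no recorded submitter is handed to any caller, authenticated or not.
 *
 * @param queryIdentifier identifier of the query submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when no submission exists for the identifier
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is not the owner
 */
@Override
public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) {
    final QuerySubmission submission = querySubmissionMap.get(queryIdentifier);
    if (submission == null) {
        // An identifier with no entry used to end in a NullPointerException below.
        // NOTE(review): null is assumed to mean "not found" to callers - confirm.
        return null;
    }

    final String submitter = submission.getSubmitterIdentity();

    // an ownerless submission is not access-restricted
    if (submitter == null) {
        return submission;
    }

    // from here on the submission has an owner, so an anonymous request is refused
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided in the provenance request.");
    }

    // exact, case-sensitive identity match
    if (submitter.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request.");
}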
 
Example 5
Source File: StandardNiFiServiceFacade.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Removes a disconnected node from the cluster on behalf of the current user.
 *
 * <p>The method only checks that a user is present; it performs no authorization check of its
 * own. NOTE(review): authorization is presumably enforced by the caller - confirm.
 *
 * @param nodeId id of the node to remove
 * @throws WebApplicationException when no user is bound to the request
 * @throws UnknownNodeException when the id does not belong to a cluster node
 * @throws IllegalNodeDeletionException when the node is in any state other than DISCONNECTED
 */
@Override
public void deleteNode(final String nodeId) {
    final NiFiUser requester = NiFiUserUtils.getNiFiUser();
    if (requester == null) {
        throw new WebApplicationException(new Throwable("Unable to access details for current user."));
    }

    // the requester identity is handed to the coordinator together with the removal
    final String requesterIdentity = requester.getIdentity();

    final NodeIdentifier target = clusterCoordinator.getNodeIdentifier(nodeId);
    if (target == null) {
        throw new UnknownNodeException("Cannot remove Node with ID " + nodeId + " because it is not part of the cluster");
    }

    // only a node that is already disconnected may be removed
    final NodeConnectionStatus status = clusterCoordinator.getConnectionStatus(target);
    final boolean disconnected = status.getState().equals(NodeConnectionState.DISCONNECTED);
    if (!disconnected) {
        throw new IllegalNodeDeletionException("Cannot remove Node with ID " + nodeId + " because it is not disconnected, current state = " + status.getState());
    }

    clusterCoordinator.removeNode(target, requesterIdentity);
    heartbeatMonitor.removeHeartbeat(target);
}
 
Example 6
Source File: VolatileProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
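/**
 * Looks up a lineage submission and enforces that only its submitter may read it.
 *
 * <p>Submissions that carry no submitter identity are not access-restricted.
 *
 * @param lineageIdentifier identifier of the lineage submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when the identifier is not registered
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is a different user
 */
@Override
public ComputeLineageSubmission retrieveLineageSubmission(String lineageIdentifier, final NiFiUser user) {
    final ComputeLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier);
    if (submission == null) {
        // Guard against an unknown identifier, which would otherwise fail with a
        // NullPointerException. NOTE(review): callers are assumed to map null to "not found" - confirm.
        return null;
    }

    final String userId = submission.getSubmitterIdentity();

    // neither side has an identity: nothing to enforce
    if (user == null && userId == null) {
        return submission;
    }

    // owned submission requested without a user
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request.");
    }

    // ownerless submissions are readable by any user; owned ones require an exact identity match
    if (userId == null || userId.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request.");
}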
 
Example 7
Source File: VolatileProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
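/**
 * Looks up a provenance query submission and returns it only to its submitter.
 *
 * <p>If the submission records no submitter, it is returned regardless of who asks.
 *
 * @param queryIdentifier identifier of the query submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when the identifier is not registered
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is not the owner
 */
@Override
public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) {
    final QuerySubmission submission = querySubmissionMap.get(queryIdentifier);
    if (submission == null) {
        // No entry for this identifier; dereferencing it below used to throw a
        // NullPointerException. NOTE(review): null is assumed to signal "not found" - confirm.
        return null;
    }

    final String ownerIdentity = submission.getSubmitterIdentity();
    if (ownerIdentity == null) {
        // no recorded owner, so there is no identity to check against
        return submission;
    }

    if (user == null) {
        // an owned submission is never returned to an anonymous request
        throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided in the provenance request.");
    }

    if (!ownerIdentity.equals(user.getIdentity())) {
        throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request.");
    }

    return submission;
}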
 
Example 8
Source File: LuceneEventIndex.java    From nifi with Apache License 2.0 6 votes vote down vote up
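/**
 * Returns the lineage submission registered under the identifier, provided the requester is
 * the user who submitted it.
 *
 * <p>A submission without a submitter identity is returned to every caller.
 *
 * @param lineageIdentifier identifier of the lineage submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when nothing is registered under the identifier
 * @throws AccessDeniedException when the submission has a submitter and the requester is
 *         missing or is someone else
 */
@Override
public AsyncLineageSubmission retrieveLineageSubmission(final String lineageIdentifier, final NiFiUser user) {
    final AsyncLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier);
    if (submission == null) {
        // Without this guard an unknown identifier produced a NullPointerException instead of
        // a clean result. NOTE(review): callers are assumed to treat null as "not found" - confirm.
        return null;
    }

    final String userId = submission.getSubmitterIdentity();

    // anonymous request for an ownerless submission
    if (user == null && userId == null) {
        return submission;
    }

    // anonymous request for an owned submission
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided");
    }

    // either there is no owner, or the requester is the owner
    if (userId == null || userId.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request");
}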
 
Example 9
Source File: LuceneEventIndex.java    From nifi with Apache License 2.0 6 votes vote down vote up
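/**
 * Returns the query submission registered under the identifier, provided the requester is the
 * user who submitted it.
 *
 * <p>A submission without a submitter identity is returned to every caller.
 *
 * @param queryIdentifier identifier of the query submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when nothing is registered under the identifier
 * @throws AccessDeniedException when the submission has a submitter and the requester is
 *         missing or is someone else
 */
@Override
public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) {
    final QuerySubmission submission = querySubmissionMap.get(queryIdentifier);
    if (submission == null) {
        // An unknown identifier previously triggered a NullPointerException on the next line.
        // NOTE(review): null is assumed to mean "not found" to callers - confirm.
        return null;
    }

    final String submitter = submission.getSubmitterIdentity();

    // nothing to enforce when no owner was recorded
    if (submitter == null) {
        return submission;
    }

    // an owner exists, so the request must carry a user
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided");
    }

    // exact identity comparison decides access
    if (submitter.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request");
}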
 
Example 10
Source File: VolatileProvenanceRepository.java    From nifi with Apache License 2.0 6 votes vote down vote up
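/**
 * Fetches a lineage submission by identifier and checks that the requester submitted it.
 *
 * <p>When the submission carries no submitter identity, the ownership check is skipped.
 *
 * @param lineageIdentifier identifier of the lineage submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when the identifier is unknown
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is not the owner
 */
@Override
public ComputeLineageSubmission retrieveLineageSubmission(String lineageIdentifier, final NiFiUser user) {
    final ComputeLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier);
    if (submission == null) {
        // Unknown identifier: return early rather than hit a NullPointerException below.
        // NOTE(review): callers are assumed to handle null as "not found" - confirm.
        return null;
    }

    final String ownerIdentity = submission.getSubmitterIdentity();
    if (ownerIdentity == null) {
        // ownerless submissions are not restricted to any user
        return submission;
    }

    if (user == null) {
        // an owned submission cannot be read by an anonymous request
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request.");
    }

    if (!ownerIdentity.equals(user.getIdentity())) {
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request.");
    }

    return submission;
}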
 
Example 11
Source File: PersistentProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
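/**
 * Fetches a provenance query submission by identifier and checks that the requester
 * submitted it.
 *
 * <p>When the submission carries no submitter identity, the ownership check is skipped.
 *
 * @param queryIdentifier identifier of the query submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when the identifier is unknown
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is not the owner
 */
@Override
public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) {
    final QuerySubmission submission = querySubmissionMap.get(queryIdentifier);
    if (submission == null) {
        // The original dereferenced the lookup result unconditionally, so an unknown identifier
        // failed with a NullPointerException. NOTE(review): null is assumed to mean "not found" - confirm.
        return null;
    }

    final String userId = submission.getSubmitterIdentity();

    // no requester and no owner
    if (user == null && userId == null) {
        return submission;
    }

    // owner recorded, but the request is anonymous
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided in the provenance request.");
    }

    // no owner, or requester matches the owner exactly
    if (userId == null || userId.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request.");
}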
 
Example 12
Source File: PersistentProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
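/**
 * Retrieves a lineage submission for the given identifier, limited to the submitting user.
 *
 * <p>Submissions stored without a submitter identity are returned to any requester.
 *
 * @param lineageIdentifier identifier of the lineage submission
 * @param user the requesting user, or {@code null} when the request carries no user
 * @return the submission, or {@code null} when no submission exists for the identifier
 * @throws AccessDeniedException when the submission is owned and the requester is missing or
 *         is a different user
 */
@Override
public AsyncLineageSubmission retrieveLineageSubmission(final String lineageIdentifier, final NiFiUser user) {
    final AsyncLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier);
    if (submission == null) {
        // A missing entry used to surface as a NullPointerException on the submitter lookup.
        // NOTE(review): callers are assumed to treat null as "not found" - confirm.
        return null;
    }

    final String submitter = submission.getSubmitterIdentity();

    // unowned submission: returned without an identity check
    if (submitter == null) {
        return submission;
    }

    // owned submission: the request must identify a user
    if (user == null) {
        throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request.");
    }

    // only the exact submitter identity is accepted
    if (submitter.equals(user.getIdentity())) {
        return submission;
    }

    throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request.");
}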
 
Example 13
Source File: VolatileProvenanceRepository.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Registers a lineage computation for the given FlowFile UUIDs and queues it for asynchronous
 * execution.
 *
 * <p>The submitter identity ({@code null} when no user is given) is stored on the submission.
 * Events the user is not authorized for are dropped by the filter before any UUID matching.
 *
 * @param flowFileUuids UUIDs whose lineage is requested
 * @param user the requesting user, may be {@code null}
 * @param computationType kind of lineage computation
 * @param eventId id of the originating event, passed through to the submission
 * @return the registered submission
 */
private AsyncLineageSubmission submitLineageComputation(final Collection<String> flowFileUuids, final NiFiUser user, final LineageComputationType computationType, final Long eventId) {
    final String submitterIdentity;
    if (user == null) {
        submitterIdentity = null;
    } else {
        submitterIdentity = user.getIdentity();
    }

    final AsyncLineageSubmission submission = new AsyncLineageSubmission(computationType, eventId, flowFileUuids, 1, submitterIdentity);
    lineageSubmissionMap.put(submission.getLineageIdentifier(), submission);

    final Filter<ProvenanceEventRecord> lineageFilter = new Filter<ProvenanceEventRecord>() {
        @Override
        public boolean select(final ProvenanceEventRecord event) {
            // authorization comes first: an event the user may not see never reaches the matching below
            if (!isAuthorized(event, user)) {
                return false;
            }

            // direct match on the event's own FlowFile
            if (flowFileUuids.contains(event.getFlowFileUuid())) {
                return true;
            }

            // match through any parent of the event
            for (final String parentUuid : event.getParentUuids()) {
                if (flowFileUuids.contains(parentUuid)) {
                    return true;
                }
            }

            // match through any child of the event
            for (final String childUuid : event.getChildUuids()) {
                if (flowFileUuids.contains(childUuid)) {
                    return true;
                }
            }

            return false;
        }
    };

    queryExecService.submit(new ComputeLineageRunnable(ringBuffer, lineageFilter, submission));

    return submission;
}
 
Example 14
Source File: AccessResource.java    From nifi with Apache License 2.0 5 votes vote down vote up
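/**
 * Creates a single use access token for accessing a NiFi UI extension.
 *
 * <p>The token is issued only when the request arrived over a secure channel and a user is
 * bound to the request; the token is created for that user's identity.
 *
 * @param httpServletRequest the servlet request
 * @return A token (string)
 * @throws IllegalStateException when the request was not made over HTTPS
 * @throws AccessDeniedException when no authenticated user is bound to the request
 */
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@Path("/ui-extension-token")
@ApiOperation(
        value = "Creates a single use access token for accessing a NiFi UI extension.",
        notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " +
                "It is used as a query parameter name 'access_token'.",
        response = String.class
)
@ApiResponses(
        value = {
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                // the 409 and 500 messages previously said "download token", copied from the download-token endpoint
                @ApiResponse(code = 409, message = "Unable to create the UI extension token because NiFi is not in the appropriate state. " +
                        "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
                @ApiResponse(code = 500, message = "Unable to create UI extension token because an unexpected error occurred.")
        }
)
public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
    // only support access tokens when communicating over HTTPS
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("UI extension access tokens are only issued over HTTPS.");
    }

    // the token is bound to the authenticated caller, so an anonymous request is refused
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    if (user == null) {
        throw new AccessDeniedException("No user authenticated in the request.");
    }

    final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(user.getIdentity());

    // generate otp for response
    // Per the API notes the token is later sent as the 'access_token' query parameter, so it
    // can end up in URLs that are logged; the documented single-use, five-minute validity is
    // what limits that exposure.
    final String token = otpService.generateUiExtensionToken(authenticationToken);

    // build the response
    final URI uri = URI.create(generateResourceUri("access", "ui-extension-token"));
    return generateCreatedResponse(uri, token).build();
}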
 
Example 15
Source File: PersistentProvenanceRepository.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
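/**
 * Registers a lineage computation and queues one task per index directory that covers the
 * requested time range.
 *
 * @param flowFileUuids UUIDs whose lineage is requested
 * @param user the requesting user, may be {@code null}
 * @param computationType kind of lineage computation
 * @param eventId id of the originating event, passed through to the submission
 * @param startTimestamp start of the time range used to select index directories
 * @param endTimestamp end of the time range used to select index directories
 * @return the registered submission
 */
private AsyncLineageSubmission submitLineageComputation(final Collection<String> flowFileUuids, final NiFiUser user, final LineageComputationType computationType,
        final Long eventId, final long startTimestamp, final long endTimestamp) {
    final List<File> indexDirs = indexConfig.getIndexDirectories(startTimestamp, endTimestamp);

    // A request without a user used to fail here with a NullPointerException; record a null
    // submitter instead, which the retrieve methods treat as "no owner".
    final String submitterIdentity = user == null ? null : user.getIdentity();
    final AsyncLineageSubmission result = new AsyncLineageSubmission(computationType, eventId, flowFileUuids, indexDirs.size(), submitterIdentity);
    lineageSubmissionMap.put(result.getLineageIdentifier(), result);

    // the user is passed to every task; NOTE(review): presumably used for per-event authorization - confirm
    for (final File indexDir : indexDirs) {
        queryExecService.submit(new ComputeLineageRunnable(flowFileUuids, user, result, indexDir));
    }

    return result;
}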
 
Example 16
Source File: AccessResource.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a single use access token for downloading FlowFile content.
 *
 * <p>Issued only over a secure channel and only for a user bound to the request; the token is
 * created for that user's identity.
 *
 * @param httpServletRequest the servlet request
 * @return A token (string)
 * @throws IllegalStateException when the request was not made over HTTPS
 * @throws AccessDeniedException when no authenticated user is bound to the request
 */
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@Path("/download-token")
@ApiOperation(
        value = "Creates a single use access token for downloading FlowFile content.",
        notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " +
                "It is used as a query parameter name 'access_token'.",
        response = String.class
)
@ApiResponses(
        value = {
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 409, message = "Unable to create the download token because NiFi is not in the appropriate state. " +
                        "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
                @ApiResponse(code = 500, message = "Unable to create download token because an unexpected error occurred.")
        }
)
public Response createDownloadToken(@Context HttpServletRequest httpServletRequest) {
    // tokens are never handed out over a plain-text connection
    final boolean secureChannel = httpServletRequest.isSecure();
    if (!secureChannel) {
        throw new IllegalStateException("Download tokens are only issued over HTTPS.");
    }

    // the token is tied to the caller's identity, so a caller must be present
    final NiFiUser requester = NiFiUserUtils.getNiFiUser();
    if (requester == null) {
        throw new AccessDeniedException("No user authenticated in the request.");
    }

    // one-time password bound to the requester identity
    final String requesterIdentity = requester.getIdentity();
    final String downloadToken = otpService.generateDownloadToken(new OtpAuthenticationToken(requesterIdentity));

    // 'created' response pointing at this resource, with the token as the body
    final URI resourceUri = URI.create(generateResourceUri("access", "download-token"));
    return generateCreatedResponse(resourceUri, downloadToken).build();
}
 
Example 17
Source File: VolatileProvenanceRepository.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Submits a FlowFile lineage computation for the event with the given id.
 *
 * <p>When the event cannot be found, a submission carrying an error message is registered and
 * returned instead of starting a computation.
 *
 * @param eventId id of the provenance event
 * @param user the requesting user, may be {@code null}
 * @return the registered submission
 */
@Override
public ComputeLineageSubmission submitLineageComputation(final long eventId, final NiFiUser user) {
    final ProvenanceEventRecord event = getEvent(eventId);

    if (event != null) {
        return submitLineageComputation(Collections.singleton(event.getFlowFileUuid()), user, LineageComputationType.FLOWFILE_LINEAGE, eventId);
    }

    // unknown event: register a failed submission under the submitter identity (null when no user)
    final String submitterIdentity;
    if (user == null) {
        submitterIdentity = null;
    } else {
        submitterIdentity = user.getIdentity();
    }

    final AsyncLineageSubmission failed = new AsyncLineageSubmission(LineageComputationType.FLOWFILE_LINEAGE, eventId, Collections.emptySet(), 1, submitterIdentity);
    failed.getResult().setError("Could not find event with ID " + eventId);
    lineageSubmissionMap.put(failed.getLineageIdentifier(), failed);
    return failed;
}
 
Example 18
Source File: PersistentProvenanceRepository.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Registers a lineage computation and queues one task for each index directory covering the
 * requested time range.
 *
 * @param flowFileUuids UUIDs whose lineage is requested
 * @param user the requesting user, may be {@code null}
 * @param computationType kind of lineage computation
 * @param eventId id of the originating event, passed through to the submission
 * @param startTimestamp start of the time range used to select index directories
 * @param endTimestamp end of the time range used to select index directories
 * @return the registered submission
 */
private AsyncLineageSubmission submitLineageComputation(final Collection<String> flowFileUuids, final NiFiUser user, final LineageComputationType computationType,
        final Long eventId, final long startTimestamp, final long endTimestamp) {
    final List<File> directories = indexConfig.getIndexDirectories(startTimestamp, endTimestamp);

    // the submitter identity is stored on the submission; null when the request has no user
    final String submitterIdentity;
    if (user == null) {
        submitterIdentity = null;
    } else {
        submitterIdentity = user.getIdentity();
    }

    final AsyncLineageSubmission submission = new AsyncLineageSubmission(computationType, eventId, flowFileUuids, directories.size(), submitterIdentity);
    lineageSubmissionMap.put(submission.getLineageIdentifier(), submission);

    // one task per index directory, all reporting into the same submission
    for (final File directory : directories) {
        queryExecService.submit(new ComputeLineageRunnable(flowFileUuids, user, submission, directory));
    }

    return submission;
}
 
Example 19
Source File: DataTransferResource.java    From localization_nifi with Apache License 2.0 4 votes vote down vote up
/**
 * Builds the {@code Peer} for an HTTP site-to-site request: resolves the client host name,
 * creates the communications session for the current user and copies the handshake headers
 * into it.
 *
 * @param req the servlet request the peer is built from
 * @param inputStream stream the session reads from
 * @param outputStream stream the session writes to
 * @param portId port identifier stored as a handshake parameter
 * @param transactionId transaction id passed to the session
 * @return the peer describing the client and wrapping the session
 */
private Peer constructPeer(final HttpServletRequest req, final InputStream inputStream,
                           final OutputStream outputStream, final String portId, final String transactionId) {
    String clientHostName = req.getRemoteHost();
    try {
        // req.getRemoteHost returns IP address, try to resolve hostname to be consistent with RAW protocol.
        // NOTE(review): the resolved name comes from DNS and is chosen by whoever controls the
        // reverse zone of the client address; treat it as a label, not as proof of identity.
        final InetAddress clientAddress = InetAddress.getByName(clientHostName);
        clientHostName = clientAddress.getHostName();
    } catch (UnknownHostException e) {
        // resolution failure is not fatal: the value from getRemoteHost() is kept
        logger.info("Failed to resolve client hostname {}, due to {}", clientHostName, e.getMessage());
    }
    final int clientPort = req.getRemotePort();

    final PeerDescription peerDescription = new PeerDescription(clientHostName, clientPort, req.isSecure());

    // the session is created with the current user's identity, or null when no user is bound to the request
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final String userDn = user == null ? null : user.getIdentity();
    final HttpServerCommunicationsSession commSession = new HttpServerCommunicationsSession(inputStream, outputStream, transactionId, userDn);

    // compression is enabled only when the header is present and parses to true
    boolean useCompression = false;
    final String useCompressionStr = req.getHeader(HANDSHAKE_PROPERTY_USE_COMPRESSION);
    if (!isEmpty(useCompressionStr) && Boolean.valueOf(useCompressionStr)) {
        useCompression = true;
    }

    // Client-supplied handshake headers. They are stored below as raw strings;
    // NOTE(review): no range or format validation happens in this method - confirm it is done downstream.
    final String requestExpiration = req.getHeader(HANDSHAKE_PROPERTY_REQUEST_EXPIRATION);
    final String batchCount = req.getHeader(HANDSHAKE_PROPERTY_BATCH_COUNT);
    final String batchSize = req.getHeader(HANDSHAKE_PROPERTY_BATCH_SIZE);
    final String batchDuration = req.getHeader(HANDSHAKE_PROPERTY_BATCH_DURATION);

    commSession.putHandshakeParam(HandshakeProperty.PORT_IDENTIFIER, portId);
    commSession.putHandshakeParam(HandshakeProperty.GZIP, String.valueOf(useCompression));

    // optional parameters are only set when the corresponding header was sent
    if (!isEmpty(requestExpiration)) {
        commSession.putHandshakeParam(REQUEST_EXPIRATION_MILLIS, requestExpiration);
    }
    if (!isEmpty(batchCount)) {
        commSession.putHandshakeParam(BATCH_COUNT, batchCount);
    }
    if (!isEmpty(batchSize)) {
        commSession.putHandshakeParam(BATCH_SIZE, batchSize);
    }
    if (!isEmpty(batchDuration)) {
        commSession.putHandshakeParam(BATCH_DURATION, batchDuration);
    }

    if (peerDescription.isSecure()) {
        // NOTE(review): the user is fetched a second time and dereferenced without the null
        // check used for userDn above, so a secure request with no bound user fails here with a
        // NullPointerException. Confirm whether a secure request can reach this point without a user.
        final NiFiUser nifiUser = NiFiUserUtils.getNiFiUser();
        logger.debug("initiating peer, nifiUser={}", nifiUser);
        commSession.setUserDn(nifiUser.getIdentity());
    }

    // TODO: Followed how SocketRemoteSiteListener define peerUrl and clusterUrl, but it can be more meaningful values, especially for clusterUrl.
    final String peerUrl = "nifi://" + clientHostName + ":" + clientPort;
    final String clusterUrl = "nifi://localhost:" + req.getLocalPort();

    return new Peer(peerDescription, commSession, peerUrl, clusterUrl);
}
 
Example 20
Source File: StandardNiFiWebConfigurationContext.java    From localization_nifi with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the identity of the user bound to the current request, after the flow-access check
 * has been applied to that user.
 *
 * @return the current user's identity
 */
@Override
public String getCurrentUserIdentity() {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // The access check runs before the identity is read.
    // NOTE(review): a null user reaches getIdentity() unless authorizeFlowAccess rejects it - confirm.
    authorizeFlowAccess(currentUser);

    final String identity = currentUser.getIdentity();
    return identity;
}