org.apache.nifi.authorization.AuthorizationResult Java Examples

The following examples show how to use org.apache.nifi.authorization.AuthorizationResult. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: DataTransferResource.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that the current user may transfer data through the public port with the given identifier.
 * <p>
 * Only {@code ResourceType.InputPort} and {@code ResourceType.OutputPort} are accepted. The decision itself is
 * delegated to the port's own {@code checkAuthorization(user)}.
 * <p>
 * Note: Protected for testing purposes
 *
 * @param lookup       source of the port authorizables
 * @param resourceType kind of port being accessed
 * @param identifier   id of the port
 * @throws IllegalArgumentException if {@code resourceType} is neither an input nor an output port
 * @throws AccessDeniedException    if the port's check returns anything other than an approval
 */
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // reject any resource type that is not a port before touching the lookup
    final boolean inputPort = ResourceType.InputPort.equals(resourceType);
    if (!inputPort && !ResourceType.OutputPort.equals(resourceType)) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    // resolve the authorizable for the requested direction
    final PublicPortAuthorizable authorizable = inputPort
            ? lookup.getPublicInputPort(identifier)
            : lookup.getPublicOutputPort(identifier);

    // deny by default: only an explicit approval lets the call return normally
    final AuthorizationResult authorizationResult = authorizable.checkAuthorization(user);
    if (Result.Approved.equals(authorizationResult.getResult())) {
        return;
    }
    throw new AccessDeniedException(authorizationResult.getExplanation());
}
 
Example #2
Source File: ProvenanceDataAuthorizableTest.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the fixtures: a mocked processor authorizable with no parent, and a mocked authorizer that approves
 * {@code IDENTITY_1} and denies every other identity.
 */
@Before
public void setup() {
    final Authorizable processorAuthorizable = mock(Authorizable.class);
    when(processorAuthorizable.getParentAuthorizable()).thenReturn(null);
    when(processorAuthorizable.getResource()).thenReturn(ResourceFactory.getComponentResource(ResourceType.Processor, "id", "name"));

    testAuthorizer = mock(Authorizer.class);
    when(testAuthorizer.authorize(any(AuthorizationRequest.class))).then(invocation -> {
        final AuthorizationRequest authorizationRequest = invocation.getArgument(0);

        // deny by default: only the single known identity is approved
        return IDENTITY_1.equals(authorizationRequest.getIdentity())
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    });

    testProvenanceDataAuthorizable = new ProvenanceDataAuthorizable(processorAuthorizable);
}
 
Example #3
Source File: TestStandardRootGroupPort.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a {@code StandardRootGroupPort} for tests, backed by a mocked authorizer that approves one fixed
 * identity and denies all others.
 *
 * @param nifiProperties properties handed to the port
 * @return the port under test
 */
private RootGroupPort createRootGroupPort(NiFiProperties nifiProperties) {
    final BulletinRepository bulletinRepository = mock(BulletinRepository.class);
    final ProcessScheduler processScheduler = null;

    final Authorizer authorizer = mock(Authorizer.class);
    doAnswer(invocation -> {
        final AuthorizationRequest authorizationRequest = invocation.getArgumentAt(0, AuthorizationRequest.class);

        // NOTE(review): the identity literal below looks like an e-mail-protection placeholder left by the page
        // this listing was taken from, not the identity the project's test uses -- confirm against the project.
        final boolean knownIdentity = "[email protected]".equals(authorizationRequest.getIdentity());
        return knownIdentity ? AuthorizationResult.approved() : AuthorizationResult.denied();
    }).when(authorizer).authorize(any(AuthorizationRequest.class));

    final ProcessGroup processGroup = mock(ProcessGroup.class);
    doReturn("process-group-id").when(processGroup).getIdentifier();

    return new StandardRootGroupPort(
            "id", "name", processGroup,
            TransferDirection.SEND, ConnectableType.INPUT_PORT,
            authorizer, bulletinRepository, processScheduler,
            true, nifiProperties);
}
 
Example #4
Source File: VolatileProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether {@code user} may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @param user  the user requesting access
 * @return {@code true} when no authorizer is set or the READ check on the event's data authorizable is
 *         approved; {@code false} when the component cannot be resolved or the check is not approved
 */
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) {
    // NOTE(review): fails open -- with a null authorizer every event is reported as readable. Presumably this is
    // the path for an instance running without authorization; confirm a secured instance cannot reach it.
    if (authorizer == null) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    // the event attributes are passed to the check as the resource context
    final Result outcome = eventAuthorizable
            .checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes())
            .getResult();
    return Result.Approved.equals(outcome);
}
 
Example #5
Source File: PersistentProvenanceRepository.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether {@code user} may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @param user  the user requesting access, may be {@code null}
 * @return {@code true} when there is no authorizer or no user, or when the READ check on the event's data
 *         authorizable is approved; {@code false} when the component cannot be resolved or the check is not
 *         approved
 */
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) {
    // NOTE(review): fails open -- a missing authorizer or a null user yields true. Presumably this covers
    // instances without authorization and internal callers; confirm that no request-driven path can arrive
    // here with user == null.
    final boolean nothingToCheck = authorizer == null || user == null;
    if (nothingToCheck) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    final Result outcome = eventAuthorizable
            .checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes())
            .getResult();
    return Result.Approved.equals(outcome);
}
 
Example #6
Source File: UserEventAuthorizer.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether the user held by this authorizer may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @return {@code true} when there is no authorizer or no user, or when the READ check on the event's data
 *         authorizable is approved; {@code false} when the component cannot be resolved or the check is not
 *         approved
 */
@Override
public boolean isAuthorized(final ProvenanceEventRecord event) {
    // NOTE(review): fails open -- a missing authorizer or a null user yields true. Confirm that the code
    // constructing this object never passes a null user for a request that should be access-controlled.
    if (authorizer == null) {
        return true;
    }
    if (user == null) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    final AuthorizationResult readCheck = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes());
    return Result.Approved.equals(readCheck.getResult());
}
 
Example #7
Source File: StandardNiFiServiceFacade.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the audited action with the given id, provided the current caller is authorized for it.
 *
 * @param actionId id of the action to load
 * @return the action wrapped in an entity that is marked as authorized
 * @throws ResourceNotFoundException if no action exists with that id
 * @throws AccessDeniedException     if {@code authorizeAction} does not approve access to the action
 */
@Override
public ActionEntity getAction(final Integer actionId) {
    final Action action = auditService.getAction(actionId);

    // NOTE(review): the not-found check runs before authorization, so a caller without access can tell a
    // missing action id from a forbidden one by the exception type -- confirm that this is acceptable.
    if (action == null) {
        throw new ResourceNotFoundException(String.format("Unable to find action with id '%s'.", actionId));
    }

    final AuthorizationResult result = authorizeAction(action);
    if (!Result.Approved.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }

    // only reachable after an approval, so the entity is always created with the authorized flag set
    return entityFactory.createActionEntity(dtoFactory.createActionDto(action), true);
}
 
Example #8
Source File: DataTransferResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that the current user may transfer data through the root group port with the given identifier.
 * <p>
 * Only {@code ResourceType.InputPort} and {@code ResourceType.OutputPort} are accepted. The decision itself is
 * delegated to the port's own {@code checkAuthorization(user)}.
 * <p>
 * Note: Protected for testing purposes
 *
 * @param lookup       source of the port authorizables
 * @param resourceType kind of port being accessed
 * @param identifier   id of the port
 * @throws IllegalArgumentException if {@code resourceType} is neither an input nor an output port
 * @throws AccessDeniedException    if the port's check returns anything other than an approval
 */
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // reject any resource type that is not a port before touching the lookup
    final boolean inputPort = ResourceType.InputPort.equals(resourceType);
    if (!inputPort && !ResourceType.OutputPort.equals(resourceType)) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    // resolve the authorizable for the requested direction
    final RootGroupPortAuthorizable authorizable = inputPort
            ? lookup.getRootGroupInputPort(identifier)
            : lookup.getRootGroupOutputPort(identifier);

    // deny by default: only an explicit approval lets the call return normally
    final AuthorizationResult authorizationResult = authorizable.checkAuthorization(user);
    if (Result.Approved.equals(authorizationResult.getResult())) {
        return;
    }
    throw new AccessDeniedException(authorizationResult.getExplanation());
}
 
Example #9
Source File: SystemDiagnosticsResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Requires READ access to the system resource for the current user.
 *
 * @throws AccessDeniedException if the authorizer returns anything other than an approval
 */
private void authorizeSystem() {
    // assumes NiFiUserUtils.getNiFiUser() returns a non-null user here -- TODO confirm; it is dereferenced below
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // the client address is handed to the authorizer as context only when one is known
    final String clientAddress = user.getClientAddress();
    final Map<String, String> userContext;
    if (StringUtils.isBlank(clientAddress)) {
        userContext = null;
    } else {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);
    }

    final AuthorizationRequest.Builder requestBuilder = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getSystemResource())
            .identity(user.getIdentity())
            .anonymous(user.isAnonymous())
            .accessAttempt(true)
            .action(RequestAction.READ)
            .userContext(userContext)
            .explanationSupplier(() -> "Unable to view system diagnostics.");

    // deny by default: only an explicit approval lets the call return normally
    final AuthorizationResult result = authorizer.authorize(requestBuilder.build());
    if (Result.Approved.equals(result.getResult())) {
        return;
    }
    throw new AccessDeniedException(result.getExplanation());
}
 
Example #10
Source File: ProvenanceResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Requires READ access to the provenance resource for the current user.
 *
 * @throws AccessDeniedException if the authorizer returns anything other than an approval
 */
private void authorizeProvenanceRequest() {
    // assumes NiFiUserUtils.getNiFiUser() returns a non-null user here -- TODO confirm; it is dereferenced below
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // the client address is handed to the authorizer as context only when one is known
    final String clientAddress = user.getClientAddress();
    final Map<String, String> userContext;
    if (StringUtils.isBlank(clientAddress)) {
        userContext = null;
    } else {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);
    }

    final AuthorizationRequest.Builder requestBuilder = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getProvenanceResource())
            .identity(user.getIdentity())
            .anonymous(user.isAnonymous())
            .accessAttempt(true)
            .action(RequestAction.READ)
            .userContext(userContext)
            .explanationSupplier(() -> "Unable to query provenance.");

    // deny by default: only an explicit approval lets the call return normally
    final AuthorizationResult result = authorizer.authorize(requestBuilder.build());
    if (Result.Approved.equals(result.getResult())) {
        return;
    }
    throw new AccessDeniedException(result.getExplanation());
}
 
Example #11
Source File: ResourceResource.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Requires READ access to the "resource" resource for the current user.
 *
 * @throws AccessDeniedException if the authorizer returns anything other than an approval
 */
private void authorizeResource() {
    // assumes NiFiUserUtils.getNiFiUser() returns a non-null user here -- TODO confirm; it is dereferenced below
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // the client address is handed to the authorizer as context only when one is known
    final String clientAddress = user.getClientAddress();
    final Map<String, String> userContext;
    if (StringUtils.isBlank(clientAddress)) {
        userContext = null;
    } else {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);
    }

    final AuthorizationRequest.Builder requestBuilder = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getResourceResource())
            .identity(user.getIdentity())
            .anonymous(user.isAnonymous())
            .accessAttempt(true)
            .action(RequestAction.READ)
            .userContext(userContext)
            .explanationSupplier(() -> "Unable to retrieve resources.");

    // deny by default: only an explicit approval lets the call return normally
    final AuthorizationResult result = authorizer.authorize(requestBuilder.build());
    if (Result.Approved.equals(result.getResult())) {
        return;
    }
    throw new AccessDeniedException(result.getExplanation());
}
 
Example #12
Source File: NiFiFlowTestAuthorizer.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Test authorizer with a fixed policy keyed on the request identity.
 * <ul>
 * <li>{@code PROXY_DN} is approved for the proxy resource, whatever the action.</li>
 * <li>{@code READ_USER_DN} and {@code READ_WRITE_USER_DN} are approved for READ.</li>
 * <li>{@code WRITE_USER_DN} and {@code READ_WRITE_USER_DN} are approved for WRITE.</li>
 * </ul>
 * Everything else is denied.
 *
 * @param request the authorization request
 * @return approved or denied according to the rules above
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    // the proxy rule matches on resource identifier and identity only; the action is not consulted
    final boolean proxyResource = ResourceFactory.getProxyResource().getIdentifier().equals(request.getResource().getIdentifier());
    if (proxyResource && PROXY_DN.equals(request.getIdentity())) {
        return AuthorizationResult.approved();
    }

    final boolean readWriteUser = READ_WRITE_USER_DN.equals(request.getIdentity());

    final boolean reader = READ_USER_DN.equals(request.getIdentity()) || readWriteUser;
    if (reader && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    final boolean writer = WRITE_USER_DN.equals(request.getIdentity()) || readWriteUser;
    if (writer && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // deny by default
    return AuthorizationResult.denied();
}
 
Example #13
Source File: ControllerFacade.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Checks whether the current user may replay the specified provenance event.
 * <p>
 * Replay needs both READ and WRITE on the data authorizable of the component named in the event. An event
 * without a source queue identifier is denied without consulting the authorizer.
 *
 * @param event event
 * @return a denial when the event has no source queue identifier, the READ result when it is not approved,
 *         otherwise the result of the WRITE check
 */
private AuthorizationResult checkAuthorizationForReplay(final ProvenanceEventRecord event) {
    // without a connection id the replay would not be available anyway and there is nothing to authorize
    // against, so deny it
    if (event.getSourceQueueIdentifier() == null) {
        return AuthorizationResult.denied("The connection id in the provenance event is unknown.");
    }

    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final Authorizable dataAuthorizable = event.isRemotePortType()
            ? flowController.createRemoteDataAuthorizable(event.getComponentId())
            : flowController.createLocalDataAuthorizable(event.getComponentId());

    // the event attributes are passed to both checks as the resource context
    final Map<String, String> eventAttributes = event.getAttributes();

    // READ is checked first; WRITE is consulted only once READ has been approved
    final AuthorizationResult readResult = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes);
    if (Result.Approved.equals(readResult.getResult())) {
        return dataAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, eventAttributes);
    }
    return readResult;
}
 
Example #14
Source File: TestStandardPublicPort.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a {@code StandardPublicPort} for tests, backed by a mocked authorizer that approves fixed identities
 * and denies all others.
 *
 * @param nifiProperties properties supplying the bored yield duration and the identity mappings
 * @return the port under test, attached to a mocked process group
 */
private PublicPort createPublicPort(NiFiProperties nifiProperties) {
    final BulletinRepository bulletinRepository = mock(BulletinRepository.class);
    final ProcessScheduler processScheduler = null;

    final Authorizer authorizer = mock(Authorizer.class);
    doAnswer(invocation -> {
        final AuthorizationRequest authorizationRequest = invocation.getArgument(0);

        // NOTE(review): both literals below look like e-mail-protection placeholders left by the page this
        // listing was taken from. As shown the two comparisons are identical; the project presumably names
        // two distinct identities -- confirm against the project.
        final boolean knownIdentity = "[email protected]".equals(authorizationRequest.getIdentity())
                || "[email protected]".equals(authorizationRequest.getIdentity());
        return knownIdentity ? AuthorizationResult.approved() : AuthorizationResult.denied();
    }).when(authorizer).authorize(any(AuthorizationRequest.class));

    final ProcessGroup processGroup = mock(ProcessGroup.class);
    doReturn("process-group-id").when(processGroup).getIdentifier();

    final StandardPublicPort publicPort = new StandardPublicPort(
            "id", "name",
            TransferDirection.SEND, ConnectableType.INPUT_PORT,
            authorizer, bulletinRepository, processScheduler, true,
            nifiProperties.getBoredYieldDuration(),
            IdentityMappingUtil.getIdentityMappings(nifiProperties));
    publicPort.setProcessGroup(processGroup);
    return publicPort;
}
 
Example #15
Source File: ComponentNode.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Authorizes an action on this component, adding the restricted-component checks for modifications.
 * <p>
 * For a WRITE on a restricted component, every authorizable returned by
 * {@code RestrictedComponentsAuthorizableFactory} for the component class is checked first and the first
 * denial is returned. In every other case, and once none of those checks has denied, the decision is the
 * one made by {@code ComponentAuthorizable}'s default check.
 *
 * @param authorizer      authorizer to consult
 * @param action          action being attempted
 * @param user            user attempting the action
 * @param resourceContext context passed through to each check
 * @return the first restricted-component denial, otherwise the result of the base check
 */
@Override
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    // modifying a restricted component needs elevated privileges; any other request follows the normal rules
    final boolean restrictedWrite = RequestAction.WRITE.equals(action) && isRestricted();
    if (restrictedWrite) {
        for (final Authorizable restricted : RestrictedComponentsAuthorizableFactory.getRestrictedComponentsAuthorizable(getComponentClass())) {
            final AuthorizationResult restrictedResult = restricted.checkAuthorization(authorizer, RequestAction.WRITE, user, resourceContext);

            // NOTE(review): only an explicit Denied stops here; any other outcome falls through to the base
            // check below. Other call sites on this page test for !Approved -- confirm this is intended.
            if (Result.Denied.equals(restrictedResult.getResult())) {
                return restrictedResult;
            }
        }
    }

    // defer to the base authorization check
    return ComponentAuthorizable.super.checkAuthorization(authorizer, action, user, resourceContext);
}
 
Example #16
Source File: ControllerFacade.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Checks whether the current user may replay the specified provenance event.
 * <p>
 * WRITE on the event's data authorizable is always required. READ is checked here only when
 * {@code checkReadDataPermissions} is {@code true}; the context this method is invoked from may already have
 * verified it. The explicit flag forces each caller to acknowledge that choice, which limits the chance of
 * the READ check being overlooked.
 *
 * @param event event
 * @param checkReadDataPermissions whether to verify read data permissions
 * @return a denial when the event has no source queue identifier, the READ result when READ is checked and
 *         not approved, otherwise the result of the WRITE check
 */
private AuthorizationResult checkAuthorizationForReplay(final ProvenanceEventRecord event, final boolean checkReadDataPermissions) {
    // without a connection id the replay would not be available anyway and there is nothing to authorize
    // against, so deny it
    if (event.getSourceQueueIdentifier() == null) {
        return AuthorizationResult.denied("The connection id in the provenance event is unknown.");
    }

    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final Authorizable dataAuthorizable = getDataAuthorizable(event);

    // the event attributes are passed to each check as the resource context
    final Map<String, String> eventAttributes = event.getAttributes();

    if (checkReadDataPermissions) {
        final AuthorizationResult readResult = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes);
        final boolean readApproved = Result.Approved.equals(readResult.getResult());
        if (!readApproved) {
            return readResult;
        }
    }

    // READ has either just been approved or is the caller's responsibility; WRITE decides the outcome
    return dataAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, eventAttributes);
}
 
Example #17
Source File: RangerNiFiAuthorizer.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Writes the audit record for an access attempt whose Ranger result was stored in {@code resultLookup}.
 * <p>
 * The stored result is removed from the lookup whether or not it ends up being audited. Nothing is logged
 * when no result is stored for the request or when the result is not flagged as audited.
 *
 * @param request the authorization request being audited
 * @param result  the authorization result; not read by this method
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult rangerResult;
    synchronized (resultLookup) {
        rangerResult = resultLookup.remove(request);
    }

    if (rangerResult == null || !rangerResult.getIsAudited()) {
        return;
    }

    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(rangerResult);

    // record the resource the caller originally requested
    auditEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());

    defaultAuditHandler.logAuthzAudit(auditEvent);
}
 
Example #18
Source File: UserEventAuthorizer.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether the user held by this authorizer may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @return {@code true} when there is no authorizer or no user, or when the READ check on the component's
 *         provenance data authorizable is approved; {@code false} when the component cannot be resolved or
 *         the check is not approved
 */
@Override
public boolean isAuthorized(final ProvenanceEventRecord event) {
    // NOTE(review): fails open -- a missing authorizer or a null user yields true. Confirm that the code
    // constructing this object never passes a null user for a request that should be access-controlled.
    if (authorizer == null) {
        return true;
    }
    if (user == null) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    final AuthorizationResult readCheck = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user);
    return Result.Approved.equals(readCheck.getResult());
}
 
Example #19
Source File: NiFiFlowTestAuthorizer.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Test authorizer with a fixed policy keyed on the request identity.
 * <ul>
 * <li>{@code PROXY_DN} is approved for the proxy resource, whatever the action.</li>
 * <li>{@code READ_USER_DN} and {@code READ_WRITE_USER_DN} are approved for READ.</li>
 * <li>{@code WRITE_USER_DN} and {@code READ_WRITE_USER_DN} are approved for WRITE.</li>
 * </ul>
 * Everything else is denied.
 *
 * @param request the authorization request
 * @return approved or denied according to the rules above
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    // the proxy rule matches on resource identifier and identity only; the action is not consulted
    final boolean proxyResource = ResourceFactory.getProxyResource().getIdentifier().equals(request.getResource().getIdentifier());
    if (proxyResource && PROXY_DN.equals(request.getIdentity())) {
        return AuthorizationResult.approved();
    }

    final boolean readWriteUser = READ_WRITE_USER_DN.equals(request.getIdentity());

    final boolean reader = READ_USER_DN.equals(request.getIdentity()) || readWriteUser;
    if (reader && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    final boolean writer = WRITE_USER_DN.equals(request.getIdentity()) || readWriteUser;
    if (writer && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // deny by default
    return AuthorizationResult.denied();
}
 
Example #20
Source File: MiNiFiPersistentProvenanceRepository.java    From nifi-minifi with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether {@code user} may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @param user  the user requesting access, may be {@code null}
 * @return {@code true} when there is no authorizer or no user, or when the READ check on the event's data
 *         authorizable is approved; {@code false} when the component cannot be resolved or the check is not
 *         approved
 */
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) {
    // NOTE(review): fails open -- a missing authorizer or a null user yields true. Presumably this covers
    // deployments without authorization and internal callers; confirm that no request-driven path can arrive
    // here with user == null.
    final boolean nothingToCheck = authorizer == null || user == null;
    if (nothingToCheck) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    final Result outcome = eventAuthorizable
            .checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes())
            .getResult();
    return Result.Approved.equals(outcome);
}
 
Example #21
Source File: DataAuthorizableTest.java    From localization_nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the fixtures: a mocked processor authorizable with no parent, and a mocked authorizer that approves
 * {@code IDENTITY_1}, {@code PROXY_1} and {@code PROXY_2} and denies every other identity.
 */
@Before
public void setup() {
    testProcessorAuthorizable = mock(Authorizable.class);
    when(testProcessorAuthorizable.getParentAuthorizable()).thenReturn(null);
    when(testProcessorAuthorizable.getResource()).thenReturn(ResourceFactory.getComponentResource(ResourceType.Processor, "id", "name"));

    testAuthorizer = mock(Authorizer.class);
    when(testAuthorizer.authorize(any(AuthorizationRequest.class))).then(invocation -> {
        final AuthorizationRequest authorizationRequest = invocation.getArgumentAt(0, AuthorizationRequest.class);

        // deny by default: only the end user and the two proxies are approved
        final boolean knownIdentity = IDENTITY_1.equals(authorizationRequest.getIdentity())
                || PROXY_1.equals(authorizationRequest.getIdentity())
                || PROXY_2.equals(authorizationRequest.getIdentity());
        return knownIdentity ? AuthorizationResult.approved() : AuthorizationResult.denied();
    });

    testDataAuthorizable = new DataAuthorizable(testProcessorAuthorizable);
}
 
Example #22
Source File: DataAuthorizableTest.java    From nifi with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the fixtures: a mocked processor authorizable with no parent, and a mocked authorizer that approves
 * {@code IDENTITY_1}, {@code PROXY_1} and {@code PROXY_2} and denies every other identity.
 */
@Before
public void setup() {
    testProcessorAuthorizable = mock(Authorizable.class);
    when(testProcessorAuthorizable.getParentAuthorizable()).thenReturn(null);
    when(testProcessorAuthorizable.getResource()).thenReturn(ResourceFactory.getComponentResource(ResourceType.Processor, "id", "name"));

    testAuthorizer = mock(Authorizer.class);
    when(testAuthorizer.authorize(any(AuthorizationRequest.class))).then(invocation -> {
        final AuthorizationRequest authorizationRequest = invocation.getArgument(0);

        // deny by default: only the end user and the two proxies are approved
        final boolean knownIdentity = IDENTITY_1.equals(authorizationRequest.getIdentity())
                || PROXY_1.equals(authorizationRequest.getIdentity())
                || PROXY_2.equals(authorizationRequest.getIdentity());
        return knownIdentity ? AuthorizationResult.approved() : AuthorizationResult.denied();
    });

    testDataAuthorizable = new DataAuthorizable(testProcessorAuthorizable);
}
 
Example #23
Source File: PersistentProvenanceRepository.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether {@code user} may read the given provenance event.
 *
 * @param event the provenance event being accessed
 * @param user  the user requesting access, may be {@code null}
 * @return {@code true} when there is no authorizer or no user, or when the READ check on the component's
 *         provenance data authorizable is approved; {@code false} when the component cannot be resolved or
 *         the check is not approved
 */
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) {
    // NOTE(review): fails open -- a missing authorizer or a null user yields true. Presumably this covers
    // instances without authorization and internal callers; confirm that no request-driven path can arrive
    // here with user == null.
    final boolean nothingToCheck = authorizer == null || user == null;
    if (nothingToCheck) {
        return true;
    }

    final Authorizable eventAuthorizable;
    try {
        eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId());
    } catch (final ResourceNotFoundException notFound) {
        // an event whose component no longer resolves is treated as not authorized
        return false;
    }

    final Result outcome = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user).getResult();
    return Result.Approved.equals(outcome);
}
 
Example #24
Source File: DataAuthorizable.java    From nifi with Apache License 2.0 5 votes vote down vote up
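/**
 * Authorizes access to the data for {@code user} and for every user reachable through its chain.
 * <p>
 * Each element of the chain is authorized in turn through the default {@code Authorizable} check, and the
 * first result that is not approved is returned, so a single unauthorized element denies the whole request.
 *
 * @param authorizer      authorizer to consult
 * @param action          action being attempted
 * @param user            first user of the chain, may be {@code null}
 * @param resourceContext context passed through to the default check
 * @return approved only when every element of the chain is approved; otherwise the first non-approved
 *         result, or a denial when {@code user} is {@code null} or the source component cannot be resolved
 */
@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    if (user == null) {
        return AuthorizationResult.denied("Unknown user.");
    }

    AuthorizationResult result = null;

    // authorize each element in the chain
    NiFiUser chainedUser = user;
    do {
        try {
            // perform the current user authorization
            result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext);
        } catch (final ResourceNotFoundException e) {
            // Fail closed at once. Storing the denial and continuing would leave chainedUser unchanged, so the
            // same check would be retried and the loop could not end while the component stays unresolved.
            return AuthorizationResult.denied("Unknown source component.");
        }

        // if authorization is not approved, reject
        if (!Result.Approved.equals(result.getResult())) {
            return result;
        }

        // go to the next user in the chain
        chainedUser = chainedUser.getChain();
    } while (chainedUser != null);

    // defensive default: never hand back a null decision
    return result == null ? AuthorizationResult.denied() : result;
}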
 
Example #25
Source File: StandardNiFiServiceFacade.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Runs a history query against the audit service and returns the matching actions.
 * <p>
 * Every action returned by the query is kept in the response. Each one is passed through
 * {@code authorizeAction} and its entity is created with a flag saying whether the result was an approval.
 * NOTE(review): unauthorized actions are flagged, not dropped; presumably the entity factory withholds their
 * details when the flag is false -- verify in {@code createActionEntity}.
 *
 * @param historyQueryDto query criteria: date range, source id, user identity, paging and sorting
 * @return the history DTO, with its actions replaced by the flagged entities when the query returned any
 */
@Override
public HistoryDTO getActions(final HistoryQueryDTO historyQueryDto) {
    // copy the criteria from the DTO into the audit service's query object
    final HistoryQuery query = new HistoryQuery();
    query.setStartDate(historyQueryDto.getStartDate());
    query.setEndDate(historyQueryDto.getEndDate());
    query.setSourceId(historyQueryDto.getSourceId());
    query.setUserIdentity(historyQueryDto.getUserIdentity());
    query.setOffset(historyQueryDto.getOffset());
    query.setCount(historyQueryDto.getCount());
    query.setSortColumn(historyQueryDto.getSortColumn());
    query.setSortOrder(historyQueryDto.getSortOrder());

    final History history = auditService.getActions(query);
    final HistoryDTO historyDto = dtoFactory.createHistoryDto(history);

    // nothing to flag when the query produced no action collection
    if (history.getActions() == null) {
        return historyDto;
    }

    final List<ActionEntity> flaggedEntities = new ArrayList<>();
    for (final Action action : history.getActions()) {
        final boolean approved = Result.Approved.equals(authorizeAction(action).getResult());
        flaggedEntities.add(entityFactory.createActionEntity(dtoFactory.createActionDto(action), approved));
    }
    historyDto.setActions(flaggedEntities);

    return historyDto;
}
 
Example #26
Source File: DataAuthorizableTest.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user with no chain is approved, and exactly one request carrying that user's identity reaches the
 * authorizer.
 */
@Test
public void testCheckAuthorizationUser() {
    final NiFiUser singleUser = new StandardNiFiUser(IDENTITY_1);
    final AuthorizationResult authorization = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, singleUser, null);

    assertEquals(Result.Approved, authorization.getResult());

    // match on the identity carried by the request handed to the authorizer
    verify(testAuthorizer, times(1)).authorize(argThat(new ArgumentMatcher<AuthorizationRequest>() {
        @Override
        public boolean matches(Object candidate) {
            final AuthorizationRequest authorizationRequest = (AuthorizationRequest) candidate;
            return IDENTITY_1.equals(authorizationRequest.getIdentity());
        }
    }));
}
 
Example #27
Source File: DataAuthorizableTest.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user chained to two proxies is approved only after all three identities have been authorized: the
 * authorizer is called three times, once per element of the chain.
 */
@Test
public void testCheckAuthorizationUserChain() {
    // build the chain from its far end: IDENTITY_1 -> PROXY_1 -> PROXY_2
    final NiFiUser outerProxy = new StandardNiFiUser(PROXY_2);
    final NiFiUser innerProxy = new StandardNiFiUser(PROXY_1, outerProxy);
    final NiFiUser endUser = new StandardNiFiUser(IDENTITY_1, innerProxy);

    final AuthorizationResult authorization = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, endUser, null);
    assertEquals(Result.Approved, authorization.getResult());

    // every element of the chain must have been checked, not just the end user
    verify(testAuthorizer, times(3)).authorize(any(AuthorizationRequest.class));
    verifyAuthorizeForUser(IDENTITY_1);
    verifyAuthorizeForUser(PROXY_1);
    verifyAuthorizeForUser(PROXY_2);
}
 
Example #28
Source File: DataAuthorizableTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user chained to two proxies is approved only after all three identities have been authorized: the
 * authorizer is called three times, once per element of the chain.
 */
@Test
public void testCheckAuthorizationUserChain() {
    // build the chain from its far end: IDENTITY_1 -> PROXY_1 -> PROXY_2
    final NiFiUser outerProxy = new Builder().identity(PROXY_2).build();
    final NiFiUser innerProxy = new Builder().identity(PROXY_1).chain(outerProxy).build();
    final NiFiUser endUser = new Builder().identity(IDENTITY_1).chain(innerProxy).build();

    final AuthorizationResult authorization = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, endUser, null);
    assertEquals(Result.Approved, authorization.getResult());

    // every element of the chain must have been checked, not just the end user
    verify(testAuthorizer, times(3)).authorize(any(AuthorizationRequest.class));
    verifyAuthorizeForUser(IDENTITY_1);
    verifyAuthorizeForUser(PROXY_1);
    verifyAuthorizeForUser(PROXY_2);
}
 
Example #29
Source File: ControllerFacade.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Checks whether the current user may read the data of a specified provenance event.
 *
 * @param event event
 * @return the result of the READ check on the event's data authorizable, with the event attributes passed
 *         as the resource context
 */
private AuthorizationResult checkAuthorizationForData(ProvenanceEventRecord event) {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
    final Authorizable dataAuthorizable = getDataAuthorizable(event);
    final Map<String, String> resourceContext = event.getAttributes();

    // the raw result is returned; acting on a non-approved result is left to the caller
    final AuthorizationResult readResult = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, currentUser, resourceContext);
    return readResult;
}
 
Example #30
Source File: ProvenanceDataAuthorizableTest.java    From nifi with Apache License 2.0 5 votes vote down vote up
/**
 * A user with no chain is approved, and exactly one request carrying that user's identity reaches the
 * authorizer.
 */
@Test
public void testCheckAuthorizationUser() {
    final NiFiUser singleUser = new Builder().identity(IDENTITY_1).build();
    final AuthorizationResult authorization = testProvenanceDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, singleUser, null);

    assertEquals(Result.Approved, authorization.getResult());

    // match on the identity carried by the request handed to the authorizer
    verify(testAuthorizer, times(1)).authorize(argThat(authorizationRequest -> IDENTITY_1.equals(authorizationRequest.getIdentity())));
}