Use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache: class AccessResource, method createUiExtensionToken.
/**
* Creates a single use access token for accessing a NiFi UI extension.
*
* @param httpServletRequest the servlet request
* @return A token (string)
*/
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@Path("/ui-extension-token")
@ApiOperation(value = "Creates a single use access token for accessing a NiFi UI extension.", notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " + "It is used as a query parameter name 'access_token'.", response = String.class)
@ApiResponses(value = {
        @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
        @ApiResponse(code = 409, message = "Unable to create the download token because NiFi is not in the appropriate state. " + "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
        @ApiResponse(code = 500, message = "Unable to create download token because an unexpected error occurred.") })
public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
    // A single-use token is only ever handed out over a TLS-protected connection.
    final boolean overHttps = httpServletRequest.isSecure();
    if (!overHttps) {
        throw new IllegalStateException("UI extension access tokens are only issued over HTTPS.");
    }

    // The token is minted for the authenticated caller's identity, so an anonymous request is refused.
    final NiFiUser requestingUser = NiFiUserUtils.getNiFiUser();
    if (requestingUser == null) {
        throw new AccessDeniedException("No user authenticated in the request.");
    }

    // Ask the OTP service for a token bound to this identity.
    final OtpAuthenticationToken otpToken = new OtpAuthenticationToken(requestingUser.getIdentity());
    final String uiExtensionToken = otpService.generateUiExtensionToken(otpToken);

    // 201 Created, Location pointing back at this resource, token as the plain-text body.
    final String location = generateResourceUri("access", "ui-extension-token");
    return generateCreatedResponse(URI.create(location), uiExtensionToken).build();
}
Use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache: class DataTransferResource, method authorizeDataTransfer.
/**
* Authorizes access to data transfers.
* <p>
* Note: Protected for testing purposes
*/
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser requestingUser = NiFiUserUtils.getNiFiUser();

    // Constant-on-the-left so a null resourceType is simply "neither" rather than an NPE.
    final boolean isInputPort = ResourceType.InputPort.equals(resourceType);
    final boolean isOutputPort = ResourceType.OutputPort.equals(resourceType);

    // Data transfer is only defined for root-group ports; reject any other resource type up front.
    if (!isInputPort && !isOutputPort) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    // Resolve the port authorizable for the requested direction.
    final RootGroupPortAuthorizable portAuthorizable = isInputPort
            ? lookup.getRootGroupInputPort(identifier)
            : lookup.getRootGroupOutputPort(identifier);

    // Fail closed: anything other than an explicit approval is a denial, surfaced with the authorizer's explanation.
    final AuthorizationResult outcome = portAuthorizable.checkAuthorization(requestingUser);
    if (!Result.Approved.equals(outcome.getResult())) {
        throw new AccessDeniedException(outcome.getExplanation());
    }
}
Use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache: class ControllerFacade, method authorizeReplay.
/**
* Authorizes access to replay a specified provenance event.
*
* @param event event
*/
private void authorizeReplay(final ProvenanceEventRecord event) {
    // Without a source queue there is nothing to replay into and nothing to authorize against,
    // so the request is denied rather than allowed by default.
    final String sourceQueueId = event.getSourceQueueIdentifier();
    if (sourceQueueId == null) {
        throw new AccessDeniedException("The connection id in the provenance event is unknown.");
    }

    final NiFiUser requestingUser = NiFiUserUtils.getNiFiUser();
    final String componentId = event.getComponentId();

    // Events from a remote port are checked against the remote data authorizable, all others locally.
    final Authorizable dataAuthorizable = event.isRemotePortType()
            ? flowController.createRemoteDataAuthorizable(componentId)
            : flowController.createLocalDataAuthorizable(componentId);

    // Replay requires both READ and WRITE on the event's data; each authorize() call is
    // presumably expected to throw on denial since nothing here inspects a return value.
    final Map<String, String> eventAttributes = event.getAttributes();
    dataAuthorizable.authorize(authorizer, RequestAction.READ, requestingUser, eventAttributes);
    dataAuthorizable.authorize(authorizer, RequestAction.WRITE, requestingUser, eventAttributes);
}
Use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache: class TestLuceneEventIndex, method testUnauthorizedEventsGetFilteredForQuery.
@Test(timeout = 60000)
public void testUnauthorizedEventsGetFilteredForQuery() throws InterruptedException {
    assumeFalse(isWindowsEnvironment());

    final RepositoryConfiguration config = createConfig(1);
    config.setDesiredIndexSize(1L);
    final IndexManager indexManager = new SimpleIndexManager(config);
    final ArrayListEventStore store = new ArrayListEventStore();
    final LuceneEventIndex eventIndex = new LuceneEventIndex(config, indexManager, 3, EventReporter.NO_OP);
    eventIndex.initialize(store);

    // Three events for the same FlowFile; the authorizer below only admits those with an even event id.
    for (int count = 0; count < 3; count++) {
        final StorageResult stored = store.addEvent(createEvent("1234"));
        eventIndex.addEvents(stored.getStorageLocations());
    }

    // isAuthorized() filters on event id parity; authorize() always denies so the query path
    // must rely on filtering rather than on the throwing variant.
    final EventAuthorizer evenIdsOnly = new EventAuthorizer() {
        @Override
        public boolean isAuthorized(final ProvenanceEventRecord event) {
            return event.getEventId() % 2 == 0;
        }

        @Override
        public void authorize(final ProvenanceEventRecord event) throws AccessDeniedException {
            throw new AccessDeniedException();
        }
    };

    // Re-submit until two matches come back (presumably the index is populated asynchronously);
    // the @Test timeout bounds this loop.
    final Query query = new Query(UUID.randomUUID().toString());
    List<ProvenanceEventRecord> matches;
    do {
        final QuerySubmission submission = eventIndex.submitQuery(query, evenIdsOnly, "unit test");
        assertTrue(submission.getResult().awaitCompletion(5, TimeUnit.SECONDS));
        matches = submission.getResult().getMatchingEvents();
        Thread.sleep(25L);
    } while (matches.size() < 2);

    assertEquals(2, matches.size());
}
Use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache: class TestLuceneEventIndex, method testUnauthorizedEventsGetPlaceholdersForFindParents.
@Test(timeout = 60000)
public void testUnauthorizedEventsGetPlaceholdersForFindParents() throws InterruptedException {
    assumeFalse(isWindowsEnvironment());

    final RepositoryConfiguration config = createConfig(1);
    config.setDesiredIndexSize(1L);
    final IndexManager indexManager = new SimpleIndexManager(config);
    final ArrayListEventStore store = new ArrayListEventStore();
    final LuceneEventIndex eventIndex = new LuceneEventIndex(config, indexManager, 3, EventReporter.NO_OP);
    eventIndex.initialize(store);

    // Parent FlowFile 4444 is joined into child FlowFile 1234.
    final ProvenanceEventRecord parentEvent = createEvent("4444");

    final Map<String, String> previousAttributes = new HashMap<>();
    previousAttributes.put("uuid", "4444");
    final Map<String, String> updatedAttributes = new HashMap<>();
    updatedAttributes.put("updated", "true");

    final ProvenanceEventRecord joinEvent = new StandardProvenanceEventRecord.Builder()
            .setEventType(ProvenanceEventType.JOIN)
            .setAttributes(previousAttributes, updatedAttributes)
            .addParentUuid("4444")
            .addChildFlowFile("1234")
            .setComponentId("component-1")
            .setComponentType("unit test")
            .setEventId(idGenerator.getAndIncrement())
            .setEventTime(System.currentTimeMillis())
            .setFlowFileEntryDate(System.currentTimeMillis())
            .setFlowFileUUID("1234")
            .setLineageStartDate(System.currentTimeMillis())
            .setCurrentContentClaim("container", "section", "unit-test-id", 0L, 1024L)
            .build();

    eventIndex.addEvents(store.addEvent(parentEvent).getStorageLocations());
    eventIndex.addEvents(store.addEvent(joinEvent).getStorageLocations());
    for (int count = 0; count < 3; count++) {
        final StorageResult stored = store.addEvent(createEvent("1234"));
        eventIndex.addEvents(stored.getStorageLocations());
    }

    final NiFiUser user = createUser();

    // Only JOIN events are visible; authorize() is deliberately a no-op, so this authorizer never denies by exception.
    final EventAuthorizer joinEventsOnly = new EventAuthorizer() {
        @Override
        public boolean isAuthorized(final ProvenanceEventRecord event) {
            return event.getEventType() == ProvenanceEventType.JOIN;
        }

        @Override
        public void authorize(final ProvenanceEventRecord event) throws AccessDeniedException {
            // intentionally empty
        }
    };

    // Re-submit until two nodes come back (presumably the index is populated asynchronously);
    // the @Test timeout bounds this loop.
    List<LineageNode> lineageNodes;
    do {
        final ComputeLineageSubmission submission = eventIndex.submitExpandParents(1L, user, joinEventsOnly);
        assertTrue(submission.getResult().awaitCompletion(5, TimeUnit.SECONDS));
        lineageNodes = submission.getResult().getNodes();
        Thread.sleep(25L);
    } while (lineageNodes.size() < 2);
    assertEquals(2, lineageNodes.size());

    // Group the provenance-event nodes by event type: the authorized JOIN and, for the
    // unauthorized parent, an UNKNOWN placeholder that still carries the parent's FlowFile UUID.
    final Map<ProvenanceEventType, List<LineageNode>> byEventType = lineageNodes.stream()
            .filter(node -> node.getNodeType() == LineageNodeType.PROVENANCE_EVENT_NODE)
            .collect(Collectors.groupingBy(node -> ((ProvenanceEventLineageNode) node).getEventType()));

    assertEquals(2, byEventType.size());
    final List<LineageNode> joinNodes = byEventType.get(ProvenanceEventType.JOIN);
    final List<LineageNode> placeholderNodes = byEventType.get(ProvenanceEventType.UNKNOWN);
    assertEquals(1, joinNodes.size());
    assertEquals(1, placeholderNodes.size());
    assertEquals("4444", placeholderNodes.get(0).getFlowFileUuid());
}