
Example 11 with AccessDeniedException

use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.

the class StandardNiFiServiceFacade method getAction.

/**
 * Looks up a single audited action and returns it as an entity, provided the
 * current caller is allowed to see it.
 *
 * @param actionId identifier of the action to fetch
 * @return the entity wrapping the action's DTO
 * @throws ResourceNotFoundException if the audit service has no action with this id
 * @throws AccessDeniedException if {@code authorizeAction} does not approve the request
 */
@Override
public ActionEntity getAction(final Integer actionId) {
    final Action found = auditService.getAction(actionId);

    // NOTE(review): the existence check necessarily precedes authorization because
    // authorizeAction() needs the action itself. A caller who is not permitted to read
    // actions can therefore distinguish "unknown id" from "known id, access denied" if
    // the two exceptions are mapped to different responses -- confirm that is acceptable.
    if (found == null) {
        throw new ResourceNotFoundException(String.format("Unable to find action with id '%s'.", actionId));
    }

    final AuthorizationResult decision = authorizeAction(found);
    final boolean canRead = Result.Approved.equals(decision.getResult());
    if (canRead) {
        return entityFactory.createActionEntity(dtoFactory.createActionDto(found), canRead);
    }

    // The authorizer's explanation becomes the exception message.
    // NOTE(review): confirm the explanation text is safe to return to the caller.
    throw new AccessDeniedException(decision.getExplanation());
}
Also used : FlowChangeAction(org.apache.nifi.action.FlowChangeAction) RequestAction(org.apache.nifi.authorization.RequestAction) Action(org.apache.nifi.action.Action) AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 12 with AccessDeniedException

use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.

the class StandardNiFiContentAccess method getContent.

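/**
 * Resolves the content referenced by {@code request.getDataUri()}.
 *
 * <p>When this instance is clustered and connected, the request is replicated as a GET
 * through the elected cluster coordinator, with a header naming the node that holds the
 * content, and the merged response is turned into a {@link DownloadableContent}.
 * Otherwise the part of the URI after {@code /nifi-api} must fully match one of the two
 * known content URI patterns (flowfile listing content or provenance event content) and
 * is served locally.
 *
 * @param request the content request; its data URI and, when clustered, its cluster
 *                node id are read
 * @return the file name, content type and stream of the requested content
 * @throws ClusterRequestException if the data URI is not syntactically valid (clustered)
 * @throws IllegalArgumentException if the target node is missing or unknown, or the data
 *                                  URI does not reference a supported content endpoint
 * @throws NoClusterCoordinatorException if no coordinator is currently elected
 * @throws IllegalClusterStateException if interrupted while awaiting the node response
 * @throws ResourceNotFoundException if the node answered 404
 * @throws AccessDeniedException if the node answered 401 or 403
 * @throws IllegalStateException if the node answered with any other non-200 status
 */
@Override
public DownloadableContent getContent(final ContentRequestContext request) {
    // if clustered, send request to cluster manager
    if (properties.isClustered() && clusterCoordinator != null && clusterCoordinator.isConnected()) {
        // NOTE(review): in this branch the caller-supplied data URI is only checked for
        // syntax; unlike the standalone branch it is not matched against the content URI
        // patterns before being replicated. Confirm that the replicator (or the receiving
        // node) constrains the host and path that are actually requested.
        final URI dataUri;
        try {
            dataUri = new URI(request.getDataUri());
        } catch (final URISyntaxException use) {
            throw new ClusterRequestException(use);
        }

        // set the request parameters (diamond instead of the raw type, to keep the map type-checked)
        final MultivaluedMap<String, String> parameters = new MultivaluedHashMap<>();
        parameters.add(CLIENT_ID_PARAM, request.getClientId());

        // set the headers
        final Map<String, String> headers = new HashMap<>();

        // ensure we were able to detect the cluster node id
        if (request.getClusterNodeId() == null) {
            throw new IllegalArgumentException("Unable to determine the which node has the content.");
        }

        // get the target node and ensure it exists; without this check an unknown node id
        // would surface as a NullPointerException from nodeId.getId() below
        final NodeIdentifier nodeId = clusterCoordinator.getNodeIdentifier(request.getClusterNodeId());
        if (nodeId == null) {
            throw new IllegalArgumentException("Unable to find the node that has the content.");
        }

        // replicate the request to the cluster coordinator, indicating the target node
        final NodeResponse nodeResponse;
        try {
            headers.put(RequestReplicator.REPLICATION_TARGET_NODE_UUID_HEADER, nodeId.getId());
            final NodeIdentifier coordinatorNode = clusterCoordinator.getElectedActiveCoordinatorNode();
            if (coordinatorNode == null) {
                throw new NoClusterCoordinatorException();
            }
            final Set<NodeIdentifier> coordinatorNodes = Collections.singleton(coordinatorNode);
            nodeResponse = requestReplicator.replicate(coordinatorNodes, HttpMethod.GET, dataUri, parameters, headers, false, true).awaitMergedResponse();
        } catch (final InterruptedException e) {
            // restore the interrupt flag so callers further up can still observe it
            Thread.currentThread().interrupt();
            throw new IllegalClusterStateException("Interrupted while waiting for a response from node");
        }

        final Response clientResponse = nodeResponse.getClientResponse();
        final MultivaluedMap<String, String> responseHeaders = clientResponse.getStringHeaders();
        final int status = clientResponse.getStatusInfo().getStatusCode();

        // ensure an appropriate response; the node's response body becomes the exception message
        if (Response.Status.NOT_FOUND.getStatusCode() == status) {
            throw new ResourceNotFoundException(clientResponse.readEntity(String.class));
        } else if (Response.Status.FORBIDDEN.getStatusCode() == status || Response.Status.UNAUTHORIZED.getStatusCode() == status) {
            // a denial decided on the node holding the content is propagated as a denial here
            throw new AccessDeniedException(clientResponse.readEntity(String.class));
        } else if (Response.Status.OK.getStatusCode() != status) {
            throw new IllegalStateException(clientResponse.readEntity(String.class));
        }

        // get the file name from the node's Content-Disposition header
        // NOTE(review): the name is taken verbatim from the response header; consumers that
        // use it as a path component should sanitise it first.
        final String contentDisposition = responseHeaders.getFirst("Content-Disposition");
        final String filename = StringUtils.substringBetween(contentDisposition, "filename=\"", "\"");

        // get the content type
        final String contentType = responseHeaders.getFirst("Content-Type");

        // create the downloadable content
        return new DownloadableContent(filename, contentType, nodeResponse.getInputStream());
    } else {
        // example URIs:
        // http://localhost:8080/nifi-api/provenance/events/{id}/content/{input|output}
        // http://localhost:8080/nifi-api/flowfile-queues/{uuid}/flowfiles/{uuid}/content
        // get just the context path for comparison
        final String dataUri = StringUtils.substringAfter(request.getDataUri(), "/nifi-api");
        if (StringUtils.isBlank(dataUri)) {
            throw new IllegalArgumentException("The specified data reference URI is not valid.");
        }

        // flowfile listing content; matches() requires the whole path to fit the pattern
        final Matcher flowFileMatcher = FLOWFILE_CONTENT_URI_PATTERN.matcher(dataUri);
        if (flowFileMatcher.matches()) {
            final String connectionId = flowFileMatcher.group(1);
            final String flowfileId = flowFileMatcher.group(2);
            return getFlowFileContent(connectionId, flowfileId, dataUri);
        }

        // provenance event content
        final Matcher provenanceMatcher = PROVENANCE_CONTENT_URI_PATTERN.matcher(dataUri);
        if (provenanceMatcher.matches()) {
            try {
                final Long eventId = Long.parseLong(provenanceMatcher.group(1));
                // Locale.ROOT keeps the enum lookup independent of the JVM default locale
                // (a Turkish default locale upper-cases 'i' to a dotted capital I)
                final ContentDirection direction = ContentDirection.valueOf(provenanceMatcher.group(2).toUpperCase(java.util.Locale.ROOT));
                return getProvenanceEventContent(eventId, dataUri, direction);
            } catch (final IllegalArgumentException iae) {
                // same message as before; the cause is kept for diagnostics
                throw new IllegalArgumentException("The specified data reference URI is not valid.", iae);
            }
        }

        // invalid uri
        throw new IllegalArgumentException("The specified data reference URI is not valid.");
    }
}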
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) HashMap(java.util.HashMap) MultivaluedHashMap(javax.ws.rs.core.MultivaluedHashMap) Matcher(java.util.regex.Matcher) IllegalClusterStateException(org.apache.nifi.cluster.manager.exception.IllegalClusterStateException) NodeResponse(org.apache.nifi.cluster.manager.NodeResponse) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI) MultivaluedHashMap(javax.ws.rs.core.MultivaluedHashMap) Response(javax.ws.rs.core.Response) NodeResponse(org.apache.nifi.cluster.manager.NodeResponse) NoClusterCoordinatorException(org.apache.nifi.cluster.exception.NoClusterCoordinatorException) ContentDirection(org.apache.nifi.controller.repository.claim.ContentDirection) NodeIdentifier(org.apache.nifi.cluster.protocol.NodeIdentifier)

Example 13 with AccessDeniedException

use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.

the class DataAuthorizable method authorize.

/**
 * Authorizes a data request for the given user and for every further user reachable
 * through {@code getChain()}, delegating each individual check to
 * {@code Authorizable.super.authorize}.
 *
 * <p>The request is approved only if every identity in the chain is approved; the first
 * failure aborts the walk.
 *
 * @param authorizer the authorizer to consult
 * @param action the requested action
 * @param user the first identity in the chain; must not be {@code null}
 * @param resourceContext additional context passed through to the authorizer
 * @throws AccessDeniedException if {@code user} is {@code null}, if any identity in the
 *         chain is denied, or if the delegated check reports the resource as not found
 */
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    // fail closed: a request with no identity is never authorized
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }

    try {
        // walk the chain starting at the supplied user; every identity has to pass
        for (NiFiUser identity = user; identity != null; identity = identity.getChain()) {
            Authorizable.super.authorize(authorizer, action, identity, resourceContext);
        }
    } catch (final ResourceNotFoundException e) {
        // a missing resource is reported as a denial rather than as "not found"
        // NOTE(review): presumably so callers cannot probe which components exist -- confirm
        throw new AccessDeniedException("Unknown source component.");
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)

Example 14 with AccessDeniedException

use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.

the class TestPersistentProvenanceRepository method testNotAuthorizedGetSpecificEvent.

/**
 * Checks that when the repository's {@code authorize(event, user)} hook throws an
 * {@link AccessDeniedException}, {@code getEvent} lets that very exception instance
 * reach the caller instead of returning the event or replacing the exception.
 */
@Test
public void testNotAuthorizedGetSpecificEvent() throws IOException {
    assumeFalse(isWindowsEnvironment());

    final long oneMebibyte = 1024L * 1024L;
    final RepositoryConfiguration repoConfig = createConfiguration();
    repoConfig.setMaxRecordLife(5, TimeUnit.MINUTES);
    repoConfig.setMaxStorageCapacity(oneMebibyte);
    repoConfig.setMaxEventFileLife(500, TimeUnit.MILLISECONDS);
    repoConfig.setMaxEventFileCapacity(oneMebibyte);
    repoConfig.setSearchableFields(new ArrayList<>(SearchableFields.getStandardFields()));
    // a small desired index size forces a new index for each rollover
    repoConfig.setDesiredIndexSize(10);

    // the repository under test denies every event with this one exception instance
    final AccessDeniedException denial = new AccessDeniedException("Unit Test - Intentionally Thrown");
    repo = new PersistentProvenanceRepository(repoConfig, DEFAULT_ROLLOVER_MILLIS) {

        @Override
        public void authorize(ProvenanceEventRecord event, NiFiUser user) {
            throw denial;
        }
    };
    repo.initialize(getEventReporter(), null, null, IdentifierLookup.EMPTY);

    final String baseUuid = "00000000-0000-0000-0000-000000000000";
    final Map<String, String> flowFileAttributes = new HashMap<>();
    flowFileAttributes.put("abc", "xyz");
    flowFileAttributes.put("xyz", "abc");
    flowFileAttributes.put("filename", "file-" + baseUuid);

    final ProvenanceEventBuilder eventBuilder = new StandardProvenanceEventRecord.Builder();
    eventBuilder.setEventTime(System.currentTimeMillis());
    eventBuilder.setEventType(ProvenanceEventType.RECEIVE);
    eventBuilder.setTransitUri("nifi://unit-test");
    eventBuilder.fromFlowFile(createFlowFile(3L, 3000L, flowFileAttributes));
    eventBuilder.setComponentId("1234");
    eventBuilder.setComponentType("dummy processor");

    // register ten events, each with its own uuid attribute
    for (int seq = 0; seq < 10; seq++) {
        flowFileAttributes.put("uuid", "00000000-0000-0000-0000-00000000000" + seq);
        eventBuilder.fromFlowFile(createFlowFile(seq, 3000L, flowFileAttributes));
        // make sure the events are destroyed when we call purge
        eventBuilder.setEventTime(10L);
        repo.registerEvent(eventBuilder.build());
    }
    repo.waitForRollover();

    try {
        repo.getEvent(0L, null);
        // Assert.fail raises an AssertionError, which the catch below does not intercept
        Assert.fail("getEvent() did not throw an Exception");
    } catch (final Exception thrown) {
        // identity, not equality: the denial must not be wrapped or re-created
        Assert.assertSame(denial, thrown);
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) HashMap(java.util.HashMap) InvocationTargetException(java.lang.reflect.InvocationTargetException) ParseException(org.apache.lucene.queryparser.classic.ParseException) AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) IOException(java.io.IOException) Test(org.junit.Test)

Example 15 with AccessDeniedException

use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.

the class TestLuceneEventIndex method testUnauthorizedEventsGetPlaceholdersForExpandChildren.

/**
 * Checks the lineage returned by {@code submitExpandChildren} when the supplied
 * {@link EventAuthorizer} approves FORK events only: the result must hold five nodes,
 * one flowfile node and four provenance event nodes, of which one is reported as FORK
 * and three as UNKNOWN.
 *
 * <p>The lineage is polled until five nodes are present; the 60 second test timeout
 * bounds that loop.
 */
@Test(timeout = 60000)
public void testUnauthorizedEventsGetPlaceholdersForExpandChildren() throws InterruptedException {
    assumeFalse(isWindowsEnvironment());

    final RepositoryConfiguration config = createConfig(1);
    config.setDesiredIndexSize(1L);
    final IndexManager manager = new SimpleIndexManager(config);
    final ArrayListEventStore store = new ArrayListEventStore();
    final LuceneEventIndex eventIndex = new LuceneEventIndex(config, manager, 3, EventReporter.NO_OP);
    eventIndex.initialize(store);

    final ProvenanceEventRecord parentEvent = createEvent("4444");

    final Map<String, String> attrsBefore = new HashMap<>();
    attrsBefore.put("uuid", "4444");
    final Map<String, String> attrsAfter = new HashMap<>();
    attrsAfter.put("updated", "true");

    // FORK event on flowfile 4444 with child flowfile 1234
    final ProvenanceEventRecord forkEvent = new StandardProvenanceEventRecord.Builder()
            .setEventType(ProvenanceEventType.FORK)
            .setAttributes(attrsBefore, attrsAfter)
            .addChildFlowFile("1234")
            .setComponentId("component-1")
            .setComponentType("unit test")
            .setEventId(idGenerator.getAndIncrement())
            .setEventTime(System.currentTimeMillis())
            .setFlowFileEntryDate(System.currentTimeMillis())
            .setFlowFileUUID("4444")
            .setLineageStartDate(System.currentTimeMillis())
            .setCurrentContentClaim("container", "section", "unit-test-id", 0L, 1024L)
            .build();

    eventIndex.addEvents(store.addEvent(parentEvent).getStorageLocations());
    eventIndex.addEvents(store.addEvent(forkEvent).getStorageLocations());

    // three further events created for the child flowfile id
    for (int n = 0; n < 3; n++) {
        final ProvenanceEventRecord childEvent = createEvent("1234");
        final StorageResult stored = store.addEvent(childEvent);
        eventIndex.addEvents(stored.getStorageLocations());
    }

    final NiFiUser user = createUser();

    // approves FORK events only; authorize() never throws
    final EventAuthorizer forkOnlyAuthorizer = new EventAuthorizer() {

        @Override
        public boolean isAuthorized(ProvenanceEventRecord event) {
            return event.getEventType() == ProvenanceEventType.FORK;
        }

        @Override
        public void authorize(ProvenanceEventRecord event) throws AccessDeniedException {
        }
    };

    // poll until the lineage holds all five nodes
    List<LineageNode> lineageNodes = Collections.emptyList();
    while (lineageNodes.size() < 5) {
        final ComputeLineageSubmission lineage = eventIndex.submitExpandChildren(1L, user, forkOnlyAuthorizer);
        assertTrue(lineage.getResult().awaitCompletion(5, TimeUnit.SECONDS));
        lineageNodes = lineage.getResult().getNodes();
        Thread.sleep(25L);
    }

    assertEquals(5, lineageNodes.size());
    assertEquals(1L, lineageNodes.stream()
            .filter(node -> node.getNodeType() == LineageNodeType.FLOWFILE_NODE)
            .count());
    assertEquals(4L, lineageNodes.stream()
            .filter(node -> node.getNodeType() == LineageNodeType.PROVENANCE_EVENT_NODE)
            .count());

    // group the event nodes by the event type they report
    final Map<ProvenanceEventType, List<LineageNode>> nodesByType = lineageNodes.stream()
            .filter(node -> node.getNodeType() == LineageNodeType.PROVENANCE_EVENT_NODE)
            .collect(Collectors.groupingBy(node -> ((ProvenanceEventLineageNode) node).getEventType()));

    // the approved FORK keeps its type; the other three event nodes report UNKNOWN
    assertEquals(2, nodesByType.size());
    assertEquals(1, nodesByType.get(ProvenanceEventType.FORK).size());
    assertEquals(3, nodesByType.get(ProvenanceEventType.UNKNOWN).size());
}
Also used : BeforeClass(org.junit.BeforeClass) Query(org.apache.nifi.provenance.search.Query) Assume.assumeFalse(org.junit.Assume.assumeFalse) AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) SearchableFields(org.apache.nifi.provenance.SearchableFields) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Answer(org.mockito.stubbing.Answer) InvocationOnMock(org.mockito.invocation.InvocationOnMock) QueryResult(org.apache.nifi.provenance.search.QueryResult) StorageResult(org.apache.nifi.provenance.store.StorageResult) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ProvenanceEventRecord(org.apache.nifi.provenance.ProvenanceEventRecord) TestName(org.junit.rules.TestName) Map(java.util.Map) EventStore(org.apache.nifi.provenance.store.EventStore) LineageNode(org.apache.nifi.provenance.lineage.LineageNode) QuerySubmission(org.apache.nifi.provenance.search.QuerySubmission) StorageSummary(org.apache.nifi.provenance.serialization.StorageSummary) ProvenanceEventType(org.apache.nifi.provenance.ProvenanceEventType) Assert.assertNotNull(org.junit.Assert.assertNotNull) Set(java.util.Set) Assert.assertTrue(org.junit.Assert.assertTrue) Test(org.junit.Test) IOException(java.io.IOException) UUID(java.util.UUID) Collectors(java.util.stream.Collectors) StandardProvenanceEventRecord(org.apache.nifi.provenance.StandardProvenanceEventRecord) SimpleIndexManager(org.apache.nifi.provenance.lucene.SimpleIndexManager) File(java.io.File) TimeUnit(java.util.concurrent.TimeUnit) Mockito(org.mockito.Mockito) AtomicLong(java.util.concurrent.atomic.AtomicLong) List(java.util.List) Rule(org.junit.Rule) Assert.assertNull(org.junit.Assert.assertNull) EventReporter(org.apache.nifi.events.EventReporter) ComputeLineageSubmission(org.apache.nifi.provenance.lineage.ComputeLineageSubmission) RepositoryConfiguration(org.apache.nifi.provenance.RepositoryConfiguration) ProvenanceEventLineageNode(org.apache.nifi.provenance.lineage.ProvenanceEventLineageNode) 
IndexManager(org.apache.nifi.provenance.lucene.IndexManager) ArrayListEventStore(org.apache.nifi.provenance.store.ArrayListEventStore) Collections(java.util.Collections) EventAuthorizer(org.apache.nifi.provenance.authorization.EventAuthorizer) SearchTerms(org.apache.nifi.provenance.search.SearchTerms) Assert.assertEquals(org.junit.Assert.assertEquals) LineageNodeType(org.apache.nifi.provenance.lineage.LineageNodeType) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) HashMap(java.util.HashMap) EventAuthorizer(org.apache.nifi.provenance.authorization.EventAuthorizer) ComputeLineageSubmission(org.apache.nifi.provenance.lineage.ComputeLineageSubmission) SimpleIndexManager(org.apache.nifi.provenance.lucene.SimpleIndexManager) ArrayListEventStore(org.apache.nifi.provenance.store.ArrayListEventStore) SimpleIndexManager(org.apache.nifi.provenance.lucene.SimpleIndexManager) IndexManager(org.apache.nifi.provenance.lucene.IndexManager) ProvenanceEventLineageNode(org.apache.nifi.provenance.lineage.ProvenanceEventLineageNode) ProvenanceEventRecord(org.apache.nifi.provenance.ProvenanceEventRecord) StandardProvenanceEventRecord(org.apache.nifi.provenance.StandardProvenanceEventRecord) ArrayList(java.util.ArrayList) List(java.util.List) LineageNode(org.apache.nifi.provenance.lineage.LineageNode) ProvenanceEventLineageNode(org.apache.nifi.provenance.lineage.ProvenanceEventLineageNode) RepositoryConfiguration(org.apache.nifi.provenance.RepositoryConfiguration) ProvenanceEventType(org.apache.nifi.provenance.ProvenanceEventType) StorageResult(org.apache.nifi.provenance.store.StorageResult) Test(org.junit.Test)

Aggregations

AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)26 NiFiUser (org.apache.nifi.authorization.user.NiFiUser)12 ApiOperation (io.swagger.annotations.ApiOperation)6 ApiResponses (io.swagger.annotations.ApiResponses)6 QuerySubmission (org.apache.nifi.provenance.search.QuerySubmission)6 Test (org.junit.Test)6 URI (java.net.URI)5 ArrayList (java.util.ArrayList)5 HashMap (java.util.HashMap)5 Consumes (javax.ws.rs.Consumes)5 Produces (javax.ws.rs.Produces)5 ProvenanceEventRecord (org.apache.nifi.provenance.ProvenanceEventRecord)5 RepositoryConfiguration (org.apache.nifi.provenance.RepositoryConfiguration)5 StandardProvenanceEventRecord (org.apache.nifi.provenance.StandardProvenanceEventRecord)5 EventAuthorizer (org.apache.nifi.provenance.authorization.EventAuthorizer)5 IOException (java.io.IOException)4 Path (javax.ws.rs.Path)4 Collections (java.util.Collections)3 List (java.util.List)3 Map (java.util.Map)3