Example 26 with AccessDeniedException
use of org.apache.nifi.authorization.AccessDeniedException in project nifi by apache.
the class X509AuthenticationProvider method authenticate.
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
final X509AuthenticationRequestToken request = (X509AuthenticationRequestToken) authentication;
// attempt to authenticate if certificates were found
final AuthenticationResponse authenticationResponse;
try {
authenticationResponse = certificateIdentityProvider.authenticate(request.getCertificates());
} catch (final IllegalArgumentException iae) {
throw new InvalidAuthenticationException(iae.getMessage(), iae);
}
if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
final String mappedIdentity = mapIdentity(authenticationResponse.getIdentity());
return new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(mappedIdentity).groups(getUserGroups(mappedIdentity)).clientAddress(request.getClientAddress()).build()));
} else {
// build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
final List<String> proxyChain = new ArrayList<>(ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(request.getProxiedEntitiesChain()));
proxyChain.add(authenticationResponse.getIdentity());
// add the chain as appropriate to each proxy
NiFiUser proxy = null;
for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
String identity = chainIter.previous();
// determine if the user is anonymous
final boolean isAnonymous = StringUtils.isBlank(identity);
if (isAnonymous) {
identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
} else {
identity = mapIdentity(identity);
}
final Set<String> groups = getUserGroups(identity);
// Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
String clientAddress = (proxy == null) ? request.getClientAddress() : null;
proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
if (chainIter.hasPrevious()) {
try {
PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
} catch (final AccessDeniedException e) {
throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
}
}
}
return new NiFiAuthenticationToken(new NiFiUserDetails(proxy));
}
}
Also used :
AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException)
StandardNiFiUser(org.apache.nifi.authorization.user.StandardNiFiUser)
NiFiUser(org.apache.nifi.authorization.user.NiFiUser)
Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder)
ArrayList(java.util.ArrayList)
AuthenticationResponse(org.apache.nifi.authentication.AuthenticationResponse)
InvalidAuthenticationException(org.apache.nifi.web.security.InvalidAuthenticationException)
NiFiAuthenticationToken(org.apache.nifi.web.security.token.NiFiAuthenticationToken)
UntrustedProxyException(org.apache.nifi.web.security.UntrustedProxyException)
NiFiUserDetails(org.apache.nifi.authorization.user.NiFiUserDetails)
Aggregations
AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)26
NiFiUser (org.apache.nifi.authorization.user.NiFiUser)12
ApiOperation (io.swagger.annotations.ApiOperation)6
ApiResponses (io.swagger.annotations.ApiResponses)6
QuerySubmission (org.apache.nifi.provenance.search.QuerySubmission)6
Test (org.junit.Test)6
URI (java.net.URI)5
ArrayList (java.util.ArrayList)5
HashMap (java.util.HashMap)5
Consumes (javax.ws.rs.Consumes)5
Produces (javax.ws.rs.Produces)5
ProvenanceEventRecord (org.apache.nifi.provenance.ProvenanceEventRecord)5
RepositoryConfiguration (org.apache.nifi.provenance.RepositoryConfiguration)5
StandardProvenanceEventRecord (org.apache.nifi.provenance.StandardProvenanceEventRecord)5
EventAuthorizer (org.apache.nifi.provenance.authorization.EventAuthorizer)5
IOException (java.io.IOException)4
Path (javax.ws.rs.Path)4
Collections (java.util.Collections)3
List (java.util.List)3
Map (java.util.Map)3
