Example 6 with AccessPolicy
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class StandardPolicyBasedAuthorizerDAO method getAccessPolicy.
@Override
public AccessPolicy getAccessPolicy(final RequestAction requestAction, final Authorizable authorizable) {
final String resource = authorizable.getResource().getIdentifier();
final AccessPolicy accessPolicy = findAccessPolicy(requestAction, authorizable.getResource().getIdentifier());
if (accessPolicy == null) {
final Authorizable parentAuthorizable = authorizable.getParentAuthorizable();
if (parentAuthorizable == null) {
throw new ResourceNotFoundException(String.format("Unable to find access policy for %s on %s", requestAction.toString(), resource));
} else {
return getAccessPolicy(requestAction, parentAuthorizable);
}
}
return accessPolicy;
}
Also used :
Authorizable(org.apache.nifi.authorization.resource.Authorizable)
ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
Example 7 with AccessPolicy
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class AccessPolicyAuditor method removePolicyAdvice.
/**
* Audits the removal of a policy via deleteAccessPolicy().
*
* @param proceedingJoinPoint join point
* @param policyId policy id
* @param accessPolicyDAO dao
* @throws Throwable ex
*/
@Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy deleteAccessPolicy(java.lang.String)) && " + "args(policyId) && " + "target(accessPolicyDAO)")
public AccessPolicy removePolicyAdvice(ProceedingJoinPoint proceedingJoinPoint, String policyId, AccessPolicyDAO accessPolicyDAO) throws Throwable {
// get the policy before removing it
AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(policyId);
// remove the policy
final AccessPolicy removedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed();
// if no exceptions were thrown, add removal actions...
// audit the policy removal
final Action action = generateAuditRecord(accessPolicy, Operation.Remove);
// save the actions
if (action != null) {
saveAction(action, logger);
}
return removedAccessPolicy;
}
Also used :
FlowChangeAction(org.apache.nifi.action.FlowChangeAction)
Action(org.apache.nifi.action.Action)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
Around(org.aspectj.lang.annotation.Around)
Example 8 with AccessPolicy
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class TestFlowController method setup.
@Before
public void setup() {
flowFileEventRepo = Mockito.mock(FlowFileEventRepository.class);
auditService = Mockito.mock(AuditService.class);
final Map<String, String> otherProps = new HashMap<>();
otherProps.put(NiFiProperties.PROVENANCE_REPO_IMPLEMENTATION_CLASS, MockProvenanceRepository.class.getName());
otherProps.put("nifi.remote.input.socket.port", "");
otherProps.put("nifi.remote.input.secure", "");
nifiProperties = NiFiProperties.createBasicNiFiProperties(propsFile, otherProps);
encryptor = StringEncryptor.createEncryptor(nifiProperties);
// use the system bundle
systemBundle = SystemBundle.create(nifiProperties);
ExtensionManager.discoverExtensions(systemBundle, Collections.emptySet());
User user1 = new User.Builder().identifier("user-id-1").identity("user-1").build();
User user2 = new User.Builder().identifier("user-id-2").identity("user-2").build();
Group group1 = new Group.Builder().identifier("group-id-1").name("group-1").addUser(user1.getIdentifier()).build();
Group group2 = new Group.Builder().identifier("group-id-2").name("group-2").build();
AccessPolicy policy1 = new AccessPolicy.Builder().identifier("policy-id-1").resource("resource1").action(RequestAction.READ).addUser(user1.getIdentifier()).addUser(user2.getIdentifier()).build();
AccessPolicy policy2 = new AccessPolicy.Builder().identifier("policy-id-2").resource("resource2").action(RequestAction.READ).addGroup(group1.getIdentifier()).addGroup(group2.getIdentifier()).addUser(user1.getIdentifier()).addUser(user2.getIdentifier()).build();
Set<Group> groups1 = new LinkedHashSet<>();
groups1.add(group1);
groups1.add(group2);
Set<User> users1 = new LinkedHashSet<>();
users1.add(user1);
users1.add(user2);
Set<AccessPolicy> policies1 = new LinkedHashSet<>();
policies1.add(policy1);
policies1.add(policy2);
authorizer = new MockPolicyBasedAuthorizer(groups1, users1, policies1);
variableRegistry = new FileBasedVariableRegistry(nifiProperties.getVariableRegistryPropertiesPaths());
bulletinRepo = Mockito.mock(BulletinRepository.class);
controller = FlowController.createStandaloneInstance(flowFileEventRepo, nifiProperties, authorizer, auditService, encryptor, bulletinRepo, variableRegistry, Mockito.mock(FlowRegistryClient.class));
}
Also used :
LinkedHashSet(java.util.LinkedHashSet)
ProcessGroup(org.apache.nifi.groups.ProcessGroup)
Group(org.apache.nifi.authorization.Group)
BulletinRepository(org.apache.nifi.reporting.BulletinRepository)
User(org.apache.nifi.authorization.User)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
FlowFileEventRepository(org.apache.nifi.controller.repository.FlowFileEventRepository)
MockProvenanceRepository(org.apache.nifi.provenance.MockProvenanceRepository)
MockPolicyBasedAuthorizer(org.apache.nifi.authorization.MockPolicyBasedAuthorizer)
AuditService(org.apache.nifi.admin.service.AuditService)
FileBasedVariableRegistry(org.apache.nifi.registry.variable.FileBasedVariableRegistry)
Before(org.junit.Before)
Example 9 with AccessPolicy
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class RangerBasePluginWithPolicies method createPolicyLookup.
private PolicyLookup createPolicyLookup(final ServicePolicies servicePolicies) {
final Map<String, AccessPolicy> policiesByIdentifier = new HashMap<>();
final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource = new HashMap<>();
logger.info("Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI.");
servicePolicies.getPolicies().stream().forEach(policy -> {
// only consider policies that are enabled
if (Boolean.TRUE.equals(policy.getIsEnabled())) {
// get all the resources for this policy - excludes/recursive support disabled
final Set<String> resources = policy.getResources().values().stream().filter(resource -> {
final boolean isMissingResource;
final boolean isWildcard;
if (resource.getValues() == null) {
isMissingResource = true;
isWildcard = false;
} else {
isMissingResource = false;
isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK));
}
final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes());
final boolean isRecursive = Boolean.TRUE.equals(resource.getIsRecursive());
if (isMissingResource) {
logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
}
if (isWildcard) {
logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. " + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
}
if (isExclude) {
logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. " + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
}
if (isRecursive) {
logger.warn(String.format("Resources [%s] marked as a recursive policy. Skipping policy for viewing purposes. " + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
}
return !isMissingResource && !isWildcard && !isExclude && !isRecursive;
}).flatMap(resource -> resource.getValues().stream()).collect(Collectors.toSet());
policy.getPolicyItems().forEach(policyItem -> {
// get all the users for this policy item, excluding unknown users
final Set<String> userIds = policyItem.getUsers().stream().map(userIdentity -> getUser(userIdentity)).filter(Objects::nonNull).map(user -> user.getIdentifier()).collect(Collectors.toSet());
// get all groups for this policy item, excluding unknown groups
final Set<String> groupIds = policyItem.getGroups().stream().map(groupName -> getGroup(groupName)).filter(Objects::nonNull).map(group -> group.getIdentifier()).collect(Collectors.toSet());
// check if this policy item is a delegate admin
final boolean isDelegateAdmin = Boolean.TRUE.equals(policyItem.getDelegateAdmin());
policyItem.getAccesses().forEach(access -> {
try {
// interpret the request action
final RequestAction action = RequestAction.valueOf(access.getType());
// function for creating an access policy
final Function<String, AccessPolicy> createPolicy = resource -> new AccessPolicy.Builder().identifierGenerateFromSeed(resource + access.getType()).resource(resource).action(action).addUsers(userIds).addGroups(groupIds).build();
resources.forEach(resource -> {
// create the access policy for the specified resource
final AccessPolicy accessPolicy = createPolicy.apply(resource);
policiesByIdentifier.put(accessPolicy.getIdentifier(), accessPolicy);
policiesByResource.computeIfAbsent(resource, r -> new HashMap<>()).put(action, accessPolicy);
// if this is a delegate admin, also create the admin policy for the specified resource
if (isDelegateAdmin) {
// build the admin resource identifier
final String adminResource;
if (resource.startsWith("/")) {
adminResource = "/policies" + resource;
} else {
adminResource = "/policies/" + resource;
}
final AccessPolicy adminAccessPolicy = createPolicy.apply(adminResource);
policiesByIdentifier.put(adminAccessPolicy.getIdentifier(), adminAccessPolicy);
policiesByResource.computeIfAbsent(adminResource, ar -> new HashMap<>()).put(action, adminAccessPolicy);
}
});
} catch (final IllegalArgumentException e) {
logger.warn(String.format("Unrecognized request action '%s'. Skipping policy for viewing purposes. Will still be used for access decisions.", access.getType()));
}
});
});
}
});
return new PolicyLookup(policiesByIdentifier, policiesByResource);
}
Also used :
Logger(org.slf4j.Logger)
RequestAction(org.apache.nifi.authorization.RequestAction)
LoggerFactory(org.slf4j.LoggerFactory)
Set(java.util.Set)
HashMap(java.util.HashMap)
Group(org.apache.nifi.authorization.Group)
StringUtils(org.apache.nifi.util.StringUtils)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Function(java.util.function.Function)
Collectors(java.util.stream.Collectors)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
User(org.apache.nifi.authorization.User)
UserGroupProvider(org.apache.nifi.authorization.UserGroupProvider)
HashSet(java.util.HashSet)
Objects(java.util.Objects)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin)
Map(java.util.Map)
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
Collections(java.util.Collections)
HashMap(java.util.HashMap)
RequestAction(org.apache.nifi.authorization.RequestAction)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
Objects(java.util.Objects)
HashMap(java.util.HashMap)
Map(java.util.Map)
Example 10 with AccessPolicy
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class TestRangerBasePluginWithPolicies method testPoliciesWithUserGroupProvider.
@Test
public void testPoliciesWithUserGroupProvider() {
// unknown according to user group provider
final String user1 = "user-1";
// known according to user group provider
final String user2 = "user-2";
// unknown according to user group provider
final String group1 = "group-1";
// known according to user group provider
final String group2 = "group-2";
final UserGroupProvider userGroupProvider = new UserGroupProvider() {
@Override
public Set<User> getUsers() throws AuthorizationAccessException {
return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
}
@Override
public User getUser(String identifier) throws AuthorizationAccessException {
final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
if (u2.getIdentifier().equals(identifier)) {
return u2;
} else {
return null;
}
}
@Override
public User getUserByIdentity(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
} else {
return null;
}
}
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
}
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
if (g2.getIdentifier().equals(identifier)) {
return g2;
} else {
return null;
}
}
@Override
public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new UserAndGroups() {
@Override
public User getUser() {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
}
@Override
public Set<Group> getGroups() {
return Collections.EMPTY_SET;
}
};
} else {
return null;
}
}
@Override
public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
}
};
final String resourceIdentifier1 = "/resource-1";
RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
policy1Resources.put(resourceIdentifier1, resource1);
final RangerPolicyItem policy1Item = new RangerPolicyItem();
policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
final RangerPolicy policy1 = new RangerPolicy();
policy1.setResources(policy1Resources);
policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
final String resourceIdentifier2 = "/resource-2";
RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
policy2Resources.put(resourceIdentifier2, resource2);
final RangerPolicyItem policy2Item = new RangerPolicyItem();
policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
final RangerPolicy policy2 = new RangerPolicy();
policy2.setResources(policy2Resources);
policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
final List<RangerPolicy> policies = new ArrayList<>();
policies.add(policy1);
policies.add(policy2);
final RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("nifi");
final ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicies(policies);
servicePolicies.setServiceDef(serviceDef);
// set all the policies in the plugin
final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi", userGroupProvider);
pluginWithPolicies.setPolicies(servicePolicies);
// ensure the two ranger policies converted into 3 nifi access policies
final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
assertEquals(3, accessPolicies.size());
// resource 1 -> read but no write
assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
// read
final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
assertNotNull(readResource1);
assertTrue(accessPolicies.contains(readResource1));
assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
assertTrue(readResource1.getUsers().isEmpty());
assertEquals(1, readResource1.getGroups().size());
assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
// but no write
assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
// resource 2 -> read and write
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
// read
final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(readResource2);
assertTrue(accessPolicies.contains(readResource2));
assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
assertEquals(1, readResource2.getUsers().size());
assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(readResource2.getGroups().isEmpty());
// and write
final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(writeResource2);
assertTrue(accessPolicies.contains(writeResource2));
assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
assertEquals(1, writeResource2.getUsers().size());
assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(writeResource2.getGroups().isEmpty());
}
Also used :
Group(org.apache.nifi.authorization.Group)
User(org.apache.nifi.authorization.User)
UserGroupProviderInitializationContext(org.apache.nifi.authorization.UserGroupProviderInitializationContext)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
UserAndGroups(org.apache.nifi.authorization.UserAndGroups)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
UserGroupProvider(org.apache.nifi.authorization.UserGroupProvider)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext)
Test(org.junit.Test)
Aggregations
AccessPolicy (org.apache.nifi.authorization.AccessPolicy)21
HashMap (java.util.HashMap)9
ArrayList (java.util.ArrayList)8
Group (org.apache.nifi.authorization.Group)8
Resource (org.apache.nifi.authorization.Resource)8
User (org.apache.nifi.authorization.User)8
RequestAction (org.apache.nifi.authorization.RequestAction)7
LinkedHashSet (java.util.LinkedHashSet)6
Action (org.apache.nifi.action.Action)6
HashSet (java.util.HashSet)5
FlowChangeAction (org.apache.nifi.action.FlowChangeAction)5
Authorizable (org.apache.nifi.authorization.resource.Authorizable)5
EnforcePolicyPermissionsThroughBaseResource (org.apache.nifi.authorization.resource.EnforcePolicyPermissionsThroughBaseResource)5
BulletinRepository (org.apache.nifi.reporting.BulletinRepository)5
ComponentReferenceEntity (org.apache.nifi.web.api.entity.ComponentReferenceEntity)5
Collections (java.util.Collections)4
Date (java.util.Date)4
LinkedHashMap (java.util.LinkedHashMap)4
WebApplicationException (javax.ws.rs.WebApplicationException)4
AuditService (org.apache.nifi.admin.service.AuditService)4
