use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
Class TestRangerBasePluginWithPolicies, method testPoliciesWithoutUserGroupProvider.
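/**
 * Verifies that Ranger policies are expanded into one NiFi {@link AccessPolicy} per
 * (resource, action) pair when no user group provider is configured, so user and group
 * identifiers are derived from the Ranger names themselves.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    // Ranger side: a READ policy for a single user on /resource-1 and a
    // READ+WRITE policy for a single group on /resource-2.
    final String user1 = "user-1";
    final String group1 = "group-1";

    final String resourceIdentifier1 = "/resource-1";
    final RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
    final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);

    final RangerPolicyItem policy1Item = new RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));

    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));

    final String resourceIdentifier2 = "/resource-2";
    final RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
    final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);

    final RangerPolicyItem policy2Item = new RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));

    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));

    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);

    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi");

    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);

    // load all the policies into the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
    pluginWithPolicies.setPolicies(servicePolicies);

    // the two Ranger policies expand to one NiFi access policy per (resource, action): 1 + 2 = 3
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());

    // Without a user group provider the plugin generates user/group identifiers from the
    // Ranger names, so the expected identifiers are generated from the same seeds.
    final String user1Identifier = new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier();
    final String group1Identifier = new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier();

    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));

    // read: granted to the user only
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertEquals(readResource1, pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier()));
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(user1Identifier));
    assertTrue(readResource1.getGroups().isEmpty());

    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));

    // resource 2 -> read and write, both granted to the group only
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));

    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertEquals(readResource2, pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier()));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(group1Identifier));

    // and write: this must look up the WRITE policy (a copy of the READ lookup here
    // would leave the WRITE expansion completely unverified)
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertEquals(writeResource2, pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier()));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(group1Identifier));

    // resource 3 -> never granted, so neither read nor write exists
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}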
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
Class StandardNiFiServiceFacade, method deleteAccessPolicy.
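/**
 * Deletes the access policy with the given id and returns a snapshot of it as it was
 * before removal, together with the caller's permissions on the policy resource.
 *
 * @param revision the revision of the policy being deleted
 * @param accessPolicyId the identifier of the policy to delete
 * @return the entity describing the removed policy
 */
@Override
public AccessPolicyEntity deleteAccessPolicy(final Revision revision, final String accessPolicyId) {
    // Look the policy up first so the response can still describe it after the delete.
    // The policy is dereferenced unconditionally right here, so the DAO is relied on to
    // return a non-null policy (or to throw) for an unknown id; there is no point in
    // null-guarding any later use of it.
    final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyId);
    final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource());

    // permissions are evaluated before the policy is removed
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyId));

    // capture the referenced tenants now so the returned snapshot reflects the policy as it existed
    final Set<TenantEntity> userGroups = accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet());
    final Set<TenantEntity> users = accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet());

    final AccessPolicyDTO snapshot = deleteComponent(revision, new Resource() {
        @Override
        public String getIdentifier() {
            return accessPolicy.getResource();
        }

        @Override
        public String getName() {
            return accessPolicy.getResource();
        }

        @Override
        public String getSafeDescription() {
            return "Policy " + accessPolicyId;
        }
    }, () -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId), // no need to clean up any policies as it's already been removed above
        false, dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference));

    return entityFactory.createAccessPolicyEntity(snapshot, null, permissions);
}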
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
Class StandardNiFiServiceFacade, method cleanUpPolicies.
/**
 * Removes every access policy that refers to a component which is being deleted.
 *
 * Policies are removed for the component's own resource and for its derived data,
 * data-transfer and policy resources, for every {@link RequestAction}. Each removal is
 * best effort: a failure is logged and the remaining resources are still processed.
 * Nothing is done when the authorizer is not configurable through the DAO.
 *
 * @param componentResource the resource for the component being removed
 */
private void cleanUpPolicies(final Resource componentResource) {
    // only a configurable authorizer exposes policies that can be deleted here
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> affectedResources = new ArrayList<>();
    affectedResources.add(componentResource);
    affectedResources.add(ResourceFactory.getDataResource(componentResource));
    affectedResources.add(ResourceFactory.getDataTransferResource(componentResource));
    affectedResources.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource affected : affectedResources) {
        for (final RequestAction action : RequestAction.values()) {
            try {
                // the component is going away, so any policy scoped to it goes too
                final AccessPolicy existingPolicy = accessPolicyDAO.getAccessPolicy(action, affected.getIdentifier());
                if (existingPolicy == null) {
                    continue;
                }
                accessPolicyDAO.deleteAccessPolicy(existingPolicy.getIdentifier());
            } catch (final Exception e) {
                // deliberately swallowed after logging: a stale policy must not fail the component removal
                logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", action, affected.getIdentifier()), e);
            }
        }
    }
}
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
Class TestStandardReportingContext, method setup.
/**
 * Builds a standalone {@link FlowController} backed by mocked repositories and a
 * {@link MockPolicyBasedAuthorizer} pre-populated with two users, two groups and two
 * READ policies.
 */
@Before
public void setup() {
    flowFileEventRepo = Mockito.mock(FlowFileEventRepository.class);
    auditService = Mockito.mock(AuditService.class);

    // overrides applied on top of the properties file: a mock provenance repository
    // and blank remote-input settings
    final Map<String, String> overrides = new HashMap<>();
    overrides.put(NiFiProperties.PROVENANCE_REPO_IMPLEMENTATION_CLASS, MockProvenanceRepository.class.getName());
    overrides.put("nifi.remote.input.socket.port", "");
    overrides.put("nifi.remote.input.secure", "");
    nifiProperties = NiFiProperties.createBasicNiFiProperties(propsFile, overrides);
    encryptor = StringEncryptor.createEncryptor(nifiProperties);

    // use the system bundle
    systemBundle = SystemBundle.create(nifiProperties);
    ExtensionManager.discoverExtensions(systemBundle, Collections.emptySet());

    // group-1 contains user-1; group-2 is empty
    final User user1 = new User.Builder().identifier("user-id-1").identity("user-1").build();
    final User user2 = new User.Builder().identifier("user-id-2").identity("user-2").build();
    final Group group1 = new Group.Builder().identifier("group-id-1").name("group-1").addUser(user1.getIdentifier()).build();
    final Group group2 = new Group.Builder().identifier("group-id-2").name("group-2").build();

    // policy-1: both users may read resource1; policy-2: both groups and both users may read resource2
    final AccessPolicy policy1 = new AccessPolicy.Builder().identifier("policy-id-1").resource("resource1").action(RequestAction.READ).addUser(user1.getIdentifier()).addUser(user2.getIdentifier()).build();
    final AccessPolicy policy2 = new AccessPolicy.Builder().identifier("policy-id-2").resource("resource2").action(RequestAction.READ).addGroup(group1.getIdentifier()).addGroup(group2.getIdentifier()).addUser(user1.getIdentifier()).addUser(user2.getIdentifier()).build();

    // insertion-ordered sets keep the fixtures in a predictable order
    final Set<Group> groups = new LinkedHashSet<>();
    Collections.addAll(groups, group1, group2);
    final Set<User> users = new LinkedHashSet<>();
    Collections.addAll(users, user1, user2);
    final Set<AccessPolicy> policies = new LinkedHashSet<>();
    Collections.addAll(policies, policy1, policy2);

    authorizer = new MockPolicyBasedAuthorizer(groups, users, policies);
    variableRegistry = new FileBasedVariableRegistry(nifiProperties.getVariableRegistryPropertiesPaths());
    flowRegistry = Mockito.mock(FlowRegistryClient.class);
    bulletinRepo = Mockito.mock(BulletinRepository.class);
    controller = FlowController.createStandaloneInstance(flowFileEventRepo, nifiProperties, authorizer, auditService, encryptor, bulletinRepo, variableRegistry, flowRegistry);
}
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
Class AccessPolicyAuditor, method createAccessPolicyAdvice.
/**
 * Audits the creation of policies via createAccessPolicy().
 *
 * Only the 'after returning' behaviour is needed here. It is written as Around advice
 * because, on Java 7, Class.getDeclaredMethods returns methods in a different order than
 * on Java 6 (no order is guaranteed in either), and Spring AOP derives advice precedence
 * from that order. Normalizing every advice in this auditor to Around advice avoids the
 * problem.
 *
 * @param proceedingJoinPoint join point
 * @return the policy created by the advised method
 * @throws Throwable whatever the advised method throws
 */
@Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy createAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO))")
public AccessPolicy createAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
    // let the DAO create the policy; if it throws, nothing below runs and nothing is audited
    final AccessPolicy createdPolicy = (AccessPolicy) proceedingJoinPoint.proceed();

    // record the Add action when the auditor produced one for this policy
    final Action auditAction = generateAuditRecord(createdPolicy, Operation.Add);
    if (auditAction != null) {
        saveAction(auditAction, logger);
    }

    return createdPolicy;
}