
Example 11 with AccessPolicy

use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.

From class TestRangerBasePluginWithPolicies, method testPoliciesWithoutUserGroupProvider:

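/**
 * Verifies how Ranger policies are translated into NiFi access policies when no user group provider is configured:
 * the Ranger user and group names are mapped to NiFi identifiers generated deterministically from the name itself
 * ({@code identifierGenerateFromSeed}).
 *
 * <p>Two Ranger policies are loaded: one granting READ on {@code /resource-1} to a single user, and one granting
 * READ and WRITE on {@code /resource-2} to a single group. They must become exactly three NiFi access policies
 * (one per resource/action pair), each retrievable both by resource+action and by its own identifier, and a lookup
 * for a resource that has no policy must find nothing.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    final String user1 = "user-1";
    final String group1 = "group-1";

    // policy 1: READ on /resource-1 for user-1 only
    final String resourceIdentifier1 = "/resource-1";
    RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
    final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);
    final RangerPolicyItem policy1Item = new RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));

    // policy 2: READ and WRITE on /resource-2 for group-1 only
    final String resourceIdentifier2 = "/resource-2";
    RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
    final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);
    final RangerPolicyItem policy2Item = new RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));

    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);
    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi");
    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);

    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
    pluginWithPolicies.setPolicies(servicePolicies);

    // ensure the two ranger policies converted into 3 nifi access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());

    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
    // read
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertEquals(RequestAction.READ, readResource1.getAction());
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    // the user is referenced by the identifier generated from its name, since there is no provider to resolve it
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
    assertTrue(readResource1.getGroups().isEmpty());
    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));

    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertEquals(RequestAction.READ, readResource2.getAction());
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
    // and write -- this must look up the WRITE policy; previously it fetched the READ policy a second time and so
    // never actually verified the write side of policy 2
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertEquals(RequestAction.WRITE, writeResource2.getAction());
    assertFalse(writeResource2.equals(readResource2));
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // resource 3 -> no read or write
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
    // no read or write
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}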

Example 12 with AccessPolicy

use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.

From class StandardNiFiServiceFacade, method deleteAccessPolicy:

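/**
 * Deletes the access policy with the given identifier and returns a snapshot of it as it was just before removal.
 *
 * <p>Everything the returned entity needs (the component reference for the protected resource, the caller's
 * permissions on the policy, and the tenant entities for the policy's users and groups) is resolved <em>before</em>
 * the delete runs, because the policy is gone afterwards. The removal itself is delegated to {@code deleteComponent}.
 *
 * @param revision       the revision the caller holds for the policy, passed through to {@code deleteComponent}
 * @param accessPolicyId the identifier of the policy to delete
 * @return the deleted policy rendered as an entity (no revision), with the caller's permissions attached
 */
@Override
public AccessPolicyEntity deleteAccessPolicy(final Revision revision, final String accessPolicyId) {
    final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyId);
    // accessPolicy is dereferenced unconditionally on the next line, so a null lookup result never gets past it
    // (presumably the DAO already throws its own not-found exception -- TODO confirm). The user/group mappings below
    // therefore carry no null guards of their own; the ones that used to be there were unreachable.
    final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource());
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyId));
    final Set<TenantEntity> userGroups = accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet());
    final Set<TenantEntity> users = accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet());

    // deleteComponent receives the policy as a Resource whose identifier and name are the resource the policy
    // protects (not the policy's own id); only the description carries the policy id
    final Resource policyResource = new Resource() {

        @Override
        public String getIdentifier() {
            return accessPolicy.getResource();
        }

        @Override
        public String getName() {
            return accessPolicy.getResource();
        }

        @Override
        public String getSafeDescription() {
            return "Policy " + accessPolicyId;
        }
    };

    // the DTO snapshot is built (as an argument) before the delete runs, so it reflects the pre-delete state
    final AccessPolicyDTO snapshot = deleteComponent(
            revision,
            policyResource,
            () -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId),
            // no need to clean up any policies as it's already been removed above
            false,
            dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference));
    return entityFactory.createAccessPolicyEntity(snapshot, null, permissions);
}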

Example 13 with AccessPolicy

use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.

From class StandardNiFiServiceFacade, method cleanUpPolicies:

/**
 * Removes every access policy scoped to the given component, or to one of the resources derived from it
 * (its data, data-transfer and policy resources), after the component itself has been removed.
 *
 * <p>Nothing is done when the configured authorizer is not configurable. Each (resource, action) pair is handled
 * independently: a failure to look up or remove one policy is logged at WARN and does not stop the remaining
 * pairs from being processed, nor does it propagate to the caller. Only the four resource kinds listed here are
 * covered; any other resource derived from the component is not touched by this method.
 *
 * @param componentResource the resource for the component being removed
 */
private void cleanUpPolicies(final Resource componentResource) {
    // a non-configurable authorizer cannot have its policies edited, so there is nothing to clean up
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> derivedResources = new ArrayList<>();
    derivedResources.add(componentResource);
    derivedResources.add(ResourceFactory.getDataResource(componentResource));
    derivedResources.add(ResourceFactory.getDataTransferResource(componentResource));
    derivedResources.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource derived : derivedResources) {
        for (final RequestAction action : RequestAction.values()) {
            try {
                // the component is gone, so any policy that still refers to it is stale and is removed too
                final AccessPolicy stalePolicy = accessPolicyDAO.getAccessPolicy(action, derived.getIdentifier());
                if (stalePolicy == null) {
                    continue;
                }
                accessPolicyDAO.deleteAccessPolicy(stalePolicy.getIdentifier());
            } catch (final Exception e) {
                // best effort: keep going with the other pairs rather than failing the component removal
                logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", action, derived.getIdentifier()), e);
            }
        }
    }
}

Example 14 with AccessPolicy

use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.

From class TestStandardReportingContext, method setup:

/**
 * Builds the standalone {@code FlowController} the tests run against.
 *
 * <p>The flow-file event repository, audit service, flow registry client and bulletin repository are Mockito mocks,
 * the provenance repository is the mock implementation, and site-to-site input is left blank. The authorizer is a
 * {@code MockPolicyBasedAuthorizer} seeded with two users, two groups (the first group containing the first user)
 * and two READ policies: one on {@code resource1} granted to both users directly, and one on {@code resource2}
 * granted to both groups and both users.
 */
@Before
public void setup() {
    flowFileEventRepo = Mockito.mock(FlowFileEventRepository.class);
    auditService = Mockito.mock(AuditService.class);

    final Map<String, String> extraProperties = new HashMap<>();
    extraProperties.put(NiFiProperties.PROVENANCE_REPO_IMPLEMENTATION_CLASS, MockProvenanceRepository.class.getName());
    // blank values: no site-to-site input port and no secure setting for it in this test
    extraProperties.put("nifi.remote.input.socket.port", "");
    extraProperties.put("nifi.remote.input.secure", "");
    nifiProperties = NiFiProperties.createBasicNiFiProperties(propsFile, extraProperties);
    encryptor = StringEncryptor.createEncryptor(nifiProperties);

    // use the system bundle, with no additional bundles
    systemBundle = SystemBundle.create(nifiProperties);
    ExtensionManager.discoverExtensions(systemBundle, Collections.emptySet());

    final User firstUser = new User.Builder().identifier("user-id-1").identity("user-1").build();
    final User secondUser = new User.Builder().identifier("user-id-2").identity("user-2").build();
    final Group firstGroup = new Group.Builder()
            .identifier("group-id-1")
            .name("group-1")
            .addUser(firstUser.getIdentifier())
            .build();
    final Group secondGroup = new Group.Builder().identifier("group-id-2").name("group-2").build();

    // READ on resource1 for both users directly
    final AccessPolicy readResource1 = new AccessPolicy.Builder()
            .identifier("policy-id-1")
            .resource("resource1")
            .action(RequestAction.READ)
            .addUser(firstUser.getIdentifier())
            .addUser(secondUser.getIdentifier())
            .build();
    // READ on resource2 for both groups and both users
    final AccessPolicy readResource2 = new AccessPolicy.Builder()
            .identifier("policy-id-2")
            .resource("resource2")
            .action(RequestAction.READ)
            .addGroup(firstGroup.getIdentifier())
            .addGroup(secondGroup.getIdentifier())
            .addUser(firstUser.getIdentifier())
            .addUser(secondUser.getIdentifier())
            .build();

    // insertion-ordered sets so the authorizer sees the entries in the order declared above
    final Set<Group> allGroups = new LinkedHashSet<>();
    Collections.addAll(allGroups, firstGroup, secondGroup);
    final Set<User> allUsers = new LinkedHashSet<>();
    Collections.addAll(allUsers, firstUser, secondUser);
    final Set<AccessPolicy> allPolicies = new LinkedHashSet<>();
    Collections.addAll(allPolicies, readResource1, readResource2);
    authorizer = new MockPolicyBasedAuthorizer(allGroups, allUsers, allPolicies);

    variableRegistry = new FileBasedVariableRegistry(nifiProperties.getVariableRegistryPropertiesPaths());
    flowRegistry = Mockito.mock(FlowRegistryClient.class);
    bulletinRepo = Mockito.mock(BulletinRepository.class);
    controller = FlowController.createStandaloneInstance(flowFileEventRepo, nifiProperties, authorizer, auditService, encryptor, bulletinRepo, variableRegistry, flowRegistry);
}

Example 15 with AccessPolicy

use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.

From class AccessPolicyAuditor, method createAccessPolicyAdvice:

/**
 * Audits every successful createAccessPolicy() call made on an AccessPolicyDAO by recording an Add action.
 *
 * <p>Only the after-returning behaviour is needed, but the advice is written as Around advice on purpose: Spring AOP
 * derives advice precedence from the order in which Class.getDeclaredMethods returns methods, and that (unspecified)
 * order was observed to differ between Java 6 and Java 7. Normalizing every advice in this auditor to Around advice
 * sidesteps the problem.
 *
 * <p>If the advised call throws, the exception propagates unchanged and nothing is audited; a creation attempt that
 * fails therefore leaves no audit record here.
 *
 * @param proceedingJoinPoint join point for the advised createAccessPolicy() call
 * @return the policy returned by the advised call, unchanged
 * @throws Throwable whatever the advised call throws
 */
@Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy createAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO))")
public AccessPolicy createAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
    // let the DAO create the policy; reaching the next line means it did not throw
    final AccessPolicy createdPolicy = (AccessPolicy) proceedingJoinPoint.proceed();

    // generateAuditRecord may decline to produce an action, in which case there is nothing to save
    final Action auditRecord = generateAuditRecord(createdPolicy, Operation.Add);
    if (auditRecord == null) {
        return createdPolicy;
    }
    saveAction(auditRecord, logger);
    return createdPolicy;
}
