use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class AccessPolicyAuditor method updateAccessPolicyAdvice.
/**
* Audits the configuration of a single policy.
*
* @param proceedingJoinPoint join point
* @param accessPolicyDTO dto
* @param accessPolicyDAO dao
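* @return the access policy returned by the intercepted update
* @throws Throwable if the intercepted update or one of the surrounding policy lookups fails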
*/
@Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && "
        + "execution(org.apache.nifi.authorization.AccessPolicy updateAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO)) && "
        + "args(accessPolicyDTO) && "
        + "target(accessPolicyDAO)")
public AccessPolicy updateAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint, AccessPolicyDTO accessPolicyDTO, AccessPolicyDAO accessPolicyDAO) throws Throwable {
    // Snapshot the configured values before the update runs so each audit entry can carry an old/new pair.
    final AccessPolicy policyBefore = accessPolicyDAO.getAccessPolicy(accessPolicyDTO.getId());
    final Map<String, String> values = extractConfiguredPropertyValues(policyBefore, accessPolicyDTO);

    // Run the intercepted update. An exception propagates from here, so nothing below is recorded for a failed update.
    final AccessPolicy updatedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed();

    // Re-read the policy through the DAO so the "after" values reflect what is now stored.
    final AccessPolicy policyAfter = accessPolicyDAO.getAccessPolicy(updatedAccessPolicy.getIdentifier());

    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    if (user == null) {
        // NOTE(review): the update has already been applied at this point, and with no resolved user
        // no action is saved for it. Confirm that callers without a user context are expected here,
        // because a policy change made this way leaves no audit entry.
        return updatedAccessPolicy;
    }

    final Map<String, String> updatedValues = extractConfiguredPropertyValues(policyAfter, accessPolicyDTO);

    // All actions produced by one update share a single timestamp.
    final Date actionTimestamp = new Date();
    final Collection<Action> actions = new ArrayList<>();

    for (final Map.Entry<String, String> entry : updatedValues.entrySet()) {
        final String property = entry.getKey();
        final String newValue = entry.getValue();
        final String oldValue = values.get(property);

        // Skip only when both sides are present and equal; a missing old or new value is audited too.
        final boolean unchanged = oldValue != null && newValue != null && newValue.equals(oldValue);
        if (unchanged) {
            continue;
        }

        // Details: which property changed, and from what to what.
        final FlowChangeConfigureDetails actionDetails = new FlowChangeConfigureDetails();
        actionDetails.setName(property);
        actionDetails.setValue(newValue);
        actionDetails.setPreviousValue(oldValue);

        // Action: who changed it, when, and on which policy.
        final FlowChangeAction configurationAction = new FlowChangeAction();
        configurationAction.setUserIdentity(user.getIdentity());
        configurationAction.setOperation(Operation.Configure);
        configurationAction.setTimestamp(actionTimestamp);
        configurationAction.setSourceId(policyAfter.getIdentifier());
        configurationAction.setSourceName(formatPolicyName(policyAfter));
        configurationAction.setSourceType(Component.AccessPolicy);
        configurationAction.setActionDetails(actionDetails);
        actions.add(configurationAction);
    }

    // Only touch the audit store when something actually changed.
    if (!actions.isEmpty()) {
        saveActions(actions, logger);
    }

    return updatedAccessPolicy;
}
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class StandardNiFiServiceFacade method updateUser.
/**
 * Applies the given user DTO through {@code updateComponent} and wraps the result, its revision
 * and the caller's permissions on the tenant authorizable into a {@code UserEntity}.
 *
 * <p>Group memberships and access policies are looked up before the update is applied and are
 * reused when the response DTO is built.
 *
 * <p>NOTE(review): no authorization check is visible in this method; presumably the caller or
 * {@code updateComponent} enforces it. Confirm before exposing this on a new code path.
 *
 * @param revision revision passed to {@code updateComponent}
 * @param userDTO  the user configuration to apply
 * @return the entity describing the updated user
 */
@Override
public UserEntity updateUser(final Revision revision, final UserDTO userDTO) {
    final Authorizable tenant = authorizableLookup.getTenant();

    // Both lookups run before the update; the response is built from these pre-update sets.
    final Set<Group> memberGroups = userGroupDAO.getUserGroupsForUser(userDTO.getId());
    final Set<AccessPolicy> userPolicies = userGroupDAO.getAccessPoliciesForUser(userDTO.getId());

    final RevisionUpdate<UserDTO> update = updateComponent(
            revision,
            tenant,
            () -> userDAO.updateUser(userDTO),
            updatedUser -> dtoFactory.createUserDto(
                    updatedUser,
                    memberGroups.stream()
                            .map(Group::getIdentifier)
                            .map(mapUserGroupIdToTenantEntity())
                            .collect(Collectors.toSet()),
                    userPolicies.stream()
                            .map(policy -> createAccessPolicySummaryEntity(policy))
                            .collect(Collectors.toSet())));

    // Permissions are evaluated against the tenant authorizable, not the individual user.
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(tenant);
    return entityFactory.createUserEntity(
            update.getComponent(),
            dtoFactory.createRevisionDTO(update.getLastModification()),
            permissions);
}
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class StandardPolicyBasedAuthorizerDAO method deleteUser.
/**
 * Deletes a user through the configurable user group provider and then strips the user's
 * identifier from every access policy that can be modified.
 *
 * <p>The user is removed first and the policies are cleaned up afterwards, one by one. A policy
 * that is not configurable, or an access policy provider that is not configurable at all, keeps
 * its reference to the deleted user's identifier. Likewise, an exception from a policy update
 * leaves the remaining policies untouched while the user is already gone. Operators auditing
 * access should not assume that every policy entry maps to an existing user.
 *
 * @param userId identifier of the user to delete
 * @return the user that was removed
 * @throws ResourceNotFoundException if the provider reports that no user was removed
 * @throws IllegalStateException if the user group provider is not configurable
 */
@Override
public User deleteUser(final String userId) {
    // Users can only be deleted when the backing provider accepts modifications.
    if (!(userGroupProvider instanceof ConfigurableUserGroupProvider)) {
        throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS);
    }

    final ConfigurableUserGroupProvider userGroups = (ConfigurableUserGroupProvider) userGroupProvider;
    final User existing = getUser(userId);
    final User removedUser = userGroups.deleteUser(existing);

    // A null result means the provider did not remove anything.
    if (removedUser == null) {
        throw new ResourceNotFoundException(String.format("Unable to find user with id '%s'.", userId));
    }

    // Policy cleanup is best effort: it only happens when the policy provider is configurable.
    if (!(accessPolicyProvider instanceof ConfigurableAccessPolicyProvider)) {
        return removedUser;
    }

    final ConfigurableAccessPolicyProvider policies = (ConfigurableAccessPolicyProvider) accessPolicyProvider;
    for (final AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) {
        // Check membership and configurability up front so updateAccessPolicy is not called on a read-only policy.
        final boolean referencesUser = policy.getUsers().contains(removedUser.getIdentifier());
        if (referencesUser && policies.isConfigurable(policy)) {
            final AccessPolicy.Builder withoutUser = new AccessPolicy.Builder(policy).removeUser(removedUser.getIdentifier());
            policies.updateAccessPolicy(withoutUser.build());
        }
    }

    return removedUser;
}
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class StandardPolicyBasedAuthorizerDAO method deleteUserGroup.
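/**
 * Deletes a user group through the configurable user group provider and then strips the group's
 * identifier from every access policy that can be modified.
 *
 * <p>The group is removed first and the policies are cleaned up afterwards, one by one. A policy
 * that is not configurable, or an access policy provider that is not configurable at all, keeps
 * its reference to the deleted group's identifier.
 *
 * @param userGroupId identifier of the user group to delete
 * @return the group that was removed
 * @throws ResourceNotFoundException if the provider reports that no group was removed
 * @throws IllegalStateException if the user group provider is not configurable
 */
@Override
public Group deleteUserGroup(final String userGroupId) {
    if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
        final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider;
        final Group group = getUserGroup(userGroupId);
        final Group removedGroup = configurableUserGroupProvider.deleteGroup(group);

        // ensure the user group was removed
        if (removedGroup == null) {
            // Report the requested id: removedGroup is null in this branch, so formatting it
            // would always print 'null' and hide which group the caller asked for.
            throw new ResourceNotFoundException(String.format("Unable to find user group with id '%s'.", userGroupId));
        }

        // remove any references to the user group being deleted from policies if possible
        if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
            final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider;
            for (AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) {
                // ensure this policy contains a reference to the user group and this policy is configurable
                // (check proactively to prevent an exception)
                if (policy.getGroups().contains(removedGroup.getIdentifier()) && configurableAccessPolicyProvider.isConfigurable(policy)) {
                    final AccessPolicy.Builder builder = new AccessPolicy.Builder(policy).removeGroup(removedGroup.getIdentifier());
                    configurableAccessPolicyProvider.updateAccessPolicy(builder.build());
                }
            }
        }

        return removedGroup;
    } else {
        throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS);
    }
}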
use of org.apache.nifi.authorization.AccessPolicy in project nifi by apache.
the class SnippetUtils method rollbackClonedPolicy.
/**
* Attempts to roll back all policies for the specified component. This includes the component resource, data resource
* for the component, data transfer resource for the component, and policy resource for the component.
*
* @param componentResource component resource
*/
private void rollbackClonedPolicy(final Resource componentResource) {
    // Nothing to roll back when the authorizer cannot be modified.
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    // The component itself plus its data, data-transfer and policy resources.
    final List<Resource> targets = new ArrayList<>();
    targets.add(componentResource);
    targets.add(ResourceFactory.getDataResource(componentResource));
    targets.add(ResourceFactory.getDataTransferResource(componentResource));
    targets.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource target : targets) {
        for (final RequestAction action : RequestAction.values()) {
            final AccessPolicy cloned = accessPolicyDAO.getAccessPolicy(action, target.getIdentifier());
            if (cloned == null) {
                continue;
            }

            try {
                accessPolicyDAO.deleteAccessPolicy(cloned.getIdentifier());
            } catch (final Exception e) {
                // Best effort: a failed delete does not stop the rollback of the other policies.
                // The policy that could not be deleted stays in place, and this warning is the
                // only record of it, so the message is worth alerting on.
                logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, componentResource.getIdentifier()), e);
            }
        }
    }
}