Search in sources :

Example 1 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class StandardNiFiServiceFacade method isUserAuthorized.

/**
 * Ensures the specified user has permission to access the specified port. This method does
 * not utilize the DataTransferAuthorizable as that will enforce the entire chain is
 * authorized for the transfer. This method is only invoked when obtaining the site to site
 * details so the entire chain isn't necessary.
 */
private boolean isUserAuthorized(final NiFiUser user, final RootGroupPort port) {
    final boolean isSiteToSiteSecure = Boolean.TRUE.equals(properties.isSiteToSiteSecure());
    // if site to site is not secure, allow all users
    if (!isSiteToSiteSecure) {
        return true;
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(ResourceFactory.getDataTransferResource(port.getResource())).identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(false).action(RequestAction.WRITE).userContext(userContext).explanationSupplier(() -> "Unable to retrieve port details.").build();
    final AuthorizationResult result = authorizer.authorize(request);
    return Result.Approved.equals(result.getResult());
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 2 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestRangerNiFiAuthorizer method testDenied.

@Test
public void testDenied() {
    final String systemResource = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String user = "admin";
    // the incoming NiFi request to test
    final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
    // the expected Ranger resource and request that are created
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(resource);
    expectedRangerRequest.setAction(request.getAction().name());
    expectedRangerRequest.setAccessType(request.getAction().name());
    expectedRangerRequest.setUser(request.getIdentity());
    // no result processor should be provided used non-direct access
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(notAllowedResult);
    // return true when checking if a policy exists for the resource
    when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(true);
    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RequestAction(org.apache.nifi.authorization.RequestAction) HashMap(java.util.HashMap) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Example 3 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestRangerNiFiAuthorizer method runRangerAdminTest.

private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
    configurationContext = createMockConfigContext();
    final String rangerAdminIdentity = "ranger-admin";
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP))).thenReturn(new MockPropertyValue(rangerAdminIdentity));
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);
    final RequestAction action = RequestAction.WRITE;
    // the incoming NiFi request to test
    final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(resourceIdentifier, resourceIdentifier)).action(action).identity(rangerAdminIdentity).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
    // the expected Ranger resource and request that are created
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(resource);
    expectedRangerRequest.setAction(request.getAction().name());
    expectedRangerRequest.setAccessType(request.getAction().name());
    expectedRangerRequest.setUser(request.getIdentity());
    // return true when checking if a policy exists for the resource
    when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, action)).thenReturn(true);
    // a non-null result processor should be used for direct access
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(notAllowedResult);
    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(expectedResult, result.getResult());
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) RequestAction(org.apache.nifi.authorization.RequestAction) HashMap(java.util.HashMap) MockPropertyValue(org.apache.nifi.util.MockPropertyValue) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)

Example 4 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestRangerNiFiAuthorizer method testIntegration.

@Test
@Ignore
public void testIntegration() {
    final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class);
    final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
    Authorizer authorizer = new RangerNiFiAuthorizer();
    try {
        authorizer.initialize(initializationContext);
        authorizer.onConfigured(configurationContext);
        final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new Resource() {

            @Override
            public String getIdentifier() {
                return "/system";
            }

            @Override
            public String getName() {
                return "/system";
            }

            @Override
            public String getSafeDescription() {
                return "system";
            }
        }).action(RequestAction.WRITE).identity("admin").resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
        final AuthorizationResult result = authorizer.authorize(request);
        Assert.assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
    } finally {
        authorizer.preDestruction();
    }
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) HashMap(java.util.HashMap) Authorizer(org.apache.nifi.authorization.Authorizer) Resource(org.apache.nifi.authorization.Resource) MockPropertyValue(org.apache.nifi.util.MockPropertyValue) AuthorizerInitializationContext(org.apache.nifi.authorization.AuthorizerInitializationContext) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext) Ignore(org.junit.Ignore) Test(org.junit.Test)

Example 5 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class Authorizable method checkAuthorization.

/**
 * Returns the result of an authorization request for the specified user for the specified action on the specified
 * resource. This method does not imply the user is directly attempting to access the specified resource. If the user is
 * attempting a direct access use Authorizable.authorize().
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @return is authorized
 */
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    if (user == null) {
        return AuthorizationResult.denied("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(false).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    // perform the authorization
    final AuthorizationResult result = authorizer.authorize(request);
    // verify the results
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            return AuthorizationResult.denied("No applicable policies could be found.");
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            return parentProxy.checkAuthorization(authorizer, action, user, resourceContext);
        }
    } else {
        return result;
    }
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Resource(org.apache.nifi.authorization.Resource) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Aggregations

AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)17 AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)10 Test (org.junit.Test)8 HashMap (java.util.HashMap)6 Authorizer (org.apache.nifi.authorization.Authorizer)6 RequestAction (org.apache.nifi.authorization.RequestAction)5 RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)5 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)5 Resource (org.apache.nifi.authorization.Resource)3 NiFiUserDetails (org.apache.nifi.authorization.user.NiFiUserDetails)3 Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)3 NiFiAuthenticationToken (org.apache.nifi.web.security.token.NiFiAuthenticationToken)3 Before (org.junit.Before)3 ArgumentMatcher (org.mockito.ArgumentMatcher)3 Authentication (org.springframework.security.core.Authentication)3 AuditService (org.apache.nifi.admin.service.AuditService)2 AuthorizerConfigurationContext (org.apache.nifi.authorization.AuthorizerConfigurationContext)2 AuthorizerInitializationContext (org.apache.nifi.authorization.AuthorizerInitializationContext)2 FlowController (org.apache.nifi.controller.FlowController)2 BulletinRepository (org.apache.nifi.reporting.BulletinRepository)2