Search in sources :

Example 6 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class Authorizable method authorize.

/**
 * Authorizes the current user for the specified action on the specified resource. This method does imply the user is
 * directly accessing the specified resource.
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @param resourceContext resource context
 */
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    final AuthorizationResult result = authorizer.authorize(request);
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
            // audit authorization request
            if (authorizer instanceof AuthorizationAuditor) {
                ((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
            }
            // denied
            throw new AccessDeniedException(failure.getExplanation());
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            parentProxy.authorize(authorizer, action, user, resourceContext);
        }
    } else if (Result.Denied.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Resource(org.apache.nifi.authorization.Resource) AuthorizationAuditor(org.apache.nifi.authorization.AuthorizationAuditor) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 7 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestStandardRootGroupPort method createRootGroupPort.

private RootGroupPort createRootGroupPort(NiFiProperties nifiProperties) {
    final BulletinRepository bulletinRepository = mock(BulletinRepository.class);
    final ProcessScheduler processScheduler = null;
    final Authorizer authorizer = mock(Authorizer.class);
    doAnswer(invocation -> {
        final AuthorizationRequest request = invocation.getArgumentAt(0, AuthorizationRequest.class);
        if ("node1@nifi.test".equals(request.getIdentity())) {
            return AuthorizationResult.approved();
        }
        return AuthorizationResult.denied();
    }).when(authorizer).authorize(any(AuthorizationRequest.class));
    final ProcessGroup processGroup = mock(ProcessGroup.class);
    doReturn("process-group-id").when(processGroup).getIdentifier();
    return new StandardRootGroupPort("id", "name", processGroup, TransferDirection.SEND, ConnectableType.INPUT_PORT, authorizer, bulletinRepository, processScheduler, true, nifiProperties);
}
Also used : BulletinRepository(org.apache.nifi.reporting.BulletinRepository) ProcessScheduler(org.apache.nifi.controller.ProcessScheduler) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Authorizer(org.apache.nifi.authorization.Authorizer) ProcessGroup(org.apache.nifi.groups.ProcessGroup)

Example 8 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class DataAuthorizableTest method setup.

@Before
public void setup() {
    testProcessorAuthorizable = mock(Authorizable.class);
    when(testProcessorAuthorizable.getParentAuthorizable()).thenReturn(null);
    when(testProcessorAuthorizable.getResource()).thenReturn(ResourceFactory.getComponentResource(ResourceType.Processor, "id", "name"));
    testAuthorizer = mock(Authorizer.class);
    when(testAuthorizer.authorize(any(AuthorizationRequest.class))).then(invocation -> {
        final AuthorizationRequest request = invocation.getArgumentAt(0, AuthorizationRequest.class);
        if (IDENTITY_1.equals(request.getIdentity())) {
            return AuthorizationResult.approved();
        } else if (PROXY_1.equals(request.getIdentity())) {
            return AuthorizationResult.approved();
        } else if (PROXY_2.equals(request.getIdentity())) {
            return AuthorizationResult.approved();
        }
        return AuthorizationResult.denied();
    });
    testDataAuthorizable = new DataAuthorizable(testProcessorAuthorizable);
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Authorizer(org.apache.nifi.authorization.Authorizer) Before(org.junit.Before)

Example 9 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestRangerNiFiAuthorizer method testResourceNotFound.

@Test
public void testResourceNotFound() {
    final String systemResource = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String user = "admin";
    // the incoming NiFi request to test
    final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
    // the expected Ranger resource and request that are created
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(resource);
    expectedRangerRequest.setAction(request.getAction().name());
    expectedRangerRequest.setAccessType(request.getAction().name());
    expectedRangerRequest.setUser(request.getIdentity());
    // no result processor should be provided used non-direct access
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), notNull(RangerAccessResultProcessor.class))).thenReturn(notAllowedResult);
    // return false when checking if a policy exists for the resource
    when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(false);
    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
}
Also used : RangerAccessResultProcessor(org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor) RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RequestAction(org.apache.nifi.authorization.RequestAction) HashMap(java.util.HashMap) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Example 10 with AuthorizationRequest

use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.

the class TestRangerNiFiAuthorizer method testApprovedWithDirectAccess.

@Test
public void testApprovedWithDirectAccess() {
    final String systemResource = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String user = "admin";
    final String clientIp = "192.168.1.1";
    final Map<String, String> userContext = new HashMap<>();
    userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp);
    // the incoming NiFi request to test
    final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).userContext(userContext).accessAttempt(true).anonymous(false).build();
    // the expected Ranger resource and request that are created
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(resource);
    expectedRangerRequest.setAction(request.getAction().name());
    expectedRangerRequest.setAccessType(request.getAction().name());
    expectedRangerRequest.setUser(request.getIdentity());
    expectedRangerRequest.setClientIPAddress(clientIp);
    // a non-null result processor should be used for direct access
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(allowedResult);
    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
}
Also used : RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RequestAction(org.apache.nifi.authorization.RequestAction) HashMap(java.util.HashMap) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Aggregations

AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)17 AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)10 Test (org.junit.Test)8 HashMap (java.util.HashMap)6 Authorizer (org.apache.nifi.authorization.Authorizer)6 RequestAction (org.apache.nifi.authorization.RequestAction)5 RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)5 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)5 Resource (org.apache.nifi.authorization.Resource)3 NiFiUserDetails (org.apache.nifi.authorization.user.NiFiUserDetails)3 Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)3 NiFiAuthenticationToken (org.apache.nifi.web.security.token.NiFiAuthenticationToken)3 Before (org.junit.Before)3 ArgumentMatcher (org.mockito.ArgumentMatcher)3 Authentication (org.springframework.security.core.Authentication)3 AuditService (org.apache.nifi.admin.service.AuditService)2 AuthorizerConfigurationContext (org.apache.nifi.authorization.AuthorizerConfigurationContext)2 AuthorizerInitializationContext (org.apache.nifi.authorization.AuthorizerInitializationContext)2 FlowController (org.apache.nifi.controller.FlowController)2 BulletinRepository (org.apache.nifi.reporting.BulletinRepository)2