Example 6 with AuthorizationRequest
use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.
the class Authorizable method authorize.
/**
* Authorizes the current user for the specified action on the specified resource. This method does imply the user is
* directly accessing the specified resource.
*
* @param authorizer authorizer
* @param action action
* @param user user
* @param resourceContext resource context
*/
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user.");
}
final Map<String, String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
} else {
userContext = null;
}
final Resource resource = getResource();
final Resource requestedResource = getRequestedResource();
final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
// build the safe explanation
final StringBuilder safeDescription = new StringBuilder("Unable to ");
if (RequestAction.READ.equals(action)) {
safeDescription.append("view ");
} else {
safeDescription.append("modify ");
}
safeDescription.append(resource.getSafeDescription()).append(".");
return safeDescription.toString();
}).build();
final AuthorizationResult result = authorizer.authorize(request);
if (Result.ResourceNotFound.equals(result.getResult())) {
final Authorizable parent = getParentAuthorizable();
if (parent == null) {
final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
// audit authorization request
if (authorizer instanceof AuthorizationAuditor) {
((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
}
// denied
throw new AccessDeniedException(failure.getExplanation());
} else {
// create a custom authorizable to override the safe description but still defer to the parent authorizable
final Authorizable parentProxy = new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return parent.getParentAuthorizable();
}
@Override
public Resource getRequestedResource() {
return requestedResource;
}
@Override
public Resource getResource() {
final Resource parentResource = parent.getResource();
return new Resource() {
@Override
public String getIdentifier() {
return parentResource.getIdentifier();
}
@Override
public String getName() {
return parentResource.getName();
}
@Override
public String getSafeDescription() {
return resource.getSafeDescription();
}
};
}
};
parentProxy.authorize(authorizer, action, user, resourceContext);
}
} else if (Result.Denied.equals(result.getResult())) {
throw new AccessDeniedException(result.getExplanation());
}
}
Also used :
AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
Resource(org.apache.nifi.authorization.Resource)
AuthorizationAuditor(org.apache.nifi.authorization.AuthorizationAuditor)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Example 7 with AuthorizationRequest
use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.
the class TestStandardRootGroupPort method createRootGroupPort.
private RootGroupPort createRootGroupPort(NiFiProperties nifiProperties) {
final BulletinRepository bulletinRepository = mock(BulletinRepository.class);
final ProcessScheduler processScheduler = null;
final Authorizer authorizer = mock(Authorizer.class);
doAnswer(invocation -> {
final AuthorizationRequest request = invocation.getArgumentAt(0, AuthorizationRequest.class);
if ("node1@nifi.test".equals(request.getIdentity())) {
return AuthorizationResult.approved();
}
return AuthorizationResult.denied();
}).when(authorizer).authorize(any(AuthorizationRequest.class));
final ProcessGroup processGroup = mock(ProcessGroup.class);
doReturn("process-group-id").when(processGroup).getIdentifier();
return new StandardRootGroupPort("id", "name", processGroup, TransferDirection.SEND, ConnectableType.INPUT_PORT, authorizer, bulletinRepository, processScheduler, true, nifiProperties);
}
Also used :
BulletinRepository(org.apache.nifi.reporting.BulletinRepository)
ProcessScheduler(org.apache.nifi.controller.ProcessScheduler)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
Authorizer(org.apache.nifi.authorization.Authorizer)
ProcessGroup(org.apache.nifi.groups.ProcessGroup)
Example 8 with AuthorizationRequest
use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.
the class DataAuthorizableTest method setup.
@Before
public void setup() {
testProcessorAuthorizable = mock(Authorizable.class);
when(testProcessorAuthorizable.getParentAuthorizable()).thenReturn(null);
when(testProcessorAuthorizable.getResource()).thenReturn(ResourceFactory.getComponentResource(ResourceType.Processor, "id", "name"));
testAuthorizer = mock(Authorizer.class);
when(testAuthorizer.authorize(any(AuthorizationRequest.class))).then(invocation -> {
final AuthorizationRequest request = invocation.getArgumentAt(0, AuthorizationRequest.class);
if (IDENTITY_1.equals(request.getIdentity())) {
return AuthorizationResult.approved();
} else if (PROXY_1.equals(request.getIdentity())) {
return AuthorizationResult.approved();
} else if (PROXY_2.equals(request.getIdentity())) {
return AuthorizationResult.approved();
}
return AuthorizationResult.denied();
});
testDataAuthorizable = new DataAuthorizable(testProcessorAuthorizable);
}
Also used :
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
Authorizer(org.apache.nifi.authorization.Authorizer)
Before(org.junit.Before)
Example 9 with AuthorizationRequest
use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.
the class TestRangerNiFiAuthorizer method testResourceNotFound.
@Test
public void testResourceNotFound() {
final String systemResource = "/system";
final RequestAction action = RequestAction.WRITE;
final String user = "admin";
// the incoming NiFi request to test
final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
// the expected Ranger resource and request that are created
final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
expectedRangerRequest.setResource(resource);
expectedRangerRequest.setAction(request.getAction().name());
expectedRangerRequest.setAccessType(request.getAction().name());
expectedRangerRequest.setUser(request.getIdentity());
// no result processor should be provided used non-direct access
when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), notNull(RangerAccessResultProcessor.class))).thenReturn(notAllowedResult);
// return false when checking if a policy exists for the resource
when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(false);
final AuthorizationResult result = authorizer.authorize(request);
assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
}
Also used :
RangerAccessResultProcessor(org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor)
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RequestAction(org.apache.nifi.authorization.RequestAction)
HashMap(java.util.HashMap)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Test(org.junit.Test)
Example 10 with AuthorizationRequest
use of org.apache.nifi.authorization.AuthorizationRequest in project nifi by apache.
the class TestRangerNiFiAuthorizer method testApprovedWithDirectAccess.
@Test
public void testApprovedWithDirectAccess() {
final String systemResource = "/system";
final RequestAction action = RequestAction.WRITE;
final String user = "admin";
final String clientIp = "192.168.1.1";
final Map<String, String> userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp);
// the incoming NiFi request to test
final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).userContext(userContext).accessAttempt(true).anonymous(false).build();
// the expected Ranger resource and request that are created
final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
expectedRangerRequest.setResource(resource);
expectedRangerRequest.setAction(request.getAction().name());
expectedRangerRequest.setAccessType(request.getAction().name());
expectedRangerRequest.setUser(request.getIdentity());
expectedRangerRequest.setClientIPAddress(clientIp);
// a non-null result processor should be used for direct access
when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(allowedResult);
final AuthorizationResult result = authorizer.authorize(request);
assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
}
Also used :
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RequestAction(org.apache.nifi.authorization.RequestAction)
HashMap(java.util.HashMap)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Test(org.junit.Test)
Aggregations
AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)17
AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)10
Test (org.junit.Test)8
HashMap (java.util.HashMap)6
Authorizer (org.apache.nifi.authorization.Authorizer)6
RequestAction (org.apache.nifi.authorization.RequestAction)5
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)5
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)5
Resource (org.apache.nifi.authorization.Resource)3
NiFiUserDetails (org.apache.nifi.authorization.user.NiFiUserDetails)3
Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)3
NiFiAuthenticationToken (org.apache.nifi.web.security.token.NiFiAuthenticationToken)3
Before (org.junit.Before)3
ArgumentMatcher (org.mockito.ArgumentMatcher)3
Authentication (org.springframework.security.core.Authentication)3
AuditService (org.apache.nifi.admin.service.AuditService)2
AuthorizerConfigurationContext (org.apache.nifi.authorization.AuthorizerConfigurationContext)2
AuthorizerInitializationContext (org.apache.nifi.authorization.AuthorizerInitializationContext)2
FlowController (org.apache.nifi.controller.FlowController)2
BulletinRepository (org.apache.nifi.reporting.BulletinRepository)2
