
Example 1 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

Class StandardNiFiServiceFacade, method isUserAuthorized.

/**
 * Checks whether {@code user} may access {@code port} for site-to-site data transfer.
 * <p>
 * A single {@link AuthorizationRequest} is built against the port's data-transfer resource
 * instead of going through the DataTransferAuthorizable, which would require the entire
 * chain to be authorized. This method only backs the site-to-site details lookup, so the
 * single-resource check is sufficient. The request is flagged as not being an access attempt.
 *
 * @param user the requesting user
 * @param port the root group port being described
 * @return {@code true} when site-to-site is not secured (every user is allowed) or when the
 *         authorizer approves the request; {@code false} otherwise
 */
private boolean isUserAuthorized(final NiFiUser user, final RootGroupPort port) {
    // Without a secure site-to-site configuration there is nothing to gate on: everyone is allowed.
    if (!Boolean.TRUE.equals(properties.isSiteToSiteSecure())) {
        return true;
    }

    // Only supply a user context when a usable client address is known; otherwise leave it unset.
    final String clientAddress = user.getClientAddress();
    Map<String, String> userContext = null;
    if (clientAddress != null && !clientAddress.trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);
    }

    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(ResourceFactory.getDataTransferResource(port.getResource()))
            .identity(user.getIdentity())
            .groups(user.getGroups())
            .anonymous(user.isAnonymous())
            .accessAttempt(false)
            .action(RequestAction.WRITE)
            .userContext(userContext)
            .explanationSupplier(() -> "Unable to retrieve port details.")
            .build();

    final AuthorizationResult outcome = authorizer.authorize(request);
    return Result.Approved.equals(outcome.getResult());
}

Example 2 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

Class StandardNiFiServiceFacade, method authorizeBulletin.

/**
 * Determines whether the current user may read the component that produced {@code bulletin}.
 * <p>
 * The bulletin's source is resolved to its {@link Authorizable} by component type and then
 * checked for {@link RequestAction#READ}. A source that no longer exists in the flow is
 * treated as not authorized rather than as an error, so callers can simply drop the bulletin.
 *
 * @param bulletin the bulletin whose source component is being checked
 * @return {@code true} only when the authorizer approves READ access to the source component
 * @throws WebApplicationException (server error) when the bulletin's source type is not one
 *         this class knows how to resolve
 */
private boolean authorizeBulletin(final Bulletin bulletin) {
    final String sourceId = bulletin.getSourceId();
    final ComponentType sourceType = bulletin.getSourceType();

    final Authorizable source;
    try {
        source = resolveBulletinSource(sourceType, sourceId);
    } catch (final ResourceNotFoundException e) {
        // the component that emitted the bulletin is gone: deny instead of failing the request
        return false;
    }

    final AuthorizationResult outcome = source.checkAuthorization(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    return Result.Approved.equals(outcome.getResult());
}

/**
 * Maps a bulletin source to the {@link Authorizable} that governs access to it.
 *
 * @param type     the type of component that emitted the bulletin
 * @param sourceId the identifier of that component
 * @return the authorizable for the component
 * @throws WebApplicationException (server error) for a component type without a known authorizable
 */
private Authorizable resolveBulletinSource(final ComponentType type, final String sourceId) {
    switch (type) {
        case PROCESSOR:
            return authorizableLookup.getProcessor(sourceId).getAuthorizable();
        case REPORTING_TASK:
            return authorizableLookup.getReportingTask(sourceId).getAuthorizable();
        case CONTROLLER_SERVICE:
            return authorizableLookup.getControllerService(sourceId).getAuthorizable();
        case FLOW_CONTROLLER:
            return controllerFacade;
        case INPUT_PORT:
            return authorizableLookup.getInputPort(sourceId);
        case OUTPUT_PORT:
            return authorizableLookup.getOutputPort(sourceId);
        case REMOTE_PROCESS_GROUP:
            return authorizableLookup.getRemoteProcessGroup(sourceId);
        default:
            throw new WebApplicationException(Response.serverError().entity("An unexpected type of component is the source of this bulletin.").build());
    }
}

Example 3 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

Class StandardNiFiServiceFacade, method getActions.

/**
 * Looks up audited actions matching {@code historyQueryDto} and builds an entity for each one
 * carrying the outcome of a per-action authorization check.
 * <p>
 * Every action the audit service returns is still represented in the result; the boolean
 * passed to {@code createActionEntity} records whether the current user is authorized for it.
 *
 * @param historyQueryDto the query criteria (dates, source, user identity, paging and sort)
 * @return the history DTO, with action entities populated when the query returned any actions
 */
@Override
public HistoryDTO getActions(final HistoryQueryDTO historyQueryDto) {
    final HistoryQuery criteria = toHistoryQuery(historyQueryDto);
    final History history = auditService.getActions(criteria);
    final HistoryDTO historyDto = dtoFactory.createHistoryDto(history);

    if (history.getActions() == null) {
        return historyDto;
    }

    final List<ActionEntity> entities = new ArrayList<>();
    for (final Action action : history.getActions()) {
        // authorization is evaluated per action; the result is attached to the entity
        final boolean permitted = Result.Approved.equals(authorizeAction(action).getResult());
        entities.add(entityFactory.createActionEntity(dtoFactory.createActionDto(action), permitted));
    }
    historyDto.setActions(entities);
    return historyDto;
}

/**
 * Copies the query criteria from the request DTO into an audit {@link HistoryQuery}.
 *
 * @param dto the incoming query
 * @return the equivalent audit-service query
 */
private static HistoryQuery toHistoryQuery(final HistoryQueryDTO dto) {
    final HistoryQuery query = new HistoryQuery();
    query.setStartDate(dto.getStartDate());
    query.setEndDate(dto.getEndDate());
    query.setSourceId(dto.getSourceId());
    query.setUserIdentity(dto.getUserIdentity());
    query.setOffset(dto.getOffset());
    query.setCount(dto.getCount());
    query.setSortColumn(dto.getSortColumn());
    query.setSortOrder(dto.getSortOrder());
    return query;
}

Example 4 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

Class DataTransferResource, method authorizeDataTransfer.

/**
 * Authorizes the current user for a site-to-site data transfer on a root group port.
 * <p>
 * Only input and output ports are valid transfer targets; any other resource type is a
 * caller error. The port is resolved through {@code lookup} and checked for the current
 * user; a non-approved result is turned into an {@link AccessDeniedException} carrying the
 * explanation returned by the authorization check.
 * <p>
 * Note: Protected for testing purposes
 *
 * @param lookup       used to resolve the root group port authorizable
 * @param resourceType the type of port ({@code InputPort} or {@code OutputPort})
 * @param identifier   the port identifier
 * @throws IllegalArgumentException when {@code resourceType} is not an input or output port
 * @throws AccessDeniedException    when the authorization check does not approve the transfer
 */
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser requester = NiFiUserUtils.getNiFiUser();

    final boolean isInputPort = ResourceType.InputPort.equals(resourceType);
    final boolean isOutputPort = ResourceType.OutputPort.equals(resourceType);
    if (!isInputPort && !isOutputPort) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    final RootGroupPortAuthorizable portAuthorizable = isInputPort
            ? lookup.getRootGroupInputPort(identifier)
            : lookup.getRootGroupOutputPort(identifier);

    final AuthorizationResult outcome = portAuthorizable.checkAuthorization(requester);
    if (Result.Approved.equals(outcome.getResult())) {
        return;
    }
    throw new AccessDeniedException(outcome.getExplanation());
}

Example 5 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

Class ControllerFacade, method createProvenanceEventDto.

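/**
 * Builds a {@link ProvenanceEventDTO} for the given provenance event.
 * <p>
 * The identifying fields (id, time, type, flow file, size, component) are always populated.
 * When {@code summarize} is {@code false} the DTO additionally carries the merged attribute
 * set, content-claim details, replay availability and the sorted parent/child UUIDs.
 * Replay is reported as available only when the content is replayable <em>and</em> the
 * replay authorization check approves it; the explanation reflects whichever check failed.
 *
 * @param event     the provenance event to convert
 * @param summarize whether to omit the detailed (non-summary) fields
 * @return the populated DTO
 */
private ProvenanceEventDTO createProvenanceEventDto(final ProvenanceEventRecord event, final boolean summarize) {
    final ProvenanceEventDTO dto = new ProvenanceEventDTO();
    // the same formatted size is reported twice below; format it once
    final String formattedFileSize = FormatUtils.formatDataSize(event.getFileSize());

    dto.setId(String.valueOf(event.getEventId()));
    dto.setEventId(event.getEventId());
    dto.setEventTime(new Date(event.getEventTime()));
    dto.setEventType(event.getEventType().name());
    dto.setFlowFileUuid(event.getFlowFileUuid());
    dto.setFileSize(formattedFileSize);
    dto.setFileSizeBytes(event.getFileSize());
    dto.setComponentId(event.getComponentId());
    dto.setComponentType(event.getComponentType());

    // sets the component details if it can find the component still in the flow
    setComponentDetails(dto);

    // only include all details if not summarizing
    if (summarize) {
        return dto;
    }

    // Collator.getInstance returns a fresh instance per call; create one for all ordering below
    final Collator collator = Collator.getInstance(Locale.US);

    // additional event details
    dto.setAlternateIdentifierUri(event.getAlternateIdentifierUri());
    dto.setAttributes(mergeAttributes(event, collator));
    dto.setTransitUri(event.getTransitUri());
    dto.setSourceSystemFlowFileId(event.getSourceSystemFlowFileIdentifier());
    dto.setRelationship(event.getRelationship());
    dto.setDetails(event.getDetails());

    // content
    final ContentAvailability contentAvailability = flowController.getContentAvailability(event);
    dto.setContentEqual(contentAvailability.isContentSame());
    dto.setInputContentAvailable(contentAvailability.isInputAvailable());
    dto.setInputContentClaimSection(event.getPreviousContentClaimSection());
    dto.setInputContentClaimContainer(event.getPreviousContentClaimContainer());
    dto.setInputContentClaimIdentifier(event.getPreviousContentClaimIdentifier());
    dto.setInputContentClaimOffset(event.getPreviousContentClaimOffset());
    dto.setInputContentClaimFileSizeBytes(event.getPreviousFileSize());
    dto.setOutputContentAvailable(contentAvailability.isOutputAvailable());
    dto.setOutputContentClaimSection(event.getContentClaimSection());
    dto.setOutputContentClaimContainer(event.getContentClaimContainer());
    dto.setOutputContentClaimIdentifier(event.getContentClaimIdentifier());
    dto.setOutputContentClaimOffset(event.getContentClaimOffset());
    dto.setOutputContentClaimFileSize(formattedFileSize);
    dto.setOutputContentClaimFileSizeBytes(event.getFileSize());

    // the previous file size is optional; only format it when present
    if (event.getPreviousFileSize() != null) {
        dto.setInputContentClaimFileSize(FormatUtils.formatDataSize(event.getPreviousFileSize()));
    }

    // replay: requires both replayable content and an approved authorization check
    final AuthorizationResult replayAuthorization = checkAuthorizationForReplay(event);
    final boolean replayable = contentAvailability.isReplayable();
    final boolean replayApproved = Result.Approved.equals(replayAuthorization.getResult());
    dto.setReplayAvailable(replayable && replayApproved);
    // when the content could be replayed but authorization was not approved, surface the
    // authorization explanation; otherwise surface why the content itself is not replayable
    dto.setReplayExplanation(replayable && !replayApproved
            ? replayAuthorization.getExplanation()
            : contentAvailability.getReasonNotReplayable());
    dto.setSourceConnectionIdentifier(event.getSourceQueueIdentifier());

    // event duration: negative values mean "unknown" and are left unset
    if (event.getEventDuration() >= 0) {
        dto.setEventDuration(event.getEventDuration());
    }

    // lineage duration: only meaningful when a lineage start date is recorded
    if (event.getLineageStartDate() > 0) {
        dto.setLineageDuration(event.getEventTime() - event.getLineageStartDate());
    }

    // parent uuids
    final List<String> parentUuids = new ArrayList<>(event.getParentUuids());
    parentUuids.sort(collator);
    dto.setParentUuids(parentUuids);

    // child uuids
    final List<String> childUuids = new ArrayList<>(event.getChildUuids());
    childUuids.sort(collator);
    dto.setChildUuids(childUuids);

    return dto;
}

/**
 * Merges an event's previous and updated attributes into one set ordered by name.
 * <p>
 * Attributes the event updated carry the new value plus the previous value (or {@code null}
 * when the attribute did not exist before); previous attributes the event left untouched
 * carry the same value as both current and previous.
 *
 * @param event    the event whose attributes are merged
 * @param collator the collator used to order attributes by name
 * @return the merged attributes, sorted by name
 */
private static SortedSet<AttributeDTO> mergeAttributes(final ProvenanceEventRecord event, final Collator collator) {
    final SortedSet<AttributeDTO> attributes = new TreeSet<>(Comparator.comparing(AttributeDTO::getName, collator));
    final Map<String, String> updatedAttrs = event.getUpdatedAttributes();
    final Map<String, String> previousAttrs = event.getPreviousAttributes();

    // previous attributes that this event did not modify
    for (final Map.Entry<String, String> entry : previousAttrs.entrySet()) {
        if (updatedAttrs.containsKey(entry.getKey())) {
            continue; // superseded by the updated value added below
        }
        attributes.add(newAttribute(entry.getKey(), entry.getValue(), entry.getValue()));
    }

    // attributes this event added or changed
    for (final Map.Entry<String, String> entry : updatedAttrs.entrySet()) {
        attributes.add(newAttribute(entry.getKey(), entry.getValue(), previousAttrs.get(entry.getKey())));
    }
    return attributes;
}

/**
 * Creates a populated {@link AttributeDTO}.
 *
 * @param name          the attribute name
 * @param value         the attribute's current value
 * @param previousValue the attribute's value before the event, or {@code null}
 * @return the DTO
 */
private static AttributeDTO newAttribute(final String name, final String value, final String previousValue) {
    final AttributeDTO attribute = new AttributeDTO();
    attribute.setName(name);
    attribute.setValue(value);
    attribute.setPreviousValue(previousValue);
    return attribute;
}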
