Example 6 with AuthorizationResult
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class VolatileProvenanceRepository method isAuthorized.
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) {
if (authorizer == null || user == null) {
return true;
}
final Authorizable eventAuthorizable;
try {
if (event.isRemotePortType()) {
eventAuthorizable = resourceFactory.createRemoteDataAuthorizable(event.getComponentId());
} else {
eventAuthorizable = resourceFactory.createLocalDataAuthorizable(event.getComponentId());
}
} catch (final ResourceNotFoundException rnfe) {
return false;
}
final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes());
return Result.Approved.equals(result.getResult());
}
Also used :
Authorizable(org.apache.nifi.authorization.resource.Authorizable)
ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Example 7 with AuthorizationResult
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class TestRangerNiFiAuthorizer method testDenied.
@Test
public void testDenied() {
final String systemResource = "/system";
final RequestAction action = RequestAction.WRITE;
final String user = "admin";
// the incoming NiFi request to test
final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(systemResource, systemResource)).action(action).identity(user).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
// the expected Ranger resource and request that are created
final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
expectedRangerRequest.setResource(resource);
expectedRangerRequest.setAction(request.getAction().name());
expectedRangerRequest.setAccessType(request.getAction().name());
expectedRangerRequest.setUser(request.getIdentity());
// no result processor should be provided used non-direct access
when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(notAllowedResult);
// return true when checking if a policy exists for the resource
when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(true);
final AuthorizationResult result = authorizer.authorize(request);
assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
}
Also used :
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RequestAction(org.apache.nifi.authorization.RequestAction)
HashMap(java.util.HashMap)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Test(org.junit.Test)
Example 8 with AuthorizationResult
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class TestRangerNiFiAuthorizer method runRangerAdminTest.
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
configurationContext = createMockConfigContext();
final String rangerAdminIdentity = "ranger-admin";
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP))).thenReturn(new MockPropertyValue(rangerAdminIdentity));
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
authorizer.onConfigured(configurationContext);
final RequestAction action = RequestAction.WRITE;
// the incoming NiFi request to test
final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new MockResource(resourceIdentifier, resourceIdentifier)).action(action).identity(rangerAdminIdentity).resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
// the expected Ranger resource and request that are created
final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
expectedRangerRequest.setResource(resource);
expectedRangerRequest.setAction(request.getAction().name());
expectedRangerRequest.setAccessType(request.getAction().name());
expectedRangerRequest.setUser(request.getIdentity());
// return true when checking if a policy exists for the resource
when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, action)).thenReturn(true);
// a non-null result processor should be used for direct access
when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(notAllowedResult);
final AuthorizationResult result = authorizer.authorize(request);
assertEquals(expectedResult, result.getResult());
}
Also used :
RangerAccessRequestImpl(org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
RequestAction(org.apache.nifi.authorization.RequestAction)
HashMap(java.util.HashMap)
MockPropertyValue(org.apache.nifi.util.MockPropertyValue)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
Example 9 with AuthorizationResult
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class TestRangerNiFiAuthorizer method testIntegration.
@Test
@Ignore
public void testIntegration() {
final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class);
final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
Authorizer authorizer = new RangerNiFiAuthorizer();
try {
authorizer.initialize(initializationContext);
authorizer.onConfigured(configurationContext);
final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new Resource() {
@Override
public String getIdentifier() {
return "/system";
}
@Override
public String getName() {
return "/system";
}
@Override
public String getSafeDescription() {
return "system";
}
}).action(RequestAction.WRITE).identity("admin").resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
final AuthorizationResult result = authorizer.authorize(request);
Assert.assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
} finally {
authorizer.preDestruction();
}
}
Also used :
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
HashMap(java.util.HashMap)
Authorizer(org.apache.nifi.authorization.Authorizer)
Resource(org.apache.nifi.authorization.Resource)
MockPropertyValue(org.apache.nifi.util.MockPropertyValue)
AuthorizerInitializationContext(org.apache.nifi.authorization.AuthorizerInitializationContext)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext)
Ignore(org.junit.Ignore)
Test(org.junit.Test)
Example 10 with AuthorizationResult
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class Authorizable method checkAuthorization.
/**
* Returns the result of an authorization request for the specified user for the specified action on the specified
* resource. This method does not imply the user is directly attempting to access the specified resource. If the user is
* attempting a direct access use Authorizable.authorize().
*
* @param authorizer authorizer
* @param action action
* @param user user
* @return is authorized
*/
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user.");
}
final Map<String, String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
} else {
userContext = null;
}
final Resource resource = getResource();
final Resource requestedResource = getRequestedResource();
final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(false).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
// build the safe explanation
final StringBuilder safeDescription = new StringBuilder("Unable to ");
if (RequestAction.READ.equals(action)) {
safeDescription.append("view ");
} else {
safeDescription.append("modify ");
}
safeDescription.append(resource.getSafeDescription()).append(".");
return safeDescription.toString();
}).build();
// perform the authorization
final AuthorizationResult result = authorizer.authorize(request);
// verify the results
if (Result.ResourceNotFound.equals(result.getResult())) {
final Authorizable parent = getParentAuthorizable();
if (parent == null) {
return AuthorizationResult.denied("No applicable policies could be found.");
} else {
// create a custom authorizable to override the safe description but still defer to the parent authorizable
final Authorizable parentProxy = new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return parent.getParentAuthorizable();
}
@Override
public Resource getRequestedResource() {
return requestedResource;
}
@Override
public Resource getResource() {
final Resource parentResource = parent.getResource();
return new Resource() {
@Override
public String getIdentifier() {
return parentResource.getIdentifier();
}
@Override
public String getName() {
return parentResource.getName();
}
@Override
public String getSafeDescription() {
return resource.getSafeDescription();
}
};
}
};
return parentProxy.checkAuthorization(authorizer, action, user, resourceContext);
}
} else {
return result;
}
}
Also used :
AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest)
Resource(org.apache.nifi.authorization.Resource)
AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)
Aggregations
AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)26
AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)11
Test (org.junit.Test)9
Authorizable (org.apache.nifi.authorization.resource.Authorizable)8
HashMap (java.util.HashMap)7
RequestAction (org.apache.nifi.authorization.RequestAction)7
NiFiUser (org.apache.nifi.authorization.user.NiFiUser)6
ResourceNotFoundException (org.apache.nifi.web.ResourceNotFoundException)5
RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)5
RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)5
FlowChangeAction (org.apache.nifi.action.FlowChangeAction)3
AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)3
Resource (org.apache.nifi.authorization.Resource)3
Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)3
ArrayList (java.util.ArrayList)2
Action (org.apache.nifi.action.Action)2
Authorizer (org.apache.nifi.authorization.Authorizer)2
History (org.apache.nifi.history.History)2
HistoryQuery (org.apache.nifi.history.HistoryQuery)2
MockPropertyValue (org.apache.nifi.util.MockPropertyValue)2
