Search in sources :

Example 11 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

the class Authorizable method authorize.

/**
 * Authorizes the current user for the specified action on the specified resource. This method does imply the user is
 * directly accessing the specified resource.
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @param resourceContext resource context
 */
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    final AuthorizationResult result = authorizer.authorize(request);
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
            // audit authorization request
            if (authorizer instanceof AuthorizationAuditor) {
                ((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
            }
            // denied
            throw new AccessDeniedException(failure.getExplanation());
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            parentProxy.authorize(authorizer, action, user, resourceContext);
        }
    } else if (Result.Denied.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Resource(org.apache.nifi.authorization.Resource) AuthorizationAuditor(org.apache.nifi.authorization.AuthorizationAuditor) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 12 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

the class DataAuthorizableTest method testCheckAuthorizationUserChain.

@Test
public void testCheckAuthorizationUserChain() {
    final NiFiUser proxy2 = new Builder().identity(PROXY_2).build();
    final NiFiUser proxy1 = new Builder().identity(PROXY_1).chain(proxy2).build();
    final NiFiUser user = new Builder().identity(IDENTITY_1).chain(proxy1).build();
    final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
    assertEquals(Result.Approved, result.getResult());
    verify(testAuthorizer, times(3)).authorize(any(AuthorizationRequest.class));
    verifyAuthorizeForUser(IDENTITY_1);
    verifyAuthorizeForUser(PROXY_1);
    verifyAuthorizeForUser(PROXY_2);
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Example 13 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

the class DataAuthorizableTest method testCheckAuthorizationUnauthorizedUser.

@Test
public void testCheckAuthorizationUnauthorizedUser() {
    final NiFiUser user = new Builder().identity("unknown").build();
    final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
    assertEquals(Result.Denied, result.getResult());
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Example 14 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

the class DataAuthorizableTest method testCheckAuthorizationUser.

@Test
public void testCheckAuthorizationUser() {
    final NiFiUser user = new Builder().identity(IDENTITY_1).build();
    final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
    assertEquals(Result.Approved, result.getResult());
    verify(testAuthorizer, times(1)).authorize(argThat(new ArgumentMatcher<AuthorizationRequest>() {

        @Override
        public boolean matches(Object o) {
            return IDENTITY_1.equals(((AuthorizationRequest) o).getIdentity());
        }
    }));
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Builder(org.apache.nifi.authorization.user.StandardNiFiUser.Builder) ArgumentMatcher(org.mockito.ArgumentMatcher) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) Test(org.junit.Test)

Example 15 with AuthorizationResult

use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.

the class DataAuthorizable method checkAuthorization.

@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    if (user == null) {
        return AuthorizationResult.denied("Unknown user.");
    }
    AuthorizationResult result = null;
    // authorize each element in the chain
    NiFiUser chainedUser = user;
    do {
        try {
            // perform the current user authorization
            result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext);
            // if authorization is not approved, reject
            if (!Result.Approved.equals(result.getResult())) {
                return result;
            }
            // go to the next user in the chain
            chainedUser = chainedUser.getChain();
        } catch (final ResourceNotFoundException e) {
            result = AuthorizationResult.denied("Unknown source component.");
        }
    } while (chainedUser != null);
    if (result == null) {
        result = AuthorizationResult.denied();
    }
    return result;
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)

Aggregations

AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)26 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)11 Test (org.junit.Test)9 Authorizable (org.apache.nifi.authorization.resource.Authorizable)8 HashMap (java.util.HashMap)7 RequestAction (org.apache.nifi.authorization.RequestAction)7 NiFiUser (org.apache.nifi.authorization.user.NiFiUser)6 ResourceNotFoundException (org.apache.nifi.web.ResourceNotFoundException)5 RangerAccessRequestImpl (org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl)5 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)5 FlowChangeAction (org.apache.nifi.action.FlowChangeAction)3 AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)3 Resource (org.apache.nifi.authorization.Resource)3 Builder (org.apache.nifi.authorization.user.StandardNiFiUser.Builder)3 ArrayList (java.util.ArrayList)2 Action (org.apache.nifi.action.Action)2 Authorizer (org.apache.nifi.authorization.Authorizer)2 History (org.apache.nifi.history.History)2 HistoryQuery (org.apache.nifi.history.HistoryQuery)2 MockPropertyValue (org.apache.nifi.util.MockPropertyValue)2