use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class Authorizable method authorize.
/**
* Authorizes the current user for the specified action on the specified resource. This method does imply the user is
* directly accessing the specified resource.
*
* @param authorizer authorizer
* @param action action
* @param user user
* @param resourceContext resource context
*/
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user.");
}
final Map<String, String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
} else {
userContext = null;
}
final Resource resource = getResource();
final Resource requestedResource = getRequestedResource();
final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
// build the safe explanation
final StringBuilder safeDescription = new StringBuilder("Unable to ");
if (RequestAction.READ.equals(action)) {
safeDescription.append("view ");
} else {
safeDescription.append("modify ");
}
safeDescription.append(resource.getSafeDescription()).append(".");
return safeDescription.toString();
}).build();
final AuthorizationResult result = authorizer.authorize(request);
if (Result.ResourceNotFound.equals(result.getResult())) {
final Authorizable parent = getParentAuthorizable();
if (parent == null) {
final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
// audit authorization request
if (authorizer instanceof AuthorizationAuditor) {
((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
}
// denied
throw new AccessDeniedException(failure.getExplanation());
} else {
// create a custom authorizable to override the safe description but still defer to the parent authorizable
final Authorizable parentProxy = new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return parent.getParentAuthorizable();
}
@Override
public Resource getRequestedResource() {
return requestedResource;
}
@Override
public Resource getResource() {
final Resource parentResource = parent.getResource();
return new Resource() {
@Override
public String getIdentifier() {
return parentResource.getIdentifier();
}
@Override
public String getName() {
return parentResource.getName();
}
@Override
public String getSafeDescription() {
return resource.getSafeDescription();
}
};
}
};
parentProxy.authorize(authorizer, action, user, resourceContext);
}
} else if (Result.Denied.equals(result.getResult())) {
throw new AccessDeniedException(result.getExplanation());
}
}
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class DataAuthorizableTest method testCheckAuthorizationUserChain.
@Test
public void testCheckAuthorizationUserChain() {
final NiFiUser proxy2 = new Builder().identity(PROXY_2).build();
final NiFiUser proxy1 = new Builder().identity(PROXY_1).chain(proxy2).build();
final NiFiUser user = new Builder().identity(IDENTITY_1).chain(proxy1).build();
final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
assertEquals(Result.Approved, result.getResult());
verify(testAuthorizer, times(3)).authorize(any(AuthorizationRequest.class));
verifyAuthorizeForUser(IDENTITY_1);
verifyAuthorizeForUser(PROXY_1);
verifyAuthorizeForUser(PROXY_2);
}
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class DataAuthorizableTest method testCheckAuthorizationUnauthorizedUser.
@Test
public void testCheckAuthorizationUnauthorizedUser() {
final NiFiUser user = new Builder().identity("unknown").build();
final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
assertEquals(Result.Denied, result.getResult());
}
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class DataAuthorizableTest method testCheckAuthorizationUser.
@Test
public void testCheckAuthorizationUser() {
final NiFiUser user = new Builder().identity(IDENTITY_1).build();
final AuthorizationResult result = testDataAuthorizable.checkAuthorization(testAuthorizer, RequestAction.READ, user, null);
assertEquals(Result.Approved, result.getResult());
verify(testAuthorizer, times(1)).authorize(argThat(new ArgumentMatcher<AuthorizationRequest>() {
@Override
public boolean matches(Object o) {
return IDENTITY_1.equals(((AuthorizationRequest) o).getIdentity());
}
}));
}
use of org.apache.nifi.authorization.AuthorizationResult in project nifi by apache.
the class DataAuthorizable method checkAuthorization.
@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user.");
}
AuthorizationResult result = null;
// authorize each element in the chain
NiFiUser chainedUser = user;
do {
try {
// perform the current user authorization
result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext);
// if authorization is not approved, reject
if (!Result.Approved.equals(result.getResult())) {
return result;
}
// go to the next user in the chain
chainedUser = chainedUser.getChain();
} catch (final ResourceNotFoundException e) {
result = AuthorizationResult.denied("Unknown source component.");
}
} while (chainedUser != null);
if (result == null) {
result = AuthorizationResult.denied();
}
return result;
}
Aggregations