Use of org.apache.nifi.authorization.RequestAction in project nifi by apache.
The class TestRangerNiFiAuthorizer, method testApprovedWithDirectAccess.
@Test
public void testApprovedWithDirectAccess() {
    final String resourceIdentifier = "/system";
    final RequestAction requestAction = RequestAction.WRITE;
    final String identity = "admin";
    final String callerAddress = "192.168.1.1";

    // the user context carries the client address that the authorizer is expected to forward to Ranger
    final Map<String, String> userContext = new HashMap<>();
    userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), callerAddress);

    // the NiFi request under test: a direct access attempt by a non-anonymous user
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceIdentifier, resourceIdentifier))
            .action(requestAction)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .userContext(userContext)
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger resource and request the authorizer is expected to build from it
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(rangerResource);
    expectedRangerRequest.setAction(actionName);
    expectedRangerRequest.setAccessType(actionName);
    expectedRangerRequest.setUser(request.getIdentity());
    // for direct access the client IP must travel with the Ranger request
    expectedRangerRequest.setClientIPAddress(callerAddress);

    // the plugin only answers "allowed" for a request matching the expectation above,
    // so a mismatch in how the authorizer builds the Ranger request fails the assertion below
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(allowedResult);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
}
Use of org.apache.nifi.authorization.RequestAction in project nifi by apache.
The class TestRangerNiFiAuthorizer, method testApprovedWithNonDirectAccess.
@Test
public void testApprovedWithNonDirectAccess() {
    final String resourceIdentifier = "/system";
    final RequestAction requestAction = RequestAction.WRITE;
    final String identity = "admin";

    // the NiFi request under test: not an access attempt (no user context, no client address)
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceIdentifier, resourceIdentifier))
            .action(requestAction)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .accessAttempt(false)
            .anonymous(false)
            .build();

    // the Ranger resource and request the authorizer is expected to build from it
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(rangerResource);
    expectedRangerRequest.setAction(actionName);
    expectedRangerRequest.setAccessType(actionName);
    expectedRangerRequest.setUser(request.getIdentity());
    // unlike the direct-access case, no client IP address is expected on the Ranger request

    // the plugin only answers "allowed" for a request matching the expectation above
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(allowedResult);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
}
Use of org.apache.nifi.authorization.RequestAction in project nifi by apache.
The class AccessPolicyResource, method getAccessPolicyForResource.
// -----------------
// get access policy
// -----------------
/**
 * Retrieves the access policy for the specified action and resource.
 *
 * @param action the request action
 * @param rawResource the resource of the policy, as given in the path (without its leading slash)
 * @return An accessPolicyEntity.
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{action}/{resource: .+}")
@ApiOperation(
        value = "Gets an access policy for the specified action and resource",
        notes = "Will return the effective policy if no component specific policy exists for the specified action and resource. "
                + "Must have Read permissions to the policy with the desired action and resource. Permissions for the policy that is "
                + "returned will be indicated in the response. This means the client could be authorized to get the policy for a "
                + "given component but the effective policy may be inherited from an ancestor Process Group. If the client does not "
                + "have permissions to that policy, the response will not include the policy and the permissions in the response "
                + "will be marked accordingly. If the client does not have permissions to the policy of the desired action and resource "
                + "a 403 response will be returned.",
        response = AccessPolicyEntity.class,
        authorizations = {
                @Authorization(value = "Read - /policies/{resource}")
        }
)
@ApiResponses(value = {
        @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
        @ApiResponse(code = 401, message = "Client could not be authenticated."),
        @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
        @ApiResponse(code = 404, message = "The specified resource could not be found."),
        @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
})
public Response getAccessPolicyForResource(
        @ApiParam(value = "The request action.", allowableValues = "read, write", required = true)
        @PathParam("action") final String action,
        @ApiParam(value = "The resource of the policy.", required = true)
        @PathParam("resource") final String rawResource) {

    // policies are only readable through an authorizer that manages them
    if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER);
    }

    // validate the action path parameter before doing anything else; the resource path
    // parameter is matched without its leading slash, so restore it here
    final RequestAction requestAction = RequestAction.valueOfValue(action);
    final String resource = "/" + rawResource;

    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }

    // the caller needs READ on the policy authorizable for this resource, regardless of
    // which action's policy is being requested
    serviceFacade.authorizeAccess(lookup ->
            lookup.getAccessPolicyByResource(resource).authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()));

    // only reached once the authorization check above has passed
    final AccessPolicyEntity entity = serviceFacade.getAccessPolicy(requestAction, resource);
    populateRemainingAccessPolicyEntityContent(entity);
    return generateOkResponse(entity).build();
}
Use of org.apache.nifi.authorization.RequestAction in project nifi by apache.
The class SnippetUtils, method rollbackClonedPolicy.
/**
* Attempts to roll back all policies for the specified component. This includes the component resource, data resource
* for the component, data transfer resource for the component, and policy resource for the component.
*
* @param componentResource component resource
*/
private void rollbackClonedPolicy(final Resource componentResource) {
    // nothing to clean up unless the authorizer lets us manage policies
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    // the component resource plus every derived resource a clone may have received a policy for
    final Resource[] candidateResources = {
            componentResource,
            ResourceFactory.getDataResource(componentResource),
            ResourceFactory.getDataTransferResource(componentResource),
            ResourceFactory.getPolicyResource(componentResource)
    };

    for (final Resource candidate : candidateResources) {
        for (final RequestAction action : RequestAction.values()) {
            // the DAO returns null when no policy exists for this action/resource pair
            final AccessPolicy policy = accessPolicyDAO.getAccessPolicy(action, candidate.getIdentifier());
            if (policy == null) {
                continue;
            }
            try {
                accessPolicyDAO.deleteAccessPolicy(policy.getIdentifier());
            } catch (final Exception e) {
                // best-effort cleanup: keep going so the remaining policies are still removed,
                // and log the one left behind so it can be dealt with by hand
                logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, componentResource.getIdentifier()), e);
            }
        }
    }
}
Use of org.apache.nifi.authorization.RequestAction in project nifi by apache.
The class SnippetUtils, method cloneComponentSpecificPolicies.
/**
* Clones all the component-specific policies of the specified original component. This includes the component resource, data resource
* for the component, data transfer resource for the component, and policy resource for the component.
*
* @param originalComponentResource original component resource
* @param clonedComponentResource cloned component resource
* @param idGenerationSeed id generation seed
*/
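private void cloneComponentSpecificPolicies(final Resource originalComponentResource, final Resource clonedComponentResource, final String idGenerationSeed) {
    // policies can only be cloned when the authorizer lets us manage them
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    // original resource -> cloned resource, for the component itself and each derived resource
    final Map<Resource, Resource> resources = new HashMap<>();
    resources.put(originalComponentResource, clonedComponentResource);
    resources.put(ResourceFactory.getDataResource(originalComponentResource), ResourceFactory.getDataResource(clonedComponentResource));
    resources.put(ResourceFactory.getDataTransferResource(originalComponentResource), ResourceFactory.getDataTransferResource(clonedComponentResource));
    resources.put(ResourceFactory.getPolicyResource(originalComponentResource), ResourceFactory.getPolicyResource(clonedComponentResource));

    for (final Entry<Resource, Resource> entry : resources.entrySet()) {
        final Resource originalResource = entry.getKey();
        final Resource cloneResource = entry.getValue();

        for (final RequestAction action : RequestAction.values()) {
            final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(action, originalResource.getIdentifier());
            // only a component-specific policy (non-null here) is cloned; otherwise the clone keeps inheriting
            if (accessPolicy == null) {
                continue;
            }

            final AccessPolicyDTO cloneAccessPolicy = new AccessPolicyDTO();
            // the clone's id is derived from the original's id and the caller's seed (see generateId)
            cloneAccessPolicy.setId(generateId(accessPolicy.getIdentifier(), idGenerationSeed, true));
            cloneAccessPolicy.setAction(accessPolicy.getAction().toString());
            cloneAccessPolicy.setResource(cloneResource.getIdentifier());
            // the clone grants exactly the same users and groups as the original policy
            cloneAccessPolicy.setUsers(toTenantEntities(accessPolicy.getUsers()));
            cloneAccessPolicy.setUserGroups(toTenantEntities(accessPolicy.getGroups()));

            // persist the cloned policy for the new component
            accessPolicyDAO.createAccessPolicy(cloneAccessPolicy);
        }
    }
}

/**
 * Wraps each tenant identifier in a {@code TenantEntity} carrying only that id, which is the
 * shape {@code AccessPolicyDTO.setUsers} and {@code AccessPolicyDTO.setUserGroups} expect.
 *
 * @param tenantIds user or group identifiers
 * @return a new set with one entity per identifier
 */
private static Set<TenantEntity> toTenantEntities(final Iterable<String> tenantIds) {
    final Set<TenantEntity> entities = new HashSet<>();
    for (final String tenantId : tenantIds) {
        final TenantEntity entity = new TenantEntity();
        entity.setId(tenantId);
        entities.add(entity);
    }
    return entities;
}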