Examples with Resource org.apache.nifi.authorization.Resource used on opensource projects

Search in sources :

Example 6 with Resource

use of org.apache.nifi.authorization.Resource in project nifi by apache.

the class TestRangerNiFiAuthorizer method testIntegration.

@Test
@Ignore
public void testIntegration() {
    final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class);
    final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
    Authorizer authorizer = new RangerNiFiAuthorizer();
    try {
        authorizer.initialize(initializationContext);
        authorizer.onConfigured(configurationContext);
        final AuthorizationRequest request = new AuthorizationRequest.Builder().resource(new Resource() {

            @Override
            public String getIdentifier() {
                return "/system";
            }

            @Override
            public String getName() {
                return "/system";
            }

            @Override
            public String getSafeDescription() {
                return "system";
            }
        }).action(RequestAction.WRITE).identity("admin").resourceContext(new HashMap<>()).accessAttempt(true).anonymous(false).build();
        final AuthorizationResult result = authorizer.authorize(request);
        Assert.assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
    } finally {
        authorizer.preDestruction();
    }
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) HashMap(java.util.HashMap) Authorizer(org.apache.nifi.authorization.Authorizer) Resource(org.apache.nifi.authorization.Resource) MockPropertyValue(org.apache.nifi.util.MockPropertyValue) AuthorizerInitializationContext(org.apache.nifi.authorization.AuthorizerInitializationContext) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult) AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext) Ignore(org.junit.Ignore) Test(org.junit.Test)

Example 7 with Resource

use of org.apache.nifi.authorization.Resource in project nifi by apache.

the class Authorizable method checkAuthorization.

/**
 * Returns the result of an authorization request for the specified user for the specified action on the specified
 * resource. This method does not imply the user is directly attempting to access the specified resource. If the user is
 * attempting a direct access use Authorizable.authorize().
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @return is authorized
 */
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    if (user == null) {
        return AuthorizationResult.denied("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(false).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    // perform the authorization
    final AuthorizationResult result = authorizer.authorize(request);
    // verify the results
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            return AuthorizationResult.denied("No applicable policies could be found.");
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            return parentProxy.checkAuthorization(authorizer, action, user, resourceContext);
        }
    } else {
        return result;
    }
}
Also used : AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Resource(org.apache.nifi.authorization.Resource) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 8 with Resource

use of org.apache.nifi.authorization.Resource in project nifi by apache.

the class Authorizable method authorize.

/**
 * Authorizes the current user for the specified action on the specified resource. This method does imply the user is
 * directly accessing the specified resource.
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @param resourceContext resource context
 */
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    final AuthorizationResult result = authorizer.authorize(request);
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
            // audit authorization request
            if (authorizer instanceof AuthorizationAuditor) {
                ((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
            }
            // denied
            throw new AccessDeniedException(failure.getExplanation());
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            parentProxy.authorize(authorizer, action, user, resourceContext);
        }
    } else if (Result.Denied.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) Resource(org.apache.nifi.authorization.Resource) AuthorizationAuditor(org.apache.nifi.authorization.AuthorizationAuditor) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Example 9 with Resource

use of org.apache.nifi.authorization.Resource in project nifi by apache.

the class StandardNiFiServiceFacade method deleteAccessPolicy.

@Override
public AccessPolicyEntity deleteAccessPolicy(final Revision revision, final String accessPolicyId) {
    final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyId);
    final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource());
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyId));
    final Set<TenantEntity> userGroups = accessPolicy != null ? accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()) : null;
    final Set<TenantEntity> users = accessPolicy != null ? accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) : null;
    final AccessPolicyDTO snapshot = deleteComponent(revision, new Resource() {

        @Override
        public String getIdentifier() {
            return accessPolicy.getResource();
        }

        @Override
        public String getName() {
            return accessPolicy.getResource();
        }

        @Override
        public String getSafeDescription() {
            return "Policy " + accessPolicyId;
        }
    }, () -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId), // no need to clean up any policies as it's already been removed above
    false, dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference));
    return entityFactory.createAccessPolicyEntity(snapshot, null, permissions);
}
Also used : ComponentReferenceEntity(org.apache.nifi.web.api.entity.ComponentReferenceEntity) TenantEntity(org.apache.nifi.web.api.entity.TenantEntity) PermissionsDTO(org.apache.nifi.web.api.dto.PermissionsDTO) EnforcePolicyPermissionsThroughBaseResource(org.apache.nifi.authorization.resource.EnforcePolicyPermissionsThroughBaseResource) Resource(org.apache.nifi.authorization.Resource) AccessPolicyDTO(org.apache.nifi.web.api.dto.AccessPolicyDTO) AccessPolicy(org.apache.nifi.authorization.AccessPolicy)

Example 10 with Resource

use of org.apache.nifi.authorization.Resource in project nifi by apache.

the class StandardNiFiServiceFacade method getResources.

@Override
public List<ResourceDTO> getResources() {
    final List<Resource> resources = controllerFacade.getResources();
    final List<ResourceDTO> resourceDtos = new ArrayList<>(resources.size());
    for (final Resource resource : resources) {
        resourceDtos.add(dtoFactory.createResourceDto(resource));
    }
    return resourceDtos;
}
Also used : EnforcePolicyPermissionsThroughBaseResource(org.apache.nifi.authorization.resource.EnforcePolicyPermissionsThroughBaseResource) Resource(org.apache.nifi.authorization.Resource) ArrayList(java.util.ArrayList) ResourceDTO(org.apache.nifi.web.api.dto.ResourceDTO)

Aggregations

Resource (org.apache.nifi.authorization.Resource)14 EnforcePolicyPermissionsThroughBaseResource (org.apache.nifi.authorization.resource.EnforcePolicyPermissionsThroughBaseResource)8 AccessPolicy (org.apache.nifi.authorization.AccessPolicy)7 ArrayList (java.util.ArrayList)6 HashSet (java.util.HashSet)6 RequestAction (org.apache.nifi.authorization.RequestAction)6 HashMap (java.util.HashMap)5 LinkedHashSet (java.util.LinkedHashSet)5 AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)5 AuthorizationResult (org.apache.nifi.authorization.AuthorizationResult)5 IOException (java.io.IOException)4 WebApplicationException (javax.ws.rs.WebApplicationException)4 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)4 ProcessGroup (org.apache.nifi.groups.ProcessGroup)4 RemoteProcessGroup (org.apache.nifi.groups.RemoteProcessGroup)4 VersionedProcessGroup (org.apache.nifi.registry.flow.VersionedProcessGroup)4 Arrays (java.util.Arrays)3 Collection (java.util.Collection)3 Collections (java.util.Collections)3 Comparator (java.util.Comparator)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial