use of org.apache.nifi.authorization.UserAndGroups in project nifi by apache.
the class LdapUserGroupProviderTest method testSearchUsersWithGroupingAndGroupName.
@Test
public void testSearchUsersWithGroupingAndGroupName() throws Exception {
final AuthorizerConfigurationContext configurationContext = getBaseConfiguration(USER_SEARCH_BASE, null);
when(configurationContext.getProperty(PROP_USER_IDENTITY_ATTRIBUTE)).thenReturn(new StandardPropertyValue("uid", null));
// using description in lieu of memberof
when(configurationContext.getProperty(PROP_USER_GROUP_ATTRIBUTE)).thenReturn(new StandardPropertyValue("description", null));
when(configurationContext.getProperty(PROP_GROUP_NAME_ATTRIBUTE)).thenReturn(new StandardPropertyValue("cn", null));
ldapUserGroupProvider.onConfigured(configurationContext);
assertEquals(8, ldapUserGroupProvider.getUsers().size());
assertEquals(2, ldapUserGroupProvider.getGroups().size());
final UserAndGroups userAndGroups = ldapUserGroupProvider.getUserAndGroups("user4");
assertNotNull(userAndGroups.getUser());
assertEquals(1, userAndGroups.getGroups().size());
assertEquals("team1", userAndGroups.getGroups().iterator().next().getName());
}
use of org.apache.nifi.authorization.UserAndGroups in project nifi by apache.
the class TestRangerBasePluginWithPolicies method testPoliciesWithUserGroupProvider.
@Test
public void testPoliciesWithUserGroupProvider() {
// unknown according to user group provider
final String user1 = "user-1";
// known according to user group provider
final String user2 = "user-2";
// unknown according to user group provider
final String group1 = "group-1";
// known according to user group provider
final String group2 = "group-2";
final UserGroupProvider userGroupProvider = new UserGroupProvider() {
@Override
public Set<User> getUsers() throws AuthorizationAccessException {
return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
}
@Override
public User getUser(String identifier) throws AuthorizationAccessException {
final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
if (u2.getIdentifier().equals(identifier)) {
return u2;
} else {
return null;
}
}
@Override
public User getUserByIdentity(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
} else {
return null;
}
}
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
}
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
if (g2.getIdentifier().equals(identifier)) {
return g2;
} else {
return null;
}
}
@Override
public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new UserAndGroups() {
@Override
public User getUser() {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
}
@Override
public Set<Group> getGroups() {
return Collections.EMPTY_SET;
}
};
} else {
return null;
}
}
@Override
public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
}
};
final String resourceIdentifier1 = "/resource-1";
RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
policy1Resources.put(resourceIdentifier1, resource1);
final RangerPolicyItem policy1Item = new RangerPolicyItem();
policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
final RangerPolicy policy1 = new RangerPolicy();
policy1.setResources(policy1Resources);
policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
final String resourceIdentifier2 = "/resource-2";
RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
policy2Resources.put(resourceIdentifier2, resource2);
final RangerPolicyItem policy2Item = new RangerPolicyItem();
policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
final RangerPolicy policy2 = new RangerPolicy();
policy2.setResources(policy2Resources);
policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
final List<RangerPolicy> policies = new ArrayList<>();
policies.add(policy1);
policies.add(policy2);
final RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("nifi");
final ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicies(policies);
servicePolicies.setServiceDef(serviceDef);
// set all the policies in the plugin
final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi", userGroupProvider);
pluginWithPolicies.setPolicies(servicePolicies);
// ensure the two ranger policies converted into 3 nifi access policies
final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
assertEquals(3, accessPolicies.size());
// resource 1 -> read but no write
assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
// read
final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
assertNotNull(readResource1);
assertTrue(accessPolicies.contains(readResource1));
assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
assertTrue(readResource1.getUsers().isEmpty());
assertEquals(1, readResource1.getGroups().size());
assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
// but no write
assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
// resource 2 -> read and write
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
// read
final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(readResource2);
assertTrue(accessPolicies.contains(readResource2));
assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
assertEquals(1, readResource2.getUsers().size());
assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(readResource2.getGroups().isEmpty());
// and write
final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(writeResource2);
assertTrue(accessPolicies.contains(writeResource2));
assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
assertEquals(1, writeResource2.getUsers().size());
assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(writeResource2.getGroups().isEmpty());
}
use of org.apache.nifi.authorization.UserAndGroups in project nifi by apache.
the class UserGroupUtil method getUserGroups.
/**
* Gets the groups for the user with the specified identity. Returns null if the authorizer is not able to load user groups.
*
* @param authorizer the authorizer to load the groups from
* @param userIdentity the user identity
* @return the listing of groups for the user
*/
public static Set<String> getUserGroups(final Authorizer authorizer, final String userIdentity) {
if (authorizer instanceof ManagedAuthorizer) {
final ManagedAuthorizer managedAuthorizer = (ManagedAuthorizer) authorizer;
final UserGroupProvider userGroupProvider = managedAuthorizer.getAccessPolicyProvider().getUserGroupProvider();
final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(userIdentity);
final Set<Group> userGroups = userAndGroups.getGroups();
if (userGroups == null || userGroups.isEmpty()) {
return Collections.EMPTY_SET;
} else {
return userAndGroups.getGroups().stream().map(group -> group.getName()).collect(Collectors.toSet());
}
} else {
return null;
}
}
use of org.apache.nifi.authorization.UserAndGroups in project nifi by apache.
the class LdapUserGroupProviderTest method testSearchUsersWithGroupingNoGroupName.
@Test
public void testSearchUsersWithGroupingNoGroupName() throws Exception {
final AuthorizerConfigurationContext configurationContext = getBaseConfiguration(USER_SEARCH_BASE, null);
when(configurationContext.getProperty(PROP_USER_IDENTITY_ATTRIBUTE)).thenReturn(new StandardPropertyValue("uid", null));
// using description in lieu of memberof
when(configurationContext.getProperty(PROP_USER_GROUP_ATTRIBUTE)).thenReturn(new StandardPropertyValue("description", null));
ldapUserGroupProvider.onConfigured(configurationContext);
assertEquals(8, ldapUserGroupProvider.getUsers().size());
assertEquals(2, ldapUserGroupProvider.getGroups().size());
final UserAndGroups userAndGroups = ldapUserGroupProvider.getUserAndGroups("user4");
assertNotNull(userAndGroups.getUser());
assertEquals(1, userAndGroups.getGroups().size());
assertEquals("cn=team1,ou=groups,o=nifi", userAndGroups.getGroups().iterator().next().getName());
}
Aggregations