Example 11 with AuthorizationAccessException
use of org.apache.nifi.authorization.exception.AuthorizationAccessException in project nifi by apache.
the class StandardManagedAuthorizer method getFingerprint.
@Override
public String getFingerprint() throws AuthorizationAccessException {
XMLStreamWriter writer = null;
final StringWriter out = new StringWriter();
try {
writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
writer.writeStartDocument();
writer.writeStartElement("managedAuthorizations");
writer.writeStartElement(ACCESS_POLICY_PROVIDER_ELEMENT);
if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
writer.writeCharacters(((ConfigurableAccessPolicyProvider) accessPolicyProvider).getFingerprint());
}
writer.writeEndElement();
writer.writeStartElement(USER_GROUP_PROVIDER_ELEMENT);
if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
writer.writeCharacters(((ConfigurableUserGroupProvider) userGroupProvider).getFingerprint());
}
writer.writeEndElement();
writer.writeEndElement();
writer.writeEndDocument();
writer.flush();
} catch (XMLStreamException e) {
throw new AuthorizationAccessException("Unable to generate fingerprint", e);
} finally {
if (writer != null) {
try {
writer.close();
} catch (XMLStreamException e) {
// nothing to do here
}
}
}
return out.toString();
}
Also used :
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
StringWriter(java.io.StringWriter)
XMLStreamException(javax.xml.stream.XMLStreamException)
XMLStreamWriter(javax.xml.stream.XMLStreamWriter)
Example 12 with AuthorizationAccessException
use of org.apache.nifi.authorization.exception.AuthorizationAccessException in project nifi by apache.
the class AuthorizerFactory method installIntegrityChecks.
public static Authorizer installIntegrityChecks(final Authorizer baseAuthorizer) {
Authorizer authorizer;
if (baseAuthorizer instanceof ManagedAuthorizer) {
final ManagedAuthorizer baseManagedAuthorizer = (ManagedAuthorizer) baseAuthorizer;
authorizer = new ManagedAuthorizer() {
@Override
public String getFingerprint() throws AuthorizationAccessException {
return baseManagedAuthorizer.getFingerprint();
}
@Override
public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
baseManagedAuthorizer.inheritFingerprint(fingerprint);
}
@Override
public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
baseManagedAuthorizer.checkInheritability(proposedFingerprint);
}
@Override
public AccessPolicyProvider getAccessPolicyProvider() {
final AccessPolicyProvider baseAccessPolicyProvider = baseManagedAuthorizer.getAccessPolicyProvider();
if (baseAccessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
final ConfigurableAccessPolicyProvider baseConfigurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) baseAccessPolicyProvider;
return new ConfigurableAccessPolicyProvider() {
@Override
public String getFingerprint() throws AuthorizationAccessException {
return baseConfigurableAccessPolicyProvider.getFingerprint();
}
@Override
public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
baseConfigurableAccessPolicyProvider.inheritFingerprint(fingerprint);
}
@Override
public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
baseConfigurableAccessPolicyProvider.checkInheritability(proposedFingerprint);
}
@Override
public AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
if (policyExists(baseConfigurableAccessPolicyProvider, accessPolicy)) {
throw new IllegalStateException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
}
return baseConfigurableAccessPolicyProvider.addAccessPolicy(accessPolicy);
}
@Override
public boolean isConfigurable(AccessPolicy accessPolicy) {
return baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy);
}
@Override
public AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
if (!baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
throw new IllegalArgumentException("The specified access policy is not support modification.");
}
return baseConfigurableAccessPolicyProvider.updateAccessPolicy(accessPolicy);
}
@Override
public AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
if (!baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
throw new IllegalArgumentException("The specified access policy is not support modification.");
}
return baseConfigurableAccessPolicyProvider.deleteAccessPolicy(accessPolicy);
}
@Override
public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
return baseConfigurableAccessPolicyProvider.getAccessPolicies();
}
@Override
public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
return baseConfigurableAccessPolicyProvider.getAccessPolicy(identifier);
}
@Override
public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
return baseConfigurableAccessPolicyProvider.getAccessPolicy(resourceIdentifier, action);
}
@Override
public UserGroupProvider getUserGroupProvider() {
final UserGroupProvider baseUserGroupProvider = baseConfigurableAccessPolicyProvider.getUserGroupProvider();
if (baseUserGroupProvider instanceof ConfigurableUserGroupProvider) {
final ConfigurableUserGroupProvider baseConfigurableUserGroupProvider = (ConfigurableUserGroupProvider) baseUserGroupProvider;
return new ConfigurableUserGroupProvider() {
@Override
public String getFingerprint() throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getFingerprint();
}
@Override
public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
baseConfigurableUserGroupProvider.inheritFingerprint(fingerprint);
}
@Override
public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
baseConfigurableUserGroupProvider.checkInheritability(proposedFingerprint);
}
@Override
public User addUser(User user) throws AuthorizationAccessException {
if (tenantExists(baseConfigurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
}
return baseConfigurableUserGroupProvider.addUser(user);
}
@Override
public boolean isConfigurable(User user) {
return baseConfigurableUserGroupProvider.isConfigurable(user);
}
@Override
public User updateUser(User user) throws AuthorizationAccessException {
if (tenantExists(baseConfigurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
}
if (!baseConfigurableUserGroupProvider.isConfigurable(user)) {
throw new IllegalArgumentException("The specified user does not support modification.");
}
return baseConfigurableUserGroupProvider.updateUser(user);
}
@Override
public User deleteUser(User user) throws AuthorizationAccessException {
if (!baseConfigurableUserGroupProvider.isConfigurable(user)) {
throw new IllegalArgumentException("The specified user does not support modification.");
}
return baseConfigurableUserGroupProvider.deleteUser(user);
}
@Override
public Group addGroup(Group group) throws AuthorizationAccessException {
if (tenantExists(baseConfigurableUserGroupProvider, group.getIdentifier(), group.getName())) {
throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
}
if (!allGroupUsersExist(baseConfigurableUserGroupProvider, group)) {
throw new IllegalStateException(String.format("Cannot create group '%s' with users that don't exist.", group.getName()));
}
return baseConfigurableUserGroupProvider.addGroup(group);
}
@Override
public boolean isConfigurable(Group group) {
return baseConfigurableUserGroupProvider.isConfigurable(group);
}
@Override
public Group updateGroup(Group group) throws AuthorizationAccessException {
if (tenantExists(baseConfigurableUserGroupProvider, group.getIdentifier(), group.getName())) {
throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
}
if (!allGroupUsersExist(baseConfigurableUserGroupProvider, group)) {
throw new IllegalStateException(String.format("Cannot update group '%s' to add users that don't exist.", group.getName()));
}
if (!baseConfigurableUserGroupProvider.isConfigurable(group)) {
throw new IllegalArgumentException("The specified group does not support modification.");
}
return baseConfigurableUserGroupProvider.updateGroup(group);
}
@Override
public Group deleteGroup(Group group) throws AuthorizationAccessException {
if (!baseConfigurableUserGroupProvider.isConfigurable(group)) {
throw new IllegalArgumentException("The specified group does not support modification.");
}
return baseConfigurableUserGroupProvider.deleteGroup(group);
}
@Override
public Set<User> getUsers() throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getUsers();
}
@Override
public User getUser(String identifier) throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getUser(identifier);
}
@Override
public User getUserByIdentity(String identity) throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getUserByIdentity(identity);
}
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getGroups();
}
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getGroup(identifier);
}
@Override
public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
return baseConfigurableUserGroupProvider.getUserAndGroups(identity);
}
@Override
public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
baseConfigurableUserGroupProvider.initialize(initializationContext);
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
baseConfigurableUserGroupProvider.onConfigured(configurationContext);
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
baseConfigurableUserGroupProvider.preDestruction();
}
};
} else {
return baseUserGroupProvider;
}
}
@Override
public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException {
baseConfigurableAccessPolicyProvider.initialize(initializationContext);
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
baseConfigurableAccessPolicyProvider.onConfigured(configurationContext);
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
baseConfigurableAccessPolicyProvider.preDestruction();
}
};
} else {
return baseAccessPolicyProvider;
}
}
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
final AuthorizationResult result = baseAuthorizer.authorize(request);
// audit the authorization request
audit(baseAuthorizer, request, result);
return result;
}
@Override
public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
baseManagedAuthorizer.initialize(initializationContext);
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
baseManagedAuthorizer.onConfigured(configurationContext);
final AccessPolicyProvider accessPolicyProvider = baseManagedAuthorizer.getAccessPolicyProvider();
final UserGroupProvider userGroupProvider = accessPolicyProvider.getUserGroupProvider();
// ensure that only one policy per resource-action exists
for (AccessPolicy accessPolicy : accessPolicyProvider.getAccessPolicies()) {
if (policyExists(accessPolicyProvider, accessPolicy)) {
throw new AuthorizerCreationException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
}
}
// ensure that only one group exists per identity
for (User user : userGroupProvider.getUsers()) {
if (tenantExists(userGroupProvider, user.getIdentifier(), user.getIdentity())) {
throw new AuthorizerCreationException(String.format("Found multiple users/user groups with identity '%s'.", user.getIdentity()));
}
}
// ensure that only one group exists per identity
for (Group group : userGroupProvider.getGroups()) {
if (tenantExists(userGroupProvider, group.getIdentifier(), group.getName())) {
throw new AuthorizerCreationException(String.format("Found multiple users/user groups with name '%s'.", group.getName()));
}
}
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
baseManagedAuthorizer.preDestruction();
}
};
} else {
authorizer = new Authorizer() {
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
final AuthorizationResult result = baseAuthorizer.authorize(request);
// audit the authorization request
audit(baseAuthorizer, request, result);
return result;
}
@Override
public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
baseAuthorizer.initialize(initializationContext);
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
baseAuthorizer.onConfigured(configurationContext);
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
baseAuthorizer.preDestruction();
}
};
}
// conditionally add support for the audit methods
if (baseAuthorizer instanceof AuthorizationAuditor) {
final AuthorizationAuditorInvocationHandler invocationHandler = new AuthorizationAuditorInvocationHandler(authorizer, (AuthorizationAuditor) baseAuthorizer);
final List<Class<?>> interfaceList = ClassUtils.getAllInterfaces(authorizer.getClass());
interfaceList.add(AuthorizationAuditor.class);
final Class<?>[] interfaces = interfaceList.toArray(new Class<?>[interfaceList.size()]);
authorizer = (Authorizer) Proxy.newProxyInstance(authorizer.getClass().getClassLoader(), interfaces, invocationHandler);
}
return authorizer;
}
Also used :
Set(java.util.Set)
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
AuthorizerCreationException(org.apache.nifi.authorization.exception.AuthorizerCreationException)
UninheritableAuthorizationsException(org.apache.nifi.authorization.exception.UninheritableAuthorizationsException)
AuthorizerDestructionException(org.apache.nifi.authorization.exception.AuthorizerDestructionException)
Example 13 with AuthorizationAccessException
use of org.apache.nifi.authorization.exception.AuthorizationAccessException in project nifi by apache.
the class ManagedRangerAuthorizer method parseFingerprint.
private final String parseFingerprint(final String fingerprint) throws AuthorizationAccessException {
final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);
try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
final DocumentBuilder docBuilder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
final Document document = docBuilder.parse(in);
final Element rootElement = document.getDocumentElement();
final NodeList userGroupProviderList = rootElement.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
if (userGroupProviderList.getLength() != 1) {
throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
}
final Node userGroupProvider = userGroupProviderList.item(0);
return userGroupProvider.getTextContent();
} catch (SAXException | ParserConfigurationException | IOException e) {
throw new AuthorizationAccessException("Unable to parse fingerprint", e);
}
}
Also used :
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
Element(org.w3c.dom.Element)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
IOException(java.io.IOException)
Document(org.w3c.dom.Document)
SAXException(org.xml.sax.SAXException)
Example 14 with AuthorizationAccessException
use of org.apache.nifi.authorization.exception.AuthorizationAccessException in project nifi by apache.
the class LdapUserGroupProvider method load.
/**
* Reloads the tenants.
*/
private void load(final ContextSource contextSource) {
// create the ldapTemplate based on the context source. use a single source context to use the same connection
// to support paging when configured
final SingleContextSource singleContextSource = new SingleContextSource(contextSource.getReadOnlyContext());
final LdapTemplate ldapTemplate = new LdapTemplate(singleContextSource);
try {
final List<User> userList = new ArrayList<>();
final List<Group> groupList = new ArrayList<>();
// group dn -> user identifiers lookup
final Map<String, Set<String>> groupToUserIdentifierMappings = new HashMap<>();
// user dn -> user lookup
final Map<String, User> userLookup = new HashMap<>();
if (performUserSearch) {
// search controls
final SearchControls userControls = new SearchControls();
userControls.setSearchScope(userSearchScope.ordinal());
// consider paging support for users
final DirContextProcessor userProcessor;
if (pageSize == null) {
userProcessor = new NullDirContextProcessor();
} else {
userProcessor = new PagedResultsDirContextProcessor(pageSize);
}
// looking for objects matching the user object class
final AndFilter userFilter = new AndFilter();
userFilter.and(new EqualsFilter("objectClass", userObjectClass));
// if a filter has been provided by the user, we add it to the filter
if (StringUtils.isNotBlank(userSearchFilter)) {
userFilter.and(new HardcodedFilter(userSearchFilter));
}
do {
userList.addAll(ldapTemplate.search(userSearchBase, userFilter.encode(), userControls, new AbstractContextMapper<User>() {
@Override
protected User doMapFromContext(DirContextOperations ctx) {
// get the user identity
final String identity = getUserIdentity(ctx);
// build the user
final User user = new User.Builder().identifierGenerateFromSeed(identity).identity(identity).build();
// store the user for group member later
userLookup.put(getReferencedUserValue(ctx), user);
if (StringUtils.isNotBlank(userGroupNameAttribute)) {
final Attribute attributeGroups = ctx.getAttributes().get(userGroupNameAttribute);
if (attributeGroups == null) {
logger.warn("User group name attribute [" + userGroupNameAttribute + "] does not exist. Ignoring group membership.");
} else {
try {
final NamingEnumeration<String> groupValues = (NamingEnumeration<String>) attributeGroups.getAll();
while (groupValues.hasMoreElements()) {
// store the group -> user identifier mapping
groupToUserIdentifierMappings.computeIfAbsent(groupValues.next(), g -> new HashSet<>()).add(user.getIdentifier());
}
} catch (NamingException e) {
throw new AuthorizationAccessException("Error while retrieving user group name attribute [" + userIdentityAttribute + "].");
}
}
}
return user;
}
}, userProcessor));
} while (hasMorePages(userProcessor));
}
if (performGroupSearch) {
final SearchControls groupControls = new SearchControls();
groupControls.setSearchScope(groupSearchScope.ordinal());
// consider paging support for groups
final DirContextProcessor groupProcessor;
if (pageSize == null) {
groupProcessor = new NullDirContextProcessor();
} else {
groupProcessor = new PagedResultsDirContextProcessor(pageSize);
}
// looking for objects matching the group object class
AndFilter groupFilter = new AndFilter();
groupFilter.and(new EqualsFilter("objectClass", groupObjectClass));
// if a filter has been provided by the user, we add it to the filter
if (StringUtils.isNotBlank(groupSearchFilter)) {
groupFilter.and(new HardcodedFilter(groupSearchFilter));
}
do {
groupList.addAll(ldapTemplate.search(groupSearchBase, groupFilter.encode(), groupControls, new AbstractContextMapper<Group>() {
@Override
protected Group doMapFromContext(DirContextOperations ctx) {
final String dn = ctx.getDn().toString();
// get the group identity
final String name = getGroupName(ctx);
// get the value of this group that may associate it to users
final String referencedGroupValue = getReferencedGroupValue(ctx);
if (!StringUtils.isBlank(groupMemberAttribute)) {
Attribute attributeUsers = ctx.getAttributes().get(groupMemberAttribute);
if (attributeUsers == null) {
logger.warn("Group member attribute [" + groupMemberAttribute + "] does not exist. Ignoring group membership.");
} else {
try {
final NamingEnumeration<String> userValues = (NamingEnumeration<String>) attributeUsers.getAll();
while (userValues.hasMoreElements()) {
final String userValue = userValues.next();
if (performUserSearch) {
// find the user by it's referenced attribute and add the identifier to this group
final User user = userLookup.get(userValue);
// ensure the user is known
if (user != null) {
groupToUserIdentifierMappings.computeIfAbsent(referencedGroupValue, g -> new HashSet<>()).add(user.getIdentifier());
} else {
logger.warn(String.format("%s contains member %s but that user was not found while searching users. Ignoring group membership.", name, userValue));
}
} else {
// since performUserSearch is false, then the referenced group attribute must be blank... the user value must be the dn
final String userDn = userValue;
final String userIdentity;
if (useDnForUserIdentity) {
// use the user value to avoid the unnecessary look up
userIdentity = userDn;
} else {
// lookup the user to extract the user identity
userIdentity = getUserIdentity((DirContextAdapter) ldapTemplate.lookup(userDn));
}
// build the user
final User user = new User.Builder().identifierGenerateFromSeed(userIdentity).identity(userIdentity).build();
// add this user
userList.add(user);
groupToUserIdentifierMappings.computeIfAbsent(referencedGroupValue, g -> new HashSet<>()).add(user.getIdentifier());
}
}
} catch (NamingException e) {
throw new AuthorizationAccessException("Error while retrieving group name attribute [" + groupNameAttribute + "].");
}
}
}
// build this group
final Group.Builder groupBuilder = new Group.Builder().identifierGenerateFromSeed(name).name(name);
// add all users that were associated with this referenced group attribute
if (groupToUserIdentifierMappings.containsKey(referencedGroupValue)) {
groupToUserIdentifierMappings.remove(referencedGroupValue).forEach(userIdentifier -> groupBuilder.addUser(userIdentifier));
}
return groupBuilder.build();
}
}, groupProcessor));
} while (hasMorePages(groupProcessor));
// any remaining groupDn's were referenced by a user but not found while searching groups
groupToUserIdentifierMappings.forEach((referencedGroupValue, userIdentifiers) -> {
logger.warn(String.format("[%s] are members of %s but that group was not found while searching users. Ignoring group membership.", StringUtils.join(userIdentifiers, ", "), referencedGroupValue));
});
} else {
// since performGroupSearch is false, then the referenced user attribute must be blank... the group value must be the dn
// groups are not being searched so lookup any groups identified while searching users
groupToUserIdentifierMappings.forEach((groupDn, userIdentifiers) -> {
final String groupName;
if (useDnForGroupName) {
// use the dn to avoid the unnecessary look up
groupName = groupDn;
} else {
groupName = getGroupName((DirContextAdapter) ldapTemplate.lookup(groupDn));
}
// define the group
final Group.Builder groupBuilder = new Group.Builder().identifierGenerateFromSeed(groupName).name(groupName);
// add each user
userIdentifiers.forEach(userIdentifier -> groupBuilder.addUser(userIdentifier));
// build the group
groupList.add(groupBuilder.build());
});
}
// record the updated tenants
tenants.set(new TenantHolder(new HashSet<>(userList), new HashSet<>(groupList)));
} finally {
singleContextSource.destroy();
}
}
Also used :
SSLContext(javax.net.ssl.SSLContext)
AbstractContextMapper(org.springframework.ldap.core.support.AbstractContextMapper)
AndFilter(org.springframework.ldap.filter.AndFilter)
LoggerFactory(org.slf4j.LoggerFactory)
LdapTemplate(org.springframework.ldap.core.LdapTemplate)
NamingException(javax.naming.NamingException)
KeyStoreException(java.security.KeyStoreException)
StringUtils(org.apache.commons.lang3.StringUtils)
PropertyValue(org.apache.nifi.components.PropertyValue)
UserGroupProvider(org.apache.nifi.authorization.UserGroupProvider)
Attribute(javax.naming.directory.Attribute)
Map(java.util.Map)
AuthorizerCreationException(org.apache.nifi.authorization.exception.AuthorizerCreationException)
DirContextAdapter(org.springframework.ldap.core.DirContextAdapter)
ThreadFactory(java.util.concurrent.ThreadFactory)
LdapContextSource(org.springframework.ldap.core.support.LdapContextSource)
Set(java.util.Set)
AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext)
KeyManagementException(java.security.KeyManagementException)
HardcodedFilter(org.springframework.ldap.filter.HardcodedFilter)
Executors(java.util.concurrent.Executors)
User(org.apache.nifi.authorization.User)
UserAndGroups(org.apache.nifi.authorization.UserAndGroups)
List(java.util.List)
ClientAuth(org.apache.nifi.security.util.SslContextFactory.ClientAuth)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
NamingEnumeration(javax.naming.NamingEnumeration)
SingleContextSource(org.springframework.ldap.core.support.SingleContextSource)
UserGroupProviderInitializationContext(org.apache.nifi.authorization.UserGroupProviderInitializationContext)
DirContextOperations(org.springframework.ldap.core.DirContextOperations)
LdapsSocketFactory(org.apache.nifi.ldap.LdapsSocketFactory)
PagedResultsDirContextProcessor(org.springframework.ldap.control.PagedResultsDirContextProcessor)
NullDirContextProcessor(org.springframework.ldap.core.LdapTemplate.NullDirContextProcessor)
DirContextProcessor(org.springframework.ldap.core.DirContextProcessor)
HashMap(java.util.HashMap)
Group(org.apache.nifi.authorization.Group)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
SearchControls(javax.naming.directory.SearchControls)
ArrayList(java.util.ArrayList)
HashSet(java.util.HashSet)
SimpleDirContextAuthenticationStrategy(org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy)
AuthorizerContext(org.apache.nifi.authorization.annotation.AuthorizerContext)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
ScheduledExecutorService(java.util.concurrent.ScheduledExecutorService)
AbstractTlsDirContextAuthenticationStrategy(org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy)
DefaultTlsDirContextAuthenticationStrategy(org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy)
Context(javax.naming.Context)
IdentityMapping(org.apache.nifi.authorization.util.IdentityMapping)
ProviderDestructionException(org.apache.nifi.authentication.exception.ProviderDestructionException)
IdentityMappingUtil(org.apache.nifi.authorization.util.IdentityMappingUtil)
Logger(org.slf4j.Logger)
ContextSource(org.springframework.ldap.core.ContextSource)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TimeUnit(java.util.concurrent.TimeUnit)
EqualsFilter(org.springframework.ldap.filter.EqualsFilter)
ReferralStrategy(org.apache.nifi.ldap.ReferralStrategy)
FormatUtils(org.apache.nifi.util.FormatUtils)
NiFiProperties(org.apache.nifi.util.NiFiProperties)
SslContextFactory(org.apache.nifi.security.util.SslContextFactory)
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
LdapAuthenticationStrategy(org.apache.nifi.ldap.LdapAuthenticationStrategy)
Collections(java.util.Collections)
Group(org.apache.nifi.authorization.Group)
User(org.apache.nifi.authorization.User)
Set(java.util.Set)
HashSet(java.util.HashSet)
HashMap(java.util.HashMap)
Attribute(javax.naming.directory.Attribute)
ArrayList(java.util.ArrayList)
NamingEnumeration(javax.naming.NamingEnumeration)
PagedResultsDirContextProcessor(org.springframework.ldap.control.PagedResultsDirContextProcessor)
NullDirContextProcessor(org.springframework.ldap.core.LdapTemplate.NullDirContextProcessor)
DirContextProcessor(org.springframework.ldap.core.DirContextProcessor)
PagedResultsDirContextProcessor(org.springframework.ldap.control.PagedResultsDirContextProcessor)
LdapTemplate(org.springframework.ldap.core.LdapTemplate)
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
DirContextAdapter(org.springframework.ldap.core.DirContextAdapter)
SearchControls(javax.naming.directory.SearchControls)
NamingException(javax.naming.NamingException)
EqualsFilter(org.springframework.ldap.filter.EqualsFilter)
HashSet(java.util.HashSet)
SingleContextSource(org.springframework.ldap.core.support.SingleContextSource)
NullDirContextProcessor(org.springframework.ldap.core.LdapTemplate.NullDirContextProcessor)
HardcodedFilter(org.springframework.ldap.filter.HardcodedFilter)
AndFilter(org.springframework.ldap.filter.AndFilter)
AbstractContextMapper(org.springframework.ldap.core.support.AbstractContextMapper)
DirContextOperations(org.springframework.ldap.core.DirContextOperations)
Example 15 with AuthorizationAccessException
use of org.apache.nifi.authorization.exception.AuthorizationAccessException in project nifi by apache.
the class AbstractPolicyBasedAuthorizer method getFingerprint.
/**
* Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint will be
* used for comparison to determine if two policy-based authorizers represent a compatible set of users,
* groups, and policies.
*
* @return the fingerprint for this Authorizer
*/
@Override
public final String getFingerprint() throws AuthorizationAccessException {
final List<User> users = getSortedUsers();
final List<Group> groups = getSortedGroups();
final List<AccessPolicy> policies = getSortedAccessPolicies();
XMLStreamWriter writer = null;
final StringWriter out = new StringWriter();
try {
writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
writer.writeStartDocument();
writer.writeStartElement("authorizations");
for (User user : users) {
writeUser(writer, user);
}
for (Group group : groups) {
writeGroup(writer, group);
}
for (AccessPolicy policy : policies) {
writePolicy(writer, policy);
}
writer.writeEndElement();
writer.writeEndDocument();
writer.flush();
} catch (XMLStreamException e) {
throw new AuthorizationAccessException("Unable to generate fingerprint", e);
} finally {
if (writer != null) {
try {
writer.close();
} catch (XMLStreamException e) {
// nothing to do here
}
}
}
return out.toString();
}
Also used :
AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException)
StringWriter(java.io.StringWriter)
XMLStreamException(javax.xml.stream.XMLStreamException)
XMLStreamWriter(javax.xml.stream.XMLStreamWriter)
Aggregations
AuthorizationAccessException (org.apache.nifi.authorization.exception.AuthorizationAccessException)17
IOException (java.io.IOException)7
ArrayList (java.util.ArrayList)6
DocumentBuilder (javax.xml.parsers.DocumentBuilder)6
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)6
ByteArrayInputStream (java.io.ByteArrayInputStream)5
StringWriter (java.io.StringWriter)5
Document (org.w3c.dom.Document)5
Element (org.w3c.dom.Element)5
XMLStreamException (javax.xml.stream.XMLStreamException)4
XMLStreamWriter (javax.xml.stream.XMLStreamWriter)4
AuthorizerCreationException (org.apache.nifi.authorization.exception.AuthorizerCreationException)4
Node (org.w3c.dom.Node)4
NodeList (org.w3c.dom.NodeList)4
SAXException (org.xml.sax.SAXException)4
KeyManagementException (java.security.KeyManagementException)2
KeyStoreException (java.security.KeyStoreException)2
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2
UnrecoverableKeyException (java.security.UnrecoverableKeyException)2
CertificateException (java.security.cert.CertificateException)2
