Search in sources :

Example 1 with AuthorizerDestructionException

use of org.apache.nifi.authorization.exception.AuthorizerDestructionException in project nifi by apache.

the class RangerNiFiAuthorizer method preDestruction.

@Override
public void preDestruction() throws AuthorizerDestructionException {
    if (nifiPlugin != null) {
        try {
            nifiPlugin.cleanup();
            nifiPlugin = null;
        } catch (Throwable t) {
            throw new AuthorizerDestructionException("Error cleaning up RangerBasePlugin", t);
        }
    }
}
Also used : AuthorizerDestructionException(org.apache.nifi.authorization.exception.AuthorizerDestructionException)

Example 2 with AuthorizerDestructionException

use of org.apache.nifi.authorization.exception.AuthorizerDestructionException in project nifi by apache.

the class AuthorizerFactory method installIntegrityChecks.

public static Authorizer installIntegrityChecks(final Authorizer baseAuthorizer) {
    Authorizer authorizer;
    if (baseAuthorizer instanceof ManagedAuthorizer) {
        final ManagedAuthorizer baseManagedAuthorizer = (ManagedAuthorizer) baseAuthorizer;
        authorizer = new ManagedAuthorizer() {

            @Override
            public String getFingerprint() throws AuthorizationAccessException {
                return baseManagedAuthorizer.getFingerprint();
            }

            @Override
            public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
                baseManagedAuthorizer.inheritFingerprint(fingerprint);
            }

            @Override
            public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
                baseManagedAuthorizer.checkInheritability(proposedFingerprint);
            }

            @Override
            public AccessPolicyProvider getAccessPolicyProvider() {
                final AccessPolicyProvider baseAccessPolicyProvider = baseManagedAuthorizer.getAccessPolicyProvider();
                if (baseAccessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
                    final ConfigurableAccessPolicyProvider baseConfigurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) baseAccessPolicyProvider;
                    return new ConfigurableAccessPolicyProvider() {

                        @Override
                        public String getFingerprint() throws AuthorizationAccessException {
                            return baseConfigurableAccessPolicyProvider.getFingerprint();
                        }

                        @Override
                        public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
                            baseConfigurableAccessPolicyProvider.inheritFingerprint(fingerprint);
                        }

                        @Override
                        public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
                            baseConfigurableAccessPolicyProvider.checkInheritability(proposedFingerprint);
                        }

                        @Override
                        public AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                            if (policyExists(baseConfigurableAccessPolicyProvider, accessPolicy)) {
                                throw new IllegalStateException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
                            }
                            return baseConfigurableAccessPolicyProvider.addAccessPolicy(accessPolicy);
                        }

                        @Override
                        public boolean isConfigurable(AccessPolicy accessPolicy) {
                            return baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy);
                        }

                        @Override
                        public AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                            if (!baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
                                throw new IllegalArgumentException("The specified access policy is not support modification.");
                            }
                            return baseConfigurableAccessPolicyProvider.updateAccessPolicy(accessPolicy);
                        }

                        @Override
                        public AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                            if (!baseConfigurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
                                throw new IllegalArgumentException("The specified access policy is not support modification.");
                            }
                            return baseConfigurableAccessPolicyProvider.deleteAccessPolicy(accessPolicy);
                        }

                        @Override
                        public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
                            return baseConfigurableAccessPolicyProvider.getAccessPolicies();
                        }

                        @Override
                        public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
                            return baseConfigurableAccessPolicyProvider.getAccessPolicy(identifier);
                        }

                        @Override
                        public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
                            return baseConfigurableAccessPolicyProvider.getAccessPolicy(resourceIdentifier, action);
                        }

                        @Override
                        public UserGroupProvider getUserGroupProvider() {
                            final UserGroupProvider baseUserGroupProvider = baseConfigurableAccessPolicyProvider.getUserGroupProvider();
                            if (baseUserGroupProvider instanceof ConfigurableUserGroupProvider) {
                                final ConfigurableUserGroupProvider baseConfigurableUserGroupProvider = (ConfigurableUserGroupProvider) baseUserGroupProvider;
                                return new ConfigurableUserGroupProvider() {

                                    @Override
                                    public String getFingerprint() throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getFingerprint();
                                    }

                                    @Override
                                    public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
                                        baseConfigurableUserGroupProvider.inheritFingerprint(fingerprint);
                                    }

                                    @Override
                                    public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
                                        baseConfigurableUserGroupProvider.checkInheritability(proposedFingerprint);
                                    }

                                    @Override
                                    public User addUser(User user) throws AuthorizationAccessException {
                                        if (tenantExists(baseConfigurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
                                            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
                                        }
                                        return baseConfigurableUserGroupProvider.addUser(user);
                                    }

                                    @Override
                                    public boolean isConfigurable(User user) {
                                        return baseConfigurableUserGroupProvider.isConfigurable(user);
                                    }

                                    @Override
                                    public User updateUser(User user) throws AuthorizationAccessException {
                                        if (tenantExists(baseConfigurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
                                            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
                                        }
                                        if (!baseConfigurableUserGroupProvider.isConfigurable(user)) {
                                            throw new IllegalArgumentException("The specified user does not support modification.");
                                        }
                                        return baseConfigurableUserGroupProvider.updateUser(user);
                                    }

                                    @Override
                                    public User deleteUser(User user) throws AuthorizationAccessException {
                                        if (!baseConfigurableUserGroupProvider.isConfigurable(user)) {
                                            throw new IllegalArgumentException("The specified user does not support modification.");
                                        }
                                        return baseConfigurableUserGroupProvider.deleteUser(user);
                                    }

                                    @Override
                                    public Group addGroup(Group group) throws AuthorizationAccessException {
                                        if (tenantExists(baseConfigurableUserGroupProvider, group.getIdentifier(), group.getName())) {
                                            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
                                        }
                                        if (!allGroupUsersExist(baseConfigurableUserGroupProvider, group)) {
                                            throw new IllegalStateException(String.format("Cannot create group '%s' with users that don't exist.", group.getName()));
                                        }
                                        return baseConfigurableUserGroupProvider.addGroup(group);
                                    }

                                    @Override
                                    public boolean isConfigurable(Group group) {
                                        return baseConfigurableUserGroupProvider.isConfigurable(group);
                                    }

                                    @Override
                                    public Group updateGroup(Group group) throws AuthorizationAccessException {
                                        if (tenantExists(baseConfigurableUserGroupProvider, group.getIdentifier(), group.getName())) {
                                            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
                                        }
                                        if (!allGroupUsersExist(baseConfigurableUserGroupProvider, group)) {
                                            throw new IllegalStateException(String.format("Cannot update group '%s' to add users that don't exist.", group.getName()));
                                        }
                                        if (!baseConfigurableUserGroupProvider.isConfigurable(group)) {
                                            throw new IllegalArgumentException("The specified group does not support modification.");
                                        }
                                        return baseConfigurableUserGroupProvider.updateGroup(group);
                                    }

                                    @Override
                                    public Group deleteGroup(Group group) throws AuthorizationAccessException {
                                        if (!baseConfigurableUserGroupProvider.isConfigurable(group)) {
                                            throw new IllegalArgumentException("The specified group does not support modification.");
                                        }
                                        return baseConfigurableUserGroupProvider.deleteGroup(group);
                                    }

                                    @Override
                                    public Set<User> getUsers() throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getUsers();
                                    }

                                    @Override
                                    public User getUser(String identifier) throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getUser(identifier);
                                    }

                                    @Override
                                    public User getUserByIdentity(String identity) throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getUserByIdentity(identity);
                                    }

                                    @Override
                                    public Set<Group> getGroups() throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getGroups();
                                    }

                                    @Override
                                    public Group getGroup(String identifier) throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getGroup(identifier);
                                    }

                                    @Override
                                    public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
                                        return baseConfigurableUserGroupProvider.getUserAndGroups(identity);
                                    }

                                    @Override
                                    public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
                                        baseConfigurableUserGroupProvider.initialize(initializationContext);
                                    }

                                    @Override
                                    public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
                                        baseConfigurableUserGroupProvider.onConfigured(configurationContext);
                                    }

                                    @Override
                                    public void preDestruction() throws AuthorizerDestructionException {
                                        baseConfigurableUserGroupProvider.preDestruction();
                                    }
                                };
                            } else {
                                return baseUserGroupProvider;
                            }
                        }

                        @Override
                        public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException {
                            baseConfigurableAccessPolicyProvider.initialize(initializationContext);
                        }

                        @Override
                        public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
                            baseConfigurableAccessPolicyProvider.onConfigured(configurationContext);
                        }

                        @Override
                        public void preDestruction() throws AuthorizerDestructionException {
                            baseConfigurableAccessPolicyProvider.preDestruction();
                        }
                    };
                } else {
                    return baseAccessPolicyProvider;
                }
            }

            @Override
            public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
                final AuthorizationResult result = baseAuthorizer.authorize(request);
                // audit the authorization request
                audit(baseAuthorizer, request, result);
                return result;
            }

            @Override
            public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
                baseManagedAuthorizer.initialize(initializationContext);
            }

            @Override
            public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
                baseManagedAuthorizer.onConfigured(configurationContext);
                final AccessPolicyProvider accessPolicyProvider = baseManagedAuthorizer.getAccessPolicyProvider();
                final UserGroupProvider userGroupProvider = accessPolicyProvider.getUserGroupProvider();
                // ensure that only one policy per resource-action exists
                for (AccessPolicy accessPolicy : accessPolicyProvider.getAccessPolicies()) {
                    if (policyExists(accessPolicyProvider, accessPolicy)) {
                        throw new AuthorizerCreationException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
                    }
                }
                // ensure that only one group exists per identity
                for (User user : userGroupProvider.getUsers()) {
                    if (tenantExists(userGroupProvider, user.getIdentifier(), user.getIdentity())) {
                        throw new AuthorizerCreationException(String.format("Found multiple users/user groups with identity '%s'.", user.getIdentity()));
                    }
                }
                // ensure that only one group exists per identity
                for (Group group : userGroupProvider.getGroups()) {
                    if (tenantExists(userGroupProvider, group.getIdentifier(), group.getName())) {
                        throw new AuthorizerCreationException(String.format("Found multiple users/user groups with name '%s'.", group.getName()));
                    }
                }
            }

            @Override
            public void preDestruction() throws AuthorizerDestructionException {
                baseManagedAuthorizer.preDestruction();
            }
        };
    } else {
        authorizer = new Authorizer() {

            @Override
            public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
                final AuthorizationResult result = baseAuthorizer.authorize(request);
                // audit the authorization request
                audit(baseAuthorizer, request, result);
                return result;
            }

            @Override
            public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
                baseAuthorizer.initialize(initializationContext);
            }

            @Override
            public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
                baseAuthorizer.onConfigured(configurationContext);
            }

            @Override
            public void preDestruction() throws AuthorizerDestructionException {
                baseAuthorizer.preDestruction();
            }
        };
    }
    // conditionally add support for the audit methods
    if (baseAuthorizer instanceof AuthorizationAuditor) {
        final AuthorizationAuditorInvocationHandler invocationHandler = new AuthorizationAuditorInvocationHandler(authorizer, (AuthorizationAuditor) baseAuthorizer);
        final List<Class<?>> interfaceList = ClassUtils.getAllInterfaces(authorizer.getClass());
        interfaceList.add(AuthorizationAuditor.class);
        final Class<?>[] interfaces = interfaceList.toArray(new Class<?>[interfaceList.size()]);
        authorizer = (Authorizer) Proxy.newProxyInstance(authorizer.getClass().getClassLoader(), interfaces, invocationHandler);
    }
    return authorizer;
}
Also used : Set(java.util.Set) AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException) AuthorizerCreationException(org.apache.nifi.authorization.exception.AuthorizerCreationException) UninheritableAuthorizationsException(org.apache.nifi.authorization.exception.UninheritableAuthorizationsException) AuthorizerDestructionException(org.apache.nifi.authorization.exception.AuthorizerDestructionException)

Example 3 with AuthorizerDestructionException

use of org.apache.nifi.authorization.exception.AuthorizerDestructionException in project nifi-minifi by apache.

the class MiNiFiServer method start.

public void start() {
    try {
        logger.info("Loading Flow...");
        FlowFileEventRepository flowFileEventRepository = new RingBufferEventRepository(5);
        AuditService auditService = new StandardAuditService();
        Authorizer authorizer = new Authorizer() {

            @Override
            public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
                return AuthorizationResult.approved();
            }

            @Override
            public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
            // do nothing
            }

            @Override
            public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
            // do nothing
            }

            @Override
            public void preDestruction() throws AuthorizerDestructionException {
            // do nothing
            }
        };
        final String sensitivePropAlgorithmVal = props.getProperty(StringEncryptor.NF_SENSITIVE_PROPS_ALGORITHM);
        final String sensitivePropProviderVal = props.getProperty(StringEncryptor.NF_SENSITIVE_PROPS_PROVIDER);
        final String sensitivePropValueNifiPropVar = props.getProperty(StringEncryptor.NF_SENSITIVE_PROPS_KEY, DEFAULT_SENSITIVE_PROPS_KEY);
        StringEncryptor encryptor = StringEncryptor.createEncryptor(sensitivePropAlgorithmVal, sensitivePropProviderVal, sensitivePropValueNifiPropVar);
        VariableRegistry variableRegistry = new FileBasedVariableRegistry(props.getVariableRegistryPropertiesPaths());
        BulletinRepository bulletinRepository = new VolatileBulletinRepository();
        FlowController flowController = FlowController.createStandaloneInstance(flowFileEventRepository, props, authorizer, auditService, encryptor, bulletinRepository, variableRegistry, new StandardFlowRegistryClient());
        flowService = StandardFlowService.createStandaloneInstance(flowController, props, encryptor, // revision manager
        null, authorizer);
        // start and load the flow
        flowService.start();
        flowService.load(null);
        flowController.onFlowInitialized(true);
        flowController.getGroup(flowController.getRootGroupId()).startProcessing();
        this.flowController = flowController;
        logger.info("Flow loaded successfully.");
    } catch (Exception e) {
        // ensure the flow service is terminated
        if (flowService != null && flowService.isRunning()) {
            flowService.stop(false);
        }
        startUpFailure(new Exception("Unable to load flow due to: " + e, e));
    }
}
Also used : VolatileBulletinRepository(org.apache.nifi.events.VolatileBulletinRepository) VolatileBulletinRepository(org.apache.nifi.events.VolatileBulletinRepository) BulletinRepository(org.apache.nifi.reporting.BulletinRepository) AuthorizationRequest(org.apache.nifi.authorization.AuthorizationRequest) FileBasedVariableRegistry(org.apache.nifi.util.FileBasedVariableRegistry) VariableRegistry(org.apache.nifi.registry.VariableRegistry) StatusRequestException(org.apache.nifi.minifi.status.StatusRequestException) AuthorizerCreationException(org.apache.nifi.authorization.exception.AuthorizerCreationException) AuthorizerDestructionException(org.apache.nifi.authorization.exception.AuthorizerDestructionException) AuthorizationAccessException(org.apache.nifi.authorization.exception.AuthorizationAccessException) RingBufferEventRepository(org.apache.nifi.controller.repository.metrics.RingBufferEventRepository) FlowFileEventRepository(org.apache.nifi.controller.repository.FlowFileEventRepository) Authorizer(org.apache.nifi.authorization.Authorizer) StringEncryptor(org.apache.nifi.encrypt.StringEncryptor) FlowController(org.apache.nifi.controller.FlowController) AuthorizerInitializationContext(org.apache.nifi.authorization.AuthorizerInitializationContext) StandardFlowRegistryClient(org.apache.nifi.registry.flow.StandardFlowRegistryClient) StandardAuditService(org.apache.nifi.admin.service.impl.StandardAuditService) AuditService(org.apache.nifi.admin.service.AuditService) StandardAuditService(org.apache.nifi.admin.service.impl.StandardAuditService) AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext) FileBasedVariableRegistry(org.apache.nifi.util.FileBasedVariableRegistry)

Aggregations

AuthorizerDestructionException (org.apache.nifi.authorization.exception.AuthorizerDestructionException)3 AuthorizationAccessException (org.apache.nifi.authorization.exception.AuthorizationAccessException)2 AuthorizerCreationException (org.apache.nifi.authorization.exception.AuthorizerCreationException)2 Set (java.util.Set)1 AuditService (org.apache.nifi.admin.service.AuditService)1 StandardAuditService (org.apache.nifi.admin.service.impl.StandardAuditService)1 AuthorizationRequest (org.apache.nifi.authorization.AuthorizationRequest)1 Authorizer (org.apache.nifi.authorization.Authorizer)1 AuthorizerConfigurationContext (org.apache.nifi.authorization.AuthorizerConfigurationContext)1 AuthorizerInitializationContext (org.apache.nifi.authorization.AuthorizerInitializationContext)1 UninheritableAuthorizationsException (org.apache.nifi.authorization.exception.UninheritableAuthorizationsException)1 FlowController (org.apache.nifi.controller.FlowController)1 FlowFileEventRepository (org.apache.nifi.controller.repository.FlowFileEventRepository)1 RingBufferEventRepository (org.apache.nifi.controller.repository.metrics.RingBufferEventRepository)1 StringEncryptor (org.apache.nifi.encrypt.StringEncryptor)1 VolatileBulletinRepository (org.apache.nifi.events.VolatileBulletinRepository)1 StatusRequestException (org.apache.nifi.minifi.status.StatusRequestException)1 VariableRegistry (org.apache.nifi.registry.VariableRegistry)1 StandardFlowRegistryClient (org.apache.nifi.registry.flow.StandardFlowRegistryClient)1 BulletinRepository (org.apache.nifi.reporting.BulletinRepository)1