
Example 1 with Policy

Use of org.apache.nifi.authorization.file.generated.Policy in the project nifi by apache.

From the class FileAccessPolicyProvider, method deleteAccessPolicy.

/**
 * Removes the stored Policy whose identifier matches the given AccessPolicy and persists the change.
 * <p>
 * Only the first matching Policy is removed; when nothing matches the authorizations are left untouched
 * and nothing is written to disk.
 *
 * @param accessPolicy the policy to delete; must not be null
 * @return the given accessPolicy when a matching stored Policy was removed, or null when none matched
 * @throws IllegalArgumentException if accessPolicy is null
 * @throws AuthorizationAccessException declared for the save step (saveAndRefreshHolder) — confirm what raises it
 */
@Override
public synchronized AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }
    final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
    final List<Policy> storedPolicies = authorizations.getPolicies().getPolicy();
    final String targetIdentifier = accessPolicy.getIdentifier();
    // remove only the first Policy carrying the identifier, then persist and hand back the input
    for (int index = 0; index < storedPolicies.size(); index++) {
        if (storedPolicies.get(index).getIdentifier().equals(targetIdentifier)) {
            storedPolicies.remove(index);
            saveAndRefreshHolder(authorizations);
            return accessPolicy;
        }
    }
    // no stored Policy had this identifier, so there is nothing to save
    return null;
}

Example 2 with Policy

Use of org.apache.nifi.authorization.file.generated.Policy in the project nifi by apache.

From the class FileAccessPolicyProvider, method createJAXBPolicy.

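/**
 * Builds the JAXB Policy that is written to the authorizations file from the given AccessPolicy.
 * <p>
 * The action is stored as the same string code (READ_CODE / WRITE_CODE) that addUserToAccessPolicy
 * reads back, and users and groups are copied over by transferUsersAndGroups.
 *
 * @param accessPolicy the policy to convert; its identifier, resource, action, users and groups are read
 * @return a new Policy carrying the identifier, resource, action code, users and groups of accessPolicy
 * @throws IllegalStateException if the action is neither READ nor WRITE, so a Policy with no action is
 *         never handed to the caller and persisted
 */
private Policy createJAXBPolicy(final AccessPolicy accessPolicy) {
    final Policy policy = new Policy();
    policy.setIdentifier(accessPolicy.getIdentifier());
    policy.setResource(accessPolicy.getResource());
    switch (accessPolicy.getAction()) {
        case READ:
            policy.setAction(READ_CODE);
            break;
        case WRITE:
            policy.setAction(WRITE_CODE);
            break;
        default:
            // fail fast rather than silently writing a policy whose action is unset; mirrors the
            // unknown-action handling in addUserToAccessPolicy
            throw new IllegalStateException("Unknown Policy Action: " + accessPolicy.getAction());
    }
    transferUsersAndGroups(accessPolicy, policy);
    return policy;
}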

Example 3 with Policy

Use of org.apache.nifi.authorization.file.generated.Policy in the project nifi by apache.

From the class FileAccessPolicyProvider, method addUserToAccessPolicy.

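/**
 * Creates and adds an access policy for the given resource, identity, and actions to the specified authorizations.
 * <p>
 * If a Policy for the resource and action already exists the user is added to it; otherwise a new Policy is
 * created whose identifier is generated from the seed {@code resource + action}, so the same resource/action
 * pair always yields the same identifier. Adding an identifier that is already on the existing Policy is a
 * no-op, so repeated seeding does not accumulate duplicate user entries.
 *
 * @param authorizations the Authorizations instance to add the policy to
 * @param resource the resource for the policy
 * @param userIdentifier the identifier for the user to add to the policy
 * @param action the action for the policy, expected to be READ_CODE or WRITE_CODE
 * @throws IllegalStateException if no Policy exists yet for the resource and action and the action is
 *         neither READ_CODE nor WRITE_CODE
 */
private void addUserToAccessPolicy(final Authorizations authorizations, final String resource, final String userIdentifier, final String action) {
    // first try to find an existing policy for the given resource and action
    Policy foundPolicy = null;
    for (final Policy policy : authorizations.getPolicies().getPolicy()) {
        if (policy.getResource().equals(resource) && policy.getAction().equals(action)) {
            foundPolicy = policy;
            break;
        }
    }
    if (foundPolicy == null) {
        // if we didn't find an existing policy create a new one
        final String uuidSeed = resource + action;
        final AccessPolicy.Builder builder = new AccessPolicy.Builder().identifierGenerateFromSeed(uuidSeed).resource(resource).addUser(userIdentifier);
        // constant-first comparison so a null action reaches the explicit unknown-action error below
        if (READ_CODE.equals(action)) {
            builder.action(RequestAction.READ);
        } else if (WRITE_CODE.equals(action)) {
            builder.action(RequestAction.WRITE);
        } else {
            throw new IllegalStateException("Unknown Policy Action: " + action);
        }
        final AccessPolicy accessPolicy = builder.build();
        final Policy jaxbPolicy = createJAXBPolicy(accessPolicy);
        authorizations.getPolicies().getPolicy().add(jaxbPolicy);
    } else {
        // otherwise add the user to the existing policy, unless that identifier is already listed on it
        for (final Policy.User existingUser : foundPolicy.getUser()) {
            if (userIdentifier.equals(existingUser.getIdentifier())) {
                return;
            }
        }
        final Policy.User policyUser = new Policy.User();
        policyUser.setIdentifier(userIdentifier);
        foundPolicy.getUser().add(policyUser);
    }
}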

Example 4 with Policy

Use of org.apache.nifi.authorization.file.generated.Policy in the project nifi by apache.

From the class FileAccessPolicyProvider, method convertLegacyAuthorizedUsers.

/**
 * Unmarshalls an existing authorized-users.xml and converts the object model to the new model.
 * <p>
 * Every legacy user must already exist in the configured userGroupProvider (looked up by its mapped DN);
 * a missing user aborts the conversion. Role memberships become the policies mapped for that Role, and
 * per-port user/group access controls become WRITE policies on the port's data-transfer resource, where
 * unknown users or groups are logged and skipped rather than failing the conversion. All new policies
 * are collected in a local list and appended to {@code authorizations} only at the very end.
 *
 * @param authorizations the current Authorizations instance that policies will be added to
 * @throws AuthorizerCreationException if the legacy authorized users file that was provided does not exist,
 *         or a legacy user cannot be found in the user group provider
 * @throws JAXBException if the legacy authorized users file that was provided could not be unmarshalled
 */
private void convertLegacyAuthorizedUsers(final Authorizations authorizations) throws AuthorizerCreationException, JAXBException {
    final File authorizedUsersFile = new File(legacyAuthorizedUsersFile);
    if (!authorizedUsersFile.exists()) {
        throw new AuthorizerCreationException("Legacy Authorized Users File '" + legacyAuthorizedUsersFile + "' does not exists");
    }
    // unmarshal against the users schema so a structurally invalid legacy file is rejected up front
    final Unmarshaller unmarshaller = JAXB_USERS_CONTEXT.createUnmarshaller();
    unmarshaller.setSchema(usersSchema);
    final XMLStreamReader xsr;
    try {
        // NOTE(review): the helper name suggests a hardened (entity-restricted) reader is used for this
        // on-disk XML; confirm the exact parser settings in XmlUtils
        xsr = XmlUtils.createSafeReader(new StreamSource(authorizedUsersFile));
    } catch (XMLStreamException e) {
        logger.error("Encountered an error reading authorized users file: ", e);
        // re-wrapped so callers only need to handle the declared JAXBException
        throw new JAXBException("Error reading authorized users file", e);
    }
    final JAXBElement<Users> element = unmarshaller.unmarshal(xsr, org.apache.nifi.user.generated.Users.class);
    final org.apache.nifi.user.generated.Users users = element.getValue();
    if (users.getUser().isEmpty()) {
        logger.info("Legacy Authorized Users File contained no users, nothing to convert");
        return;
    }
    // get all the user DNs into a list
    List<String> userIdentities = new ArrayList<>();
    for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) {
        userIdentities.add(IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings));
    }
    // sort the list and pull out the first identity
    // (sorting makes the seed independent of file order; the seed is passed to getOrCreatePolicy,
    // presumably to derive stable policy identifiers — confirm there)
    Collections.sort(userIdentities);
    final String seedIdentity = userIdentities.get(0);
    // create mapping from Role to access policies
    final Map<Role, Set<RoleAccessPolicy>> roleAccessPolicies = RoleAccessPolicy.getMappings(rootGroupId);
    final List<Policy> allPolicies = new ArrayList<>();
    for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) {
        // create the identifier of the new user based on the DN
        final String legacyUserDn = IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings);
        final User user = userGroupProvider.getUserByIdentity(legacyUserDn);
        if (user == null) {
            throw new AuthorizerCreationException("Unable to locate legacy user " + legacyUserDn + " to seed policies.");
        }
        // create policies based on the given role
        for (org.apache.nifi.user.generated.Role jaxbRole : legacyUser.getRole()) {
            // Role.valueOf throws IllegalArgumentException for a role name not in the enum
            Role role = Role.valueOf(jaxbRole.getName());
            // NOTE(review): if getMappings has no entry for this role, policies is null and the loop
            // below throws NullPointerException — confirm every Role is covered by getMappings
            Set<RoleAccessPolicy> policies = roleAccessPolicies.get(role);
            for (RoleAccessPolicy roleAccessPolicy : policies) {
                // get the matching policy, or create a new one
                Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, roleAccessPolicy.getResource(), roleAccessPolicy.getAction());
                // add the user to the policy if it doesn't exist
                addUserToPolicy(user.getIdentifier(), policy);
            }
        }
    }
    // convert any access controls on ports to the appropriate policies
    for (PortDTO portDTO : ports) {
        // anything whose type is not exactly "inputPort" (including a null type) is treated as an output port
        final Resource resource;
        if (portDTO.getType() != null && portDTO.getType().equals("inputPort")) {
            resource = ResourceFactory.getDataTransferResource(ResourceFactory.getComponentResource(ResourceType.InputPort, portDTO.getId(), portDTO.getName()));
        } else {
            resource = ResourceFactory.getDataTransferResource(ResourceFactory.getComponentResource(ResourceType.OutputPort, portDTO.getId(), portDTO.getName()));
        }
        if (portDTO.getUserAccessControl() != null) {
            for (String userAccessControl : portDTO.getUserAccessControl()) {
                // need to perform the identity mapping on the access control so it matches the identities in the User objects
                final String mappedUserAccessControl = IdentityMappingUtil.mapIdentity(userAccessControl, identityMappings);
                final User foundUser = userGroupProvider.getUserByIdentity(mappedUserAccessControl);
                // couldn't find the user matching the access control so log a warning and skip
                if (foundUser == null) {
                    logger.warn("Found port with user access control for {} but no user exists with this identity, skipping...", new Object[] { mappedUserAccessControl });
                    continue;
                }
                // we found the user so create the appropriate policy and add the user to it
                // (port access controls only ever map to a WRITE policy on the data-transfer resource)
                Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, resource.getIdentifier(), WRITE_CODE);
                addUserToPolicy(foundUser.getIdentifier(), policy);
            }
        }
        if (portDTO.getGroupAccessControl() != null) {
            for (String groupAccessControl : portDTO.getGroupAccessControl()) {
                // find a group where the name is the groupAccessControl
                // (group access controls are matched by group name, not by mapped identity)
                Group foundGroup = null;
                for (Group group : userGroupProvider.getGroups()) {
                    if (group.getName().equals(groupAccessControl)) {
                        foundGroup = group;
                        break;
                    }
                }
                // couldn't find the group matching the access control so log a warning and skip
                if (foundGroup == null) {
                    logger.warn("Found port with group access control for {} but no group exists with this name, skipping...", new Object[] { groupAccessControl });
                    continue;
                }
                // we found the group so create the appropriate policy and add all the users to it
                // (the group is added by the identifier derived from its name, not by foundGroup's own id — confirm this is intended)
                Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, resource.getIdentifier(), WRITE_CODE);
                addGroupToPolicy(IdentifierUtil.getIdentifier(groupAccessControl), policy);
            }
        }
    }
    // only now are the converted policies made visible in the shared Authorizations
    authorizations.getPolicies().getPolicy().addAll(allPolicies);
}

Example 5 with Policy

Use of org.apache.nifi.authorization.file.generated.Policy in the project nifi by apache.

From the class FileAccessPolicyProvider, method addAccessPolicy.

/**
 * Persists a new Policy built from the given AccessPolicy and returns the stored form of it.
 * <p>
 * The JAXB Policy is appended to the top-level policy list, the file is saved and the holder refreshed,
 * and the result is looked up by identifier from the refreshed holder rather than echoing the input.
 *
 * @param accessPolicy the policy to add; must not be null
 * @return the AccessPolicy found under accessPolicy's identifier in the refreshed holder
 * @throws IllegalArgumentException if accessPolicy is null
 * @throws AuthorizationAccessException declared for the save step (saveAndRefreshHolder) — confirm what raises it
 */
@Override
public synchronized AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }
    final Authorizations authorizations = authorizationsHolder.get().getAuthorizations();
    // append the JAXB form of the new policy to the top-level list, then write it out and swap in a fresh holder
    authorizations.getPolicies().getPolicy().add(createJAXBPolicy(accessPolicy));
    saveAndRefreshHolder(authorizations);
    // read back from the refreshed holder so the caller sees what was actually persisted
    return authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
