Example 86 with Authorizable

Use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

Class StandardNiFiWebConfigurationContext, method saveActions.

@Override
public void saveActions(final NiFiWebRequestContext requestContext, final Collection<ConfigurationAction> configurationActions) {
    Objects.requireNonNull(configurationActions, "Actions cannot be null.");
    // ensure the path could be
    if (requestContext.getExtensionType() == null) {
        throw new IllegalArgumentException("The UI extension type must be specified.");
    }
    Component componentType = null;
    switch(requestContext.getExtensionType()) {
        case ProcessorConfiguration:
            // authorize access
            serviceFacade.authorizeAccess(lookup -> {
                final Authorizable authorizable = lookup.getProcessor(requestContext.getId()).getAuthorizable();
                authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            });
            componentType = Component.Processor;
            break;
        case ControllerServiceConfiguration:
            // authorize access
            serviceFacade.authorizeAccess(lookup -> {
                final Authorizable authorizable = lookup.getControllerService(requestContext.getId()).getAuthorizable();
                authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            });
            componentType = Component.ControllerService;
            break;
        case ReportingTaskConfiguration:
            // authorize access
            serviceFacade.authorizeAccess(lookup -> {
                final Authorizable authorizable = lookup.getReportingTask(requestContext.getId()).getAuthorizable();
                authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            });
            componentType = Component.ReportingTask;
            break;
    }
    if (componentType == null) {
        throw new IllegalArgumentException("UI extension type must support Processor, ControllerService, or ReportingTask configuration.");
    }
    // - when running standalone or cluster ncm - actions from custom UIs are stored locally
    // - clustered nodes do not serve custom UIs directly to users so they should never be invoking this method
    final Date now = new Date();
    final Collection<Action> actions = new HashSet<>(configurationActions.size());
    for (final ConfigurationAction configurationAction : configurationActions) {
        final FlowChangeExtensionDetails extensionDetails = new FlowChangeExtensionDetails();
        extensionDetails.setType(configurationAction.getType());
        final FlowChangeConfigureDetails configureDetails = new FlowChangeConfigureDetails();
        configureDetails.setName(configurationAction.getName());
        configureDetails.setPreviousValue(configurationAction.getPreviousValue());
        configureDetails.setValue(configurationAction.getValue());
        final FlowChangeAction action = new FlowChangeAction();
        action.setTimestamp(now);
        action.setSourceId(configurationAction.getId());
        action.setSourceName(configurationAction.getName());
        action.setSourceType(componentType);
        action.setOperation(Operation.Configure);
        action.setUserIdentity(getCurrentUserIdentity());
        action.setComponentDetails(extensionDetails);
        action.setActionDetails(configureDetails);
        actions.add(action);
    }
    if (!actions.isEmpty()) {
        try {
            // record the operations
            auditService.addActions(actions);
        } catch (final Throwable t) {
            logger.warn("Unable to record actions: " + t.getMessage());
            if (logger.isDebugEnabled()) {
                logger.warn(StringUtils.EMPTY, t);
            }
        }
    }
}
Also used : Action(org.apache.nifi.action.Action) FlowChangeAction(org.apache.nifi.action.FlowChangeAction) RequestAction(org.apache.nifi.authorization.RequestAction) FlowChangeConfigureDetails(org.apache.nifi.action.details.FlowChangeConfigureDetails) FlowChangeExtensionDetails(org.apache.nifi.action.component.details.FlowChangeExtensionDetails) ComponentAuthorizable(org.apache.nifi.authorization.ComponentAuthorizable) Authorizable(org.apache.nifi.authorization.resource.Authorizable) Component(org.apache.nifi.action.Component) Date(java.util.Date) HashSet(java.util.HashSet)

Example 87 with Authorizable

Use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

Class AccessPolicyResource, method getAccessPolicyForResource.

// -----------------
// get access policy
// -----------------
/**
 * Retrieves the specified access policy.
 *
 * @return An accessPolicyEntity.
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{action}/{resource: .+}")
@ApiOperation(value = "Gets an access policy for the specified action and resource", notes = "Will return the effective policy if no component specific policy exists for the specified action and resource. " + "Must have Read permissions to the policy with the desired action and resource. Permissions for the policy that is " + "returned will be indicated in the response. This means the client could be authorized to get the policy for a " + "given component but the effective policy may be inherited from an ancestor Process Group. If the client does not " + "have permissions to that policy, the response will not include the policy and the permissions in the response " + "will be marked accordingly. If the client does not have permissions to the policy of the desired action and resource " + "a 403 response will be returned.", response = AccessPolicyEntity.class, authorizations = { @Authorization(value = "Read - /policies/{resource}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response getAccessPolicyForResource(@ApiParam(value = "The request action.", allowableValues = "read, write", required = true) @PathParam("action") final String action, @ApiParam(value = "The resource of the policy.", required = true) @PathParam("resource") String rawResource) {
    // ensure we're running with a configurable authorizer
    if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER);
    }
    // parse the action and resource type
    final RequestAction requestAction = RequestAction.valueOfValue(action);
    final String resource = "/" + rawResource;
    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }
    // authorize access
    serviceFacade.authorizeAccess(lookup -> {
        final Authorizable accessPolicy = lookup.getAccessPolicyByResource(resource);
        accessPolicy.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    });
    // get the access policy
    final AccessPolicyEntity entity = serviceFacade.getAccessPolicy(requestAction, resource);
    populateRemainingAccessPolicyEntityContent(entity);
    return generateOkResponse(entity).build();
}
Also used : RequestAction(org.apache.nifi.authorization.RequestAction) Authorizable(org.apache.nifi.authorization.resource.Authorizable) AccessPolicyEntity(org.apache.nifi.web.api.entity.AccessPolicyEntity) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 88 with Authorizable

Use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

Class AccessPolicyResource, method createAccessPolicy.

// -----------------------
// manage an access policy
// -----------------------
/**
 * Creates a new access policy.
 *
 * @param httpServletRequest request
 * @param requestAccessPolicyEntity An accessPolicyEntity.
 * @return An accessPolicyEntity.
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Creates an access policy", response = AccessPolicyEntity.class, authorizations = { @Authorization(value = "Write - /policies/{resource}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response createAccessPolicy(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The access policy configuration details.", required = true) final AccessPolicyEntity requestAccessPolicyEntity) {
    // ensure we're running with a configurable authorizer
    if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES);
    }
    if (requestAccessPolicyEntity == null || requestAccessPolicyEntity.getComponent() == null) {
        throw new IllegalArgumentException("Access policy details must be specified.");
    }
    if (requestAccessPolicyEntity.getRevision() == null || (requestAccessPolicyEntity.getRevision().getVersion() == null || requestAccessPolicyEntity.getRevision().getVersion() != 0)) {
        throw new IllegalArgumentException("A revision of 0 must be specified when creating a new Policy.");
    }
    final AccessPolicyDTO requestAccessPolicy = requestAccessPolicyEntity.getComponent();
    if (requestAccessPolicy.getId() != null) {
        throw new IllegalArgumentException("Access policy ID cannot be specified.");
    }
    if (requestAccessPolicy.getResource() == null) {
        throw new IllegalArgumentException("Access policy resource must be specified.");
    }
    // ensure this is a valid action
    RequestAction.valueOfValue(requestAccessPolicy.getAction());
    if (isReplicateRequest()) {
        return replicate(HttpMethod.POST, requestAccessPolicyEntity);
    }
    // handle expects request (usually from the cluster manager)
    return withWriteLock(serviceFacade, requestAccessPolicyEntity, lookup -> {
        final Authorizable accessPolicies = lookup.getAccessPolicyByResource(requestAccessPolicy.getResource());
        accessPolicies.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
    }, null, accessPolicyEntity -> {
        final AccessPolicyDTO accessPolicy = accessPolicyEntity.getComponent();
        // set the access policy id as appropriate
        accessPolicy.setId(generateUuid());
        // get revision from the config
        final RevisionDTO revisionDTO = accessPolicyEntity.getRevision();
        Revision revision = new Revision(revisionDTO.getVersion(), revisionDTO.getClientId(), accessPolicyEntity.getComponent().getId());
        // create the access policy and generate the json
        final AccessPolicyEntity entity = serviceFacade.createAccessPolicy(revision, accessPolicyEntity.getComponent());
        populateRemainingAccessPolicyEntityContent(entity);
        // build the response
        return generateCreatedResponse(URI.create(entity.getUri()), entity).build();
    });
}
Also used : Revision(org.apache.nifi.web.Revision) Authorizable(org.apache.nifi.authorization.resource.Authorizable) AccessPolicyDTO(org.apache.nifi.web.api.dto.AccessPolicyDTO) RevisionDTO(org.apache.nifi.web.api.dto.RevisionDTO) AccessPolicyEntity(org.apache.nifi.web.api.entity.AccessPolicyEntity) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 89 with Authorizable

Use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

Class AccessPolicyResource, method updateAccessPolicy.

/**
 * Updates an access policy.
 *
 * @param httpServletRequest request
 * @param id                 The id of the access policy to update.
 * @param requestAccessPolicyEntity An accessPolicyEntity.
 * @return An accessPolicyEntity.
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(value = "Updates a access policy", response = AccessPolicyEntity.class, authorizations = { @Authorization(value = "Write - /policies/{resource}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response updateAccessPolicy(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The access policy id.", required = true) @PathParam("id") final String id, @ApiParam(value = "The access policy configuration details.", required = true) final AccessPolicyEntity requestAccessPolicyEntity) {
    // ensure we're running with a configurable authorizer
    if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES);
    }
    if (requestAccessPolicyEntity == null || requestAccessPolicyEntity.getComponent() == null) {
        throw new IllegalArgumentException("Access policy details must be specified.");
    }
    if (requestAccessPolicyEntity.getRevision() == null) {
        throw new IllegalArgumentException("Revision must be specified.");
    }
    // ensure the ids are the same
    final AccessPolicyDTO requestAccessPolicyDTO = requestAccessPolicyEntity.getComponent();
    if (!id.equals(requestAccessPolicyDTO.getId())) {
        throw new IllegalArgumentException(String.format("The access policy id (%s) in the request body does not equal the " + "access policy id of the requested resource (%s).", requestAccessPolicyDTO.getId(), id));
    }
    if (isReplicateRequest()) {
        return replicate(HttpMethod.PUT, requestAccessPolicyEntity);
    }
    // Extract the revision
    final Revision requestRevision = getRevision(requestAccessPolicyEntity, id);
    return withWriteLock(serviceFacade, requestAccessPolicyEntity, requestRevision, lookup -> {
        Authorizable authorizable = lookup.getAccessPolicyById(id);
        authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
    }, null, (revision, accessPolicyEntity) -> {
        final AccessPolicyDTO accessPolicyDTO = accessPolicyEntity.getComponent();
        // update the access policy
        final AccessPolicyEntity entity = serviceFacade.updateAccessPolicy(revision, accessPolicyDTO);
        populateRemainingAccessPolicyEntityContent(entity);
        return generateOkResponse(entity).build();
    });
}
Also used : Revision(org.apache.nifi.web.Revision) Authorizable(org.apache.nifi.authorization.resource.Authorizable) AccessPolicyDTO(org.apache.nifi.web.api.dto.AccessPolicyDTO) AccessPolicyEntity(org.apache.nifi.web.api.entity.AccessPolicyEntity) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) PUT(javax.ws.rs.PUT) ApiResponses(io.swagger.annotations.ApiResponses)

Example 90 with Authorizable

Use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

Class ControllerResource, method authorizeController.

/**
 * Authorizes access to the flow.
 */
private void authorizeController(final RequestAction action) {
    serviceFacade.authorizeAccess(lookup -> {
        final Authorizable controller = lookup.getController();
        controller.authorize(authorizer, action, NiFiUserUtils.getNiFiUser());
    });
}
Also used : ComponentAuthorizable(org.apache.nifi.authorization.ComponentAuthorizable) Authorizable(org.apache.nifi.authorization.resource.Authorizable)

Aggregations

Authorizable (org.apache.nifi.authorization.resource.Authorizable) 140
ApiOperation (io.swagger.annotations.ApiOperation) 96
ApiResponses (io.swagger.annotations.ApiResponses) 96
Consumes (javax.ws.rs.Consumes) 96
Produces (javax.ws.rs.Produces) 96
Path (javax.ws.rs.Path) 95
ComponentAuthorizable (org.apache.nifi.authorization.ComponentAuthorizable) 53
GET (javax.ws.rs.GET) 46
Revision (org.apache.nifi.web.Revision) 44
ProcessGroupAuthorizable (org.apache.nifi.authorization.ProcessGroupAuthorizable) 33
SnippetAuthorizable (org.apache.nifi.authorization.SnippetAuthorizable) 28
TemplateContentsAuthorizable (org.apache.nifi.authorization.TemplateContentsAuthorizable) 28
POST (javax.ws.rs.POST) 24
NiFiUser (org.apache.nifi.authorization.user.NiFiUser) 21
ResourceNotFoundException (org.apache.nifi.web.ResourceNotFoundException) 21
DELETE (javax.ws.rs.DELETE) 20
PUT (javax.ws.rs.PUT) 20
RevisionDTO (org.apache.nifi.web.api.dto.RevisionDTO) 19
PositionDTO (org.apache.nifi.web.api.dto.PositionDTO) 18
PortEntity (org.apache.nifi.web.api.entity.PortEntity) 15