Search in sources :

Example 21 with Authorizable

use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

the class AccessPolicyResource method getAccessPolicy.

/**
 * Retrieves the specified access policy.
 *
 * @param id The id of the access policy to retrieve
 * @return An accessPolicyEntity.
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(value = "Gets an access policy", response = AccessPolicyEntity.class, authorizations = { @Authorization(value = "Read - /policies/{resource}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response getAccessPolicy(@ApiParam(value = "The access policy id.", required = true) @PathParam("id") final String id) {
    // ensure we're running with a configurable authorizer
    if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER);
    }
    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }
    // authorize access
    serviceFacade.authorizeAccess(lookup -> {
        Authorizable authorizable = lookup.getAccessPolicyById(id);
        authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    });
    // get the access policy
    final AccessPolicyEntity entity = serviceFacade.getAccessPolicy(id);
    populateRemainingAccessPolicyEntityContent(entity);
    return generateOkResponse(entity).build();
}
Also used : Authorizable(org.apache.nifi.authorization.resource.Authorizable) AccessPolicyEntity(org.apache.nifi.web.api.entity.AccessPolicyEntity) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 22 with Authorizable

use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

the class AccessPolicyResource method removeAccessPolicy.

/**
 * Removes the specified access policy.
 *
 * @param httpServletRequest request
 * @param version            The revision is used to verify the client is working with
 *                           the latest version of the flow.
 * @param clientId           Optional client id. If the client id is not specified, a
 *                           new one will be generated. This value (whether specified or generated) is
 *                           included in the response.
 * @param id                 The id of the access policy to remove.
 * @return A entity containing the client id and an updated revision.
 */
@DELETE
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(value = "Deletes an access policy", response = AccessPolicyEntity.class, authorizations = { @Authorization(value = "Write - /policies/{resource}"), @Authorization(value = "Write - Policy of the parent resource - /policies/{resource}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response removeAccessPolicy(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The revision is used to verify the client is working with the latest version of the flow.", required = false) @QueryParam(VERSION) final LongParameter version, @ApiParam(value = "If the client id is not specified, new one will be generated. This value (whether specified or generated) is included in the response.", required = false) @QueryParam(CLIENT_ID) @DefaultValue(StringUtils.EMPTY) final ClientIdParameter clientId, @ApiParam(value = "The access policy id.", required = true) @PathParam("id") final String id) {
    // ensure we're running with a configurable authorizer
    if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) {
        throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES);
    }
    if (isReplicateRequest()) {
        return replicate(HttpMethod.DELETE);
    }
    final AccessPolicyEntity requestAccessPolicyEntity = new AccessPolicyEntity();
    requestAccessPolicyEntity.setId(id);
    // handle expects request (usually from the cluster manager)
    final Revision requestRevision = new Revision(version == null ? null : version.getLong(), clientId.getClientId(), id);
    return withWriteLock(serviceFacade, requestAccessPolicyEntity, requestRevision, lookup -> {
        final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
        // ensure write permission to the access policy
        accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
        // ensure write permission to the policy for the parent process group
        accessPolicy.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
    }, null, (revision, accessPolicyEntity) -> {
        // delete the specified access policy
        final AccessPolicyEntity entity = serviceFacade.deleteAccessPolicy(revision, accessPolicyEntity.getId());
        return generateOkResponse(entity).build();
    });
}
Also used : Revision(org.apache.nifi.web.Revision) Authorizable(org.apache.nifi.authorization.resource.Authorizable) AccessPolicyEntity(org.apache.nifi.web.api.entity.AccessPolicyEntity) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 23 with Authorizable

use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

the class ConnectionResource method getConnection.

/**
 * Retrieves the specified connection.
 *
 * @param id The id of the connection.
 * @return A connectionEntity.
 * @throws InterruptedException if interrupted
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("/{id}")
@ApiOperation(value = "Gets a connection", response = ConnectionEntity.class, authorizations = { @Authorization(value = "Read Source - /{component-type}/{uuid}"), @Authorization(value = "Read Destination - /{component-type}/{uuid}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response getConnection(@ApiParam(value = "The connection id.", required = true) @PathParam("id") final String id) throws InterruptedException {
    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }
    // authorize access
    serviceFacade.authorizeAccess(lookup -> {
        // ensure read access to this connection (checks source and destination)
        final Authorizable authorizable = lookup.getConnection(id).getAuthorizable();
        authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    });
    // get the specified relationship
    ConnectionEntity entity = serviceFacade.getConnection(id);
    populateRemainingConnectionEntityContent(entity);
    // generate the response
    return generateOkResponse(entity).build();
}
Also used : Authorizable(org.apache.nifi.authorization.resource.Authorizable) ConnectionAuthorizable(org.apache.nifi.authorization.ConnectionAuthorizable) ConnectionEntity(org.apache.nifi.web.api.entity.ConnectionEntity) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 24 with Authorizable

use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

the class ConnectionResource method deleteConnection.

/**
 * Removes the specified connection.
 *
 * @param httpServletRequest request
 * @param version            The revision is used to verify the client is working with the latest version of the flow.
 * @param clientId           Optional client id. If the client id is not specified, a new one will be generated. This value (whether specified or generated) is included in the response.
 * @param id                 The id of the connection.
 * @return An Entity containing the client id and an updated revision.
 * @throws InterruptedException if interrupted
 */
@DELETE
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("/{id}")
@ApiOperation(value = "Deletes a connection", response = ConnectionEntity.class, authorizations = { @Authorization(value = "Write Source - /{component-type}/{uuid}"), @Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}"), @Authorization(value = "Write Destination - /{component-type}/{uuid}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response deleteConnection(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The revision is used to verify the client is working with the latest version of the flow.", required = false) @QueryParam(VERSION) final LongParameter version, @ApiParam(value = "If the client id is not specified, new one will be generated. This value (whether specified or generated) is included in the response.", required = false) @QueryParam(CLIENT_ID) @DefaultValue(StringUtils.EMPTY) final ClientIdParameter clientId, @ApiParam(value = "The connection id.", required = true) @PathParam("id") final String id) throws InterruptedException {
    if (isReplicateRequest()) {
        return replicate(HttpMethod.DELETE);
    }
    // determine the specified version
    final Long clientVersion = version == null ? null : version.getLong();
    final Revision requestRevision = new Revision(clientVersion, clientId.getClientId(), id);
    final ConnectionEntity requestConnectionEntity = new ConnectionEntity();
    requestConnectionEntity.setId(id);
    // get the current user
    return withWriteLock(serviceFacade, requestConnectionEntity, requestRevision, lookup -> {
        // verifies write access to the source and destination
        final Authorizable authorizable = lookup.getConnection(id).getAuthorizable();
        // ensure write permission to the connection
        authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
        // ensure write permission to the parent process group
        authorizable.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
    }, () -> serviceFacade.verifyDeleteConnection(id), (revision, connectionEntity) -> {
        // delete the connection
        final ConnectionEntity entity = serviceFacade.deleteConnection(revision, connectionEntity.getId());
        // generate the response
        return generateOkResponse(entity).build();
    });
}
Also used : Revision(org.apache.nifi.web.Revision) Authorizable(org.apache.nifi.authorization.resource.Authorizable) ConnectionAuthorizable(org.apache.nifi.authorization.ConnectionAuthorizable) ConnectionEntity(org.apache.nifi.web.api.entity.ConnectionEntity) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 25 with Authorizable

use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.

the class ConnectionResource method updateConnection.

/**
 * Updates the specified connection.
 *
 * @param httpServletRequest request
 * @param id                 The id of the connection.
 * @param requestConnectionEntity   A connectionEntity.
 * @return A connectionEntity.
 * @throws InterruptedException if interrupted
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/{id}")
@ApiOperation(value = "Updates a connection", response = ConnectionEntity.class, authorizations = { @Authorization(value = "Write Source - /{component-type}/{uuid}"), @Authorization(value = "Write Destination - /{component-type}/{uuid}"), @Authorization(value = "Write New Destination - /{component-type}/{uuid} - if updating Destination"), @Authorization(value = "Write Process Group - /process-groups/{uuid} - if updating Destination") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response updateConnection(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The connection id.", required = true) @PathParam("id") final String id, @ApiParam(value = "The connection configuration details.", required = true) final ConnectionEntity requestConnectionEntity) throws InterruptedException {
    if (requestConnectionEntity == null || requestConnectionEntity.getComponent() == null) {
        throw new IllegalArgumentException("Connection details must be specified.");
    }
    if (requestConnectionEntity.getRevision() == null) {
        throw new IllegalArgumentException("Revision must be specified.");
    }
    // ensure the ids are the same
    final ConnectionDTO requestConnection = requestConnectionEntity.getComponent();
    if (!id.equals(requestConnection.getId())) {
        throw new IllegalArgumentException(String.format("The connection id " + "(%s) in the request body does not equal the connection id of the " + "requested resource (%s).", requestConnection.getId(), id));
    }
    if (requestConnection.getDestination() != null) {
        if (requestConnection.getDestination().getId() == null) {
            throw new IllegalArgumentException("When specifying a destination component, the destination id is required.");
        }
        if (requestConnection.getDestination().getType() == null) {
            throw new IllegalArgumentException("When specifying a destination component, the type of the destination is required.");
        }
    }
    final List<PositionDTO> proposedBends = requestConnection.getBends();
    if (proposedBends != null) {
        for (final PositionDTO proposedBend : proposedBends) {
            if (proposedBend.getX() == null || proposedBend.getY() == null) {
                throw new IllegalArgumentException("The x and y coordinate of the each bend must be specified.");
            }
        }
    }
    if (isReplicateRequest()) {
        return replicate(HttpMethod.PUT, requestConnectionEntity);
    }
    final Revision requestRevision = getRevision(requestConnectionEntity, id);
    return withWriteLock(serviceFacade, requestConnectionEntity, requestRevision, lookup -> {
        // verifies write access to this connection (this checks the current source and destination)
        ConnectionAuthorizable connAuth = lookup.getConnection(id);
        connAuth.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
        // if a destination has been specified and is different
        final Connectable currentDestination = connAuth.getDestination();
        if (requestConnection.getDestination() != null && !currentDestination.getIdentifier().equals(requestConnection.getDestination().getId())) {
            try {
                final ConnectableType destinationConnectableType = ConnectableType.valueOf(requestConnection.getDestination().getType());
                // explicitly handle RPGs differently as the connectable id can be ambiguous if self referencing
                final Authorizable newDestinationAuthorizable;
                if (ConnectableType.REMOTE_INPUT_PORT.equals(destinationConnectableType)) {
                    newDestinationAuthorizable = lookup.getRemoteProcessGroup(requestConnection.getDestination().getGroupId());
                } else {
                    newDestinationAuthorizable = lookup.getLocalConnectable(requestConnection.getDestination().getId());
                }
                // verify access of the new destination (current destination was already authorized as part of the connection check)
                newDestinationAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            } catch (final IllegalArgumentException e) {
                throw new IllegalArgumentException(String.format("Unrecognized destination type %s. Excepted values are [%s]", requestConnection.getDestination().getType(), StringUtils.join(ConnectableType.values(), ", ")));
            }
            // verify access of the parent group (this is the same check that is performed when creating the connection)
            connAuth.getParentGroup().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
        }
    }, () -> serviceFacade.verifyUpdateConnection(requestConnection), (revision, connectionEntity) -> {
        final ConnectionDTO connection = connectionEntity.getComponent();
        final ConnectionEntity entity = serviceFacade.updateConnection(revision, connection);
        populateRemainingConnectionEntityContent(entity);
        // generate the response
        return generateOkResponse(entity).build();
    });
}
Also used : Revision(org.apache.nifi.web.Revision) Connectable(org.apache.nifi.connectable.Connectable) ConnectionDTO(org.apache.nifi.web.api.dto.ConnectionDTO) Authorizable(org.apache.nifi.authorization.resource.Authorizable) ConnectionAuthorizable(org.apache.nifi.authorization.ConnectionAuthorizable) ConnectableType(org.apache.nifi.connectable.ConnectableType) ConnectionAuthorizable(org.apache.nifi.authorization.ConnectionAuthorizable) ConnectionEntity(org.apache.nifi.web.api.entity.ConnectionEntity) PositionDTO(org.apache.nifi.web.api.dto.PositionDTO) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) PUT(javax.ws.rs.PUT) ApiResponses(io.swagger.annotations.ApiResponses)

Aggregations

Authorizable (org.apache.nifi.authorization.resource.Authorizable)140 ApiOperation (io.swagger.annotations.ApiOperation)96 ApiResponses (io.swagger.annotations.ApiResponses)96 Consumes (javax.ws.rs.Consumes)96 Produces (javax.ws.rs.Produces)96 Path (javax.ws.rs.Path)95 ComponentAuthorizable (org.apache.nifi.authorization.ComponentAuthorizable)53 GET (javax.ws.rs.GET)46 Revision (org.apache.nifi.web.Revision)44 ProcessGroupAuthorizable (org.apache.nifi.authorization.ProcessGroupAuthorizable)33 SnippetAuthorizable (org.apache.nifi.authorization.SnippetAuthorizable)28 TemplateContentsAuthorizable (org.apache.nifi.authorization.TemplateContentsAuthorizable)28 POST (javax.ws.rs.POST)24 NiFiUser (org.apache.nifi.authorization.user.NiFiUser)21 ResourceNotFoundException (org.apache.nifi.web.ResourceNotFoundException)21 DELETE (javax.ws.rs.DELETE)20 PUT (javax.ws.rs.PUT)20 RevisionDTO (org.apache.nifi.web.api.dto.RevisionDTO)19 PositionDTO (org.apache.nifi.web.api.dto.PositionDTO)18 PortEntity (org.apache.nifi.web.api.entity.PortEntity)15