use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.
the class FlowFileQueueResource method removeDropRequest.
/**
* Deletes the specified drop request.
*
* @param httpServletRequest request
* @param connectionId The connection id
* @param dropRequestId The drop request id
* @return A dropRequestEntity
*/
@DELETE
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}/drop-requests/{drop-request-id}")
@ApiOperation(
        value = "Cancels and/or removes a request to drop the contents of this connection.",
        response = DropRequestEntity.class,
        authorizations = {
                @Authorization(value = "Write Source Data - /data/{component-type}/{uuid}")
        }
)
@ApiResponses(
        value = {
                @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                @ApiResponse(code = 401, message = "Client could not be authenticated."),
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 404, message = "The specified resource could not be found."),
                @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
        }
)
public Response removeDropRequest(
        @Context final HttpServletRequest httpServletRequest,
        @ApiParam(value = "The connection id.", required = true)
        @PathParam("id") final String connectionId,
        @ApiParam(value = "The drop request id.", required = true)
        @PathParam("drop-request-id") final String dropRequestId) {

    // When isReplicateRequest() reports true the call is handed to replicate(...) and nothing below runs here.
    // NOTE(review): that branch returns before the authorization callback below; confirm the replicated
    // request is authorized wherever it is ultimately handled.
    if (isReplicateRequest()) {
        return replicate(HttpMethod.DELETE);
    }

    final DropEntity requestedDrop = new DropEntity(connectionId, dropRequestId);

    return withWriteLock(
            serviceFacade,
            requestedDrop,
            authorizableLookup -> {
                // the caller needs WRITE on the source data of the connection, not merely on the connection
                final ConnectionAuthorizable connection = authorizableLookup.getConnection(connectionId);
                final Authorizable sourceData = connection.getSourceData();
                sourceData.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
            },
            // no verification callback is supplied for removing a drop request
            null,
            lockedDrop -> {
                // remove the drop request and point its URI at this resource
                final DropRequestDTO removedRequest =
                        serviceFacade.deleteFlowFileDropRequest(lockedDrop.getConnectionId(), lockedDrop.getDropRequestId());
                removedRequest.setUri(
                        generateResourceUri("flowfile-queues", lockedDrop.getConnectionId(), "drop-requests", lockedDrop.getDropRequestId()));

                // wrap the DTO for the response
                final DropRequestEntity responseEntity = new DropRequestEntity();
                responseEntity.setDropRequest(removedRequest);
                return generateOkResponse(responseEntity).build();
            });
}
use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.
the class FlowFileQueueResource method createFlowFileListing.
/**
* Creates a request to list the flowfiles in the queue of the specified connection.
*
* @param httpServletRequest request
* @param id The id of the connection
* @return A listRequestEntity
*/
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}/listing-requests")
@ApiOperation(
        value = "Lists the contents of the queue in this connection.",
        response = ListingRequestEntity.class,
        authorizations = {
                @Authorization(value = "Read Source Data - /data/{component-type}/{uuid}")
        }
)
@ApiResponses(
        value = {
                @ApiResponse(code = 202, message = "The request has been accepted. A HTTP response header will contain the URI where the response can be polled."),
                @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                @ApiResponse(code = 401, message = "Client could not be authenticated."),
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 404, message = "The specified resource could not be found."),
                @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
        }
)
public Response createFlowFileListing(
        @Context final HttpServletRequest httpServletRequest,
        @ApiParam(value = "The connection id.", required = true)
        @PathParam("id") final String id) {

    // When isReplicateRequest() reports true the call is handed to replicate(...) and nothing below runs here.
    if (isReplicateRequest()) {
        return replicate(HttpMethod.POST);
    }

    // carrier entity that only holds the connection id from the path
    final ConnectionEntity connectionFromPath = new ConnectionEntity();
    connectionFromPath.setId(id);

    return withWriteLock(
            serviceFacade,
            connectionFromPath,
            authorizableLookup -> {
                // listing queue contents requires READ on the connection's source data
                final ConnectionAuthorizable connection = authorizableLookup.getConnection(id);
                final Authorizable sourceData = connection.getSourceData();
                sourceData.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
            },
            () -> serviceFacade.verifyListQueue(id),
            lockedConnection -> {
                // the listing request id is generated through generateUuid() so it matches across the cluster
                final String newListingId = generateUuid();

                // submit the listing request and fill in the remaining content
                final ListingRequestDTO submittedListing =
                        serviceFacade.createFlowFileListingRequest(lockedConnection.getId(), newListingId);
                populateRemainingFlowFileListingContent(lockedConnection.getId(), submittedListing);

                // wrap the DTO for the response
                final ListingRequestEntity responseEntity = new ListingRequestEntity();
                responseEntity.setListingRequest(submittedListing);

                // 202 Accepted, with the Location header pointing at the listing request's URI
                final URI pollingLocation = URI.create(submittedListing.getUri());
                return Response.status(Status.ACCEPTED).location(pollingLocation).entity(responseEntity).build();
            });
}
use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.
the class FlowResource method getComponentHistory.
/**
* Gets the actions for the specified component.
*
* @param componentId The id of the component.
* @return A processorHistoryEntity.
*/
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("history/components/{componentId}")
@ApiOperation(value = "Gets configuration history for a component", notes = NON_GUARANTEED_ENDPOINT, response = ComponentHistoryEntity.class, authorizations = { @Authorization(value = "Read - /flow"), @Authorization(value = "Read underlying component - /{component-type}/{uuid}") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response getComponentHistory(@ApiParam(value = "The component id.", required = true) @PathParam("componentId") final String componentId) {
// Authorization callback: flow access first, then READ on whichever component type the id resolves to.
// The id is tried as a processor, then a controller service, then a reporting task, in that order;
// the first lookup that succeeds decides which authorizable is checked.
serviceFacade.authorizeAccess(lookup -> {
final NiFiUser user = NiFiUserUtils.getNiFiUser();
// authorize the flow
authorizeFlow();
// Only ResourceNotFoundException is caught in the blocks below, so any other exception raised by a
// lookup or by authorize() propagates out of this callback instead of falling through to the next type.
try {
final Authorizable authorizable = lookup.getProcessor(componentId).getAuthorizable();
authorizable.authorize(authorizer, RequestAction.READ, user);
// authorized as a processor; skip the remaining lookups
return;
} catch (final ResourceNotFoundException e) {
// ignore as the component may not be a processor
}
try {
final Authorizable authorizable = lookup.getControllerService(componentId).getAuthorizable();
authorizable.authorize(authorizer, RequestAction.READ, user);
// authorized as a controller service; skip the remaining lookups
return;
} catch (final ResourceNotFoundException e) {
// ignore as the component may not be a controller service
}
try {
final Authorizable authorizable = lookup.getReportingTask(componentId).getAuthorizable();
authorizable.authorize(authorizer, RequestAction.READ, user);
// authorized as a reporting task; skip the controller fallback
return;
} catch (final ResourceNotFoundException e) {
// ignore as the component may not be a reporting task
}
// a component for the specified id could not be found, attempt to authorize based on read to the controller
// NOTE(review): for an id that matches none of the three types, the history returned below is gated by
// READ on the controller rather than on a component-level policy; presumably this covers components
// that no longer exist. Confirm the fallback is intended.
final Authorizable controller = lookup.getController();
controller.authorize(authorizer, RequestAction.READ, user);
});
// Note: History requests are not replicated throughout the cluster and are instead handled by the nodes independently
// create the response entity
final ComponentHistoryEntity entity = new ComponentHistoryEntity();
entity.setComponentHistory(serviceFacade.getComponentHistory(componentId));
// generate the response
return generateOkResponse(entity).build();
}
use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.
the class FlowResource method activateControllerServices.
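/**
 * Enables or disables controller services in the specified process group.
 *
 * <p>The requested state must be ENABLED or DISABLED. When the request names no components, the set
 * is built from the group's controller services that match the state filter and that the current
 * user is authorized to write. The authorization callback handed to {@code withWriteLock} checks
 * access to the flow and WRITE access on every controller service id in the request.</p>
 *
 * @param httpServletRequest request
 * @param id The process group id
 * @param requestEntity The desired state and, optionally, the components and revisions it applies to
 * @return An activateControllerServicesEntity
 * @throws IllegalArgumentException if the request body is missing, its id differs from the id in the
 *         path, or the state is missing or not one of ENABLED / DISABLED
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("process-groups/{id}/controller-services")
@ApiOperation(value = "Enable or disable Controller Services in the specified Process Group.", response = ActivateControllerServicesEntity.class, authorizations = { @Authorization(value = "Read - /flow"), @Authorization(value = "Write - /{component-type}/{uuid} - For every service being enabled/disabled") })
@ApiResponses(value = { @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") })
public Response activateControllerServices(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The process group id.", required = true) @PathParam("id") String id, @ApiParam(value = "The request to schedule or unschedule. If the comopnents in the request are not specified, all authorized components will be considered.", required = true) final ActivateControllerServicesEntity requestEntity) {
    // a missing request body would otherwise fail with a NullPointerException on the id comparison below;
    // reject it the same way as the other invalid-request cases in this method
    if (requestEntity == null) {
        throw new IllegalArgumentException("Controller service activation details must be specified.");
    }

    // ensure the same id is being used
    if (!id.equals(requestEntity.getId())) {
        throw new IllegalArgumentException(String.format("The process group id (%s) in the request body does "
                + "not equal the process group id of the requested resource (%s).", requestEntity.getId(), id));
    }

    if (requestEntity.getState() == null) {
        throw new IllegalArgumentException("The controller service state must be specified.");
    }

    final ControllerServiceState state;
    try {
        state = ControllerServiceState.valueOf(requestEntity.getState());
    } catch (final IllegalArgumentException iae) {
        // keep the original exception as the cause so the failed parse stays visible to whoever handles it
        throw new IllegalArgumentException(String.format("The controller service state must be one of [%s].",
                StringUtils.join(EnumSet.of(ControllerServiceState.ENABLED, ControllerServiceState.DISABLED), ", ")), iae);
    }

    // ENABLING and DISABLING are valid enum constants but cannot be requested by a client
    if (ControllerServiceState.DISABLING.equals(state) || ControllerServiceState.ENABLING.equals(state)) {
        throw new IllegalArgumentException(String.format("The controller service state must be one of [%s].",
                StringUtils.join(EnumSet.of(ControllerServiceState.ENABLED, ControllerServiceState.DISABLED), ", ")));
    }

    // if the components are not specified, gather all components and their current revision
    if (requestEntity.getComponents() == null) {
        // NOTE(review): this lookup runs before authorizeFlow() is reached further down; its result only
        // contains services for which isAuthorized(..., WRITE, ...) is true for the current user.
        final Set<Revision> revisions = serviceFacade.getRevisionsFromGroup(id, group -> {
            // enabling targets services that are inactive and valid; disabling targets the active ones
            final Predicate<ControllerServiceNode> filter;
            if (ControllerServiceState.ENABLED.equals(state)) {
                filter = service -> !service.isActive() && service.isValid();
            } else {
                filter = ControllerServiceNode::isActive;
            }

            return group.findAllControllerServices().stream()
                    .filter(filter)
                    .filter(service -> service.isAuthorized(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()))
                    .map(service -> service.getIdentifier())
                    .collect(Collectors.toCollection(HashSet::new));
        });

        // build the component mapping
        final Map<String, RevisionDTO> componentsToSchedule = new HashMap<>();
        for (final Revision revision : revisions) {
            final RevisionDTO dto = new RevisionDTO();
            dto.setClientId(revision.getClientId());
            dto.setVersion(revision.getVersion());
            componentsToSchedule.put(revision.getComponentId(), dto);
        }

        // set the components and their current revision
        requestEntity.setComponents(componentsToSchedule);
    }

    // the entity passed to replicate(...) already carries the resolved components when none were supplied
    if (isReplicateRequest()) {
        return replicate(HttpMethod.PUT, requestEntity);
    }

    final Map<String, RevisionDTO> requestComponentsToSchedule = requestEntity.getComponents();
    final Map<String, Revision> requestComponentRevisions = requestComponentsToSchedule.entrySet().stream()
            .collect(Collectors.toMap(Map.Entry::getKey, e -> getRevision(e.getValue(), e.getKey())));
    final Set<Revision> requestRevisions = new HashSet<>(requestComponentRevisions.values());

    return withWriteLock(serviceFacade, requestEntity, requestRevisions, lookup -> {
        // ensure access to the flow
        authorizeFlow();

        // ensure WRITE access to every component in the request; these ids may come straight from the
        // client, so the check is applied per id rather than relying on the filtering done above.
        // NOTE(review): nothing in this method ties a supplied id to process group `id`; presumably
        // verifyActivateControllerServices covers that. Confirm.
        requestComponentsToSchedule.keySet().forEach(componentId -> {
            final Authorizable authorizable = lookup.getControllerService(componentId).getAuthorizable();
            authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
        });
    }, () -> serviceFacade.verifyActivateControllerServices(id, state, requestComponentRevisions.keySet()), (revisions, scheduleComponentsEntity) -> {
        // state and revisions are re-derived from the entity handed to this callback
        final ControllerServiceState serviceState = ControllerServiceState.valueOf(scheduleComponentsEntity.getState());
        final Map<String, RevisionDTO> componentsToSchedule = scheduleComponentsEntity.getComponents();
        final Map<String, Revision> componentRevisions = componentsToSchedule.entrySet().stream()
                .collect(Collectors.toMap(Map.Entry::getKey, e -> getRevision(e.getValue(), e.getKey())));

        // update the controller services
        final ActivateControllerServicesEntity entity = serviceFacade.activateControllerServices(id, serviceState, componentRevisions);
        return generateOkResponse(entity).build();
    });
}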
use of org.apache.nifi.authorization.resource.Authorizable in project nifi by apache.
the class InputPortResource method getInputPort.
/**
* Retrieves the specified input port.
*
* @param id The id of the input port to retrieve
* @return An inputPortEntity.
*/
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(
        value = "Gets an input port",
        response = PortEntity.class,
        authorizations = {
                @Authorization(value = "Read - /input-ports/{uuid}")
        }
)
@ApiResponses(
        value = {
                @ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."),
                @ApiResponse(code = 401, message = "Client could not be authenticated."),
                @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                @ApiResponse(code = 404, message = "The specified resource could not be found."),
                @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.")
        }
)
public Response getInputPort(
        @ApiParam(value = "The input port id.", required = true)
        @PathParam("id") final String id) {

    // When isReplicateRequest() reports true the call is handed to replicate(...) and nothing below runs here.
    if (isReplicateRequest()) {
        return replicate(HttpMethod.GET);
    }

    // READ on the input port is checked before the port is fetched from the service facade
    serviceFacade.authorizeAccess(authorizableLookup -> {
        final Authorizable requestedPort = authorizableLookup.getInputPort(id);
        requestedPort.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
    });

    // fetch the port, fill in the remaining content and return it
    final PortEntity portEntity = serviceFacade.getInputPort(id);
    populateRemainingInputPortEntityContent(portEntity);
    return generateOkResponse(portEntity).build();
}