
Example 91 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class AuthorizeControllerServiceReference method authorizeControllerServiceReferences.

/**
 * Authorizes the proposed properties for the specified authorizable.
 *
 * @param proposedProperties proposed properties
 * @param authorizable authorizable that may reference a controller service
 * @param authorizer authorizer
 * @param lookup lookup
 */
public static void authorizeControllerServiceReferences(final Map<String, String> proposedProperties, final ComponentAuthorizable authorizable, final Authorizer authorizer, final AuthorizableLookup lookup) {
    // only attempt to authorize if properties are changing
    if (proposedProperties != null) {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();
        for (final Map.Entry<String, String> entry : proposedProperties.entrySet()) {
            final String propertyName = entry.getKey();
            final PropertyDescriptor propertyDescriptor = authorizable.getPropertyDescriptor(propertyName);
            // if this descriptor identifies a controller service
            if (propertyDescriptor.getControllerServiceDefinition() != null) {
                final String currentValue = authorizable.getValue(propertyDescriptor);
                final String proposedValue = entry.getValue();
                // if the value is changing
                if (!Objects.equals(currentValue, proposedValue)) {
                    // ensure access to the old service
                    if (currentValue != null) {
                        try {
                            final Authorizable currentServiceAuthorizable = lookup.getControllerService(currentValue).getAuthorizable();
                            currentServiceAuthorizable.authorize(authorizer, RequestAction.READ, user);
                        } catch (ResourceNotFoundException e) {
                            // ignore if the resource is not found; if currentValue was previously deleted, it should not stop assignment of proposedValue
                        }
                    }
                    // ensure access to the new service
                    if (proposedValue != null) {
                        final Authorizable newServiceAuthorizable = lookup.getControllerService(proposedValue).getAuthorizable();
                        newServiceAuthorizable.authorize(authorizer, RequestAction.READ, user);
                    }
                }
            }
        }
    }
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) PropertyDescriptor(org.apache.nifi.components.PropertyDescriptor) Authorizable(org.apache.nifi.authorization.resource.Authorizable) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException) Map(java.util.Map)

Example 92 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class StandardAuthorizableLookup method getRootGroupOutputPort.

@Override
public RootGroupPortAuthorizable getRootGroupOutputPort(String id) {
    final Port outputPort = outputPortDAO.getPort(id);
    if (!(outputPort instanceof RootGroupPort)) {
        throw new IllegalArgumentException(String.format("The specified id '%s' does not represent an output port in the root group.", id));
    }
    final DataTransferAuthorizable baseAuthorizable = new DataTransferAuthorizable(outputPort);
    return new RootGroupPortAuthorizable() {

        @Override
        public Authorizable getAuthorizable() {
            return baseAuthorizable;
        }

        @Override
        public AuthorizationResult checkAuthorization(NiFiUser user) {
            // perform the authorization of the user by using the underlying component, ensures consistent authorization with raw s2s
            final PortAuthorizationResult authorizationResult = ((RootGroupPort) outputPort).checkUserAuthorization(user);
            if (authorizationResult.isAuthorized()) {
                return AuthorizationResult.approved();
            } else {
                return AuthorizationResult.denied(authorizationResult.getExplanation());
            }
        }
    };
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) RootGroupPort(org.apache.nifi.remote.RootGroupPort) Port(org.apache.nifi.connectable.Port) DataTransferAuthorizable(org.apache.nifi.authorization.resource.DataTransferAuthorizable) PortAuthorizationResult(org.apache.nifi.remote.PortAuthorizationResult)

Example 93 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class DataAuthorizable method authorize.

@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }
    // authorize each element in the chain
    NiFiUser chainedUser = user;
    do {
        try {
            // perform the current user authorization
            Authorizable.super.authorize(authorizer, action, chainedUser, resourceContext);
            // go to the next user in the chain
            chainedUser = chainedUser.getChain();
        } catch (final ResourceNotFoundException e) {
            throw new AccessDeniedException("Unknown source component.");
        }
    } while (chainedUser != null);
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)

Example 94 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class TestPersistentProvenanceRepository method testNotAuthorizedGetSpecificEvent.

@Test
public void testNotAuthorizedGetSpecificEvent() throws IOException {
    assumeFalse(isWindowsEnvironment());
    final RepositoryConfiguration config = createConfiguration();
    config.setMaxRecordLife(5, TimeUnit.MINUTES);
    config.setMaxStorageCapacity(1024L * 1024L);
    config.setMaxEventFileLife(500, TimeUnit.MILLISECONDS);
    config.setMaxEventFileCapacity(1024L * 1024L);
    config.setSearchableFields(new ArrayList<>(SearchableFields.getStandardFields()));
    // force new index to be created for each rollover
    config.setDesiredIndexSize(10);
    final AccessDeniedException expectedException = new AccessDeniedException("Unit Test - Intentionally Thrown");
    repo = new PersistentProvenanceRepository(config, DEFAULT_ROLLOVER_MILLIS) {

        @Override
        public void authorize(ProvenanceEventRecord event, NiFiUser user) {
            throw expectedException;
        }
    };
    repo.initialize(getEventReporter(), null, null, IdentifierLookup.EMPTY);
    final String uuid = "00000000-0000-0000-0000-000000000000";
    final Map<String, String> attributes = new HashMap<>();
    attributes.put("abc", "xyz");
    attributes.put("xyz", "abc");
    attributes.put("filename", "file-" + uuid);
    final ProvenanceEventBuilder builder = new StandardProvenanceEventRecord.Builder();
    builder.setEventTime(System.currentTimeMillis());
    builder.setEventType(ProvenanceEventType.RECEIVE);
    builder.setTransitUri("nifi://unit-test");
    builder.fromFlowFile(createFlowFile(3L, 3000L, attributes));
    builder.setComponentId("1234");
    builder.setComponentType("dummy processor");
    for (int i = 0; i < 10; i++) {
        attributes.put("uuid", "00000000-0000-0000-0000-00000000000" + i);
        builder.fromFlowFile(createFlowFile(i, 3000L, attributes));
        // make sure the events are destroyed when we call purge
        builder.setEventTime(10L);
        repo.registerEvent(builder.build());
    }
    repo.waitForRollover();
    try {
        repo.getEvent(0L, null);
        Assert.fail("getEvent() did not throw an Exception");
    } catch (final Exception e) {
        Assert.assertSame(expectedException, e);
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) HashMap(java.util.HashMap) InvocationTargetException(java.lang.reflect.InvocationTargetException) ParseException(org.apache.lucene.queryparser.classic.ParseException) IOException(java.io.IOException) Test(org.junit.Test)

Example 95 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class TestLuceneEventIndex method testUnauthorizedEventsGetPlaceholdersForExpandChildren.

@Test(timeout = 60000)
public void testUnauthorizedEventsGetPlaceholdersForExpandChildren() throws InterruptedException {
    assumeFalse(isWindowsEnvironment());
    final RepositoryConfiguration repoConfig = createConfig(1);
    repoConfig.setDesiredIndexSize(1L);
    final IndexManager indexManager = new SimpleIndexManager(repoConfig);
    final ArrayListEventStore eventStore = new ArrayListEventStore();
    final LuceneEventIndex index = new LuceneEventIndex(repoConfig, indexManager, 3, EventReporter.NO_OP);
    index.initialize(eventStore);
    final ProvenanceEventRecord firstEvent = createEvent("4444");
    final Map<String, String> previousAttributes = new HashMap<>();
    previousAttributes.put("uuid", "4444");
    final Map<String, String> updatedAttributes = new HashMap<>();
    updatedAttributes.put("updated", "true");
    final ProvenanceEventRecord fork = new StandardProvenanceEventRecord.Builder()
            .setEventType(ProvenanceEventType.FORK)
            .setAttributes(previousAttributes, updatedAttributes)
            .addChildFlowFile("1234")
            .setComponentId("component-1")
            .setComponentType("unit test")
            .setEventId(idGenerator.getAndIncrement())
            .setEventTime(System.currentTimeMillis())
            .setFlowFileEntryDate(System.currentTimeMillis())
            .setFlowFileUUID("4444")
            .setLineageStartDate(System.currentTimeMillis())
            .setCurrentContentClaim("container", "section", "unit-test-id", 0L, 1024L)
            .build();
    index.addEvents(eventStore.addEvent(firstEvent).getStorageLocations());
    index.addEvents(eventStore.addEvent(fork).getStorageLocations());
    for (int i = 0; i < 3; i++) {
        final ProvenanceEventRecord event = createEvent("1234");
        final StorageResult storageResult = eventStore.addEvent(event);
        index.addEvents(storageResult.getStorageLocations());
    }
    final NiFiUser user = createUser();
    final EventAuthorizer allowForkEvents = new EventAuthorizer() {

        @Override
        public boolean isAuthorized(ProvenanceEventRecord event) {
            return event.getEventType() == ProvenanceEventType.FORK;
        }

        @Override
        public void authorize(ProvenanceEventRecord event) throws AccessDeniedException {
            // intentionally empty: this stub never throws AccessDeniedException
        }
    };
    List<LineageNode> nodes = Collections.emptyList();
    while (nodes.size() < 5) {
        final ComputeLineageSubmission submission = index.submitExpandChildren(1L, user, allowForkEvents);
        assertTrue(submission.getResult().awaitCompletion(5, TimeUnit.SECONDS));
        nodes = submission.getResult().getNodes();
        Thread.sleep(25L);
    }
    assertEquals(5, nodes.size());
    assertEquals(1L, nodes.stream().filter(n -> n.getNodeType() == LineageNodeType.FLOWFILE_NODE).count());
    assertEquals(4L, nodes.stream().filter(n -> n.getNodeType() == LineageNodeType.PROVENANCE_EVENT_NODE).count());
    final Map<ProvenanceEventType, List<LineageNode>> eventMap = nodes.stream()
            .filter(n -> n.getNodeType() == LineageNodeType.PROVENANCE_EVENT_NODE)
            .collect(Collectors.groupingBy(n -> ((ProvenanceEventLineageNode) n).getEventType()));
    assertEquals(2, eventMap.size());
    assertEquals(1, eventMap.get(ProvenanceEventType.FORK).size());
    assertEquals(3, eventMap.get(ProvenanceEventType.UNKNOWN).size());
}
Also used : BeforeClass(org.junit.BeforeClass) Query(org.apache.nifi.provenance.search.Query) Assume.assumeFalse(org.junit.Assume.assumeFalse) AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) SearchableFields(org.apache.nifi.provenance.SearchableFields) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Answer(org.mockito.stubbing.Answer) InvocationOnMock(org.mockito.invocation.InvocationOnMock) QueryResult(org.apache.nifi.provenance.search.QueryResult) StorageResult(org.apache.nifi.provenance.store.StorageResult) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ProvenanceEventRecord(org.apache.nifi.provenance.ProvenanceEventRecord) TestName(org.junit.rules.TestName) Map(java.util.Map) EventStore(org.apache.nifi.provenance.store.EventStore) LineageNode(org.apache.nifi.provenance.lineage.LineageNode) QuerySubmission(org.apache.nifi.provenance.search.QuerySubmission) StorageSummary(org.apache.nifi.provenance.serialization.StorageSummary) ProvenanceEventType(org.apache.nifi.provenance.ProvenanceEventType) Assert.assertNotNull(org.junit.Assert.assertNotNull) Set(java.util.Set) Assert.assertTrue(org.junit.Assert.assertTrue) Test(org.junit.Test) IOException(java.io.IOException) UUID(java.util.UUID) Collectors(java.util.stream.Collectors) StandardProvenanceEventRecord(org.apache.nifi.provenance.StandardProvenanceEventRecord) SimpleIndexManager(org.apache.nifi.provenance.lucene.SimpleIndexManager) File(java.io.File) TimeUnit(java.util.concurrent.TimeUnit) Mockito(org.mockito.Mockito) AtomicLong(java.util.concurrent.atomic.AtomicLong) List(java.util.List) Rule(org.junit.Rule) Assert.assertNull(org.junit.Assert.assertNull) EventReporter(org.apache.nifi.events.EventReporter) ComputeLineageSubmission(org.apache.nifi.provenance.lineage.ComputeLineageSubmission) RepositoryConfiguration(org.apache.nifi.provenance.RepositoryConfiguration) ProvenanceEventLineageNode(org.apache.nifi.provenance.lineage.ProvenanceEventLineageNode) IndexManager(org.apache.nifi.provenance.lucene.IndexManager) ArrayListEventStore(org.apache.nifi.provenance.store.ArrayListEventStore) Collections(java.util.Collections) EventAuthorizer(org.apache.nifi.provenance.authorization.EventAuthorizer) SearchTerms(org.apache.nifi.provenance.search.SearchTerms) Assert.assertEquals(org.junit.Assert.assertEquals) LineageNodeType(org.apache.nifi.provenance.lineage.LineageNodeType)
