
Example 16 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class AccessResource method createUiExtensionToken.

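/**
 * Creates a single use access token for accessing a NiFi UI extension.
 * <p>
 * A token is only issued when the request was made over a secure channel and an authenticated
 * user is associated with it. The one-time password is generated for that user's identity.
 * <p>
 * Security note: according to the API notes below, clients present the token as the
 * {@code access_token} query parameter. Query strings tend to be recorded in access logs, browser
 * history and Referer headers, so the single-use and five-minute limits are what bound the
 * exposure. Those limits are not enforced in this method (presumably the OTP service does it;
 * confirm there).
 *
 * @param httpServletRequest the servlet request
 * @return the response built by {@code generateCreatedResponse} for the token resource URI, carrying the token (string)
 * @throws IllegalStateException if the request was not made over HTTPS
 * @throws AccessDeniedException if no user is authenticated in the request
 */
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@Path("/ui-extension-token")
@ApiOperation(
        value = "Creates a single use access token for accessing a NiFi UI extension.",
        notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. "
                + "It is used as a query parameter name 'access_token'.",
        response = String.class)
@ApiResponses(value = {
        @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
        // The 409/500 messages previously said "download token", which is a different token type
        // from the one this endpoint issues.
        @ApiResponse(code = 409, message = "Unable to create the UI extension token because NiFi is not in the appropriate state. "
                + "(i.e. may not have any tokens to grant or be configured to support username/password login)"),
        @ApiResponse(code = 500, message = "Unable to create the UI extension token because an unexpected error occurred.") })
public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
    // Only support access tokens when communicating over HTTPS, so the token never travels in clear text.
    // NOTE(review): isSecure() reflects the connection as the servlet container saw it; if TLS is
    // terminated upstream, confirm the deployment reports the scheme correctly.
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("UI extension access tokens are only issued over HTTPS.");
    }

    // Tokens are never minted for anonymous requests.
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    if (user == null) {
        throw new AccessDeniedException("No user authenticated in the request.");
    }

    // Bind the one-time password to the authenticated identity.
    final OtpAuthenticationToken authenticationToken = new OtpAuthenticationToken(user.getIdentity());

    // generate otp for response
    final String token = otpService.generateUiExtensionToken(authenticationToken);

    // build the response
    final URI uri = URI.create(generateResourceUri("access", "ui-extension-token"));
    return generateCreatedResponse(uri, token).build();
}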
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) OtpAuthenticationToken(org.apache.nifi.web.security.token.OtpAuthenticationToken) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) URI(java.net.URI) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 17 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ApplicationResource method phaseTwoVerifyTransaction.

/**
 * Retrieves and consumes the request stored during phase one of a two phase commit, then checks
 * that the current (phase two) request matches it.
 * <p>
 * The stored entry is looked up by the transaction id request header and is removed from the cache
 * as soon as it is found, before the user and URI checks run. A transaction id can therefore be
 * redeemed at most once, and a phase two request that fails the later checks still uses it up.
 * <p>
 * The checks bind phase two to phase one: the proxied entities chain built for the current user
 * must equal the chain recorded in phase one, and the current absolute path must equal the
 * recorded URI. Knowing a transaction id alone is not enough to have the stored request returned.
 *
 * @param <T> the entity type of the stored request
 * @return the request stored in phase one
 * @throws IllegalArgumentException if the transaction id header is blank, no stored request exists
 *                                  for it, or the user chain or URI differs from phase one
 */
private <T extends Entity> Request<T> phaseTwoVerifyTransaction() {
    final String txId = httpServletRequest.getHeader(RequestReplicator.REQUEST_TRANSACTION_ID_HEADER);
    if (StringUtils.isBlank(txId)) {
        throw new IllegalArgumentException("Two phase commit Transaction Id missing.");
    }

    // Lookup and removal happen under one lock so that two concurrent phase two requests cannot
    // both obtain the same stored entry.
    final Request<T> phaseOneRequest;
    synchronized (twoPhaseCommitCache) {
        final CacheKey cacheKey = new CacheKey(txId);
        final Request<T> cached = (Request<T>) twoPhaseCommitCache.getIfPresent(cacheKey);
        if (cached == null) {
            throw new IllegalArgumentException("The request from phase one is missing.");
        }
        twoPhaseCommitCache.invalidate(cacheKey);
        phaseOneRequest = cached;
    }

    // The identity chain of this request must be the one recorded in phase one.
    final String storedChain = phaseOneRequest.getUserChain();
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
    final String currentChain = ProxiedEntitiesUtils.buildProxiedEntitiesChainString(currentUser);
    final boolean sameUser = storedChain != null && storedChain.equals(currentChain);
    if (!sameUser) {
        throw new IllegalArgumentException("The same user must issue the request for phase one and two.");
    }

    // The target URI must be the one recorded in phase one as well.
    final String storedUri = phaseOneRequest.getUri();
    final boolean sameUri = storedUri != null && storedUri.equals(getAbsolutePath().toString());
    if (!sameUri) {
        throw new IllegalArgumentException("The URI must be the same for phase one and two.");
    }

    return phaseOneRequest;
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) CacheKey(org.apache.nifi.web.security.util.CacheKey)

Example 18 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ApplicationResource method withWriteLock.

/**
 * Executes an action through the service facade using the specified revision.
 * <p>
 * For a request that is not part of a two phase commit, access is authorized, the revision is
 * verified for the current user, the optional verifier runs, and the action is applied to the
 * supplied revision and entity.
 * <p>
 * For a two phase commit, authorization, revision verification and the verifier run only in the
 * validation phase, after which the request is stored. The execution phase does not authorize
 * again: it relies on {@code phaseTwoVerifyTransaction()} to tie the request to the one validated
 * earlier, and it applies the action to the revision and entity that were stored in phase one
 * rather than to the values supplied with the execution request.
 *
 * @param <T>           the entity type
 * @param serviceFacade service facade
 * @param entity        the entity the action operates on
 * @param revision      revision
 * @param authorizer    authorizer
 * @param verifier      verifier, may be {@code null} when no extra verification is needed
 * @param action        executor
 * @return the response
 * @throws IllegalStateException if the request is flagged as two phase but matches none of the
 *                               validation, execution or cancellation phases
 */
protected <T extends Entity> Response withWriteLock(final NiFiServiceFacade serviceFacade, final T entity, final Revision revision, final AuthorizeAccess authorizer, final Runnable verifier, final BiFunction<Revision, T, Response> action) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    if (!isTwoPhaseRequest(httpServletRequest)) {
        // Single request: authorize, verify, then act on what the caller supplied.
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevision(revision, user);
        if (verifier != null) {
            verifier.run();
        }
        return action.apply(revision, entity);
    }

    if (isValidationPhase(httpServletRequest)) {
        // Phase one: every check happens here, then the request is stored for phase two.
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevision(revision, user);
        if (verifier != null) {
            verifier.run();
        }
        phaseOneStoreTransaction(entity, revision, null);
        return generateContinueResponse().build();
    }

    if (isExecutionPhase(httpServletRequest)) {
        // Phase two: act on the stored revision and entity, not on this request's values.
        final Request<T> stored = phaseTwoVerifyTransaction();
        return action.apply(stored.getRevision(), stored.getRequest());
    }

    if (isCancellationPhase(httpServletRequest)) {
        cancelTransaction();
        return generateOkResponse().build();
    }

    throw new IllegalStateException("This request does not appear to be part of the two phase commit.");
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) HttpServletRequest(javax.servlet.http.HttpServletRequest)

Example 19 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ApplicationResource method withWriteLock.

/**
 * Executes an action through the service facade using the specified set of revisions.
 * <p>
 * Outside a two phase commit the method authorizes access, verifies the revisions for the current
 * user, runs the optional verifier and applies the action to the supplied revisions and entity.
 * <p>
 * Inside a two phase commit those checks run only during the validation phase, which then stores
 * the request. The execution phase performs no authorization of its own; it depends on
 * {@code phaseTwoVerifyTransaction()} to match the request against the stored one and applies the
 * action to the stored revisions and entity, not to the values sent with the execution request.
 *
 * @param <T>           the entity type
 * @param serviceFacade service facade
 * @param entity        the entity the action operates on
 * @param revisions     revisions
 * @param authorizer    authorizer
 * @param verifier      verifier, may be {@code null} when no extra verification is needed
 * @param action        executor
 * @return the response
 * @throws IllegalStateException if the request is flagged as two phase but matches none of the
 *                               validation, execution or cancellation phases
 */
protected <T extends Entity> Response withWriteLock(final NiFiServiceFacade serviceFacade, final T entity, final Set<Revision> revisions, final AuthorizeAccess authorizer, final Runnable verifier, final BiFunction<Set<Revision>, T, Response> action) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final boolean twoPhase = isTwoPhaseRequest(httpServletRequest);

    if (twoPhase) {
        if (isValidationPhase(httpServletRequest)) {
            // Phase one carries all of the checks and ends by storing the request.
            serviceFacade.authorizeAccess(authorizer);
            serviceFacade.verifyRevisions(revisions, user);
            if (verifier != null) {
                verifier.run();
            }
            phaseOneStoreTransaction(entity, null, revisions);
            return generateContinueResponse().build();
        }

        if (isExecutionPhase(httpServletRequest)) {
            // Phase two runs against what was stored, so the payload cannot change after validation.
            final Request<T> stored = phaseTwoVerifyTransaction();
            return action.apply(stored.getRevisions(), stored.getRequest());
        }

        if (isCancellationPhase(httpServletRequest)) {
            cancelTransaction();
            return generateOkResponse().build();
        }

        throw new IllegalStateException("This request does not appear to be part of the two phase commit.");
    }

    // Not a two phase commit: authorize access and run the action directly.
    serviceFacade.authorizeAccess(authorizer);
    serviceFacade.verifyRevisions(revisions, user);
    if (verifier != null) {
        verifier.run();
    }
    return action.apply(revisions, entity);
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) HttpServletRequest(javax.servlet.http.HttpServletRequest)

Example 20 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class DataTransferResource method authorizeDataTransfer.

/**
 * Authorizes access to data transfers.
 * <p>
 * Only root group input and output ports are accepted. The port's authorizable is looked up by
 * identifier and checked against the current user. Any result other than {@code Approved} is
 * treated as a denial, so the check fails closed.
 * <p>
 * Note: Protected for testing purposes
 *
 * @param lookup       source of the root group port authorizables
 * @param resourceType must be an input port or an output port
 * @param identifier   identifier of the port
 * @throws IllegalArgumentException if the resource type is neither an input nor an output port
 * @throws AccessDeniedException    if the authorization result is not approved; the message is the
 *                                  explanation carried by the result
 */
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // Reject anything that is not a port before touching the lookup.
    final boolean isInputPort = ResourceType.InputPort.equals(resourceType);
    final boolean isOutputPort = ResourceType.OutputPort.equals(resourceType);
    if (!(isInputPort || isOutputPort)) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    // Resolve the authorizable that matches the port direction.
    final RootGroupPortAuthorizable portAuthorizable = isInputPort
            ? lookup.getRootGroupInputPort(identifier)
            : lookup.getRootGroupOutputPort(identifier);

    // Only an explicit approval lets the caller through.
    final AuthorizationResult outcome = portAuthorizable.checkAuthorization(user);
    if (Result.Approved.equals(outcome.getResult())) {
        return;
    }
    throw new AccessDeniedException(outcome.getExplanation());
}
Also used : RootGroupPortAuthorizable(org.apache.nifi.authorization.RootGroupPortAuthorizable) AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) AuthorizationResult(org.apache.nifi.authorization.AuthorizationResult)

Aggregations

NiFiUser (org.apache.nifi.authorization.user.NiFiUser)127 Date (java.util.Date)47 FlowChangeAction (org.apache.nifi.action.FlowChangeAction)42 ArrayList (java.util.ArrayList)33 Authorizable (org.apache.nifi.authorization.resource.Authorizable)32 Action (org.apache.nifi.action.Action)29 HashMap (java.util.HashMap)27 Map (java.util.Map)26 AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)26 RevisionDTO (org.apache.nifi.web.api.dto.RevisionDTO)26 IOException (java.io.IOException)25 Set (java.util.Set)25 ScheduledState (org.apache.nifi.controller.ScheduledState)25 Collectors (java.util.stream.Collectors)24 UUID (java.util.UUID)23 ControllerServiceState (org.apache.nifi.controller.service.ControllerServiceState)22 AffectedComponentDTO (org.apache.nifi.web.api.dto.AffectedComponentDTO)22 DtoFactory (org.apache.nifi.web.api.dto.DtoFactory)22 AffectedComponentEntity (org.apache.nifi.web.api.entity.AffectedComponentEntity)22 ProcessorEntity (org.apache.nifi.web.api.entity.ProcessorEntity)22