use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.
the class AccessResource method createUiExtensionToken.
/**
 * Issues a single-use access token for a NiFi UI extension.
 *
 * <p>A token is only issued over HTTPS and only when a user is authenticated for the
 * request. It is bound to that user's identity via an {@link OtpAuthenticationToken}
 * and produced by the OTP service; the token string is returned as the body of the
 * response built by {@code generateCreatedResponse}.
 *
 * @param httpServletRequest the servlet request
 * @return the created response whose entity is the token string
 * @throws IllegalStateException if the request did not arrive over a secure connection
 * @throws AccessDeniedException if no user is authenticated for the request
 */
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@Path("/ui-extension-token")
@ApiOperation(value = "Creates a single use access token for accessing a NiFi UI extension.", notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. " + "It is used as a query parameter name 'access_token'.", response = String.class)
@ApiResponses(value = { @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 409, message = "Unable to create the download token because NiFi is not in the appropriate state. " + "(i.e. may not have any tokens to grant or be configured to support username/password login)"), @ApiResponse(code = 500, message = "Unable to create download token because an unexpected error occurred.") })
public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
    // the token is a bearer credential, so it is never handed out on a plaintext connection
    if (!httpServletRequest.isSecure()) {
        throw new IllegalStateException("UI extension access tokens are only issued over HTTPS.");
    }

    final NiFiUser requestingUser = NiFiUserUtils.getNiFiUser();
    if (requestingUser == null) {
        throw new AccessDeniedException("No user authenticated in the request.");
    }

    // bind the one-time token to the authenticated identity before asking the OTP service for it
    final OtpAuthenticationToken otpPrincipal = new OtpAuthenticationToken(requestingUser.getIdentity());
    final String uiExtensionToken = otpService.generateUiExtensionToken(otpPrincipal);

    final URI resourceUri = URI.create(generateResourceUri("access", "ui-extension-token"));
    return generateCreatedResponse(resourceUri, uiExtensionToken).build();
}
use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.
the class ApplicationResource method phaseTwoVerifyTransaction.
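/**
 * Loads and validates the phase-one request for the second phase of a two phase commit.
 *
 * <p>The transaction id is read from the {@code RequestReplicator.REQUEST_TRANSACTION_ID_HEADER}
 * header. The matching phase-one request is removed from {@code twoPhaseCommitCache} while the
 * cache lock is held, so a transaction id can be completed at most once. The caller must then
 * present the same proxied-entity chain and target the same URI as the phase-one request.
 *
 * @param <T> the entity type of the cached request
 * @return the phase-one request recorded for this transaction
 * @throws IllegalArgumentException if the header is blank, no phase-one request is cached for it,
 *         the user chain differs from phase one, or the request URI differs from phase one
 */
private <T extends Entity> Request<T> phaseTwoVerifyTransaction() {
    final String transactionId = httpServletRequest.getHeader(RequestReplicator.REQUEST_TRANSACTION_ID_HEADER);
    if (StringUtils.isBlank(transactionId)) {
        throw new IllegalArgumentException("Two phase commit Transaction Id missing.");
    }

    final Request<T> request;
    synchronized (twoPhaseCommitCache) {
        final CacheKey key = new CacheKey(transactionId);
        // NOTE(review): the cache value type does not carry T; the cast is unchecked and relies on
        // the transaction id mapping back to a request of the entity type the caller expects.
        @SuppressWarnings("unchecked")
        final Request<T> cached = (Request<T>) twoPhaseCommitCache.getIfPresent(key);
        if (cached == null) {
            throw new IllegalArgumentException("The request from phase one is missing.");
        }
        // single use: drop the entry before releasing the lock so a concurrent phase two cannot reuse it
        twoPhaseCommitCache.invalidate(key);
        request = cached;
    }

    // the proxied-entity chain that started the transaction must be the one completing it
    final String phaseOneChain = request.getUserChain();
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final String phaseTwoChain = ProxiedEntitiesUtils.buildProxiedEntitiesChainString(user);
    if (phaseOneChain == null || !phaseOneChain.equals(phaseTwoChain)) {
        throw new IllegalArgumentException("The same user must issue the request for phase one and two.");
    }

    // ... and it must be completed against the same resource URI
    final String phaseOneUri = request.getUri();
    if (phaseOneUri == null || !phaseOneUri.equals(getAbsolutePath().toString())) {
        throw new IllegalArgumentException("The URI must be the same for phase one and two.");
    }

    return request;
}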
use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.
the class ApplicationResource method withWriteLock.
/**
 * Authorizes, revision-checks and executes an action through the service facade, honouring
 * the two phase commit protocol when the request is part of one.
 *
 * <p>For a plain request the access check, the revision check and the optional verifier run
 * in that order before the action is applied. For a two phase request the validation phase
 * performs the same checks and stores the request; the execution phase re-loads the stored
 * request via {@code phaseTwoVerifyTransaction} and applies the action to it; the cancellation
 * phase discards the stored request. This method body does not itself acquire a lock.
 *
 * @param serviceFacade service facade
 * @param entity the entity the action operates on
 * @param revision revision
 * @param authorizer authorizer
 * @param verifier optional verifier, may be {@code null}
 * @param action executor
 * @return the response
 * @throws IllegalStateException if the request claims to be two phase but matches no known phase
 */
protected <T extends Entity> Response withWriteLock(final NiFiServiceFacade serviceFacade, final T entity, final Revision revision, final AuthorizeAccess authorizer, final Runnable verifier, final BiFunction<Revision, T, Response> action) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    if (!isTwoPhaseRequest(httpServletRequest)) {
        // not part of a two phase commit: authorize, check the revision, verify, act
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevision(revision, user);
        if (verifier != null) {
            verifier.run();
        }
        return action.apply(revision, entity);
    }

    if (isValidationPhase(httpServletRequest)) {
        // phase one: same checks as above, but only record the request instead of acting on it
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevision(revision, user);
        if (verifier != null) {
            verifier.run();
        }
        phaseOneStoreTransaction(entity, revision, null);
        return generateContinueResponse().build();
    }

    if (isExecutionPhase(httpServletRequest)) {
        // phase two: act on the request recorded in phase one, not on the current parameters
        final Request<T> phaseOneRequest = phaseTwoVerifyTransaction();
        return action.apply(phaseOneRequest.getRevision(), phaseOneRequest.getRequest());
    }

    if (isCancellationPhase(httpServletRequest)) {
        cancelTransaction();
        return generateOkResponse().build();
    }

    throw new IllegalStateException("This request does not appear to be part of the two phase commit.");
}
use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.
the class ApplicationResource method withWriteLock.
/**
 * Authorizes, revision-checks and executes an action through the service facade for a set of
 * revisions, honouring the two phase commit protocol when the request is part of one.
 *
 * <p>For a plain request the access check, the revisions check and the optional verifier run
 * in that order before the action is applied. For a two phase request the validation phase
 * performs the same checks and stores the request; the execution phase re-loads the stored
 * request via {@code phaseTwoVerifyTransaction} and applies the action to it; the cancellation
 * phase discards the stored request. This method body does not itself acquire a lock.
 *
 * @param serviceFacade service facade
 * @param entity the entity the action operates on
 * @param revisions revisions
 * @param authorizer authorizer
 * @param verifier optional verifier, may be {@code null}
 * @param action executor
 * @return the response
 * @throws IllegalStateException if the request claims to be two phase but matches no known phase
 */
protected <T extends Entity> Response withWriteLock(final NiFiServiceFacade serviceFacade, final T entity, final Set<Revision> revisions, final AuthorizeAccess authorizer, final Runnable verifier, final BiFunction<Set<Revision>, T, Response> action) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    if (!isTwoPhaseRequest(httpServletRequest)) {
        // not part of a two phase commit: authorize, check the revisions, verify, act
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevisions(revisions, user);
        if (verifier != null) {
            verifier.run();
        }
        return action.apply(revisions, entity);
    }

    if (isValidationPhase(httpServletRequest)) {
        // phase one: same checks as above, but only record the request instead of acting on it
        serviceFacade.authorizeAccess(authorizer);
        serviceFacade.verifyRevisions(revisions, user);
        if (verifier != null) {
            verifier.run();
        }
        phaseOneStoreTransaction(entity, null, revisions);
        return generateContinueResponse().build();
    }

    if (isExecutionPhase(httpServletRequest)) {
        // phase two: act on the request recorded in phase one, not on the current parameters
        final Request<T> phaseOneRequest = phaseTwoVerifyTransaction();
        return action.apply(phaseOneRequest.getRevisions(), phaseOneRequest.getRequest());
    }

    if (isCancellationPhase(httpServletRequest)) {
        cancelTransaction();
        return generateOkResponse().build();
    }

    throw new IllegalStateException("This request does not appear to be part of the two phase commit.");
}
use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.
the class DataTransferResource method authorizeDataTransfer.
/**
 * Authorizes the current user for a data transfer on a root-group port.
 *
 * <p>Only input and output ports are valid targets. The port is resolved through the
 * supplied lookup and its authorization result must be an explicit approval; any other
 * result is rejected with the explanation the authorizer provided.
 * <p>
 * Note: Protected for testing purposes
 *
 * @param lookup resolves the root-group port authorizable for the identifier
 * @param resourceType the port direction, must be {@code InputPort} or {@code OutputPort}
 * @param identifier the port identifier
 * @throws IllegalArgumentException if the resource type is not an input or output port
 * @throws AccessDeniedException if the authorization result is anything other than approved
 */
protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    final boolean inputPort = ResourceType.InputPort.equals(resourceType);
    final boolean outputPort = ResourceType.OutputPort.equals(resourceType);
    if (!inputPort && !outputPort) {
        throw new IllegalArgumentException("The resource must be an Input or Output Port.");
    }

    // resolve the port for the requested direction
    final RootGroupPortAuthorizable portAuthorizable = inputPort
            ? lookup.getRootGroupInputPort(identifier)
            : lookup.getRootGroupOutputPort(identifier);

    // deny unless the authorizer explicitly approved; surface its explanation to the caller
    final AuthorizationResult result = portAuthorizable.checkAuthorization(user);
    if (!Result.Approved.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }
}