
Example 31 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ControllerFacade method authorizeReplay.

/**
 * Authorizes the current user to replay the specified provenance event.
 *
 * <p>Replay is refused outright when the event carries no source queue identifier. Otherwise the
 * user must pass both a READ and a WRITE check on the data authorizable of the component named by
 * the event; the event's attributes are handed to the authorizer with each check.
 *
 * @param event the provenance event the user wants to replay
 * @throws AccessDeniedException if the event has no source queue identifier; a denial raised by
 *         the authorize calls also propagates to the caller
 */
private void authorizeReplay(final ProvenanceEventRecord event) {
    // Fail closed: with no connection id the replay could not happen anyway and there is
    // nothing to authorize against, so the request is denied rather than waved through.
    if (event.getSourceQueueIdentifier() == null) {
        throw new AccessDeniedException("The connection id in the provenance event is unknown.");
    }

    // NOTE(review): other callers of getNiFiUser() null-check the result; here it is passed
    // straight to authorize(...) - confirm that a null user is rejected there.
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // Remote-port events and local component events are backed by different data authorizables.
    final Authorizable dataAuthorizable = event.isRemotePortType()
            ? flowController.createRemoteDataAuthorizable(event.getComponentId())
            : flowController.createLocalDataAuthorizable(event.getComponentId());

    // Both reading and writing the data must be permitted, checked in that order.
    final Map<String, String> eventAttributes = event.getAttributes();
    for (final RequestAction action : new RequestAction[] {RequestAction.READ, RequestAction.WRITE}) {
        dataAuthorizable.authorize(authorizer, action, user, eventAttributes);
    }
}
Also used : AccessDeniedException(org.apache.nifi.authorization.AccessDeniedException) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Authorizable(org.apache.nifi.authorization.resource.Authorizable)

Example 32 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ControllerSearchService method search.

/**
 * Searches the flow for a term, starting at the given process group and descending into every
 * nested process group.
 *
 * <p>A component is only examined when the current user passes a READ check on it, so components
 * the user cannot read never contribute a match. Child groups are visited even when the user
 * cannot read the current group; each child applies its own READ checks.
 *
 * @param results Search results, extended in place with every match found
 * @param search The search term
 * @param group The process group to start from
 */
public void search(final SearchResultsDTO results, final String search, final ProcessGroup group) {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    // The group itself: only searched when readable.
    final ComponentSearchResultDTO groupHit =
            group.isAuthorized(authorizer, RequestAction.READ, user) ? search(search, group) : null;
    if (groupHit != null) {
        // a matching group is reported relative to its parent, not to itself
        // NOTE(review): the helpers receive the user, presumably to limit what is revealed
        // about the parent - confirm in buildResultGroup / buildVersionedGroup.
        groupHit.setParentGroup(buildResultGroup(group.getParent(), user));
        groupHit.setVersionedGroup(buildVersionedGroup(group.getParent(), user));
        results.getProcessGroupResults().add(groupHit);
    }

    // Processors
    for (final ProcessorNode processor : group.getProcessors()) {
        if (!processor.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, processor);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getProcessorResults().add(hit);
    }

    // Connections
    for (final Connection conn : group.getConnections()) {
        if (!conn.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, conn);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getConnectionResults().add(hit);
    }

    // Remote process groups
    for (final RemoteProcessGroup rpg : group.getRemoteProcessGroups()) {
        if (!rpg.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, rpg);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getRemoteProcessGroupResults().add(hit);
    }

    // Input ports
    for (final Port inputPort : group.getInputPorts()) {
        if (!inputPort.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, inputPort);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getInputPortResults().add(hit);
    }

    // Output ports
    for (final Port outputPort : group.getOutputPorts()) {
        if (!outputPort.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, outputPort);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getOutputPortResults().add(hit);
    }

    // Funnels
    for (final Funnel funnel : group.getFunnels()) {
        if (!funnel.isAuthorized(authorizer, RequestAction.READ, user)) {
            continue;
        }
        final ComponentSearchResultDTO hit = search(search, funnel);
        if (hit == null) {
            continue;
        }
        hit.setGroupId(group.getIdentifier());
        hit.setParentGroup(buildResultGroup(group, user));
        hit.setVersionedGroup(buildVersionedGroup(group, user));
        results.getFunnelResults().add(hit);
    }

    // Recurse unconditionally: readability of this group does not gate its children.
    for (final ProcessGroup child : group.getProcessGroups()) {
        search(results, search, child);
    }
}
Also used : RemoteProcessGroup(org.apache.nifi.groups.RemoteProcessGroup) Funnel(org.apache.nifi.connectable.Funnel) ProcessorNode(org.apache.nifi.controller.ProcessorNode) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Port(org.apache.nifi.connectable.Port) RootGroupPort(org.apache.nifi.remote.RootGroupPort) ComponentSearchResultDTO(org.apache.nifi.web.api.dto.search.ComponentSearchResultDTO) Connection(org.apache.nifi.connectable.Connection) ProcessGroup(org.apache.nifi.groups.ProcessGroup) RemoteProcessGroup(org.apache.nifi.groups.RemoteProcessGroup)

Example 33 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class StandardConnectionDAO method getContent.

/**
 * Returns the content of a FlowFile that is currently queued in the given connection.
 *
 * <p>The current user must pass a READ check on the data authorizable of the connection's source;
 * the FlowFile's attributes are handed to the authorizer with that check.
 *
 * @param id the connection id
 * @param flowFileUuid the UUID of the FlowFile within the connection's queue
 * @param requestUri the request URI, forwarded to the flow controller together with the user identity
 * @return the content stream with the FlowFile's filename and mime-type attributes
 * @throws ResourceNotFoundException if the FlowFile is no longer queued or its content is missing
 * @throws IllegalStateException if reading the content fails with an I/O error
 */
@Override
public DownloadableContent getContent(String id, String flowFileUuid, String requestUri) {
    try {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();
        final Connection connection = locateConnection(id);
        final FlowFileRecord flowFile = connection.getFlowFileQueue().getFlowFile(flowFileUuid);
        if (flowFile == null) {
            throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
        }

        // The FlowFile is looked up before the access check because the check takes its
        // attributes as input.
        // NOTE(review): the "not in the active queue" answer above is therefore given before any
        // data-policy decision in this method - confirm the caller authorizes the connection first.
        final Map<String, String> attributes = flowFile.getAttributes();
        final Authorizable dataAuthorizable = new DataAuthorizable(connection.getSourceAuthorizable());
        dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);

        // filename attribute, falling back to the UUID (should never be needed)
        // NOTE(review): filename and mime-type are FlowFile attributes, i.e. flow data; whatever
        // turns them into response headers should treat them as untrusted.
        final String filenameAttribute = attributes.get(CoreAttributes.FILENAME.key());
        final String filename = filenameAttribute == null ? flowFileUuid : filenameAttribute;
        final String type = attributes.get(CoreAttributes.MIME_TYPE.key());

        // the user identity and request URI accompany the content request
        final InputStream content = flowController.getContent(flowFile, user.getIdentity(), requestUri);
        return new DownloadableContent(filename, type, content);
    } catch (final ContentNotFoundException cnfe) {
        throw new ResourceNotFoundException("Unable to find the specified content.");
    } catch (final IOException ioe) {
        // The I/O detail goes to the log only; the exception handed upward carries a generic message.
        logger.error(String.format("Unable to get the content for flowfile (%s) at this time.", flowFileUuid), ioe);
        throw new IllegalStateException("Unable to get the content at this time.");
    }
}
Also used : DownloadableContent(org.apache.nifi.web.DownloadableContent) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ContentNotFoundException(org.apache.nifi.controller.repository.ContentNotFoundException) InputStream(java.io.InputStream) Connection(org.apache.nifi.connectable.Connection) IOException(java.io.IOException) FlowFileQueue(org.apache.nifi.controller.queue.FlowFileQueue) DataAuthorizable(org.apache.nifi.authorization.resource.DataAuthorizable) DataAuthorizable(org.apache.nifi.authorization.resource.DataAuthorizable) Authorizable(org.apache.nifi.authorization.resource.Authorizable) FlowFileRecord(org.apache.nifi.controller.repository.FlowFileRecord) ResourceNotFoundException(org.apache.nifi.web.ResourceNotFoundException)

Example 34 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class AccessPolicyAuditor method generateAuditRecord.

/**
 * Generates the audit record for the given operation on an access policy.
 *
 * <p>The record is attributed to the current user's identity and timestamped at creation. When no
 * current user is available, no record is built and {@code null} is returned.
 *
 * @param policy the policy the operation was applied to
 * @param operation the operation to record
 * @param actionDetails optional details; left unset on the record when {@code null}
 * @return the audit action, or {@code null} if there is no current user
 */
public Action generateAuditRecord(AccessPolicy policy, Operation operation, ActionDetails actionDetails) {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // Without a user there is nobody to attribute the change to, so nothing is recorded.
    // NOTE(review): callers receive null here - confirm they do not treat that as "already audited".
    if (currentUser == null) {
        return null;
    }

    final FlowChangeAction auditAction = new FlowChangeAction();
    auditAction.setUserIdentity(currentUser.getIdentity());
    auditAction.setOperation(operation);
    auditAction.setTimestamp(new Date());
    auditAction.setSourceId(policy.getIdentifier());
    auditAction.setSourceName(formatPolicyName(policy));
    auditAction.setSourceType(Component.AccessPolicy);
    if (actionDetails != null) {
        auditAction.setActionDetails(actionDetails);
    }
    return auditAction;
}
Also used : NiFiUser(org.apache.nifi.authorization.user.NiFiUser) Date(java.util.Date) FlowChangeAction(org.apache.nifi.action.FlowChangeAction)

Example 35 with NiFiUser

use of org.apache.nifi.authorization.user.NiFiUser in project nifi by apache.

the class ControllerServiceAuditor method updateControllerServiceReferenceAdvice.

/**
 * Audits the update of the components that reference a controller service.
 *
 * <p>The intercepted DAO call runs first; audit actions are collected and saved only after it has
 * returned, so a call that throws leaves no audit actions from this advice. Nothing is recorded
 * when there is no current user.
 *
 * @param proceedingJoinPoint join point of the intercepted DAO call
 * @return the ControllerServiceReference returned by the intercepted call
 * @throws Throwable whatever the intercepted call throws
 */
@Around("within(org.apache.nifi.web.dao.ControllerServiceDAO+) && " + "execution(org.apache.nifi.controller.service.ControllerServiceReference " + "updateControllerServiceReferencingComponents(java.lang.String, org.apache.nifi.controller.ScheduledState, " + "org.apache.nifi.controller.service.ControllerServiceState))")
public Object updateControllerServiceReferenceAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
    // let the actual update happen before anything is audited
    final ControllerServiceReference reference = (ControllerServiceReference) proceedingJoinPoint.proceed();

    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
    if (currentUser == null) {
        // no user to attribute the actions to, so the update goes unrecorded
        return reference;
    }

    final Collection<Action> collected = new ArrayList<>();

    // seed the visited list with the referenced service itself
    final Collection<String> visited = new ArrayList<>();
    visited.add(reference.getReferencedComponent().getIdentifier());

    // gather the update actions for every referencing component
    getUpdateActionsForReferencingComponents(currentUser, collected, visited, reference.getReferencingComponents());

    // persist only when something was gathered
    if (!collected.isEmpty()) {
        saveActions(collected, logger);
    }
    return reference;
}
Also used : FlowChangeAction(org.apache.nifi.action.FlowChangeAction) Action(org.apache.nifi.action.Action) NiFiUser(org.apache.nifi.authorization.user.NiFiUser) ControllerServiceReference(org.apache.nifi.controller.service.ControllerServiceReference) ArrayList(java.util.ArrayList) Around(org.aspectj.lang.annotation.Around)

Aggregations

NiFiUser (org.apache.nifi.authorization.user.NiFiUser)127 Date (java.util.Date)47 FlowChangeAction (org.apache.nifi.action.FlowChangeAction)42 ArrayList (java.util.ArrayList)33 Authorizable (org.apache.nifi.authorization.resource.Authorizable)32 Action (org.apache.nifi.action.Action)29 HashMap (java.util.HashMap)27 Map (java.util.Map)26 AccessDeniedException (org.apache.nifi.authorization.AccessDeniedException)26 RevisionDTO (org.apache.nifi.web.api.dto.RevisionDTO)26 IOException (java.io.IOException)25 Set (java.util.Set)25 ScheduledState (org.apache.nifi.controller.ScheduledState)25 Collectors (java.util.stream.Collectors)24 UUID (java.util.UUID)23 ControllerServiceState (org.apache.nifi.controller.service.ControllerServiceState)22 AffectedComponentDTO (org.apache.nifi.web.api.dto.AffectedComponentDTO)22 DtoFactory (org.apache.nifi.web.api.dto.DtoFactory)22 AffectedComponentEntity (org.apache.nifi.web.api.entity.AffectedComponentEntity)22 ProcessorEntity (org.apache.nifi.web.api.entity.ProcessorEntity)22