Example 6 with AccessPolicy

use of org.apache.nifi.registry.authorization.AccessPolicy in project nifi-registry by apache.

the class AccessPolicyResource method updateAccessPolicy.

/**
 * Update an access policy.
 *
 * @param httpServletRequest request
 * @param identifier         The id of the access policy to update.
 * @param requestAccessPolicy An access policy.
 * @return the updated access policy.
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(value = "Updates a access policy", response = AccessPolicy.class, extensions = { @Extension(name = "access-policy", properties = { @ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = "resource", value = "/policies") }) })
@ApiResponses({ @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400), @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), @ApiResponse(code = 403, message = HttpStatusMessages.MESSAGE_403), @ApiResponse(code = 404, message = HttpStatusMessages.MESSAGE_404), @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry might not be configured to use a ConfigurableAccessPolicyProvider.") })
public Response updateAccessPolicy(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The access policy id.", required = true) @PathParam("id") final String identifier, @ApiParam(value = "The access policy configuration details.", required = true) final AccessPolicy requestAccessPolicy) {
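    // Policies can only be changed when the authorizer supports configurable policies (see the 409 response above).
    verifyAuthorizerSupportsConfigurablePolicies();
    // The caller must hold write permission on /policies before the request body is examined.
    authorizeAccess(RequestAction.WRITE);
    if (requestAccessPolicy == null) {
        throw new IllegalArgumentException("Access policy details must be specified when updating a policy.");
    }
    // The id in the URL path and the id in the JSON body must match, so a request
    // addressed to one policy cannot be used to modify a different one.
    if (!identifier.equals(requestAccessPolicy.getIdentifier())) {
        throw new IllegalArgumentException(String.format("The policy id in the request body (%s) does not equal the " + "policy id of the requested resource (%s).", requestAccessPolicy.getIdentifier(), identifier));
    }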
    AccessPolicy createdPolicy = authorizationService.updateAccessPolicy(requestAccessPolicy);
    String locationUri = generateAccessPolicyUri(createdPolicy);
    return generateOkResponse(createdPolicy).build();
}
Also used : AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) PUT(javax.ws.rs.PUT) ApiResponses(io.swagger.annotations.ApiResponses)

Example 7 with AccessPolicy

use of org.apache.nifi.registry.authorization.AccessPolicy in project nifi-registry by apache.

the class AccessPolicyResource method getAccessPolicy.

/**
 * Retrieves the specified access policy.
 *
 * @param identifier The id of the access policy to retrieve
 * @return An accessPolicyEntity.
 */
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{id}")
@ApiOperation(value = "Gets an access policy", response = AccessPolicy.class, extensions = { @Extension(name = "access-policy", properties = { @ExtensionProperty(name = "action", value = "read"), @ExtensionProperty(name = "resource", value = "/policies") }) })
@ApiResponses({ @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), @ApiResponse(code = 403, message = HttpStatusMessages.MESSAGE_403), @ApiResponse(code = 404, message = HttpStatusMessages.MESSAGE_404), @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409) })
public Response getAccessPolicy(@ApiParam(value = "The access policy id.", required = true) @PathParam("id") final String identifier) {
    verifyAuthorizerIsManaged();
    // Read permission on /policies is checked before the lookup.
    authorizeAccess(RequestAction.READ);
    final AccessPolicy accessPolicy = authorizationService.getAccessPolicy(identifier);
    if (accessPolicy == null) {
        // The requested id is written to the server log only; the message returned to the client is generic.
        logger.warn("The specified access policy id [{}] does not exist.", identifier);
        throw new ResourceNotFoundException("The specified policy does not exist in this registry.");
    }
    return generateOkResponse(accessPolicy).build();
}
Also used : ResourceNotFoundException(org.apache.nifi.registry.exception.ResourceNotFoundException) AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 8 with AccessPolicy

use of org.apache.nifi.registry.authorization.AccessPolicy in project nifi-registry by apache.

the class SecureLdapIT method testAccessPolicyCreation.

@Test
public void testAccessPolicyCreation() throws Exception {
    // Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
    String nobelId = getTenantIdentifierByIdentity("nobel");
    // a group containing user "nobel"
    String chemistsId = getTenantIdentifierByIdentity("chemists");
    final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
    final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request().header("Authorization", "Basic " + basicAuthCredentials).post(null, String.class);
    // When: user nobel re-checks top-level permissions
    final CurrentUser currentUser = client.target(createURL("/access")).request().header("Authorization", "Bearer " + nobelAuthToken).get(CurrentUser.class);
    // Then: 200 OK is returned indicating user has access to no top-level resources
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());
    // When: nifiadmin creates a bucket
    final Bucket bucket = new Bucket();
    bucket.setName("Integration Test Bucket");
    bucket.setDescription("A bucket created by an integration test.");
    Response adminCreatesBucketResponse = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 200 OK
    assertEquals(200, adminCreatesBucketResponse.getStatus());
    Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);
    // When: user nobel initially queries /buckets
    final Bucket[] buckets1 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: an empty list is returned (nobel has no read access yet)
    assertNotNull(buckets1);
    assertEquals(0, buckets1.length);
    // When: nifiadmin grants read access on createdBucket to 'chemists', a group containing nobel
    AccessPolicy readPolicy = new AccessPolicy();
    readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    readPolicy.setAction("read");
    readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
    Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsReadAccessResponse.getStatus());
    // When: nifiadmin tries to list all buckets
    final Bucket[] adminBuckets = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).get(Bucket[].class);
    // Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
    assertNotNull(adminBuckets);
    assertEquals(1, adminBuckets.length);
    assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets2 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the created bucket is now present
    assertNotNull(buckets2);
    assertEquals(1, buckets2.length);
    assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());
    // When: nifiadmin grants write access on createdBucket to user 'nobel'
    AccessPolicy writePolicy = new AccessPolicy();
    writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    writePolicy.setAction("write");
    writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
    Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsWriteAccessResponse.getStatus());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets3 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the authorizedActions are updated
    assertNotNull(buckets3);
    assertEquals(1, buckets3.length);
    assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}
Also used : Response(javax.ws.rs.core.Response) Tenant(org.apache.nifi.registry.authorization.Tenant) CurrentUser(org.apache.nifi.registry.authorization.CurrentUser) Bucket(org.apache.nifi.registry.bucket.Bucket) Permissions(org.apache.nifi.registry.authorization.Permissions) AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 9 with AccessPolicy

use of org.apache.nifi.registry.authorization.AccessPolicy in project nifi-registry by apache.

the class AuthorizationService method accessPolicyToDTO.

private static AccessPolicy accessPolicyToDTO(final org.apache.nifi.registry.security.authorization.AccessPolicy accessPolicy, final Collection<? extends Tenant> userGroups, final Collection<? extends Tenant> users, final Boolean isConfigurable) {
    if (accessPolicy == null) {
        return null;
    }
    final AccessPolicy accessPolicyDTO = new AccessPolicy();
    accessPolicyDTO.setIdentifier(accessPolicy.getIdentifier());
    accessPolicyDTO.setAction(accessPolicy.getAction().toString());
    accessPolicyDTO.setResource(accessPolicy.getResource());
    accessPolicyDTO.setConfigurable(isConfigurable);
    accessPolicyDTO.addUsers(users);
    accessPolicyDTO.addUserGroups(userGroups);
    return accessPolicyDTO;
}
Also used : AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy)

Example 10 with AccessPolicy

use of org.apache.nifi.registry.authorization.AccessPolicy in project nifi-registry by apache.

the class AccessPolicyResource method createAccessPolicy.

/**
 * Create a new access policy.
 *
 * @param httpServletRequest request
 * @param requestAccessPolicy the access policy to create.
 * @return The created access policy.
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Creates an access policy", response = AccessPolicy.class, extensions = { @Extension(name = "access-policy", properties = { @ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = "resource", value = "/policies") }) })
@ApiResponses({ @ApiResponse(code = 400, message = HttpStatusMessages.MESSAGE_400), @ApiResponse(code = 401, message = HttpStatusMessages.MESSAGE_401), @ApiResponse(code = 403, message = HttpStatusMessages.MESSAGE_403), @ApiResponse(code = 409, message = HttpStatusMessages.MESSAGE_409 + " The NiFi Registry might not be configured to use a ConfigurableAccessPolicyProvider.") })
public Response createAccessPolicy(@Context final HttpServletRequest httpServletRequest, @ApiParam(value = "The access policy configuration details.", required = true) final AccessPolicy requestAccessPolicy) {
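    // Policies can only be created when the authorizer supports configurable policies (see the 409 response above).
    verifyAuthorizerSupportsConfigurablePolicies();
    // The caller must hold write permission on /policies before the request body is examined.
    authorizeAccess(RequestAction.WRITE);
    if (requestAccessPolicy == null) {
        throw new IllegalArgumentException("Access policy details must be specified when creating a new policy.");
    }
    // A client-supplied id is rejected on create.
    if (requestAccessPolicy.getIdentifier() != null) {
        throw new IllegalArgumentException("Access policy ID cannot be specified when creating a new policy.");
    }
    if (requestAccessPolicy.getResource() == null) {
        throw new IllegalArgumentException("Resource must be specified when creating a new access policy.");
    }
    // The return value is discarded: this call is made only to validate the action string before the policy is created.
    RequestAction.valueOfValue(requestAccessPolicy.getAction());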
    AccessPolicy createdPolicy = authorizationService.createAccessPolicy(requestAccessPolicy);
    String locationUri = generateAccessPolicyUri(createdPolicy);
    return generateCreatedResponse(URI.create(locationUri), createdPolicy).build();
}
Also used : AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Aggregations

AccessPolicy (org.apache.nifi.registry.authorization.AccessPolicy) 11
ApiOperation (io.swagger.annotations.ApiOperation) 5
ApiResponses (io.swagger.annotations.ApiResponses) 5
Consumes (javax.ws.rs.Consumes) 5
Produces (javax.ws.rs.Produces) 5
Path (javax.ws.rs.Path) 4
ResourceNotFoundException (org.apache.nifi.registry.exception.ResourceNotFoundException) 3
GET (javax.ws.rs.GET) 2
Response (javax.ws.rs.core.Response) 2
AccessPolicySummary (org.apache.nifi.registry.authorization.AccessPolicySummary) 2
ArrayList (java.util.ArrayList) 1
DELETE (javax.ws.rs.DELETE) 1
POST (javax.ws.rs.POST) 1
PUT (javax.ws.rs.PUT) 1
CurrentUser (org.apache.nifi.registry.authorization.CurrentUser) 1
Permissions (org.apache.nifi.registry.authorization.Permissions) 1
Tenant (org.apache.nifi.registry.authorization.Tenant) 1
Bucket (org.apache.nifi.registry.bucket.Bucket) 1
ConfigurableAccessPolicyProvider (org.apache.nifi.registry.security.authorization.ConfigurableAccessPolicyProvider) 1
RequestAction (org.apache.nifi.registry.security.authorization.RequestAction) 1