Use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.
Class StandardNiFiServiceFacade, method deleteUserGroup.
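/**
 * Deletes the user group with the given id and returns a snapshot of it as it was
 * just before removal.
 *
 * <p>Every DAO lookup is keyed on the caller-supplied {@code userGroupId} rather than
 * on the looked-up {@link Group}. The previous version null-guarded the member lookup
 * but then dereferenced {@code userGroup} for the policy lookup, so a missing group
 * surfaced as a {@link NullPointerException} here instead of being left to the DAO's
 * own not-found handling.
 *
 * @param revision    the revision the client expects the group to be at
 * @param userGroupId the identifier of the group to delete
 * @return an entity wrapping the pre-deletion snapshot, no revision, and the caller's
 *         permissions on the tenants resource
 */
@Override
public UserGroupEntity deleteUserGroup(final Revision revision, final String userGroupId) {
    final Group userGroup = userGroupDAO.getUserGroup(userGroupId);

    // permissions are reported against the tenants resource, since the group itself is being removed
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getTenant());

    // membership snapshot; null when the DAO returned no group
    final Set<TenantEntity> users = userGroup == null
            ? null
            : userGroup.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet());

    // keyed on userGroupId so an unknown id is handled by the DAO rather than by an NPE on userGroup
    final Set<AccessPolicySummaryEntity> policyEntities = userGroupDAO.getAccessPoliciesForUserGroup(userGroupId).stream()
            .map(ap -> createAccessPolicySummaryEntity(ap))
            .collect(Collectors.toSet());

    final String resourceIdentifier = ResourceFactory.getTenantResource().getIdentifier() + "/" + userGroupId;
    final UserGroupDTO snapshot = deleteComponent(
            revision,
            new Resource() {
                @Override
                public String getIdentifier() {
                    return resourceIdentifier;
                }

                @Override
                public String getName() {
                    return resourceIdentifier;
                }

                @Override
                public String getSafeDescription() {
                    return "User Group " + userGroupId;
                }
            },
            () -> userGroupDAO.deleteUserGroup(userGroupId),
            false, // no user group specific policies to remove
            dtoFactory.createUserGroupDto(userGroup, users, policyEntities));

    return entityFactory.createUserGroupEntity(snapshot, null, permissions);
}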
Use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.
Class StandardNiFiServiceFacade, method updateUser.
/**
 * Applies the supplied user changes under revision control and returns the updated user
 * together with its new revision and the caller's permissions on the tenants resource.
 *
 * @param revision the revision the client expects the user to be at
 * @param userDTO  the requested user state, including the id of the user to update
 * @return the updated user entity
 */
@Override
public UserEntity updateUser(final Revision revision, final UserDTO userDTO) {
    final String userId = userDTO.getId();
    final Authorizable tenantsAuthorizable = authorizableLookup.getTenant();

    // group membership and granted policies are read up front and reused when the DTO is assembled
    final Set<Group> memberOf = userGroupDAO.getUserGroupsForUser(userId);
    final Set<AccessPolicy> grantedPolicies = userGroupDAO.getAccessPoliciesForUser(userId);

    final RevisionUpdate<UserDTO> update = updateComponent(
            revision,
            tenantsAuthorizable,
            () -> userDAO.updateUser(userDTO),
            updatedUser -> {
                final Set<TenantEntity> groupEntities = memberOf.stream()
                        .map(Group::getIdentifier)
                        .map(mapUserGroupIdToTenantEntity())
                        .collect(Collectors.toSet());
                final Set<AccessPolicySummaryEntity> policySummaries = grantedPolicies.stream()
                        .map(policy -> createAccessPolicySummaryEntity(policy))
                        .collect(Collectors.toSet());
                return dtoFactory.createUserDto(updatedUser, groupEntities, policySummaries);
            });

    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(tenantsAuthorizable);
    final RevisionDTO revisionDto = dtoFactory.createRevisionDTO(update.getLastModification());
    return entityFactory.createUserEntity(update.getComponent(), revisionDto, permissions);
}
Use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.
Class StandardNiFiServiceFacade, method createUserEntity.
/**
 * Builds the full {@link UserEntity} for an existing user: its DTO with group membership
 * and policy summaries, its current revision, and the caller's permissions on the tenants
 * resource.
 *
 * @param user the user to describe
 * @return the populated user entity
 */
private UserEntity createUserEntity(final User user) {
    final String userId = user.getIdentifier();

    final RevisionDTO revisionDto = dtoFactory.createRevisionDTO(revisionManager.getRevision(userId));
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getTenant());

    final Set<TenantEntity> groupEntities = userGroupDAO.getUserGroupsForUser(userId).stream()
            .map(Group::getIdentifier)
            .map(mapUserGroupIdToTenantEntity())
            .collect(Collectors.toSet());
    final Set<AccessPolicySummaryEntity> policySummaries = userGroupDAO.getAccessPoliciesForUser(userId).stream()
            .map(policy -> createAccessPolicySummaryEntity(policy))
            .collect(Collectors.toSet());

    final UserDTO userDto = dtoFactory.createUserDto(user, groupEntities, policySummaries);
    return entityFactory.createUserEntity(userDto, revisionDto, permissions);
}
Use of org.apache.nifi.registry.authorization.Permissions in project nifi-registry by apache.
Class SecureLdapIT, method testAccessPolicyCreation.
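/**
 * Verifies that bucket access policies are additive: a user with no top-level
 * permissions sees no buckets, gains read access through a group policy, then gains
 * write access through a user policy, while the admin's full view is unaffected.
 *
 * <p>Responses that are only inspected for their status code are closed explicitly so
 * the underlying connection is released even when an assertion fails; {@code readEntity}
 * already closes the response it consumes.
 *
 * @throws Exception if any request fails
 */
@Test
public void testAccessPolicyCreation() throws Exception {
    // Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
    final String nobelId = getTenantIdentifierByIdentity("nobel");
    // a group containing user "nobel"
    final String chemistsId = getTenantIdentifierByIdentity("chemists");
    final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
    final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request()
            .header("Authorization", "Basic " + basicAuthCredentials)
            .post(null, String.class);

    // When: user nobel re-checks top-level permissions
    final CurrentUser currentUser = client.target(createURL("/access")).request()
            .header("Authorization", "Bearer " + nobelAuthToken)
            .get(CurrentUser.class);

    // Then: 200 OK is returned indicating user has access to no top-level resources
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());

    // When: nifiadmin creates a bucket
    final Bucket bucket = new Bucket();
    bucket.setName("Integration Test Bucket");
    bucket.setDescription("A bucket created by an integration test.");
    final Response adminCreatesBucketResponse = client.target(createURL("buckets")).request()
            .header("Authorization", "Bearer " + adminAuthToken)
            .post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);

    // Then: the server returns a 200 OK
    assertEquals(200, adminCreatesBucketResponse.getStatus());
    // readEntity consumes and closes the response
    final Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);

    // When: user nobel initial queries /buckets
    final Bucket[] buckets1 = client.target(createURL("buckets")).request()
            .header("Authorization", "Bearer " + nobelAuthToken)
            .get(Bucket[].class);

    // Then: an empty list is returned (nobel has no read access yet)
    assertNotNull(buckets1);
    assertEquals(0, buckets1.length);

    // When: nifiadmin grants read access on createdBucket to 'chemists' a group containing nobel
    final AccessPolicy readPolicy = new AccessPolicy();
    readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    readPolicy.setAction("read");
    readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
    final Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request()
            .header("Authorization", "Bearer " + adminAuthToken)
            .post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
    // only the status is needed; close before asserting so the connection is released either way
    final int readPolicyStatus = adminGrantsReadAccessResponse.getStatus();
    adminGrantsReadAccessResponse.close();

    // Then: the server returns a 201 Created
    assertEquals(201, readPolicyStatus);

    // When: nifiadmin tries to list all buckets
    final Bucket[] adminBuckets = client.target(createURL("buckets")).request()
            .header("Authorization", "Bearer " + adminAuthToken)
            .get(Bucket[].class);

    // Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
    assertNotNull(adminBuckets);
    assertEquals(1, adminBuckets.length);
    assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());

    // When: user nobel re-queries /buckets
    final Bucket[] buckets2 = client.target(createURL("buckets")).request()
            .header("Authorization", "Bearer " + nobelAuthToken)
            .get(Bucket[].class);

    // Then: the created bucket is now present
    assertNotNull(buckets2);
    assertEquals(1, buckets2.length);
    assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());

    // When: nifiadmin grants write access on createdBucket to user 'nobel'
    final AccessPolicy writePolicy = new AccessPolicy();
    writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    writePolicy.setAction("write");
    writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
    final Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request()
            .header("Authorization", "Bearer " + adminAuthToken)
            .post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
    final int writePolicyStatus = adminGrantsWriteAccessResponse.getStatus();
    adminGrantsWriteAccessResponse.close();

    // Then: the server returns a 201 Created
    assertEquals(201, writePolicyStatus);

    // When: user nobel re-queries /buckets
    final Bucket[] buckets3 = client.target(createURL("buckets")).request()
            .header("Authorization", "Bearer " + nobelAuthToken)
            .get(Bucket[].class);

    // Then: the authorizedActions are updated
    assertNotNull(buckets3);
    assertEquals(1, buckets3.length);
    assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}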
Use of org.apache.nifi.registry.authorization.Permissions in project nifi-registry by apache.
Class SecureNiFiRegistryClientIT, method testGetAccessStatus.
/**
 * Checks the access status reported for the client's certificate identity: a
 * non-anonymous user holding read, write and delete rights on every top-level
 * resource, and write-only rights on the proxy resource.
 *
 * @throws IOException           if the request cannot be sent
 * @throws NiFiRegistryException if the registry rejects the request
 */
@Test
public void testGetAccessStatus() throws IOException, NiFiRegistryException {
    final UserClient userClient = client.getUserClient();
    final CurrentUser currentUser = userClient.getAccessStatus();

    Assert.assertNotNull(currentUser.getResourcePermissions());
    Assert.assertFalse(currentUser.isAnonymous());
    Assert.assertEquals("CN=user1, OU=nifi", currentUser.getIdentity());

    // every top-level resource grants all three actions to this identity
    final Permissions allActions = new Permissions()
            .withCanRead(true)
            .withCanWrite(true)
            .withCanDelete(true);
    Assert.assertEquals(allActions, currentUser.getResourcePermissions().getAnyTopLevelResource());
    Assert.assertEquals(allActions, currentUser.getResourcePermissions().getBuckets());
    Assert.assertEquals(allActions, currentUser.getResourcePermissions().getTenants());
    Assert.assertEquals(allActions, currentUser.getResourcePermissions().getPolicies());

    // the proxy resource is write-only
    final Permissions proxyOnly = new Permissions().withCanWrite(true);
    Assert.assertEquals(proxyOnly, currentUser.getResourcePermissions().getProxy());
}