Examples with Permissions org.apache.nifi.registry.authorization.Permissions used on opensource projects

Example 31 with Permissions

use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.

the class StandardNiFiServiceFacade method deleteUserGroup.

@Override
public UserGroupEntity deleteUserGroup(final Revision revision, final String userGroupId) {
    final Group userGroup = userGroupDAO.getUserGroup(userGroupId);
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getTenant());
    final Set<TenantEntity> users = userGroup != null ? userGroup.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) : null;
    final Set<AccessPolicySummaryEntity> policyEntities = userGroupDAO.getAccessPoliciesForUserGroup(userGroup.getIdentifier()).stream().map(ap -> createAccessPolicySummaryEntity(ap)).collect(Collectors.toSet());
    final String resourceIdentifier = ResourceFactory.getTenantResource().getIdentifier() + "/" + userGroupId;
    final UserGroupDTO snapshot = deleteComponent(revision, new Resource() {

        @Override
        public String getIdentifier() {
            return resourceIdentifier;
        }

        @Override
        public String getName() {
            return resourceIdentifier;
        }

        @Override
        public String getSafeDescription() {
            return "User Group " + userGroupId;
        }
    }, () -> userGroupDAO.deleteUserGroup(userGroupId), // no user group specific policies to remove
    false, dtoFactory.createUserGroupDto(userGroup, users, policyEntities));
    return entityFactory.createUserGroupEntity(snapshot, null, permissions);
}

Example 32 with Permissions

use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.

the class StandardNiFiServiceFacade method updateUser.

@Override
public UserEntity updateUser(final Revision revision, final UserDTO userDTO) {
    final Authorizable usersAuthorizable = authorizableLookup.getTenant();
    final Set<Group> groups = userGroupDAO.getUserGroupsForUser(userDTO.getId());
    final Set<AccessPolicy> policies = userGroupDAO.getAccessPoliciesForUser(userDTO.getId());
    final RevisionUpdate<UserDTO> snapshot = updateComponent(revision, usersAuthorizable, () -> userDAO.updateUser(userDTO), user -> {
        final Set<TenantEntity> tenantEntities = groups.stream().map(g -> g.getIdentifier()).map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet());
        final Set<AccessPolicySummaryEntity> policyEntities = policies.stream().map(ap -> createAccessPolicySummaryEntity(ap)).collect(Collectors.toSet());
        return dtoFactory.createUserDto(user, tenantEntities, policyEntities);
    });
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(usersAuthorizable);
    return entityFactory.createUserEntity(snapshot.getComponent(), dtoFactory.createRevisionDTO(snapshot.getLastModification()), permissions);
}

Example 33 with Permissions

use of org.apache.nifi.registry.authorization.Permissions in project nifi by apache.

the class StandardNiFiServiceFacade method createUserEntity.

private UserEntity createUserEntity(final User user) {
    final RevisionDTO userRevision = dtoFactory.createRevisionDTO(revisionManager.getRevision(user.getIdentifier()));
    final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getTenant());
    final Set<TenantEntity> userGroups = userGroupDAO.getUserGroupsForUser(user.getIdentifier()).stream().map(g -> g.getIdentifier()).map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet());
    final Set<AccessPolicySummaryEntity> policyEntities = userGroupDAO.getAccessPoliciesForUser(user.getIdentifier()).stream().map(ap -> createAccessPolicySummaryEntity(ap)).collect(Collectors.toSet());
    return entityFactory.createUserEntity(dtoFactory.createUserDto(user, userGroups, policyEntities), userRevision, permissions);
}

Example 34 with Permissions

use of org.apache.nifi.registry.authorization.Permissions in project nifi-registry by apache.

the class SecureLdapIT method testAccessPolicyCreation.

@Test
public void testAccessPolicyCreation() throws Exception {
    // Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
    String nobelId = getTenantIdentifierByIdentity("nobel");
    // a group containing user "nobel"
    String chemistsId = getTenantIdentifierByIdentity("chemists");
    final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
    final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request().header("Authorization", "Basic " + basicAuthCredentials).post(null, String.class);
    // When: user nobel re-checks top-level permissions
    final CurrentUser currentUser = client.target(createURL("/access")).request().header("Authorization", "Bearer " + nobelAuthToken).get(CurrentUser.class);
    // Then: 200 OK is returned indicating user has access to no top-level resources
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());
    // When: nifiadmin creates a bucket
    final Bucket bucket = new Bucket();
    bucket.setName("Integration Test Bucket");
    bucket.setDescription("A bucket created by an integration test.");
    Response adminCreatesBucketResponse = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 200 OK
    assertEquals(200, adminCreatesBucketResponse.getStatus());
    Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);
    // When: user nobel initial queries /buckets
    final Bucket[] buckets1 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: an empty list is returned (nobel has no read access yet)
    assertNotNull(buckets1);
    assertEquals(0, buckets1.length);
    // When: nifiadmin grants read access on createdBucket to 'chemists' a group containing nobel
    AccessPolicy readPolicy = new AccessPolicy();
    readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    readPolicy.setAction("read");
    readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
    Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsReadAccessResponse.getStatus());
    // When: nifiadmin tries to list all buckets
    final Bucket[] adminBuckets = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).get(Bucket[].class);
    // Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
    assertNotNull(adminBuckets);
    assertEquals(1, adminBuckets.length);
    assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets2 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the created bucket is now present
    assertNotNull(buckets2);
    assertEquals(1, buckets2.length);
    assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());
    // When: nifiadmin grants write access on createdBucket to user 'nobel'
    AccessPolicy writePolicy = new AccessPolicy();
    writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    writePolicy.setAction("write");
    writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
    Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsWriteAccessResponse.getStatus());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets3 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the authorizedActions are updated
    assertNotNull(buckets3);
    assertEquals(1, buckets3.length);
    assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}

Example 35 with Permissions

use of org.apache.nifi.registry.authorization.Permissions in project nifi-registry by apache.

the class SecureNiFiRegistryClientIT method testGetAccessStatus.

@Test
public void testGetAccessStatus() throws IOException, NiFiRegistryException {
    final UserClient userClient = client.getUserClient();
    final CurrentUser currentUser = userClient.getAccessStatus();
    Assert.assertEquals("CN=user1, OU=nifi", currentUser.getIdentity());
    Assert.assertFalse(currentUser.isAnonymous());
    Assert.assertNotNull(currentUser.getResourcePermissions());
    Permissions fullAccess = new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true);
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getAnyTopLevelResource());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getBuckets());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getTenants());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getPolicies());
    Assert.assertEquals(new Permissions().withCanWrite(true), currentUser.getResourcePermissions().getProxy());
}