Example 6 with Tenant

use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.

the class SecureLdapIT method testCreateTenantFails.

@Test
public void testCreateTenantFails() throws Exception {
    // Given: the server has been configured with the LdapUserGroupProvider, which is non-configurable,
    // and: the client wants to create a tenant
    Tenant tenant = new Tenant();
    tenant.setIdentity("new_tenant");
    // When: the POST /tenants/users endpoint is accessed
    final Response createUserResponse = client.target(createURL("tenants/users")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
    // Then: an error is returned
    assertEquals(409, createUserResponse.getStatus());
    // When: the POST /tenants/user-groups endpoint is accessed
    final Response createUserGroupResponse = client.target(createURL("tenants/user-groups")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
    // Then: an error is returned because the UserGroupProvider is non-configurable
    assertEquals(409, createUserGroupResponse.getStatus());
}
Also used : Response(javax.ws.rs.core.Response) Tenant(org.apache.nifi.registry.authorization.Tenant) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 7 with Tenant

use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.

the class SecureFileIT method testCreateUser.

@Test
public void testCreateUser() throws Exception {
    // Given: the server has been configured with FileUserGroupProvider, which is configurable,
    // and: the initial admin client wants to create a tenant
    Tenant tenant = new Tenant();
    tenant.setIdentity("New User");
    // When: the POST /tenants/users endpoint is accessed
    final Response createUserResponse = client.target(createURL("tenants/users")).request().post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
    // Then: "201 created" is returned with the expected user
    assertEquals(201, createUserResponse.getStatus());
    User actualUser = createUserResponse.readEntity(User.class);
    assertNotNull(actualUser.getIdentifier());
    try {
        assertEquals(tenant.getIdentity(), actualUser.getIdentity());
        assertEquals(true, actualUser.getConfigurable());
        assertEquals(0, actualUser.getUserGroups().size());
        assertEquals(0, actualUser.getAccessPolicies().size());
        assertEquals(new ResourcePermissions(), actualUser.getResourcePermissions());
    } finally {
        // cleanup user for other tests
        client.target(createURL("tenants/users/" + actualUser.getIdentifier())).request().delete();
    }
}
Also used : Response(javax.ws.rs.core.Response) Tenant(org.apache.nifi.registry.authorization.Tenant) User(org.apache.nifi.registry.authorization.User) ResourcePermissions(org.apache.nifi.registry.authorization.ResourcePermissions) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 8 with Tenant

use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.

the class SecureLdapIT method testAccessPolicyCreation.

@Test
public void testAccessPolicyCreation() throws Exception {
    // Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
    String nobelId = getTenantIdentifierByIdentity("nobel");
    // a group containing user "nobel"
    String chemistsId = getTenantIdentifierByIdentity("chemists");
    final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
    final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request().header("Authorization", "Basic " + basicAuthCredentials).post(null, String.class);
    // When: user nobel re-checks top-level permissions
    final CurrentUser currentUser = client.target(createURL("/access")).request().header("Authorization", "Bearer " + nobelAuthToken).get(CurrentUser.class);
    // Then: 200 OK is returned indicating user has access to no top-level resources
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());
    // When: nifiadmin creates a bucket
    final Bucket bucket = new Bucket();
    bucket.setName("Integration Test Bucket");
    bucket.setDescription("A bucket created by an integration test.");
    Response adminCreatesBucketResponse = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 200 OK
    assertEquals(200, adminCreatesBucketResponse.getStatus());
    Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);
    // When: user nobel initially queries /buckets
    final Bucket[] buckets1 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: an empty list is returned (nobel has no read access yet)
    assertNotNull(buckets1);
    assertEquals(0, buckets1.length);
    // When: nifiadmin grants read access on createdBucket to 'chemists' a group containing nobel
    AccessPolicy readPolicy = new AccessPolicy();
    readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    readPolicy.setAction("read");
    readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
    Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsReadAccessResponse.getStatus());
    // When: nifiadmin tries to list all buckets
    final Bucket[] adminBuckets = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).get(Bucket[].class);
    // Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
    assertNotNull(adminBuckets);
    assertEquals(1, adminBuckets.length);
    assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets2 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the created bucket is now present
    assertNotNull(buckets2);
    assertEquals(1, buckets2.length);
    assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());
    // When: nifiadmin grants write access on createdBucket to user 'nobel'
    AccessPolicy writePolicy = new AccessPolicy();
    writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    writePolicy.setAction("write");
    writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
    Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsWriteAccessResponse.getStatus());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets3 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the authorizedActions are updated
    assertNotNull(buckets3);
    assertEquals(1, buckets3.length);
    assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}
Also used : Response(javax.ws.rs.core.Response) Tenant(org.apache.nifi.registry.authorization.Tenant) CurrentUser(org.apache.nifi.registry.authorization.CurrentUser) Bucket(org.apache.nifi.registry.bucket.Bucket) Permissions(org.apache.nifi.registry.authorization.Permissions) AccessPolicy(org.apache.nifi.registry.authorization.AccessPolicy) Test(org.junit.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)
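The integration test above exercises the authorization model end to end over HTTP, which makes the resolution rule it verifies hard to see in isolation: a grant on the base /buckets resource applies to every bucket, a per-bucket grant adds to it rather than replacing it, and a user collects grants both directly and through group membership. The stand-alone class below is an added illustration of that rule and is not nifi-registry code; its Policy and Permissions types, the hard-coded membership table, the identifiers "nobel-id", "nifiadmin-id", "chemists-id" and "b-1", and the treatment of "/buckets" as a parent of "/buckets/<id>" are all assumptions made for the example (the parent rule follows the comment in the test, not an inspection of the registry's Authorizer).

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Stand-alone model of additive policy resolution. Illustration only, not nifi-registry code. */
public class PolicyResolutionExample {

    /** One grant: a single action on a single resource, for a set of users and a set of groups. */
    static final class Policy {
        final String resource;
        final String action;
        final Set<String> userIds;
        final Set<String> groupIds;

        Policy(String resource, String action, Set<String> userIds, Set<String> groupIds) {
            this.resource = resource;
            this.action = action;
            this.userIds = userIds;
            this.groupIds = groupIds;
        }
    }

    /** Resolved permissions of one caller on one resource. */
    static final class Permissions {
        final boolean canRead;
        final boolean canWrite;
        final boolean canDelete;

        Permissions(boolean canRead, boolean canWrite, boolean canDelete) {
            this.canRead = canRead;
            this.canWrite = canWrite;
            this.canDelete = canDelete;
        }

        @Override
        public String toString() {
            return "read=" + canRead + " write=" + canWrite + " delete=" + canDelete;
        }
    }

    /** Constructed group membership: user id -> group ids (assumed, mirrors the test fixture). */
    static final Map<String, Set<String>> MEMBERSHIP = Map.of(
            "nobel-id", Set.of("chemists-id"),
            "nifiadmin-id", Set.of());

    /**
     * A caller is authorized when any policy for the requested action covers the resource
     * (exactly, or as its parent collection) and names the caller or one of the caller's groups.
     * Grants are a union: nothing here can revoke what another policy allows.
     */
    static boolean isAuthorized(List<Policy> policies, String userId, String resource, String action) {
        Set<String> groups = MEMBERSHIP.getOrDefault(userId, Set.of());
        return policies.stream()
                .filter(p -> p.action.equals(action))
                .filter(p -> p.resource.equals(resource) || resource.startsWith(p.resource + "/"))
                .anyMatch(p -> p.userIds.contains(userId) || !Collections.disjoint(p.groupIds, groups));
    }

    static Permissions permissionsFor(List<Policy> policies, String userId, String resource) {
        return new Permissions(
                isAuthorized(policies, userId, resource, "read"),
                isAuthorized(policies, userId, resource, "write"),
                isAuthorized(policies, userId, resource, "delete"));
    }

    /** Listing filters to the buckets the caller can read, as GET /buckets does in the test. */
    static List<String> listReadable(List<Policy> policies, String userId, List<String> bucketIds) {
        return bucketIds.stream()
                .filter(id -> isAuthorized(policies, userId, "/buckets/" + id, "read"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        String bucketId = "b-1";
        String bucketResource = "/buckets/" + bucketId;
        List<String> allBuckets = List.of(bucketId);
        List<Policy> policies = new ArrayList<>();

        // Initial admin holds read/write/delete on the base /buckets resource (constructed setup).
        for (String action : List.of("read", "write", "delete")) {
            policies.add(new Policy("/buckets", action, Set.of("nifiadmin-id"), Set.of()));
        }

        // Step 1: nobel holds no grants, so the listing is empty.
        System.out.println("nobel sees: " + listReadable(policies, "nobel-id", allBuckets));

        // Step 2: read on the bucket granted to the chemists group; nobel inherits it via membership,
        // and the admin's base grant is unaffected by the per-bucket policy.
        policies.add(new Policy(bucketResource, "read", Set.of(), Set.of("chemists-id")));
        System.out.println("nobel sees: " + listReadable(policies, "nobel-id", allBuckets));
        System.out.println("nobel perms: " + permissionsFor(policies, "nobel-id", bucketResource));
        System.out.println("admin perms: " + permissionsFor(policies, "nifiadmin-id", bucketResource));

        // Step 3: write granted to nobel directly; the group-derived read and the user-level write combine.
        policies.add(new Policy(bucketResource, "write", Set.of("nobel-id"), Set.of()));
        System.out.println("nobel perms: " + permissionsFor(policies, "nobel-id", bucketResource));
    }
}
```

Running main walks the same three states the test asserts on: nobel first sees no buckets, then sees the bucket with read only after the group grant, then read and write after the direct user grant, while the admin's permissions on the bucket stay at read/write/delete throughout. The point a reviewer should take from the union semantics is that a misplaced grant on the base /buckets resource reaches every bucket, present and future, so base-resource policies deserve tighter review than per-bucket ones.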

Example 9 with Tenant

use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.

the class AuthorizationService method userGroupToDTO.

private UserGroup userGroupToDTO(final org.apache.nifi.registry.security.authorization.Group userGroup) {
    if (userGroup == null) {
        return null;
    }
    Collection<Tenant> userTenants = userGroup.getUsers() != null ? userGroup.getUsers().stream().map(this::tenantIdToDTO).collect(Collectors.toSet()) : null;
    Collection<AccessPolicySummary> accessPolicySummaries = getAccessPolicySummariesForUserGroup(userGroup.getIdentifier());
    UserGroup userGroupDTO = new UserGroup(userGroup.getIdentifier(), userGroup.getName());
    userGroupDTO.setConfigurable(AuthorizerCapabilityDetection.isGroupConfigurable(authorizer, userGroup));
    userGroupDTO.setResourcePermissions(getTopLevelPermissions(userGroupDTO.getIdentifier()));
    userGroupDTO.addUsers(userTenants);
    userGroupDTO.addAccessPolicies(accessPolicySummaries);
    return userGroupDTO;
}
Also used : Tenant(org.apache.nifi.registry.authorization.Tenant) AccessPolicySummary(org.apache.nifi.registry.authorization.AccessPolicySummary) UserGroup(org.apache.nifi.registry.authorization.UserGroup)

Aggregations

Tenant (org.apache.nifi.registry.authorization.Tenant)9 Response (javax.ws.rs.core.Response)4 Test (org.junit.Test)4 SpringBootTest (org.springframework.boot.test.context.SpringBootTest)4 AccessPolicySummary (org.apache.nifi.registry.authorization.AccessPolicySummary)2 CurrentUser (org.apache.nifi.registry.authorization.CurrentUser)2 ResourcePermissions (org.apache.nifi.registry.authorization.ResourcePermissions)2 User (org.apache.nifi.registry.authorization.User)2 UserGroup (org.apache.nifi.registry.authorization.UserGroup)2 AccessPolicy (org.apache.nifi.registry.authorization.AccessPolicy)1 Permissions (org.apache.nifi.registry.authorization.Permissions)1 Bucket (org.apache.nifi.registry.bucket.Bucket)1 NiFiUser (org.apache.nifi.registry.security.authorization.user.NiFiUser)1