use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.
the class SecureLdapIT method testCreateTenantFails.
@Test
public void testCreateTenantFails() throws Exception {
// Given: the server has been configured with the LdapUserGroupProvider, which is non-configurable,
// and: the client wants to create a tenant
Tenant tenant = new Tenant();
tenant.setIdentity("new_tenant");
// When: the POST /tenants/users endpoint is accessed
final Response createUserResponse = client.target(createURL("tenants/users")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
// Then: an error is returned
assertEquals(409, createUserResponse.getStatus());
// When: the POST /tenants/users endpoint is accessed
final Response createUserGroupResponse = client.target(createURL("tenants/user-groups")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
// Then: an error is returned because the UserGroupProvider is non-configurable
assertEquals(409, createUserGroupResponse.getStatus());
}
use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.
the class SecureFileIT method testCreateUser.
@Test
public void testCreateUser() throws Exception {
// Given: the server has been configured with FileUserGroupProvider, which is configurable,
// and: the initial admin client wants to create a tenant
Tenant tenant = new Tenant();
tenant.setIdentity("New User");
// When: the POST /tenants/users endpoint is accessed
final Response createUserResponse = client.target(createURL("tenants/users")).request().post(Entity.entity(tenant, MediaType.APPLICATION_JSON_TYPE), Response.class);
// Then: "201 created" is returned with the expected user
assertEquals(201, createUserResponse.getStatus());
User actualUser = createUserResponse.readEntity(User.class);
assertNotNull(actualUser.getIdentifier());
try {
assertEquals(tenant.getIdentity(), actualUser.getIdentity());
assertEquals(true, actualUser.getConfigurable());
assertEquals(0, actualUser.getUserGroups().size());
assertEquals(0, actualUser.getAccessPolicies().size());
assertEquals(new ResourcePermissions(), actualUser.getResourcePermissions());
} finally {
// cleanup user for other tests
client.target(createURL("tenants/users/" + actualUser.getIdentifier())).request().delete();
}
}
use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.
the class SecureLdapIT method testAccessPolicyCreation.
@Test
public void testAccessPolicyCreation() throws Exception {
// Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
String nobelId = getTenantIdentifierByIdentity("nobel");
// a group containing user "nobel"
String chemistsId = getTenantIdentifierByIdentity("chemists");
final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request().header("Authorization", "Basic " + basicAuthCredentials).post(null, String.class);
// When: user nobel re-checks top-level permissions
final CurrentUser currentUser = client.target(createURL("/access")).request().header("Authorization", "Bearer " + nobelAuthToken).get(CurrentUser.class);
// Then: 200 OK is returned indicating user has access to no top-level resources
assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());
// When: nifiadmin creates a bucket
final Bucket bucket = new Bucket();
bucket.setName("Integration Test Bucket");
bucket.setDescription("A bucket created by an integration test.");
Response adminCreatesBucketResponse = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);
// Then: the server returns a 200 OK
assertEquals(200, adminCreatesBucketResponse.getStatus());
Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);
// When: user nobel initial queries /buckets
final Bucket[] buckets1 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
// Then: an empty list is returned (nobel has no read access yet)
assertNotNull(buckets1);
assertEquals(0, buckets1.length);
// When: nifiadmin grants read access on createdBucket to 'chemists' a group containing nobel
AccessPolicy readPolicy = new AccessPolicy();
readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
readPolicy.setAction("read");
readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
// Then: the server returns a 201 Created
assertEquals(201, adminGrantsReadAccessResponse.getStatus());
// When: nifiadmin tries to list all buckets
final Bucket[] adminBuckets = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).get(Bucket[].class);
// Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
assertNotNull(adminBuckets);
assertEquals(1, adminBuckets.length);
assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());
// When: user nobel re-queries /buckets
final Bucket[] buckets2 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
// Then: the created bucket is now present
assertNotNull(buckets2);
assertEquals(1, buckets2.length);
assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());
// When: nifiadmin grants write access on createdBucket to user 'nobel'
AccessPolicy writePolicy = new AccessPolicy();
writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
writePolicy.setAction("write");
writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
// Then: the server returns a 201 Created
assertEquals(201, adminGrantsWriteAccessResponse.getStatus());
// When: user nobel re-queries /buckets
final Bucket[] buckets3 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
// Then: the authorizedActions are updated
assertNotNull(buckets3);
assertEquals(1, buckets3.length);
assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}
use of org.apache.nifi.registry.authorization.Tenant in project nifi-registry by apache.
the class AuthorizationService method userGroupToDTO.
private UserGroup userGroupToDTO(final org.apache.nifi.registry.security.authorization.Group userGroup) {
if (userGroup == null) {
return null;
}
Collection<Tenant> userTenants = userGroup.getUsers() != null ? userGroup.getUsers().stream().map(this::tenantIdToDTO).collect(Collectors.toSet()) : null;
Collection<AccessPolicySummary> accessPolicySummaries = getAccessPolicySummariesForUserGroup(userGroup.getIdentifier());
UserGroup userGroupDTO = new UserGroup(userGroup.getIdentifier(), userGroup.getName());
userGroupDTO.setConfigurable(AuthorizerCapabilityDetection.isGroupConfigurable(authorizer, userGroup));
userGroupDTO.setResourcePermissions(getTopLevelPermissions(userGroupDTO.getIdentifier()));
userGroupDTO.addUsers(userTenants);
userGroupDTO.addAccessPolicies(accessPolicySummaries);
return userGroupDTO;
}
Aggregations