Search in sources :

Example 1 with Resource

use of org.apache.nifi.registry.security.authorization.Resource in project nifi-registry by apache.

the class Authorizable method authorize.

/**
 * Authorizes the current user for the specified action on the specified resource. This method does imply the user is
 * directly accessing the specified resource.
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @param resourceContext resource context
 */
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    final AuthorizationResult result = authorizer.authorize(request);
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
            // audit authorization request
            if (authorizer instanceof AuthorizationAuditor) {
                ((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
            }
            // denied
            throw new AccessDeniedException(failure.getExplanation());
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            parentProxy.authorize(authorizer, action, user, resourceContext);
        }
    } else if (Result.Denied.equals(result.getResult())) {
        throw new AccessDeniedException(result.getExplanation());
    }
}
Also used : AccessDeniedException(org.apache.nifi.registry.security.authorization.exception.AccessDeniedException) AuthorizationRequest(org.apache.nifi.registry.security.authorization.AuthorizationRequest) Resource(org.apache.nifi.registry.security.authorization.Resource) AuthorizationAuditor(org.apache.nifi.registry.security.authorization.AuthorizationAuditor) AuthorizationResult(org.apache.nifi.registry.security.authorization.AuthorizationResult)

Example 2 with Resource

use of org.apache.nifi.registry.security.authorization.Resource in project nifi-registry by apache.

the class Authorizable method checkAuthorization.

/**
 * Returns the result of an authorization request for the specified user for the specified action on the specified
 * resource. This method does not imply the user is directly attempting to access the specified resource. If the user is
 * attempting a direct access use Authorizable.authorize().
 *
 * @param authorizer authorizer
 * @param action action
 * @param user user
 * @return is authorized
 */
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
    if (user == null) {
        return AuthorizationResult.denied("Unknown user.");
    }
    final Map<String, String> userContext;
    if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
        userContext = new HashMap<>();
        userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
    } else {
        userContext = null;
    }
    final Resource resource = getResource();
    final Resource requestedResource = getRequestedResource();
    final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(false).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
        // build the safe explanation
        final StringBuilder safeDescription = new StringBuilder("Unable to ");
        if (RequestAction.READ.equals(action)) {
            safeDescription.append("view ");
        } else {
            // covers write or delete
            safeDescription.append("modify ");
        }
        safeDescription.append(resource.getSafeDescription()).append(".");
        return safeDescription.toString();
    }).build();
    // perform the authorization
    final AuthorizationResult result = authorizer.authorize(request);
    // verify the results
    if (Result.ResourceNotFound.equals(result.getResult())) {
        final Authorizable parent = getParentAuthorizable();
        if (parent == null) {
            return AuthorizationResult.denied("No applicable policies could be found.");
        } else {
            // create a custom authorizable to override the safe description but still defer to the parent authorizable
            final Authorizable parentProxy = new Authorizable() {

                @Override
                public Authorizable getParentAuthorizable() {
                    return parent.getParentAuthorizable();
                }

                @Override
                public Resource getRequestedResource() {
                    return requestedResource;
                }

                @Override
                public Resource getResource() {
                    final Resource parentResource = parent.getResource();
                    return new Resource() {

                        @Override
                        public String getIdentifier() {
                            return parentResource.getIdentifier();
                        }

                        @Override
                        public String getName() {
                            return parentResource.getName();
                        }

                        @Override
                        public String getSafeDescription() {
                            return resource.getSafeDescription();
                        }
                    };
                }
            };
            return parentProxy.checkAuthorization(authorizer, action, user, resourceContext);
        }
    } else {
        return result;
    }
}
Also used : AuthorizationRequest(org.apache.nifi.registry.security.authorization.AuthorizationRequest) Resource(org.apache.nifi.registry.security.authorization.Resource) AuthorizationResult(org.apache.nifi.registry.security.authorization.AuthorizationResult)

Aggregations

AuthorizationRequest (org.apache.nifi.registry.security.authorization.AuthorizationRequest)2 AuthorizationResult (org.apache.nifi.registry.security.authorization.AuthorizationResult)2 Resource (org.apache.nifi.registry.security.authorization.Resource)2 AuthorizationAuditor (org.apache.nifi.registry.security.authorization.AuthorizationAuditor)1 AccessDeniedException (org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)1