Example 1 with AccessDeniedException
use of org.apache.nifi.registry.security.authorization.exception.AccessDeniedException in project nifi-registry by apache.
the class Authorizable method authorize.
/**
* Authorizes the current user for the specified action on the specified resource. This method does imply the user is
* directly accessing the specified resource.
*
* @param authorizer authorizer
* @param action action
* @param user user
* @param resourceContext resource context
*/
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user.");
}
final Map<String, String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
} else {
userContext = null;
}
final Resource resource = getResource();
final Resource requestedResource = getRequestedResource();
final AuthorizationRequest request = new AuthorizationRequest.Builder().identity(user.getIdentity()).groups(user.getGroups()).anonymous(user.isAnonymous()).accessAttempt(true).action(action).resource(resource).requestedResource(requestedResource).resourceContext(resourceContext).userContext(userContext).explanationSupplier(() -> {
// build the safe explanation
final StringBuilder safeDescription = new StringBuilder("Unable to ");
if (RequestAction.READ.equals(action)) {
safeDescription.append("view ");
} else {
safeDescription.append("modify ");
}
safeDescription.append(resource.getSafeDescription()).append(".");
return safeDescription.toString();
}).build();
final AuthorizationResult result = authorizer.authorize(request);
if (Result.ResourceNotFound.equals(result.getResult())) {
final Authorizable parent = getParentAuthorizable();
if (parent == null) {
final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found.");
// audit authorization request
if (authorizer instanceof AuthorizationAuditor) {
((AuthorizationAuditor) authorizer).auditAccessAttempt(request, failure);
}
// denied
throw new AccessDeniedException(failure.getExplanation());
} else {
// create a custom authorizable to override the safe description but still defer to the parent authorizable
final Authorizable parentProxy = new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return parent.getParentAuthorizable();
}
@Override
public Resource getRequestedResource() {
return requestedResource;
}
@Override
public Resource getResource() {
final Resource parentResource = parent.getResource();
return new Resource() {
@Override
public String getIdentifier() {
return parentResource.getIdentifier();
}
@Override
public String getName() {
return parentResource.getName();
}
@Override
public String getSafeDescription() {
return resource.getSafeDescription();
}
};
}
};
parentProxy.authorize(authorizer, action, user, resourceContext);
}
} else if (Result.Denied.equals(result.getResult())) {
throw new AccessDeniedException(result.getExplanation());
}
}
Also used :
AccessDeniedException(org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)
AuthorizationRequest(org.apache.nifi.registry.security.authorization.AuthorizationRequest)
Resource(org.apache.nifi.registry.security.authorization.Resource)
AuthorizationAuditor(org.apache.nifi.registry.security.authorization.AuthorizationAuditor)
AuthorizationResult(org.apache.nifi.registry.security.authorization.AuthorizationResult)
Example 2 with AccessDeniedException
use of org.apache.nifi.registry.security.authorization.exception.AccessDeniedException in project nifi-registry by apache.
the class X509IdentityAuthenticationProvider method buildAuthenticatedToken.
@Override
protected AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken requestToken, AuthenticationResponse response) {
AuthenticationRequest authenticationRequest = requestToken.getAuthenticationRequest();
String proxiedEntitiesChain = authenticationRequest.getDetails() != null ? (String) authenticationRequest.getDetails() : null;
if (StringUtils.isBlank(proxiedEntitiesChain)) {
return super.buildAuthenticatedToken(requestToken, response);
}
// build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
final List<String> proxyChain = ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(proxiedEntitiesChain);
proxyChain.add(response.getIdentity());
// add the chain as appropriate to each proxy
NiFiUser proxy = null;
for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
String identity = chainIter.previous();
// determine if the user is anonymous
final boolean isAnonymous = StringUtils.isBlank(identity);
if (isAnonymous) {
identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
} else {
identity = mapIdentity(identity);
}
final Set<String> groups = getUserGroups(identity);
// Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
String clientAddress = (proxy == null) ? requestToken.getClientAddress() : null;
proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
if (chainIter.hasPrevious()) {
try {
PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
} catch (final AccessDeniedException e) {
throw new UntrustedProxyException(String.format("Untrusted proxy [%s].", identity));
}
}
}
return new AuthenticationSuccessToken(new NiFiUserDetails(proxy));
}
Also used :
AccessDeniedException(org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)
StandardNiFiUser(org.apache.nifi.registry.security.authorization.user.StandardNiFiUser)
NiFiUser(org.apache.nifi.registry.security.authorization.user.NiFiUser)
UntrustedProxyException(org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)
AuthenticationSuccessToken(org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken)
AuthenticationRequest(org.apache.nifi.registry.security.authentication.AuthenticationRequest)
NiFiUserDetails(org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)
Aggregations
AccessDeniedException (org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)2
AuthenticationRequest (org.apache.nifi.registry.security.authentication.AuthenticationRequest)1
AuthorizationAuditor (org.apache.nifi.registry.security.authorization.AuthorizationAuditor)1
AuthorizationRequest (org.apache.nifi.registry.security.authorization.AuthorizationRequest)1
AuthorizationResult (org.apache.nifi.registry.security.authorization.AuthorizationResult)1
Resource (org.apache.nifi.registry.security.authorization.Resource)1
NiFiUser (org.apache.nifi.registry.security.authorization.user.NiFiUser)1
NiFiUserDetails (org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)1
StandardNiFiUser (org.apache.nifi.registry.security.authorization.user.StandardNiFiUser)1
AuthenticationSuccessToken (org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken)1
UntrustedProxyException (org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)1
