Examples with NiFiUser org.apache.nifi.registry.security.authorization.user.NiFiUser used on opensource projects

Example 1 with NiFiUser

use of org.apache.nifi.registry.security.authorization.user.NiFiUser in project nifi-registry by apache.

the class AuthorizationService method getTopLevelPermissions.

private ResourcePermissions getTopLevelPermissions() {
    NiFiUser user = NiFiUserUtils.getNiFiUser();
    ResourcePermissions resourcePermissions = new ResourcePermissions();
    final Permissions bucketsPermissions = getPermissionsForResource(authorizableLookup.getBucketsAuthorizable());
    resourcePermissions.setBuckets(bucketsPermissions);
    final Permissions policiesPermissions = getPermissionsForResource(authorizableLookup.getPoliciesAuthorizable());
    resourcePermissions.setPolicies(policiesPermissions);
    final Permissions tenantsPermissions = getPermissionsForResource(authorizableLookup.getTenantsAuthorizable());
    resourcePermissions.setTenants(tenantsPermissions);
    final Permissions proxyPermissions = getPermissionsForResource(authorizableLookup.getProxyAuthorizable());
    resourcePermissions.setProxy(proxyPermissions);
    return resourcePermissions;
}

Example 2 with NiFiUser

use of org.apache.nifi.registry.security.authorization.user.NiFiUser in project nifi-registry by apache.

the class X509IdentityAuthenticationProvider method buildAuthenticatedToken.

@Override
protected AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken requestToken, AuthenticationResponse response) {
    AuthenticationRequest authenticationRequest = requestToken.getAuthenticationRequest();
    String proxiedEntitiesChain = authenticationRequest.getDetails() != null ? (String) authenticationRequest.getDetails() : null;
    if (StringUtils.isBlank(proxiedEntitiesChain)) {
        return super.buildAuthenticatedToken(requestToken, response);
    }
    // build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
    final List<String> proxyChain = ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(proxiedEntitiesChain);
    proxyChain.add(response.getIdentity());
    // add the chain as appropriate to each proxy
    NiFiUser proxy = null;
    for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
        String identity = chainIter.previous();
        // determine if the user is anonymous
        final boolean isAnonymous = StringUtils.isBlank(identity);
        if (isAnonymous) {
            identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
        } else {
            identity = mapIdentity(identity);
        }
        final Set<String> groups = getUserGroups(identity);
        // Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
        String clientAddress = (proxy == null) ? requestToken.getClientAddress() : null;
        proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
        if (chainIter.hasPrevious()) {
            try {
                PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
            } catch (final AccessDeniedException e) {
                throw new UntrustedProxyException(String.format("Untrusted proxy [%s].", identity));
            }
        }
    }
    return new AuthenticationSuccessToken(new NiFiUserDetails(proxy));
}

Example 3 with NiFiUser

use of org.apache.nifi.registry.security.authorization.user.NiFiUser in project nifi-registry by apache.

the class AccessDeniedExceptionMapper method toResponse.

@Override
public Response toResponse(AccessDeniedException exception) {
    // get the current user
    NiFiUser user = NiFiUserUtils.getNiFiUser();
    // if the user was authenticated - forbidden, otherwise unauthorized... the user may be null if the
    // AccessDeniedException was thrown from a /access endpoint that isn't subject to the security
    // filter chain. for instance, one that performs kerberos negotiation
    final Status status;
    if (user == null || user.isAnonymous()) {
        status = Status.UNAUTHORIZED;
    } else {
        status = Status.FORBIDDEN;
    }
    final String identity;
    if (user == null) {
        identity = "<no user found>";
    } else {
        identity = user.toString();
    }
    logger.info(String.format("%s does not have permission to access the requested resource. %s Returning %s response.", identity, exception.getMessage(), status));
    if (logger.isDebugEnabled()) {
        logger.debug(StringUtils.EMPTY, exception);
    }
    return Response.status(status).entity(String.format("%s Contact the system administrator.", exception.getMessage())).type("text/plain").build();
}

Example 4 with NiFiUser

use of org.apache.nifi.registry.security.authorization.user.NiFiUser in project nifi-registry by apache.

the class ResourceAuthorizationFilter method failedAuthorization.

private void failedAuthorization(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Exception failure) throws IOException, ServletException {
    logger.debug("Request filter authorization check failed. Blocking access.");
    NiFiUser user = NiFiUserUtils.getNiFiUser();
    final String identity = (user != null) ? user.toString() : "<no user found>";
    final int status = !userIsAuthenticated() ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN;
    logger.info("{} does not have permission to perform this action on the requested resource. {} Returning {} response.", identity, failure.getMessage(), status);
    logger.debug("", failure);
    if (!response.isCommitted()) {
        response.setStatus(status);
        response.setContentType("text/plain");
        response.getWriter().println(String.format("Access is denied due to: %s Contact the system administrator.", failure.getLocalizedMessage()));
    }
}

Example 5 with NiFiUser

use of org.apache.nifi.registry.security.authorization.user.NiFiUser in project nifi-registry by apache.

the class AuthorizationService method getPermissionsForResource.

public Permissions getPermissionsForResource(Authorizable authorizableResource, Permissions knownParentAuthorizablePermissions) {
    if (knownParentAuthorizablePermissions == null) {
        return getPermissionsForResource(authorizableResource);
    }
    final Permissions permissions = new Permissions(knownParentAuthorizablePermissions);
    NiFiUser user = NiFiUserUtils.getNiFiUser();
    if (!permissions.getCanRead()) {
        permissions.setCanRead(authorizableResource.isAuthorized(authorizer, RequestAction.READ, user));
    }
    if (!permissions.getCanWrite()) {
        permissions.setCanWrite(authorizableResource.isAuthorized(authorizer, RequestAction.WRITE, user));
    }
    if (!permissions.getCanDelete()) {
        permissions.setCanDelete(authorizableResource.isAuthorized(authorizer, RequestAction.DELETE, user));
    }
    return permissions;
}