
Example 1 with PropertyValue

use of org.apache.nifi.registry.util.PropertyValue in project nifi-registry by apache.

Method onConfigured of class FileAccessPolicyProvider.

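/**
 * Configures this provider from the supplied context: resolves the backing
 * {@code UserGroupProvider} by identifier, locates (creating if absent) the
 * authorizations file, maps the initial admin and NiFi identities through the
 * configured identity mappings, and loads the authorizations.
 *
 * @param configurationContext the provider configuration supplied by the framework
 * @throws SecurityProviderCreationException if a required property is missing, the
 *         user group provider cannot be found, or the authorizations file cannot be
 *         created or parsed
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    try {
        // the user group provider is resolved by identifier through the lookup
        final PropertyValue userGroupProviderIdentifier = configurationContext.getProperty(PROP_USER_GROUP_PROVIDER);
        if (!userGroupProviderIdentifier.isSet() || StringUtils.isBlank(userGroupProviderIdentifier.getValue())) {
            throw new SecurityProviderCreationException("The user group provider must be specified.");
        }
        userGroupProvider = userGroupProviderLookup.getUserGroupProvider(userGroupProviderIdentifier.getValue());
        if (userGroupProvider == null) {
            throw new SecurityProviderCreationException("Unable to locate user group provider with identifier " + userGroupProviderIdentifier.getValue());
        }

        final PropertyValue authorizationsPath = configurationContext.getProperty(PROP_AUTHORIZATIONS_FILE);
        if (StringUtils.isBlank(authorizationsPath.getValue())) {
            throw new SecurityProviderCreationException("The authorizations file must be specified.");
        }
        // an absent authorizations file is bootstrapped with an empty document so load() has something to parse
        authorizationsFile = new File(authorizationsPath.getValue());
        if (!authorizationsFile.exists()) {
            logger.info("Creating new authorizations file at {}", authorizationsFile.getAbsolutePath());
            saveAuthorizations(new Authorizations());
        }

        // identity mappings come from nifi-registry.properties and are applied to every identity configured below
        identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));

        final PropertyValue initialAdminIdentityProp = configurationContext.getProperty(PROP_INITIAL_ADMIN_IDENTITY);
        initialAdminIdentity = initialAdminIdentityProp.isSet()
                ? IdentityMappingUtil.mapIdentity(initialAdminIdentityProp.getValue(), identityMappings)
                : null;

        // every property whose key matches NIFI_IDENTITY_PATTERN contributes one (mapped) NiFi identity
        nifiIdentities = new HashSet<>();
        for (Map.Entry<String, String> entry : configurationContext.getProperties().entrySet()) {
            final Matcher matcher = NIFI_IDENTITY_PATTERN.matcher(entry.getKey());
            if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
                nifiIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(), identityMappings));
            }
        }

        load();
        logger.info("Authorizations file loaded at {}", new Date());
    } catch (SecurityProviderCreationException e) {
        // already the declared type; rethrow as-is so the specific message is not buried as a cause
        throw e;
    } catch (JAXBException | IllegalStateException | SAXException e) {
        throw new SecurityProviderCreationException(e);
    }
}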

Example 2 with PropertyValue

use of org.apache.nifi.registry.util.PropertyValue in project nifi-registry by apache.

Method onConfigured of class LdapUserGroupProvider.

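/**
 * Configures the LDAP connection and the user/group search criteria from the supplied
 * context, performs the initial synchronous load of tenants, and schedules the periodic
 * background sync.
 *
 * @param configurationContext the provider configuration supplied by the framework
 * @throws SecurityProviderCreationException if a property holds an unrecognized value,
 *         a required property is missing, the LDAP context cannot be initialized, or the
 *         initial load fails
 */
@Override
public void onConfigured(final AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    final LdapContextSource context = new LdapContextSource();
    final Map<String, Object> baseEnvironment = new HashMap<>();

    // connect/read time out
    setTimeout(configurationContext, baseEnvironment, PROP_CONNECT_TIMEOUT, "com.sun.jndi.ldap.connect.timeout");
    setTimeout(configurationContext, baseEnvironment, PROP_READ_TIMEOUT, "com.sun.jndi.ldap.read.timeout");

    configureAuthentication(configurationContext, context, baseEnvironment);

    // referrals: the enum constant is configured, but the context needs the lowercase value
    final ReferralStrategy referralStrategy = parseEnum(ReferralStrategy.class, "referral strategy",
            configurationContext.getProperty(PROP_REFERRAL_STRATEGY).getValue());
    context.setReferral(referralStrategy.getValue());

    // url (one or more, whitespace separated)
    final String urls = configurationContext.getProperty(PROP_URL).getValue();
    if (StringUtils.isBlank(urls)) {
        throw new SecurityProviderCreationException("LDAP identity provider 'Url' must be specified.");
    }
    context.setUrls(StringUtils.split(urls));

    configureUserSearch(configurationContext);
    configureGroupSearch(configurationContext);
    validateSearchCombination();

    // page size is optional
    final PropertyValue rawPageSize = configurationContext.getProperty(PROP_PAGE_SIZE);
    if (rawPageSize.isSet() && StringUtils.isNotBlank(rawPageSize.getValue())) {
        pageSize = rawPageSize.asInteger();
    }

    // identity mappings come from nifi-registry.properties, if any are provided
    identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));

    // set the base environment if necessary
    if (!baseEnvironment.isEmpty()) {
        context.setBaseEnvironmentProperties(baseEnvironment);
    }
    try {
        // handling initializing beans
        context.afterPropertiesSet();
    } catch (final Exception e) {
        throw new SecurityProviderCreationException(e.getMessage(), e);
    }

    final long syncInterval = parseSyncInterval(configurationContext);

    try {
        // perform the initial load, tenants must be loaded as the configured UserGroupProvider is supplied
        // to the AccessPolicyProvider for granting initial permissions
        load(context);
        // ensure the tenants were successfully synced
        if (tenants.get() == null) {
            throw new SecurityProviderCreationException("Unable to sync users and groups.");
        }
        // schedule the background thread to load the users/groups
        ldapSync.scheduleWithFixedDelay(() -> load(context), syncInterval, syncInterval, TimeUnit.MILLISECONDS);
    } catch (final AuthorizationAccessException e) {
        throw new SecurityProviderCreationException(e);
    }
}

/**
 * Applies the configured authentication strategy to {@code context}. Anonymous binds are
 * read-only; every other strategy binds with the manager DN/password, and LDAPS/START_TLS
 * additionally wire in the configured SSL context when one is provided.
 *
 * @throws SecurityProviderCreationException if the authentication strategy is unrecognized
 */
private void configureAuthentication(final AuthorizerConfigurationContext configurationContext, final LdapContextSource context, final Map<String, Object> baseEnvironment) throws SecurityProviderCreationException {
    final LdapAuthenticationStrategy authenticationStrategy = parseEnum(LdapAuthenticationStrategy.class, "authentication strategy",
            configurationContext.getProperty(PROP_AUTHENTICATION_STRATEGY).getValue());

    if (authenticationStrategy == LdapAuthenticationStrategy.ANONYMOUS) {
        context.setAnonymousReadOnly(true);
        return;
    }

    // every non-anonymous strategy binds with the manager credentials
    context.setUserDn(configurationContext.getProperty(PROP_MANAGER_DN).getValue());
    context.setPassword(configurationContext.getProperty(PROP_MANAGER_PASSWORD).getValue());

    switch (authenticationStrategy) {
        case SIMPLE:
            context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
            break;
        case LDAPS:
            context.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
            // indicate a secure connection
            baseEnvironment.put(Context.SECURITY_PROTOCOL, "ssl");
            final SSLContext ldapsSslContext = getConfiguredSslContext(configurationContext);
            if (ldapsSslContext != null) {
                // initialize the ldaps socket factory prior to use; the environment references it by class name
                LdapsSocketFactory.initialize(ldapsSslContext.getSocketFactory());
                baseEnvironment.put("java.naming.ldap.factory.socket", LdapsSocketFactory.class.getName());
            }
            // NOTE(review): with no configured SSL context the socket factory is left unset, so the
            // JDK default trust material presumably applies — confirm against getConfiguredSslContext
            break;
        case START_TLS:
            final AbstractTlsDirContextAuthenticationStrategy tlsAuthenticationStrategy = new DefaultTlsDirContextAuthenticationStrategy();
            final String rawShutdownGracefully = configurationContext.getProperty("TLS - Shutdown Gracefully").getValue();
            if (StringUtils.isNotBlank(rawShutdownGracefully)) {
                // only an explicit "true" (case-insensitive) enables graceful shutdown
                tlsAuthenticationStrategy.setShutdownTlsGracefully(Boolean.parseBoolean(rawShutdownGracefully));
            }
            final SSLContext startTlsSslContext = getConfiguredSslContext(configurationContext);
            if (startTlsSslContext != null) {
                tlsAuthenticationStrategy.setSslSocketFactory(startTlsSslContext.getSocketFactory());
            }
            context.setAuthenticationStrategy(tlsAuthenticationStrategy);
            break;
        default:
            // ANONYMOUS is handled above; no other constant needs extra wiring
            break;
    }
}

/**
 * Reads and validates the user search criteria into the corresponding fields.
 *
 * @throws SecurityProviderCreationException if a search base is set without an object class or
 *         search scope, or the search scope is unrecognized
 */
private void configureUserSearch(final AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    final PropertyValue rawUserSearchBase = configurationContext.getProperty(PROP_USER_SEARCH_BASE);
    final PropertyValue rawUserObjectClass = configurationContext.getProperty(PROP_USER_OBJECT_CLASS);
    final PropertyValue rawUserSearchScope = configurationContext.getProperty(PROP_USER_SEARCH_SCOPE);

    // if loading the users, ensure the object class and search scope are set
    if (rawUserSearchBase.isSet() && !rawUserObjectClass.isSet()) {
        throw new SecurityProviderCreationException("LDAP user group provider 'User Object Class' must be specified when 'User Search Base' is set.");
    }
    if (rawUserSearchBase.isSet() && !rawUserSearchScope.isSet()) {
        throw new SecurityProviderCreationException("LDAP user group provider 'User Search Scope' must be specified when 'User Search Base' is set.");
    }

    userSearchBase = rawUserSearchBase.getValue();
    userObjectClass = rawUserObjectClass.getValue();
    userSearchFilter = configurationContext.getProperty(PROP_USER_SEARCH_FILTER).getValue();
    userIdentityAttribute = configurationContext.getProperty(PROP_USER_IDENTITY_ATTRIBUTE).getValue();
    userGroupNameAttribute = configurationContext.getProperty(PROP_USER_GROUP_ATTRIBUTE).getValue();
    userGroupReferencedGroupAttribute = configurationContext.getProperty(PROP_USER_GROUP_REFERENCED_GROUP_ATTRIBUTE).getValue();
    userSearchScope = parseEnum(SearchScope.class, "user search scope", rawUserSearchScope.getValue());

    // determine user behavior: no identity attribute means the DN is the identity
    useDnForUserIdentity = StringUtils.isBlank(userIdentityAttribute);
    performUserSearch = StringUtils.isNotBlank(userSearchBase);
}

/**
 * Reads and validates the group search criteria into the corresponding fields.
 *
 * @throws SecurityProviderCreationException if a search base is set without an object class or
 *         search scope, or the search scope is unrecognized
 */
private void configureGroupSearch(final AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    final PropertyValue rawGroupSearchBase = configurationContext.getProperty(PROP_GROUP_SEARCH_BASE);
    final PropertyValue rawGroupObjectClass = configurationContext.getProperty(PROP_GROUP_OBJECT_CLASS);
    final PropertyValue rawGroupSearchScope = configurationContext.getProperty(PROP_GROUP_SEARCH_SCOPE);

    // if loading the groups, ensure the object class and search scope are set
    if (rawGroupSearchBase.isSet() && !rawGroupObjectClass.isSet()) {
        throw new SecurityProviderCreationException("LDAP user group provider 'Group Object Class' must be specified when 'Group Search Base' is set.");
    }
    if (rawGroupSearchBase.isSet() && !rawGroupSearchScope.isSet()) {
        throw new SecurityProviderCreationException("LDAP user group provider 'Group Search Scope' must be specified when 'Group Search Base' is set.");
    }

    groupSearchBase = rawGroupSearchBase.getValue();
    groupObjectClass = rawGroupObjectClass.getValue();
    groupSearchFilter = configurationContext.getProperty(PROP_GROUP_SEARCH_FILTER).getValue();
    groupNameAttribute = configurationContext.getProperty(PROP_GROUP_NAME_ATTRIBUTE).getValue();
    groupMemberAttribute = configurationContext.getProperty(PROP_GROUP_MEMBER_ATTRIBUTE).getValue();
    groupMemberReferencedUserAttribute = configurationContext.getProperty(PROP_GROUP_MEMBER_REFERENCED_USER_ATTRIBUTE).getValue();
    groupSearchScope = parseEnum(SearchScope.class, "group search scope", rawGroupSearchScope.getValue());

    // determine group behavior: no name attribute means the DN is the group name
    useDnForGroupName = StringUtils.isBlank(groupNameAttribute);
    performGroupSearch = StringUtils.isNotBlank(groupSearchBase);
}

/**
 * Enforces the rules that span user and group search configuration; must run after both
 * {@link #configureUserSearch} and {@link #configureGroupSearch}.
 *
 * @throws SecurityProviderCreationException if the combination of settings is inconsistent
 */
private void validateSearchCombination() throws SecurityProviderCreationException {
    // ensure we are either searching users or groups (at least one must be specified)
    if (!performUserSearch && !performGroupSearch) {
        throw new SecurityProviderCreationException("LDAP user group provider 'User Search Base' or 'Group Search Base' must be specified.");
    }
    // ensure group member attribute is set if searching groups but not users
    if (performGroupSearch && !performUserSearch && StringUtils.isBlank(groupMemberAttribute)) {
        throw new SecurityProviderCreationException("'Group Member Attribute' is required when searching groups but not users.");
    }
    // a referenced user attribute only makes sense when users are searched
    if (StringUtils.isNotBlank(groupMemberReferencedUserAttribute) && !performUserSearch) {
        throw new SecurityProviderCreationException("''User Search Base' must be set when specifying 'Group Member Attribute - Referenced User Attribute'.");
    }
    // a referenced group attribute only makes sense when groups are searched
    if (StringUtils.isNotBlank(userGroupReferencedGroupAttribute) && !performGroupSearch) {
        throw new SecurityProviderCreationException("'Group Search Base' must be set when specifying 'User Group Name Attribute - Referenced Group Attribute'.");
    }
}

/**
 * Reads the mandatory sync interval as milliseconds.
 *
 * @throws SecurityProviderCreationException if the interval is missing or not a valid duration
 */
private long parseSyncInterval(final AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    final PropertyValue rawSyncInterval = configurationContext.getProperty(PROP_SYNC_INTERVAL);
    if (!rawSyncInterval.isSet()) {
        throw new SecurityProviderCreationException("The 'Sync Interval' must be specified.");
    }
    try {
        return FormatUtils.getTimeDuration(rawSyncInterval.getValue(), TimeUnit.MILLISECONDS);
    } catch (final IllegalArgumentException iae) {
        throw new SecurityProviderCreationException(String.format("The %s '%s' is not a valid time duration", PROP_SYNC_INTERVAL, rawSyncInterval.getValue()), iae);
    }
}

/**
 * Resolves {@code raw} to a constant of {@code type}, listing the valid constants when it does not
 * match. A {@code null} value is reported the same way instead of surfacing as an NPE.
 *
 * @param type        the enum type to resolve against
 * @param description what the value configures, used in the error message
 * @param raw         the configured text, may be {@code null}
 * @throws SecurityProviderCreationException if {@code raw} is not a constant of {@code type}
 */
private static <E extends Enum<E>> E parseEnum(final Class<E> type, final String description, final String raw) throws SecurityProviderCreationException {
    final String unrecognized = String.format("Unrecognized %s '%s'. Possible values are [%s]", description, raw, StringUtils.join(type.getEnumConstants(), ", "));
    if (raw == null) {
        throw new SecurityProviderCreationException(unrecognized);
    }
    try {
        return Enum.valueOf(type, raw);
    } catch (final IllegalArgumentException iae) {
        // keep the parse failure as the cause rather than dropping it
        throw new SecurityProviderCreationException(unrecognized, iae);
    }
}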

Example 3 with PropertyValue

use of org.apache.nifi.registry.util.PropertyValue in project nifi-registry by apache.

Method setTimeout of class LdapUserGroupProvider.

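/**
 * Copies an optional timeout property into the JNDI environment as a millisecond string.
 * Nothing is written when the property is not configured.
 *
 * @param configurationContext  the provider configuration
 * @param baseEnvironment       the JNDI environment map to populate
 * @param configurationProperty name of the provider property holding a time duration
 * @param environmentKey        the JNDI environment key to set when the property is configured
 * @throws SecurityProviderCreationException if the configured value is not a valid time duration
 */
private void setTimeout(final AuthorizerConfigurationContext configurationContext, final Map<String, Object> baseEnvironment, final String configurationProperty, final String environmentKey) {
    final PropertyValue rawTimeout = configurationContext.getProperty(configurationProperty);
    if (!rawTimeout.isSet()) {
        return;
    }
    final String rawValue = rawTimeout.getValue();
    try {
        final long timeoutMillis = FormatUtils.getTimeDuration(rawValue, TimeUnit.MILLISECONDS);
        baseEnvironment.put(environmentKey, Long.toString(timeoutMillis));
    } catch (final IllegalArgumentException iae) {
        // report the configured text (not the PropertyValue wrapper) and keep the parse failure as the cause
        throw new SecurityProviderCreationException(String.format("The %s '%s' is not a valid time duration", configurationProperty, rawValue), iae);
    }
}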

Example 4 with PropertyValue

use of org.apache.nifi.registry.util.PropertyValue in project nifi-registry by apache.

Method onConfigured of class FileUserGroupProvider.

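/**
 * Configures this provider from the supplied context: locates (creating if absent) the
 * tenants file, maps the initial user identities through the configured identity mappings,
 * loads the tenants and, when a restore location is configured, copies the file there.
 *
 * @param configurationContext the provider configuration supplied by the framework
 * @throws SecurityProviderCreationException if the tenants file is not configured, or it
 *         cannot be created, parsed or copied to the restore location
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    try {
        final PropertyValue tenantsPath = configurationContext.getProperty(PROP_TENANTS_FILE);
        if (StringUtils.isBlank(tenantsPath.getValue())) {
            throw new SecurityProviderCreationException("The users file must be specified.");
        }
        // an absent tenants file is bootstrapped with an empty document so load() has something to parse
        tenantsFile = new File(tenantsPath.getValue());
        if (!tenantsFile.exists()) {
            logger.info("Creating new users file at {}", tenantsFile.getAbsolutePath());
            saveTenants(new Tenants());
        }

        // identity mappings come from nifi-registry.properties and are applied to every identity configured below
        identityMappings = Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));

        // every property whose key matches INITIAL_USER_IDENTITY_PATTERN contributes one (mapped) initial user
        initialUserIdentities = new HashSet<>();
        for (Map.Entry<String, String> entry : configurationContext.getProperties().entrySet()) {
            final Matcher matcher = INITIAL_USER_IDENTITY_PATTERN.matcher(entry.getKey());
            if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
                initialUserIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(), identityMappings));
            }
        }

        load();

        // keep the restore copy of the tenants file in sync with the primary one, if a restore location was configured
        if (restoreTenantsFile != null) {
            FileUtils.copyFile(tenantsFile, restoreTenantsFile, false, false, logger);
        }
        logger.info("Users/Groups file loaded at {}", new Date());
    } catch (SecurityProviderCreationException e) {
        // already the declared type; rethrow as-is so the specific message is not buried as a cause
        throw e;
    } catch (IOException | JAXBException | IllegalStateException | SAXException e) {
        throw new SecurityProviderCreationException(e);
    }
}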

Example 5 with PropertyValue

use of org.apache.nifi.registry.util.PropertyValue in project nifi-registry by apache.

Method onConfigured of class StandardManagedAuthorizer.

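/**
 * Resolves the configured Access Policy Provider and its backing User Group Provider.
 *
 * @param configurationContext the authorizer configuration supplied by the framework
 * @throws SecurityProviderCreationException if the "Access Policy Provider" property is not set,
 *         no provider is registered under that key, or the provider has no User Group Provider
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
    final PropertyValue accessPolicyProviderKey = configurationContext.getProperty("Access Policy Provider");
    if (!accessPolicyProviderKey.isSet()) {
        throw new SecurityProviderCreationException("The Access Policy Provider must be set.");
    }
    final String providerKey = accessPolicyProviderKey.getValue();

    accessPolicyProvider = accessPolicyProviderLookup.getAccessPolicyProvider(providerKey);
    if (accessPolicyProvider == null) {
        // format the raw key (not the PropertyValue wrapper) so the message names what was looked up
        throw new SecurityProviderCreationException(String.format("Unable to locate configured Access Policy Provider: %s", providerKey));
    }

    userGroupProvider = accessPolicyProvider.getUserGroupProvider();
    if (userGroupProvider == null) {
        throw new SecurityProviderCreationException(String.format("Configured Access Policy Provider %s does not contain a User Group Provider", providerKey));
    }
}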
