
Example 1 with Users

Use of org.apache.nifi.user.generated.Users in the project nifi by apache.

From the class FileAccessPolicyProvider, method convertLegacyAuthorizedUsers.

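/**
 * Unmarshalls an existing authorized-users.xml and converts the object model to the new model.
 *
 * <p>The conversion runs in three steps: the legacy file is parsed and validated against the users schema,
 * each legacy user's roles are expanded into the access policies mapped for that role, and any user or group
 * access controls declared on ports are turned into data-transfer policies on those ports. Every identity read
 * from the legacy file is passed through the configured identity mappings before it is looked up in the user
 * group provider, so lookups match the identities those users were created with. The resulting policies are
 * appended to {@code authorizations}.
 *
 * @param authorizations the current Authorizations instance that policies will be added to
 * @throws AuthorizerCreationException if the legacy authorized users file that was provided does not exist,
 *         names a user the user group provider does not know, or names a role that cannot be resolved
 * @throws JAXBException if the legacy authorized users file that was provided could not be unmarshalled
 */
private void convertLegacyAuthorizedUsers(final Authorizations authorizations) throws AuthorizerCreationException, JAXBException {
    final File authorizedUsersFile = new File(legacyAuthorizedUsersFile);
    if (!authorizedUsersFile.exists()) {
        throw new AuthorizerCreationException("Legacy Authorized Users File '" + legacyAuthorizedUsersFile + "' does not exists");
    }

    final Users users = unmarshalLegacyUsers(authorizedUsersFile);
    if (users.getUser().isEmpty()) {
        logger.info("Legacy Authorized Users File contained no users, nothing to convert");
        return;
    }

    // every policy created below is seeded with the smallest mapped identity (natural String order), so the
    // seed does not depend on the order in which users appear in the legacy file
    final List<String> userIdentities = new ArrayList<>();
    for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) {
        userIdentities.add(IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings));
    }
    final String seedIdentity = Collections.min(userIdentities);

    final List<Policy> allPolicies = new ArrayList<>();
    convertLegacyRoles(users, seedIdentity, allPolicies);
    convertPortAccessControls(seedIdentity, allPolicies);
    authorizations.getPolicies().getPolicy().addAll(allPolicies);
}

/**
 * Parses the legacy authorized-users file and validates it against the users schema.
 *
 * @param authorizedUsersFile the legacy file, already checked to exist
 * @return the unmarshalled legacy user model
 * @throws JAXBException if the file cannot be read or does not unmarshal (including schema violations)
 */
private Users unmarshalLegacyUsers(final File authorizedUsersFile) throws JAXBException {
    final Unmarshaller unmarshaller = JAXB_USERS_CONTEXT.createUnmarshaller();
    // schema validation rejects malformed input before the object model is walked below
    unmarshaller.setSchema(usersSchema);

    final XMLStreamReader xsr;
    try {
        // the file is operator-supplied input: keep going through XmlUtils.createSafeReader rather than a
        // default StAX factory (presumably the hardened DTD/external-entity configuration lives there — confirm)
        xsr = XmlUtils.createSafeReader(new StreamSource(authorizedUsersFile));
    } catch (XMLStreamException e) {
        logger.error("Encountered an error reading authorized users file: ", e);
        throw new JAXBException("Error reading authorized users file", e);
    }

    final JAXBElement<Users> element = unmarshaller.unmarshal(xsr, org.apache.nifi.user.generated.Users.class);
    return element.getValue();
}

/**
 * Expands each legacy user's roles into the access policies mapped for that role and adds the user to them.
 *
 * @param users the unmarshalled legacy user model (non-empty)
 * @param seedIdentity the identity every newly created policy is seeded with
 * @param allPolicies the accumulator that new policies are created in
 * @throws AuthorizerCreationException if a legacy user is unknown to the user group provider, a role name in
 *         the file is not a known {@link Role}, or a role has no access-policy mapping
 */
private void convertLegacyRoles(final Users users, final String seedIdentity, final List<Policy> allPolicies) throws AuthorizerCreationException {
    final Map<Role, Set<RoleAccessPolicy>> roleAccessPolicies = RoleAccessPolicy.getMappings(rootGroupId);

    for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) {
        // the new user's identity is the mapped DN, which is what the user group provider knows it by
        final String legacyUserDn = IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings);
        final User user = userGroupProvider.getUserByIdentity(legacyUserDn);
        if (user == null) {
            throw new AuthorizerCreationException("Unable to locate legacy user " + legacyUserDn + " to seed policies.");
        }

        for (org.apache.nifi.user.generated.Role jaxbRole : legacyUser.getRole()) {
            final Role role;
            try {
                role = Role.valueOf(jaxbRole.getName());
            } catch (IllegalArgumentException e) {
                // an unrecognised role name in the file would otherwise surface as a bare
                // IllegalArgumentException with no indication of which user or file caused it
                throw new AuthorizerCreationException("Unknown role '" + jaxbRole.getName() + "' for legacy user " + legacyUserDn, e);
            }

            final Set<RoleAccessPolicy> policies = roleAccessPolicies.get(role);
            if (policies == null) {
                // a role with no mapping would otherwise NPE when iterated
                throw new AuthorizerCreationException("No access policy mapping defined for role " + role + " (legacy user " + legacyUserDn + ")");
            }
            for (RoleAccessPolicy roleAccessPolicy : policies) {
                // reuse the matching policy if an earlier user already created it
                final Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, roleAccessPolicy.getResource(), roleAccessPolicy.getAction());
                addUserToPolicy(user.getIdentifier(), policy);
            }
        }
    }
}

/**
 * Converts the user and group access controls declared on each port into write policies on the port's
 * data-transfer resource. Access controls that name an unknown user or group are logged and skipped rather
 * than failing the conversion.
 *
 * @param seedIdentity the identity every newly created policy is seeded with
 * @param allPolicies the accumulator that new policies are created in
 */
private void convertPortAccessControls(final String seedIdentity, final List<Policy> allPolicies) {
    for (PortDTO portDTO : ports) {
        // anything that is not explicitly an input port is treated as an output port
        final ResourceType portType = "inputPort".equals(portDTO.getType()) ? ResourceType.InputPort : ResourceType.OutputPort;
        final Resource resource = ResourceFactory.getDataTransferResource(
                ResourceFactory.getComponentResource(portType, portDTO.getId(), portDTO.getName()));

        if (portDTO.getUserAccessControl() != null) {
            for (String userAccessControl : portDTO.getUserAccessControl()) {
                // the access control holds a raw identity; map it so it matches the identities in the User objects
                final String mappedUserAccessControl = IdentityMappingUtil.mapIdentity(userAccessControl, identityMappings);
                final User foundUser = userGroupProvider.getUserByIdentity(mappedUserAccessControl);
                if (foundUser == null) {
                    logger.warn("Found port with user access control for {} but no user exists with this identity, skipping...", mappedUserAccessControl);
                    continue;
                }
                final Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, resource.getIdentifier(), WRITE_CODE);
                addUserToPolicy(foundUser.getIdentifier(), policy);
            }
        }

        if (portDTO.getGroupAccessControl() != null) {
            for (String groupAccessControl : portDTO.getGroupAccessControl()) {
                final Group foundGroup = findGroupByName(groupAccessControl);
                if (foundGroup == null) {
                    logger.warn("Found port with group access control for {} but no group exists with this name, skipping...", groupAccessControl);
                    continue;
                }
                final Policy policy = getOrCreatePolicy(allPolicies, seedIdentity, resource.getIdentifier(), WRITE_CODE);
                addGroupToPolicy(IdentifierUtil.getIdentifier(groupAccessControl), policy);
            }
        }
    }
}

/**
 * Looks up a group by its name in the user group provider.
 *
 * @param groupName the name from a port's group access control
 * @return the first group whose name equals {@code groupName}, or {@code null} if there is none
 */
private Group findGroupByName(final String groupName) {
    for (Group group : userGroupProvider.getGroups()) {
        if (group.getName().equals(groupName)) {
            return group;
        }
    }
    return null;
}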
