use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.
the class TestRangerNiFiAuthorizer method testDenied.
/**
 * A WRITE to {@code /system} by {@code admin}: Ranger returns "not allowed" and a policy does exist
 * for the resource, so the authorizer must report a real denial (not "resource not found").
 */
@Test
public void testDenied() {
    final String resourceId = "/system";
    final RequestAction requestedAction = RequestAction.WRITE;
    final String identity = "admin";

    // the NiFi request under test
    final AuthorizationRequest nifiRequest = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceId, resourceId))
            .action(requestedAction)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger resource/request the authorizer is expected to build from it
    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceId);

    final RangerAccessRequestImpl expected = new RangerAccessRequestImpl();
    expected.setResource(rangerResource);
    expected.setAction(nifiRequest.getAction().name());
    expected.setAccessType(nifiRequest.getAction().name());
    expected.setUser(nifiRequest.getIdentity());

    // Ranger evaluates the single-argument isAccessAllowed call and denies ...
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expected)))).thenReturn(notAllowedResult);
    // ... and a policy covers the resource, so the denial is final rather than "walk up the hierarchy"
    when(rangerBasePlugin.doesPolicyExist(resourceId, requestedAction)).thenReturn(true);

    final AuthorizationResult actual = authorizer.authorize(nifiRequest);
    assertEquals(AuthorizationResult.denied().getResult(), actual.getResult());
}
use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.
the class TestRangerNiFiAuthorizer method runRangerAdminTest.
/**
 * Reconfigures the authorizer with a Ranger admin identity of {@code "ranger-admin"}, then issues a
 * WRITE from that identity against {@code resourceIdentifier} with Ranger stubbed to deny and a policy
 * present, and asserts the outcome is {@code expectedResult}. Lets callers check for which resources
 * the admin-identity bypass applies and for which it falls through to a Ranger denial.
 *
 * @param resourceIdentifier the NiFi resource the admin identity requests
 * @param expectedResult     the authorization outcome the caller expects for that resource
 */
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
    final String adminIdentity = "ranger-admin";

    // a fresh configuration that names the Ranger admin identity ...
    configurationContext = createMockConfigContext();
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
            .thenReturn(new MockPropertyValue(adminIdentity));

    // ... and a fresh plugin mock plus authorizer that picks that configuration up
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    final RequestAction requestedAction = RequestAction.WRITE;

    // the NiFi request under test, sent by the admin identity
    final AuthorizationRequest nifiRequest = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceIdentifier, resourceIdentifier))
            .action(requestedAction)
            .identity(adminIdentity)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger resource/request the authorizer is expected to build from it
    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl expected = new RangerAccessRequestImpl();
    expected.setResource(rangerResource);
    expected.setAction(nifiRequest.getAction().name());
    expected.setAccessType(nifiRequest.getAction().name());
    expected.setUser(nifiRequest.getIdentity());

    // a policy exists for the resource, and Ranger denies the request if it is consulted at all;
    // whether it is consulted depends on the bypass in the authorizer, which is what the caller probes
    when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, requestedAction)).thenReturn(true);
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expected)))).thenReturn(notAllowedResult);

    final AuthorizationResult actual = authorizer.authorize(nifiRequest);
    assertEquals(expectedResult, actual.getResult());
}
use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.
the class RangerNiFiAuthorizer method authorize.
/**
 * Authorizes a NiFi request by translating it into a Ranger access request and delegating the
 * decision to the configured Ranger plugin.
 * <p>
 * Decision order (security-relevant; keep as is):
 * <ol>
 *   <li>If a Ranger admin identity is configured, the caller is exactly that identity, and the request
 *       targets {@code RESOURCES_RESOURCE}, the request is approved without consulting Ranger. The
 *       {@code isNotBlank} guard keeps an unset/blank configuration value from matching a blank identity.
 *       No other request short-circuits.</li>
 *   <li>Otherwise the plugin evaluates the request. For access attempts the raw Ranger result is kept
 *       in {@code resultLookup} so it can be audited later.</li>
 *   <li>An allowed result approves. Anything else, including a {@code null} result, is a denial when a
 *       policy exists for the resource, or "resource not found" otherwise, which lets NiFi walk up the
 *       resource hierarchy and try a parent resource.</li>
 * </ol>
 *
 * @param request the NiFi authorization request (identity, groups, resource, action, optional user context)
 * @return approved, denied (carrying the request's own explanation), or resourceNotFound
 * @throws AuthorizationAccessException declared by the authorizer contract; not thrown directly here
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    // NOTE(review): assumes the identifier is never null, otherwise the equals() below would NPE - confirm at the caller
    final String resourceIdentifier = request.getResource().getIdentifier();

    // Bypass: a configured Ranger admin identity may always read the resources listing, so it can
    // discover what to write policies for. The blank check prevents a blank config value from
    // matching a blank identity; the exact-match equals() prevents prefix/case lookalikes.
    if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity) && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }

    // client address from the user context, if one was supplied; forwarded to Ranger only when non-blank
    final String clientIp;
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    }

    // translate the NiFi request into the Ranger model; the NiFi action name is used for both the
    // Ranger action and the access type
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(resource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setAccessTime(new Date());
    if (!StringUtils.isBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest);

    // keep the raw Ranger result (possibly null) for access attempts so it can be audited later;
    // NOTE(review): presumably drained by the audit path elsewhere in this class - not visible here
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
        }
    }

    // null-safe: a missing result is treated exactly like "not allowed"
    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    } else {
        // not allowed: distinguish "a policy covers this resource but not this user/action" (deny)
        // from "no policy for this resource at all" (not found, so NiFi can try a parent resource)
        final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
        if (doesPolicyExist) {
            // Ranger's reason is only logged at debug level; the caller receives the request's own
            // explanation, so policy details are not leaked in the denial
            final String reason = result == null ? null : result.getReason();
            if (reason != null) {
                logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
            }
            return AuthorizationResult.denied(request.getExplanationSupplier().get());
        } else {
            return AuthorizationResult.resourceNotFound();
        }
    }
}
use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.
the class TestRangerNiFiAuthorizer method testResourceNotFound.
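/**
 * A WRITE to {@code /system} by {@code admin}: Ranger returns "not allowed" and no policy exists for
 * the resource, so the authorizer must report "resource not found" so NiFi can try a parent resource.
 * <p>
 * The {@code isAccessAllowed} stub targets the single-argument overload, which is the one the
 * authorizer actually invokes (and the one the sibling tests stub). The previous two-argument stub
 * with a result-processor matcher never matched that call, so the mock silently returned {@code null}
 * and the test passed without exercising the "not allowed, no policy" path it is meant to cover.
 */
@Test
public void testResourceNotFound() {
    final String systemResource = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String user = "admin";

    // the NiFi request under test
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(systemResource, systemResource))
            .action(action)
            .identity(user)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger resource/request the authorizer is expected to build from it
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);

    final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
    expectedRangerRequest.setResource(resource);
    expectedRangerRequest.setAction(request.getAction().name());
    expectedRangerRequest.setAccessType(request.getAction().name());
    expectedRangerRequest.setUser(request.getIdentity());

    // Ranger denies via the single-argument overload the authorizer calls ...
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))).thenReturn(notAllowedResult);
    // ... and no policy covers the resource, so the outcome must be "not found", not "denied"
    when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(false);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
}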
use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.
the class TestRangerNiFiAuthorizer method testApprovedWithDirectAccess.
/**
 * A WRITE to {@code /system} by {@code admin} whose user context carries a client address: the
 * authorizer must copy that address onto the Ranger request, and an "allowed" result from Ranger
 * must map to an approved outcome. No policy-existence stub is needed on the allowed path.
 */
@Test
public void testApprovedWithDirectAccess() {
    final String resourceId = "/system";
    final RequestAction requestedAction = RequestAction.WRITE;
    final String identity = "admin";
    final String clientAddress = "192.168.1.1";

    // user context carrying the caller's client address
    final Map<String, String> context = new HashMap<>();
    context.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);

    // the NiFi request under test
    final AuthorizationRequest nifiRequest = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceId, resourceId))
            .action(requestedAction)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .userContext(context)
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger resource/request the authorizer is expected to build, including the client address
    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceId);

    final RangerAccessRequestImpl expected = new RangerAccessRequestImpl();
    expected.setResource(rangerResource);
    expected.setAction(nifiRequest.getAction().name());
    expected.setAccessType(nifiRequest.getAction().name());
    expected.setUser(nifiRequest.getIdentity());
    expected.setClientIPAddress(clientAddress);

    // Ranger allows the request through the single-argument overload the authorizer calls
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expected)))).thenReturn(allowedResult);

    final AuthorizationResult actual = authorizer.authorize(nifiRequest);
    assertEquals(AuthorizationResult.approved().getResult(), actual.getResult());
}