
Example 6 with RangerAccessRequestImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.

From the class TestRangerNiFiAuthorizer, method testDenied.

/**
 * A WRITE on {@code /system} by {@code admin} must be denied when Ranger reports the
 * access as not allowed and a policy does exist for the resource.
 *
 * <p>The plugin mock is stubbed through a {@code RangerAccessRequestMatcher}, so the
 * not-allowed answer is only returned for a Ranger request carrying the expected
 * resource, action, access type and user; this pins the NiFi-to-Ranger translation
 * as well as the denied outcome.
 */
@Test
public void testDenied() {
    final String resourceId = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String identity = "admin";

    // incoming NiFi request under test
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceId, resourceId))
            .action(action)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger request the authorizer is expected to build from it
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl expectedResource = new RangerAccessResourceImpl();
    expectedResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceId);
    final RangerAccessRequestImpl expectedRequest = new RangerAccessRequestImpl();
    expectedRequest.setResource(expectedResource);
    expectedRequest.setAction(actionName);
    expectedRequest.setAccessType(actionName);
    expectedRequest.setUser(request.getIdentity());

    // a policy exists for the resource, but Ranger does not allow this access
    when(rangerBasePlugin.doesPolicyExist(resourceId, action)).thenReturn(true);
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRequest)))).thenReturn(notAllowedResult);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
}

Example 7 with RangerAccessRequestImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.

From the class TestRangerNiFiAuthorizer, method runRangerAdminTest.

/**
 * Drives {@code authorize} as the configured Ranger admin identity against
 * {@code resourceIdentifier} and asserts the returned result.
 *
 * <p>The configuration context, plugin mock and authorizer are rebuilt so that the
 * admin identity {@code "ranger-admin"} is configured. The plugin is then stubbed to
 * report that a policy exists and that access is not allowed, so any approval can only
 * come from the authorizer's own admin short-circuit rather than from Ranger; the caller
 * states which outcome it expects through {@code expectedResult}.
 *
 * @param resourceIdentifier NiFi resource identifier the WRITE request targets
 * @param expectedResult     result the authorizer is expected to return
 */
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
    final String adminIdentity = "ranger-admin";

    // configure an authorizer whose Ranger admin identity is adminIdentity
    configurationContext = createMockConfigContext();
    when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP))).thenReturn(new MockPropertyValue(adminIdentity));
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    // incoming NiFi request, issued by the admin identity
    final RequestAction action = RequestAction.WRITE;
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceIdentifier, resourceIdentifier))
            .action(action)
            .identity(adminIdentity)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger request the authorizer is expected to build from it
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl expectedResource = new RangerAccessResourceImpl();
    expectedResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
    final RangerAccessRequestImpl expectedRequest = new RangerAccessRequestImpl();
    expectedRequest.setResource(expectedResource);
    expectedRequest.setAction(actionName);
    expectedRequest.setAccessType(actionName);
    expectedRequest.setUser(request.getIdentity());

    // Ranger itself would deny: a policy exists and the access is not allowed
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRequest)))).thenReturn(notAllowedResult);
    when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, action)).thenReturn(true);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(expectedResult, result.getResult());
}

Example 8 with RangerAccessRequestImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.

From the class RangerNiFiAuthorizer, method authorize.

/**
 * Translates a NiFi {@link AuthorizationRequest} into a Ranger access request, asks the
 * Ranger plugin whether it is allowed, and maps the answer back to a NiFi result.
 *
 * <p>Outcomes, in evaluation order:
 * <ul>
 *   <li>When a Ranger admin identity is configured, a request from exactly that identity
 *       for {@code RESOURCES_RESOURCE} is approved without consulting Ranger. No other
 *       resource is exempted for the admin identity.</li>
 *   <li>Ranger reports the access as allowed: approved.</li>
 *   <li>Ranger reports not allowed (or returns no result) and a policy exists for the
 *       resource: denied, carrying the request's explanation.</li>
 *   <li>No policy exists for the resource: resource-not-found, so NiFi can continue
 *       up the resource hierarchy.</li>
 * </ul>
 *
 * <p>For access attempts the raw Ranger result is retained in {@code resultLookup}
 * (under that map's monitor) for later auditing. The client address from the user
 * context is forwarded to Ranger only when it is non-blank.
 *
 * @param request the NiFi request; its identity, groups, resource identifier, action,
 *                user context and access-attempt flag are read
 * @return the NiFi authorization result
 * @throws AuthorizationAccessException as declared by the overridden method; nothing in
 *         this body throws it directly
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // The configured Ranger admin identity may list the resources without a Ranger policy check.
    final boolean adminListingResources = StringUtils.isNotBlank(rangerAdminIdentity)
            && rangerAdminIdentity.equals(identity)
            && resourceIdentifier.equals(RESOURCES_RESOURCE);
    if (adminListingResources) {
        return AuthorizationResult.approved();
    }

    // client address as supplied in the request's user context, if any
    final String clientIp = request.getUserContext() == null
            ? null
            : request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());

    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    // NiFi action name doubles as both the Ranger action and the Ranger access type
    final String actionName = request.getAction().name();
    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAction(actionName);
    rangerRequest.setAccessType(actionName);
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setAccessTime(new Date());
    if (StringUtils.isNotBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest);

    // keep the raw result so it can be audited later
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
        }
    }

    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    }

    // Not allowed: decide whether no policy covers the resource at all, or one does but
    // excludes this user/action. Only the latter is a real denial.
    final boolean policyExists = nifiPlugin.doesPolicyExist(resourceIdentifier, request.getAction());
    if (!policyExists) {
        return AuthorizationResult.resourceNotFound();
    }

    final String reason = result == null ? null : result.getReason();
    if (reason != null) {
        logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
    }
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}

Example 9 with RangerAccessRequestImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.

From the class TestRangerNiFiAuthorizer, method testResourceNotFound.

/**
 * A WRITE on {@code /system} by {@code admin} must yield resource-not-found when Ranger
 * reports the access as not allowed but no policy exists for the resource.
 *
 * <p>The plugin mock answers {@code notAllowedResult} only for a Ranger request matching
 * the expected translation and accompanied by a non-null result processor; the
 * policy-existence check is stubbed to {@code false}, which is what should steer the
 * authorizer to resource-not-found rather than denied.
 */
@Test
public void testResourceNotFound() {
    final String resourceId = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String identity = "admin";

    // incoming NiFi request under test
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceId, resourceId))
            .action(action)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger request the authorizer is expected to build from it
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl expectedResource = new RangerAccessResourceImpl();
    expectedResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceId);
    final RangerAccessRequestImpl expectedRequest = new RangerAccessRequestImpl();
    expectedRequest.setResource(expectedResource);
    expectedRequest.setAction(actionName);
    expectedRequest.setAccessType(actionName);
    expectedRequest.setUser(request.getIdentity());

    // no policy covers the resource; the access check itself (with a result processor) is not allowed
    when(rangerBasePlugin.doesPolicyExist(resourceId, action)).thenReturn(false);
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRequest)), notNull(RangerAccessResultProcessor.class))).thenReturn(notAllowedResult);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
}

Example 10 with RangerAccessRequestImpl

use of org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl in project nifi by apache.

From the class TestRangerNiFiAuthorizer, method testApprovedWithDirectAccess.

/**
 * A WRITE on {@code /system} by {@code admin}, carrying a client address in the user
 * context, must be approved when Ranger reports the access as allowed.
 *
 * <p>The expected Ranger request includes the client IP taken from
 * {@code UserContextKeys.CLIENT_ADDRESS}, so the matcher also verifies that the
 * authorizer propagates the caller's address to Ranger.
 */
@Test
public void testApprovedWithDirectAccess() {
    final String resourceId = "/system";
    final RequestAction action = RequestAction.WRITE;
    final String identity = "admin";
    final String clientAddress = "192.168.1.1";

    // user context carrying the client address, as NiFi would supply it
    final Map<String, String> userContext = new HashMap<>();
    userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientAddress);

    // incoming NiFi request under test
    final AuthorizationRequest request = new AuthorizationRequest.Builder()
            .resource(new MockResource(resourceId, resourceId))
            .action(action)
            .identity(identity)
            .resourceContext(new HashMap<>())
            .userContext(userContext)
            .accessAttempt(true)
            .anonymous(false)
            .build();

    // the Ranger request the authorizer is expected to build, client IP included
    final String actionName = request.getAction().name();
    final RangerAccessResourceImpl expectedResource = new RangerAccessResourceImpl();
    expectedResource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceId);
    final RangerAccessRequestImpl expectedRequest = new RangerAccessRequestImpl();
    expectedRequest.setResource(expectedResource);
    expectedRequest.setAction(actionName);
    expectedRequest.setAccessType(actionName);
    expectedRequest.setUser(request.getIdentity());
    expectedRequest.setClientIPAddress(clientAddress);

    // Ranger allows the matching request
    when(rangerBasePlugin.isAccessAllowed(argThat(new RangerAccessRequestMatcher(expectedRequest)))).thenReturn(allowedResult);

    final AuthorizationResult result = authorizer.authorize(request);
    assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
}
