org.apache.nifi.authorization.exception.AuthorizationAccessException Java Examples

The following examples show how to use org.apache.nifi.authorization.exception.AuthorizationAccessException. Each example is a method taken from the source file named above it; follow the link above each example to reach the original project or source file.
Example #1
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Exposes the mock's in-memory users and groups as a {@link UsersAndAccessPolicies} view.
 * <p>
 * No access policies are ever resolved through this view ({@code getAccessPolicy} always yields
 * {@code null}), so an {@code AbstractPolicyBasedAuthorizer} built on it reports "resource not
 * found" rather than approving anything.
 *
 * @return a view backed by the mock's {@code groups} and {@code getUserByIdentity}
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException {
    return new UsersAndAccessPolicies() {
        @Override
        public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) {
            // the mock never resolves a policy
            return null;
        }

        @Override
        public User getUser(String identity) {
            // delegate to the enclosing mock's identity lookup
            return getUserByIdentity(identity);
        }

        @Override
        public Set<Group> getGroups(String userIdentity) {
            // every group whose member list names the resolved user; empty for an unknown identity
            final Set<Group> memberships = new HashSet<>();
            final User resolved = getUserByIdentity(userIdentity);
            if (resolved != null) {
                final String userId = resolved.getIdentifier();
                for (final Group candidate : groups) {
                    if (candidate.getUsers().contains(userId)) {
                        memberships.add(candidate);
                    }
                }
            }
            return memberships;
        }
    };
}
 
Example #2
Source File: NiFiFlowTestAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Test-only authorizer with a fixed set of identities: a proxy that may only reach the proxy
 * resource, a read-only user, a write-only user and a read/write user. Every other combination of
 * identity, resource and action is denied.
 *
 * @param request the authorization request
 * @return approved for the combinations listed above, otherwise denied (without explanation)
 * @throws AuthorizationAccessException declared by the interface; never thrown here
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceId = request.getResource().getIdentifier();
    final RequestAction action = request.getAction();

    // the proxy identity is approved solely for the proxy resource
    final boolean isProxyResource = ResourceFactory.getProxyResource().getIdentifier().equals(resourceId);
    if (isProxyResource && PROXY_DN.equals(identity)) {
        return AuthorizationResult.approved();
    }

    final boolean mayRead = READ_USER_DN.equals(identity) || READ_WRITE_USER_DN.equals(identity);
    final boolean mayWrite = WRITE_USER_DN.equals(identity) || READ_WRITE_USER_DN.equals(identity);

    if (mayRead && RequestAction.READ.equals(action)) {
        return AuthorizationResult.approved();
    }
    if (mayWrite && RequestAction.WRITE.equals(action)) {
        return AuthorizationResult.approved();
    }

    // default-deny for this fixture; no explanation is attached
    return AuthorizationResult.denied();
}
 
Example #3
Source File: AuthorizerFactoryBean.java (localization_nifi, Apache License 2.0)
/**
 * Builds the permit-all authorizer used when running unsecurely with no authorizer configured.
 * Every request is approved without inspecting it, and the lifecycle callbacks are intentional
 * no-ops.
 *
 * @return a default Authorizer to use when running unsecurely with no authorizer configured
 */
private Authorizer createDefaultAuthorizer() {
    final Authorizer permitAll = new Authorizer() {
        @Override
        public AuthorizationResult authorize(final AuthorizationRequest ignoredRequest) throws AuthorizationAccessException {
            // unconditional approval: nothing about identity, resource or action is examined
            return AuthorizationResult.approved();
        }

        @Override
        public void initialize(AuthorizerInitializationContext ignoredContext) throws AuthorizerCreationException {
            // nothing to initialise
        }

        @Override
        public void onConfigured(AuthorizerConfigurationContext ignoredContext) throws AuthorizerCreationException {
            // no configuration properties are consumed
        }

        @Override
        public void preDestruction() throws AuthorizerDestructionException {
            // no resources to release
        }
    };
    return permitAll;
}
 
Example #4
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Exposes the mock's in-memory users and groups as a {@link UsersAndAccessPolicies} view.
 * <p>
 * No access policies are ever resolved through this view ({@code getAccessPolicy} always yields
 * {@code null}), so an {@code AbstractPolicyBasedAuthorizer} built on it reports "resource not
 * found" rather than approving anything.
 *
 * @return a view backed by the mock's {@code groups} and {@code getUserByIdentity}
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException {
    return new UsersAndAccessPolicies() {
        @Override
        public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) {
            // the mock never resolves a policy
            return null;
        }

        @Override
        public User getUser(String identity) {
            // delegate to the enclosing mock's identity lookup
            return getUserByIdentity(identity);
        }

        @Override
        public Set<Group> getGroups(String userIdentity) {
            // every group whose member list names the resolved user; empty for an unknown identity
            final Set<Group> memberships = new HashSet<>();
            final User resolved = getUserByIdentity(userIdentity);
            if (resolved != null) {
                final String userId = resolved.getIdentifier();
                for (final Group candidate : groups) {
                    if (candidate.getUsers().contains(userId)) {
                        memberships.add(candidate);
                    }
                }
            }
            return memberships;
        }
    };
}
 
Example #5
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Appends a new access policy to the persisted authorizations and reloads the in-memory holder.
 *
 * @param accessPolicy the policy to add
 * @return the policy as re-read from the refreshed holder, looked up by identifier
 * @throws IllegalArgumentException if accessPolicy is null
 * @throws AuthorizationAccessException if the authorizations cannot be saved
 */
@Override
public synchronized AccessPolicy doAddAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    // take tenants and authorizations from the same holder generation
    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Authorizations authorizations = current.getAuthorizations();
    final Tenants tenants = current.getTenants();

    // convert to the JAXB form and append to the top-level policy list
    authorizations.getPolicies().getPolicy().add(createJAXBPolicy(accessPolicy));

    // persist both documents and swap in a freshly built holder
    saveAndRefreshHolder(authorizations, tenants);

    // answer from the refreshed holder so the caller sees exactly what was persisted
    return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
 
Example #6
Source File: AbstractPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Authorizes a request against the users, groups and access policies supplied by
 * {@code getUsersAndAccessPolicies()}.
 * <p>
 * Decision order, which callers rely on: a missing policy for the resource/action yields
 * {@code resourceNotFound} (so the caller may fall back to a parent resource) before the identity is
 * looked up at all; an unknown identity is denied; a known identity is approved only if the policy
 * names the user directly or one of the user's groups. Anything else is denied with the request's
 * explanation.
 *
 * @param request the authorization request
 * @return the authorization result
 * @throws AuthorizationAccessException if the users and policies cannot be retrieved
 */
@Override
public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final UsersAndAccessPolicies view = getUsersAndAccessPolicies();

    // 1. policy for this resource and action; none -> not found, which is not a denial
    final String resourceId = request.getResource().getIdentifier();
    final AccessPolicy policy = view.getAccessPolicy(resourceId, request.getAction());
    if (policy == null) {
        return AuthorizationResult.resourceNotFound();
    }

    // 2. resolve the caller; identities the store does not know are always denied
    final String identity = request.getIdentity();
    final User user = view.getUser(identity);
    if (user == null) {
        return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", identity));
    }

    // 3. direct membership wins; otherwise membership through any of the user's groups
    final Set<Group> userGroups = view.getGroups(user.getIdentity());
    if (policy.getUsers().contains(user.getIdentifier())) {
        return AuthorizationResult.approved();
    }
    if (containsGroup(userGroups, policy)) {
        return AuthorizationResult.approved();
    }

    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}
 
Example #7
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Adds a group to the tenants file after verifying that every member it references exists.
 *
 * @param group the group to add
 * @return the group as re-read from the refreshed holder, looked up by identifier
 * @throws IllegalArgumentException if group is null
 * @throws AuthorizationAccessException if the tenants cannot be saved
 */
@Override
public synchronized Group doAddGroup(Group group) throws AuthorizationAccessException {
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // validate membership before touching anything: checkGroupUsers throws for unknown user ids
    checkGroupUsers(group, tenants.getUsers().getUser());

    // build the JAXB representation: identifier, name, then one member entry per user id
    final org.apache.nifi.authorization.file.tenants.generated.Group persisted =
            new org.apache.nifi.authorization.file.tenants.generated.Group();
    persisted.setIdentifier(group.getIdentifier());
    persisted.setName(group.getName());
    for (final String memberId : group.getUsers()) {
        final org.apache.nifi.authorization.file.tenants.generated.Group.User member =
                new org.apache.nifi.authorization.file.tenants.generated.Group.User();
        member.setIdentifier(memberId);
        persisted.getUser().add(member);
    }

    tenants.getGroups().getGroup().add(persisted);
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
}
 
Example #8
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Updates the membership of an existing access policy and persists the change.
 *
 * @param accessPolicy the policy carrying the new membership, matched by identifier
 * @return the policy as re-read from the refreshed holder, or null if no policy with that
 *         identifier is persisted
 * @throws IllegalArgumentException if accessPolicy is null
 * @throws AuthorizationAccessException if the authorizations cannot be saved
 */
@Override
public synchronized AccessPolicy updateAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // locate the persisted policy with the same identifier; absent -> nothing to update
    final String targetId = accessPolicy.getIdentifier();
    final Policy existing = authorizations.getPolicies().getPolicy().stream()
            .filter(p -> p.getIdentifier().equals(targetId))
            .findFirst()
            .orElse(null);
    if (existing == null) {
        return null;
    }

    // copy the incoming users/groups onto the persisted entry, then persist and reload
    transferUsersAndGroups(accessPolicy, existing);
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getPoliciesById().get(targetId);
}
 
Example #9
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Removes the persisted access policy with the given policy's identifier.
 *
 * @param accessPolicy the policy to delete, matched by identifier
 * @return the argument itself once the deletion has been persisted, or null if no policy with
 *         that identifier was persisted (nothing is written in that case)
 * @throws IllegalArgumentException if accessPolicy is null
 * @throws AuthorizationAccessException if the authorizations cannot be saved
 */
@Override
public synchronized AccessPolicy deleteAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // find the first persisted policy whose identifier matches
    final List<Policy> persisted = authorizations.getPolicies().getPolicy();
    final String targetId = accessPolicy.getIdentifier();
    int matchIndex = -1;
    for (int i = 0; i < persisted.size(); i++) {
        if (persisted.get(i).getIdentifier().equals(targetId)) {
            matchIndex = i;
            break;
        }
    }

    // no match -> nothing persisted, signal with null
    if (matchIndex < 0) {
        return null;
    }

    persisted.remove(matchIndex);
    saveAndRefreshHolder(authorizations, tenants);
    // the caller's instance is returned; the entry no longer exists in the refreshed holder
    return accessPolicy;
}
 
Example #10
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Looks up an access policy by identifier in the current in-memory holder.
 *
 * @param identifier the policy identifier, may be null
 * @return the matching policy, or null if the identifier is null or unknown
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public AccessPolicy getAccessPolicy(final String identifier) throws AuthorizationAccessException {
    // a null identifier is answered with null rather than an exception
    return identifier == null ? null : authorizationsHolder.get().getPoliciesById().get(identifier);
}
 
Example #11
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Saves the Authorizations instance by marshalling to a file, then re-populates the
 * in-memory data structures and sets the new holder.
 *
 * Synchronized to ensure only one thread writes the file at a time.
 *
 * The tenants file is written before the authorizations file. If the second write fails, the
 * tenants file has already been updated on disk while the in-memory holder is left untouched;
 * there is no rollback of the first write.
 *
 * @param authorizations the authorizations to save and populate from
 * @param tenants the tenants to save and populate from
 * @throws AuthorizationAccessException if an error occurs saving the authorizations
 */
private synchronized void saveAndRefreshHolder(final Authorizations authorizations, final Tenants tenants) throws AuthorizationAccessException {
    try {
        // order matters: tenants first, then authorizations
        saveTenants(tenants);
        saveAuthorizations(authorizations);

        // publish the new holder only after both writes succeeded
        this.authorizationsHolder.set(new AuthorizationsHolder(authorizations, tenants));
    } catch (final JAXBException marshallingFailure) {
        // the cause is preserved; the message deliberately carries no file details
        throw new AuthorizationAccessException("Unable to save Authorizations", marshallingFailure);
    }
}
 
Example #12
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Looks up a group by identifier in the current in-memory holder.
 *
 * @param identifier the group identifier, may be null
 * @return the matching group, or null if the identifier is null or unknown
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
    // a null identifier is answered with null rather than an exception
    return identifier == null ? null : authorizationsHolder.get().getGroupsById().get(identifier);
}
 
Example #13
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
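/**
 * Replaces the name and membership of an existing group and persists the change.
 * <p>
 * As in {@code doAddGroup}, every user id the incoming group references is validated against the
 * tenants file before anything is modified, so a group cannot be updated to grant membership to a
 * user that does not exist.
 *
 * @param group the group to update, matched by identifier
 * @return the updated group as re-read from the refreshed holder, or null if no group with that
 *         identifier is persisted
 * @throws IllegalArgumentException if group is null
 * @throws AuthorizationAccessException if the tenants cannot be saved
 */
@Override
public synchronized Group doUpdateGroup(Group group) throws AuthorizationAccessException {
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // locate the persisted group by identifier; absent -> nothing to update
    final String targetId = group.getIdentifier();
    final org.apache.nifi.authorization.file.tenants.generated.Group persisted = tenants.getGroups().getGroup().stream()
            .filter(g -> g.getIdentifier().equals(targetId))
            .findFirst()
            .orElse(null);
    if (persisted == null) {
        return null;
    }

    // consistency with doAddGroup: unknown member ids make checkGroupUsers throw before any change
    checkGroupUsers(group, tenants.getUsers().getUser());

    // membership is replaced wholesale: clear, then one entry per incoming user id
    persisted.getUser().clear();
    for (final String memberId : group.getUsers()) {
        final org.apache.nifi.authorization.file.tenants.generated.Group.User member =
                new org.apache.nifi.authorization.file.tenants.generated.Group.User();
        member.setIdentifier(memberId);
        persisted.getUser().add(member);
    }
    persisted.setName(group.getName());

    saveAndRefreshHolder(authorizations, tenants);
    return this.authorizationsHolder.get().getGroupsById().get(targetId);
}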
 
Example #14
Source File: AuthorizationAccessExceptionMapper.java (localization_nifi, Apache License 2.0)
/**
 * Maps an {@link AuthorizationAccessException} to an HTTP 500 response.
 * <p>
 * The full exception, including its stack trace, is written to the server log; the client receives
 * only the status and the exception message as plain text.
 *
 * @param e the exception raised while the authorizer was consulted
 * @return a text/plain INTERNAL_SERVER_ERROR response carrying {@code e.getMessage()}
 */
@Override
public Response toResponse(AuthorizationAccessException e) {
    final Response.Status status = Response.Status.INTERNAL_SERVER_ERROR;

    // server-side record of the failure, with the stack trace
    logger.error(String.format("%s. Returning %s response.", e, status), e);

    // NOTE(review): the exception message is echoed verbatim to the client, so messages raised
    // as AuthorizationAccessException should stay free of internal detail (paths, configuration).
    return Response.status(status).entity(e.getMessage()).type("text/plain").build();
}
 
Example #15
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Looks up a user by identifier in the current in-memory holder.
 *
 * @param identifier the user identifier, may be null
 * @return the matching user, or null if the identifier is null or unknown
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public User getUser(final String identifier) throws AuthorizationAccessException {
    // a null identifier is answered with null rather than an exception
    return identifier == null ? null : authorizationsHolder.get().getUsersById().get(identifier);
}
 
Example #16
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Looks up a user by identity (the name a caller presents) in the current in-memory holder.
 *
 * @param identity the user identity, may be null
 * @return the matching user, or null if the identity is null or unknown
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public User getUserByIdentity(final String identity) throws AuthorizationAccessException {
    // a null identity is answered with null rather than an exception
    return identity == null ? null : authorizationsHolder.get().getUsersByIdentity().get(identity);
}
 
Example #17
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Changes the identity of an existing user and persists the change. The identifier is the lookup
 * key and is never modified.
 *
 * @param user the user carrying the new identity, matched by identifier
 * @return the user as re-read from the refreshed holder, or null if no user with that identifier
 *         is persisted
 * @throws IllegalArgumentException if user is null
 * @throws AuthorizationAccessException if the tenants cannot be saved
 */
@Override
public synchronized User doUpdateUser(final User user) throws AuthorizationAccessException {
    if (user == null) {
        throw new IllegalArgumentException("User cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // locate the persisted user by identifier; absent -> nothing to update
    final String targetId = user.getIdentifier();
    final org.apache.nifi.authorization.file.tenants.generated.User persisted = tenants.getUsers().getUser().stream()
            .filter(u -> targetId.equals(u.getIdentifier()))
            .findFirst()
            .orElse(null);
    if (persisted == null) {
        return null;
    }

    // only the identity changes
    persisted.setIdentity(user.getIdentity());
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getUsersById().get(targetId);
}
 
Example #18
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
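/**
 * Deletes a group from the tenants file and strips the first reference to it from every access
 * policy, so no policy keeps granting access through a group that no longer exists.
 *
 * @param group the group to delete, matched by identifier
 * @return the argument itself once the deletion has been persisted, or null if no group with that
 *         identifier was persisted (nothing is written in that case)
 * @throws IllegalArgumentException if group is null
 * @throws AuthorizationAccessException if the authorizations or tenants cannot be saved
 */
@Override
public synchronized Group deleteGroup(Group group) throws AuthorizationAccessException {
    // consistent with doAddGroup/doUpdateGroup: reject null up front instead of failing part way
    // through the policy scan with a NullPointerException
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();
    final String targetId = group.getIdentifier();

    // remove the group reference from each policy (first matching reference per policy)
    for (final Policy policy : authorizations.getPolicies().getPolicy()) {
        final Iterator<Policy.Group> refs = policy.getGroup().iterator();
        while (refs.hasNext()) {
            if (refs.next().getIdentifier().equals(targetId)) {
                refs.remove();
                break;
            }
        }
    }

    // then remove the group itself from the top-level list
    boolean removed = false;
    final Iterator<org.apache.nifi.authorization.file.tenants.generated.Group> groupIter = tenants.getGroups().getGroup().iterator();
    while (groupIter.hasNext()) {
        if (targetId.equals(groupIter.next().getIdentifier())) {
            groupIter.remove();
            removed = true;
            break;
        }
    }

    if (!removed) {
        // NOTE(review): any policy references stripped above are not persisted on this path; if
        // getAuthorizations() hands out the live holder instance they have still been altered in memory
        return null;
    }

    saveAndRefreshHolder(authorizations, tenants);
    return group;
}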
 
Example #19
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock deletion: drops the policy from the in-memory set.
 *
 * @param policy the policy to remove
 * @return the argument, whether or not it was present (the file-backed authorizer returns null
 *         when nothing was removed)
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public AccessPolicy deleteAccessPolicy(AccessPolicy policy) throws AuthorizationAccessException {
    final AccessPolicy removed = policy;
    policies.remove(removed);
    return removed;
}
 
Example #20
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Returns every group known to the current in-memory holder.
 *
 * @return all groups from the current holder
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
    final AuthorizationsHolder current = authorizationsHolder.get();
    return current.getAllGroups();
}
 
Example #21
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock addition: records the user in the in-memory set without any validation or persistence.
 *
 * @param user the user to add
 * @return the argument
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public User doAddUser(User user) throws AuthorizationAccessException {
    final User added = user;
    users.add(added);
    return added;
}
 
Example #22
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock accessor: hands out the live in-memory group set, not a copy, so callers can mutate it.
 *
 * @return the mock's group set
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
    final Set<Group> live = groups;
    return live;
}
 
Example #23
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock deletion: drops the group from the in-memory set. Policies referencing the group are left
 * untouched, unlike the file-backed authorizer.
 *
 * @param group the group to remove
 * @return the argument, whether or not it was present
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public Group deleteGroup(Group group) throws AuthorizationAccessException {
    final Group removed = group;
    groups.remove(removed);
    return removed;
}
 
Example #24
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock update implemented as delete-then-add. Note that it goes through the public
 * {@code addGroup} rather than {@code doAddGroup}, so whatever checks the base class performs on
 * add are presumably re-run here (not visible from this file).
 *
 * @param group the replacement group
 * @return whatever {@code addGroup} returns for the replacement
 * @throws AuthorizationAccessException propagated from {@code addGroup}
 */
@Override
public Group doUpdateGroup(Group group) throws AuthorizationAccessException {
    final Group replacement = group;
    deleteGroup(replacement);
    final Group reAdded = addGroup(replacement);
    return reAdded;
}
 
Example #25
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
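/**
 * Mock lookup of a group by identifier.
 *
 * @param identifier the group identifier
 * @return the first group with that identifier, or null if none matches; previously an unknown
 *         identifier surfaced as a NoSuchElementException from an unchecked {@code Optional.get()},
 *         which differs from the null contract the file-backed authorizer exposes
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
    return groups.stream()
            .filter(g -> g.getIdentifier().equals(identifier))
            .findFirst()
            .orElse(null);
}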
 
Example #26
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock addition: records the policy in the in-memory set without validation or persistence.
 *
 * @param accessPolicy the policy to add
 * @return the argument
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
protected AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
    final AccessPolicy added = accessPolicy;
    policies.add(added);
    return added;
}
 
Example #27
Source File: MockPolicyBasedAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Mock addition: records the group in the in-memory set. Member user ids are not validated,
 * unlike the file-backed authorizer.
 *
 * @param group the group to add
 * @return the argument
 * @throws AuthorizationAccessException declared by the interface; never thrown by this mock
 */
@Override
public Group doAddGroup(Group group) throws AuthorizationAccessException {
    final Group added = group;
    groups.add(added);
    return added;
}
 
Example #28
Source File: FileAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Returns every access policy known to the current in-memory holder.
 *
 * @return all policies from the current holder
 * @throws AuthorizationAccessException declared by the interface; not thrown by this lookup
 */
@Override
public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
    final AuthorizationsHolder current = authorizationsHolder.get();
    return current.getAllPolicies();
}
 
Example #29
Source File: RangerNiFiAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Delegates the authorization decision to the Apache Ranger NiFi plugin.
 * <p>
 * Outcomes: approved when the plugin allows access, or for the configured Ranger admin identity
 * requesting the resources listing (that path never consults the plugin); denied when a Ranger
 * policy exists for the resource but the plugin did not allow this user/action; resourceNotFound
 * when no policy exists for the resource, so the caller can fall back to a parent resource.
 *
 * @param request the authorization request
 * @return the authorization result
 * @throws AuthorizationAccessException declared by the interface; not thrown by the visible code
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // if a ranger admin identity was provided, and it equals the identity making the request,
    // and the request is to retrieve the resources, then allow it through
    // (short-circuit: no Ranger lookup and no audit record is produced for this path)
    if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
            && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }

    // client address is taken from the request's user context when one was supplied;
    // NOTE(review): its provenance (direct peer vs. value forwarded by a proxy) is not visible here
    final String clientIp;
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    }

    // the NiFi resource identifier is the only attribute Ranger matches policies on here
    final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    // action and access type are both the NiFi RequestAction name (READ/WRITE)
    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(resource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setAccessTime(new Date()); // legacy java.util.Date required by the plugin API

    if (!StringUtils.isBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    // for a direct access request use the default audit handler so we generate audit logs
    // for non-direct access provide a null result processor so no audit logs get generated
    final RangerAccessResultProcessor resultProcessor = request.isAccessAttempt() ?  defaultAuditHandler : null;

    // the plugin may answer null; that is handled as the not-allowed case below
    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest, resultProcessor);

    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    } else {
        // if result.getIsAllowed() is false, then we need to determine if it was because no policy exists for the
        // given resource, or if it was because a policy exists but not for the given user or action
        final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier());

        if (doesPolicyExist) {
            // Ranger's reason is only logged at debug level; the response carries the request's own
            // explanation, not the Ranger detail
            final String reason = result == null ? null : result.getReason();
            if (reason != null) {
                logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
            }

            // a policy does exist for the resource so we were really denied access here
            return AuthorizationResult.denied(request.getExplanationSupplier().get());
        } else {
            // a policy doesn't exist so return resource not found so NiFi can work back up the resource hierarchy
            return AuthorizationResult.resourceNotFound();
        }
    }
}
 
Example #30
Source File: NiFiTestAuthorizer.java (localization_nifi, Apache License 2.0)
/**
 * Test-only authorizer with a fixed set of identities and resources. The checks run in a fixed
 * order and the first one that matches decides: proxy access, the open flow resource, a component
 * without any policy (to exercise inheritance), the token user, restricted components, and finally
 * the read/write entitlements of the read, write, read/write and privileged users. Everything else
 * is denied.
 *
 * @param request the authorization request
 * @return approved, denied (without explanation) or resourceNotFound as described above
 * @throws AuthorizationAccessException declared by the interface; never thrown here
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceId = request.getResource().getIdentifier();
    final RequestAction action = request.getAction();

    // 1. the proxy identity may reach the proxy resource
    if (ResourceFactory.getProxyResource().getIdentifier().equals(resourceId) && PROXY_DN.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // 2. the flow resource is open to every identity
    if (ResourceFactory.getFlowResource().getIdentifier().equals(resourceId)) {
        return AuthorizationResult.approved();
    }

    // 3. a component with this name has no policy at all, so inheritance is exercised
    if (NO_POLICY_COMPONENT_NAME.equals(request.getResource().getName())) {
        return AuthorizationResult.resourceNotFound();
    }

    // 4. the token user is approved for anything that reaches this point
    if (TOKEN_USER.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // 5. restricted components: privileged user only, explicit denial for everybody else
    if (ResourceFactory.getRestrictedComponentsResource().getIdentifier().equals(resourceId)) {
        return PRIVILEGED_USER_DN.equals(identity)
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    }

    // 6. read / write entitlements; the privileged user holds both
    final boolean isPrivileged = PRIVILEGED_USER_DN.equals(identity);
    final boolean mayRead = isPrivileged || READ_USER_DN.equals(identity) || READ_WRITE_USER_DN.equals(identity);
    final boolean mayWrite = isPrivileged || WRITE_USER_DN.equals(identity) || READ_WRITE_USER_DN.equals(identity);
    if (mayRead && RequestAction.READ.equals(action)) {
        return AuthorizationResult.approved();
    }
    if (mayWrite && RequestAction.WRITE.equals(action)) {
        return AuthorizationResult.approved();
    }

    // default-deny for this fixture; no explanation is attached
    return AuthorizationResult.denied();
}