Java Code Examples for org.apache.nifi.authorization.resource.Authorizable#authorize()
The following examples show how to use
org.apache.nifi.authorization.resource.Authorizable#authorize() .
Example 1
Source File: StandardConnectionDAO.java From nifi with Apache License 2.0 | 6 votes |
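/**
 * Returns a FlowFile from the queue of the given connection after checking that the
 * current user may READ its data.
 *
 * <p>The FlowFile is fetched before the authorization call because its attributes are
 * handed to {@code authorize}. A UUID that is not in the queue is therefore reported as
 * "not found" before any access decision is made. {@code authorize} returns nothing that
 * is tested here, so a denial has to surface as an exception thrown by that call.
 *
 * @param id identifier passed to {@code locateConnection}
 * @param flowFileUuid UUID of the FlowFile to fetch; caller-supplied and written unmodified
 *        into the not-found message and the error log
 * @return the FlowFile record
 * @throws ResourceNotFoundException if the queue holds no FlowFile with that UUID
 * @throws IllegalStateException if an {@link IOException} is raised inside the lookup
 */
@Override
public FlowFileRecord getFlowFile(String id, String flowFileUuid) {
    try {
        final Connection connection = locateConnection(id);
        final FlowFileQueue queue = connection.getFlowFileQueue();
        final FlowFileRecord flowFile = queue.getFlowFile(flowFileUuid);

        if (flowFile == null) {
            throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
        }

        // Authorize against the data of the connection's source, passing the FlowFile attributes.
        final Map<String, String> attributes = flowFile.getAttributes();
        final Authorizable dataAuthorizable = new DataAuthorizable(connection.getSourceAuthorizable());
        dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), attributes);

        return flowFile;
    } catch (final IOException ioe) {
        logger.error(String.format("Unable to get the flowfile (%s) at this time.", flowFileUuid), ioe);
        // Keep the generic message for the caller, but chain the cause so the failure stays traceable.
        throw new IllegalStateException("Unable to get the FlowFile at this time.", ioe);
    }
}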
Example 2
Source File: AuthorizeParameterReference.java From nifi with Apache License 2.0 | 6 votes |
/**
 * Requires READ on the Parameter Context when at least one proposed property value
 * references a Parameter.
 *
 * <p>No check is made when {@code proposedProperties} or
 * {@code parameterContextAuthorizable} is {@code null}, or when no value references a
 * Parameter.
 *
 * @param proposedProperties proposed property values, keyed by property name; may be {@code null}
 * @param authorizer authorizer handed to {@code authorize}
 * @param parameterContextAuthorizable authorizable of the Parameter Context; may be {@code null}
 * @param user user on whose behalf the check is made
 */
public static void authorizeParameterReferences(final Map<String, String> proposedProperties, final Authorizer authorizer, final Authorizable parameterContextAuthorizable,
                                                final NiFiUser user) {
    if (proposedProperties != null && parameterContextAuthorizable != null) {
        final ParameterParser parser = new ExpressionLanguageAgnosticParameterParser();

        for (final String value : proposedProperties.values()) {
            final ParameterTokenList tokens = parser.parseTokens(value);
            if (tokens.toReferenceList().isEmpty()) {
                continue;
            }

            // The first reference found is enough: one READ check covers the whole context.
            parameterContextAuthorizable.authorize(authorizer, RequestAction.READ, user);
            return;
        }
    }
}
Example 3
Source File: ControllerFacade.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Checks that the current user may replay a provenance event, which takes both READ and
 * WRITE on the data of the component named by the event.
 *
 * @param event provenance event whose replay is requested
 * @throws AccessDeniedException if the event carries no source queue identifier
 */
private void authorizeReplay(final ProvenanceEventRecord event) {
    // Without a source queue there is nothing to authorize against and no replay to offer: deny.
    final boolean queueKnown = event.getSourceQueueIdentifier() != null;
    if (!queueKnown) {
        throw new AccessDeniedException("The connection id in the provenance event is unknown.");
    }

    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // Remote-port events and all other events use different data authorizables.
    final Authorizable target = event.isRemotePortType()
            ? flowController.createRemoteDataAuthorizable(event.getComponentId())
            : flowController.createLocalDataAuthorizable(event.getComponentId());

    // READ is checked first, then WRITE; both use the event's attributes.
    final Map<String, String> attrs = event.getAttributes();
    for (final RequestAction action : new RequestAction[] {RequestAction.READ, RequestAction.WRITE}) {
        target.authorize(authorizer, action, currentUser, attrs);
    }
}
Example 4
Source File: ControllerFacade.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Loads a provenance event by id and returns it as a DTO once the current user has been
 * authorized to READ the data of the component that produced it.
 *
 * <p>The event is loaded before the authorization call because its attributes are handed
 * to {@code authorize}.
 *
 * @param eventId id of the provenance event
 * @return DTO built by {@code createProvenanceEventDto(event, false)}
 * @throws ResourceNotFoundException if the repository returns no event for the id
 * @throws NiFiCoreException if an {@link IOException} is raised; the cause is chained
 */
public ProvenanceEventDTO getProvenanceEvent(final Long eventId) {
    try {
        final ProvenanceEventRecord record = flowController.getProvenanceRepository().getEvent(eventId);
        if (record == null) {
            throw new ResourceNotFoundException("Unable to find the specified event.");
        }

        final Map<String, String> eventAttributes = record.getAttributes();

        // Remote-port events and all other events use different data authorizables.
        final Authorizable target = record.isRemotePortType()
                ? flowController.createRemoteDataAuthorizable(record.getComponentId())
                : flowController.createLocalDataAuthorizable(record.getComponentId());
        target.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), eventAttributes);

        return createProvenanceEventDto(record, false);
    } catch (final IOException ioe) {
        throw new NiFiCoreException("An error occurred while getting the specified event.", ioe);
    }
}
Example 5
Source File: StandardConnectionDAO.java From localization_nifi with Apache License 2.0 | 6 votes |
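/**
 * Fetches a FlowFile from a connection's queue and returns it only after the current
 * user has passed a READ check on the data of the connection's source.
 *
 * <p>The lookup runs before the access check because the FlowFile's attributes are an
 * input to {@code authorize}; an unknown UUID is answered with "not found" before any
 * access decision. The result of {@code authorize} is not inspected, so a denial must be
 * raised by that call as an exception.
 *
 * @param id identifier passed to {@code locateConnection}
 * @param flowFileUuid UUID of the FlowFile; caller-supplied and echoed unmodified into the
 *        not-found message and the error log
 * @return the FlowFile record
 * @throws ResourceNotFoundException if the queue holds no FlowFile with that UUID
 * @throws IllegalStateException if an {@link IOException} is raised inside the lookup
 */
@Override
public FlowFileRecord getFlowFile(String id, String flowFileUuid) {
    try {
        final Connection connection = locateConnection(id);
        final FlowFileQueue queue = connection.getFlowFileQueue();
        final FlowFileRecord flowFile = queue.getFlowFile(flowFileUuid);

        if (flowFile == null) {
            throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
        }

        // Authorize against the data of the connection's source, passing the FlowFile attributes.
        final Map<String, String> attributes = flowFile.getAttributes();
        final Authorizable dataAuthorizable = new DataAuthorizable(connection.getSourceAuthorizable());
        dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), attributes);

        return flowFile;
    } catch (final IOException ioe) {
        logger.error(String.format("Unable to get the flowfile (%s) at this time.", flowFileUuid), ioe);
        // The message stays generic for the caller; the cause is chained for diagnosis.
        throw new IllegalStateException("Unable to get the FlowFile at this time.", ioe);
    }
}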
Example 6
Source File: AuthorizeParameterReference.java From nifi with Apache License 2.0 | 6 votes |
/**
 * Requires READ on the Parameter Context when at least one raw property value of the
 * component references a Parameter.
 *
 * <p>No check is made when {@code parameterContextAuthorizable} is {@code null} or when
 * no property references a Parameter.
 *
 * @param authorizable component whose property descriptors and raw values are inspected
 * @param authorizer authorizer handed to {@code authorize}
 * @param parameterContextAuthorizable authorizable of the Parameter Context; may be {@code null}
 * @param user user on whose behalf the check is made
 */
public static void authorizeParameterReferences(final ComponentAuthorizable authorizable, final Authorizer authorizer, final Authorizable parameterContextAuthorizable,
                                                final NiFiUser user) {
    if (parameterContextAuthorizable != null) {
        final ParameterParser parser = new ExpressionLanguageAgnosticParameterParser();

        for (final PropertyDescriptor descriptor : authorizable.getPropertyDescriptors()) {
            final String raw = authorizable.getRawValue(descriptor);
            final ParameterTokenList tokens = parser.parseTokens(raw);
            if (tokens.toReferenceList().isEmpty()) {
                continue;
            }

            // The first reference found is enough: one READ check covers the whole context.
            parameterContextAuthorizable.authorize(authorizer, RequestAction.READ, user);
            return;
        }
    }
}
Example 7
Source File: StandardConnectionDAO.java From nifi with Apache License 2.0 | 5 votes |
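/**
 * Opens the content of a queued FlowFile for download once the current user has passed a
 * READ check on the data of the connection's source.
 *
 * <p>The FlowFile is fetched before the access check because its attributes are an input
 * to {@code authorize}. The content stream is requested only after that call returns.
 *
 * @param id identifier passed to {@code locateConnection}
 * @param flowFileUuid UUID of the FlowFile; caller-supplied, used as the fallback filename
 *        and echoed unmodified into the not-found message and the error log
 * @param requestUri passed through to {@code flowController.getContent}
 * @return the content stream with the filename and mime type read from the FlowFile attributes
 * @throws ResourceNotFoundException if the FlowFile is not in the queue or its content is not found
 * @throws IllegalStateException if an {@link IOException} is raised while serving the request
 */
@Override
public DownloadableContent getContent(String id, String flowFileUuid, String requestUri) {
    try {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();

        final Connection connection = locateConnection(id);
        final FlowFileQueue queue = connection.getFlowFileQueue();
        final FlowFileRecord flowFile = queue.getFlowFile(flowFileUuid);

        if (flowFile == null) {
            throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
        }

        // Authorize against the data of the connection's source, passing the FlowFile attributes.
        final Map<String, String> attributes = flowFile.getAttributes();
        final Authorizable dataAuthorizable = new DataAuthorizable(connection.getSourceAuthorizable());
        dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);

        // NOTE(review): filename and mime type are FlowFile attributes, i.e. values that travel with
        // the data. Whoever writes them into response headers should encode them; confirm in the caller.
        String filename = attributes.get(CoreAttributes.FILENAME.key());
        if (filename == null) {
            // Fall back to the identifier (should never happen).
            filename = flowFileUuid;
        }

        final String type = attributes.get(CoreAttributes.MIME_TYPE.key());

        // The user's identity is handed to the controller together with the request URI.
        final InputStream content = flowController.getContent(flowFile, user.getIdentity(), requestUri);
        return new DownloadableContent(filename, type, content);
    } catch (final ContentNotFoundException cnfe) {
        throw new ResourceNotFoundException("Unable to find the specified content.");
    } catch (final IOException ioe) {
        logger.error(String.format("Unable to get the content for flowfile (%s) at this time.", flowFileUuid), ioe);
        // The message stays generic for the caller; the cause is chained for diagnosis.
        throw new IllegalStateException("Unable to get the content at this time.", ioe);
    }
}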
Example 8
Source File: ControllerFacade.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Checks that the current user may replay a provenance event, which takes both READ and
 * WRITE on the data authorizable that {@code getDataAuthorizable} resolves for the event.
 *
 * @param event provenance event whose replay is requested
 * @throws AccessDeniedException if the event carries no source queue identifier
 */
private void authorizeReplay(final ProvenanceEventRecord event) {
    // Without a source queue there is nothing to authorize against and no replay to offer: deny.
    final boolean queueKnown = event.getSourceQueueIdentifier() != null;
    if (!queueKnown) {
        throw new AccessDeniedException("The connection id in the provenance event is unknown.");
    }

    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
    final Authorizable target = getDataAuthorizable(event);

    // READ is checked first, then WRITE; both use the event's attributes.
    final Map<String, String> attrs = event.getAttributes();
    for (final RequestAction action : new RequestAction[] {RequestAction.READ, RequestAction.WRITE}) {
        target.authorize(authorizer, action, currentUser, attrs);
    }
}
Example 9
Source File: VolatileProvenanceRepository.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the provenance data of the component named by the event.
 *
 * <p>The check is skipped entirely when no authorizer is set or {@code user} is
 * {@code null}, so callers that rely on this method for enforcement must supply both.
 *
 * @param event provenance event being accessed
 * @param user user to authorize; {@code null} disables the check
 */
protected void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    final boolean enforceable = authorizer != null && user != null;
    if (enforceable) {
        final String componentId = event.getComponentId();
        resourceFactory.createProvenanceDataAuthorizable(componentId).authorize(authorizer, RequestAction.READ, user);
    }
}
Example 10
Source File: WriteAheadProvenanceRepository.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the provenance data of the component named by the event.
 *
 * <p>The check is skipped entirely when no authorizer is set or {@code user} is
 * {@code null}, so callers that rely on this method for enforcement must supply both.
 *
 * @param event provenance event being accessed
 * @param user user to authorize; {@code null} disables the check
 */
private void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    final boolean enforceable = authorizer != null && user != null;
    if (enforceable) {
        final String componentId = event.getComponentId();
        resourceFactory.createProvenanceDataAuthorizable(componentId).authorize(authorizer, RequestAction.READ, user);
    }
}
Example 11
Source File: PersistentProvenanceRepository.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the provenance data of the component named by the event.
 *
 * <p>The check is skipped entirely when no authorizer is set or {@code user} is
 * {@code null}, so callers that rely on this method for enforcement must supply both.
 *
 * @param event provenance event being accessed
 * @param user user to authorize; {@code null} disables the check
 */
public void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    final boolean enforceable = authorizer != null && user != null;
    if (enforceable) {
        final String componentId = event.getComponentId();
        resourceFactory.createProvenanceDataAuthorizable(componentId).authorize(authorizer, RequestAction.READ, user);
    }
}
Example 12
Source File: UserEventAuthorizer.java From nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ, for the user held by this object, on the provenance data of the
 * component named by the event.
 *
 * <p>The check is skipped entirely when no authorizer is set.
 *
 * @param event provenance event being accessed
 */
@Override
public void authorize(final ProvenanceEventRecord event) {
    if (authorizer != null) {
        final String componentId = event.getComponentId();
        resourceFactory.createProvenanceDataAuthorizable(componentId).authorize(authorizer, RequestAction.READ, user);
    }
}
Example 13
Source File: UserEventAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ, for the user held by this object, on the data of the component named by
 * the event, passing the event's attributes to the authorizer.
 *
 * <p>The check is skipped entirely when no authorizer is set.
 *
 * @param event provenance event being accessed
 */
@Override
public void authorize(final ProvenanceEventRecord event) {
    if (authorizer != null) {
        // Remote-port events and all other events use different data authorizables.
        final Authorizable target = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());

        target.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
    }
}
Example 14
Source File: StandardConnectionDAO.java From localization_nifi with Apache License 2.0 | 5 votes |
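/**
 * Returns the downloadable content of a queued FlowFile after the current user has been
 * authorized to READ the data of the connection's source.
 *
 * <p>The FlowFile is fetched first because its attributes are passed to {@code authorize};
 * the content stream is only requested once that call has returned.
 *
 * @param id identifier passed to {@code locateConnection}
 * @param flowFileUuid UUID of the FlowFile; caller-supplied, used as the fallback filename
 *        and echoed unmodified into the not-found message and the error log
 * @param requestUri passed through to {@code flowController.getContent}
 * @return the content stream with the filename and mime type read from the FlowFile attributes
 * @throws ResourceNotFoundException if the FlowFile is not in the queue or its content is not found
 * @throws IllegalStateException if an {@link IOException} is raised while serving the request
 */
@Override
public DownloadableContent getContent(String id, String flowFileUuid, String requestUri) {
    try {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();

        final Connection connection = locateConnection(id);
        final FlowFileQueue queue = connection.getFlowFileQueue();
        final FlowFileRecord flowFile = queue.getFlowFile(flowFileUuid);

        if (flowFile == null) {
            throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
        }

        // Authorize against the data of the connection's source, passing the FlowFile attributes.
        final Map<String, String> attributes = flowFile.getAttributes();
        final Authorizable dataAuthorizable = new DataAuthorizable(connection.getSourceAuthorizable());
        dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);

        // NOTE(review): filename and mime type are FlowFile attributes, i.e. values that travel with
        // the data. Whoever writes them into response headers should encode them; confirm in the caller.
        String filename = attributes.get(CoreAttributes.FILENAME.key());
        if (filename == null) {
            // Fall back to the identifier (should never happen).
            filename = flowFileUuid;
        }

        final String type = attributes.get(CoreAttributes.MIME_TYPE.key());

        // The user's identity is handed to the controller together with the request URI.
        final InputStream content = flowController.getContent(flowFile, user.getIdentity(), requestUri);
        return new DownloadableContent(filename, type, content);
    } catch (final ContentNotFoundException cnfe) {
        throw new ResourceNotFoundException("Unable to find the specified content.");
    } catch (final IOException ioe) {
        logger.error(String.format("Unable to get the content for flowfile (%s) at this time.", flowFileUuid), ioe);
        // Keep the generic message for the caller, but chain the cause so the failure stays traceable.
        throw new IllegalStateException("Unable to get the content at this time.", ioe);
    }
}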
Example 15
Source File: VolatileProvenanceRepository.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the data of the component named by the event, passing
 * the event's attributes to the authorizer.
 *
 * <p>The check is skipped entirely when no authorizer is set. {@code user} is passed to
 * {@code authorize} without a null check.
 *
 * @param event provenance event being accessed
 * @param user user to authorize
 */
protected void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    if (authorizer != null) {
        // Remote-port events and all other events use different data authorizables.
        final Authorizable target = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());

        target.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
    }
}
Example 16
Source File: WriteAheadProvenanceRepository.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the data of the component named by the event, passing
 * the event's attributes to the authorizer.
 *
 * <p>The check is skipped entirely when no authorizer is set. {@code user} is passed to
 * {@code authorize} without a null check.
 *
 * @param event provenance event being accessed
 * @param user user to authorize
 */
private void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    if (authorizer != null) {
        // Remote-port events and all other events use different data authorizables.
        final Authorizable target = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());

        target.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
    }
}
Example 17
Source File: PersistentProvenanceRepository.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Requires READ for {@code user} on the data of the component named by the event, passing
 * the event's attributes to the authorizer.
 *
 * <p>The check is skipped entirely when no authorizer is set. {@code user} is passed to
 * {@code authorize} without a null check.
 *
 * @param event provenance event being accessed
 * @param user user to authorize
 */
public void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    if (authorizer != null) {
        // Remote-port events and all other events use different data authorizables.
        final Authorizable target = event.isRemotePortType()
                ? resourceFactory.createRemoteDataAuthorizable(event.getComponentId())
                : resourceFactory.createLocalDataAuthorizable(event.getComponentId());

        target.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
    }
}
Example 18
Source File: ControllerFacade.java From localization_nifi with Apache License 2.0 | 4 votes |
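/**
 * Opens the input or output content recorded for a provenance event once the current user
 * has been authorized to READ the data of the component that produced the event.
 *
 * <p>The attribute set used for the access check, the filename and the mime type follows
 * the direction: the previous attributes for {@code ContentDirection.INPUT}, the current
 * attributes otherwise.
 *
 * @param eventId id of the provenance event; echoed into the error log
 * @param uri passed through to {@code flowController.getContent}
 * @param contentDirection selects which side of the event is read
 * @return the content stream with the filename and mime type read from the chosen attributes
 * @throws ResourceNotFoundException if the event or its content is not found
 * @throws IllegalStateException if an {@link IOException} is raised while serving the request
 */
public DownloadableContent getContent(final Long eventId, final String uri, final ContentDirection contentDirection) {
    try {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();

        // The event supplies the attributes, the component id and the fallback filename.
        final ProvenanceEventRecord event = flowController.getProvenanceRepository().getEvent(eventId);
        if (event == null) {
            throw new ResourceNotFoundException("Unable to find the specified event.");
        }

        final Map<String, String> attributes;
        if (ContentDirection.INPUT.equals(contentDirection)) {
            attributes = event.getPreviousAttributes();
        } else {
            attributes = event.getAttributes();
        }

        // Remote-port events and all other events use different data authorizables.
        final Authorizable dataAuthorizable;
        if (event.isRemotePortType()) {
            dataAuthorizable = flowController.createRemoteDataAuthorizable(event.getComponentId());
        } else {
            dataAuthorizable = flowController.createLocalDataAuthorizable(event.getComponentId());
        }
        dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);

        // NOTE(review): filename and mime type are FlowFile attributes, i.e. values that travel with
        // the data. Whoever writes them into response headers should encode them; confirm in the caller.
        String filename = attributes.get(CoreAttributes.FILENAME.key());
        if (filename == null) {
            // Fall back to the identifier (should never happen).
            filename = event.getFlowFileUuid();
        }

        final String type = attributes.get(CoreAttributes.MIME_TYPE.key());

        // The user's identity is handed to the controller together with the request URI.
        final InputStream content = flowController.getContent(event, contentDirection, user.getIdentity(), uri);
        return new DownloadableContent(filename, type, content);
    } catch (final ContentNotFoundException cnfe) {
        throw new ResourceNotFoundException("Unable to find the specified content.");
    } catch (final IOException ioe) {
        logger.error(String.format("Unable to get the content for event (%s) at this time.", eventId), ioe);
        // Keep the generic message for the caller, but chain the cause so the failure stays traceable.
        throw new IllegalStateException("Unable to get the content at this time.", ioe);
    }
}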
Example 19
Source File: ParameterContextResource.java From nifi with Apache License 2.0 | 4 votes |
/**
 * Authorizes {@code user} against the component behind an affected-component entity.
 *
 * <p>The component is resolved first and the READ and WRITE checks then run against it,
 * READ before WRITE. An entity whose DTO is present but whose reference type is neither
 * processor nor controller service is not authorized at all by this method.
 *
 * @param entity affected component; its DTO may be {@code null}
 * @param lookup source of the processor and controller service authorizables
 * @param user user to authorize
 * @param requireRead whether READ is required
 * @param requireWrite whether WRITE is required
 */
private void authorizeAffectedComponent(final AffectedComponentEntity entity, final AuthorizableLookup lookup, final NiFiUser user, final boolean requireRead, final boolean requireWrite) {
    final AffectedComponentDTO component = entity.getComponent();

    Authorizable target;
    if (component == null) {
        // A null DTO indicates that the user lacks permissions. Rather than throwing
        // AccessDeniedException directly, let the pluggable Authorizer take all of its usual
        // actions: resolve the component as a Processor, fall back to a Controller Service,
        // and attempt the authorization, expecting it to fail.
        try {
            target = lookup.getProcessor(entity.getId()).getAuthorizable();
        } catch (final ResourceNotFoundException rnfe) {
            target = lookup.getControllerService(entity.getId()).getAuthorizable();
        }
    } else if (AffectedComponentDTO.COMPONENT_TYPE_PROCESSOR.equals(component.getReferenceType())) {
        target = lookup.getProcessor(component.getId()).getAuthorizable();
    } else if (AffectedComponentDTO.COMPONENT_TYPE_CONTROLLER_SERVICE.equals(component.getReferenceType())) {
        target = lookup.getControllerService(component.getId()).getAuthorizable();
    } else {
        // Any other reference type: nothing is resolved and nothing is checked.
        return;
    }

    if (requireRead) {
        target.authorize(authorizer, RequestAction.READ, user);
    }
    if (requireWrite) {
        target.authorize(authorizer, RequestAction.WRITE, user);
    }
}
Example 20
Source File: AuthorizeControllerServiceReference.java From nifi with Apache License 2.0 | 4 votes |
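/**
 * Authorizes the controller service references among the proposed properties of a component.
 *
 * <p>For every proposed property whose descriptor identifies a controller service and
 * whose value is changing, the current user needs READ on the service currently referenced
 * (when there is one) and on the newly proposed service (when there is one). A proposed
 * value that references a Parameter is rejected outright.
 *
 * @param proposedProperties proposed properties, keyed by property name; {@code null} means nothing is changing
 * @param authorizable authorizable that may reference a controller service
 * @param authorizer authorizer handed to {@code authorize}
 * @param lookup lookup used to resolve controller services by identifier
 * @throws IllegalArgumentException if a controller service property is set to a value that references a Parameter
 */
public static void authorizeControllerServiceReferences(final Map<String, String> proposedProperties, final ComponentAuthorizable authorizable,
                                                        final Authorizer authorizer, final AuthorizableLookup lookup) {

    // Only attempt to authorize if properties are changing.
    if (proposedProperties == null) {
        return;
    }

    final NiFiUser user = NiFiUserUtils.getNiFiUser();

    for (final Map.Entry<String, String> entry : proposedProperties.entrySet()) {
        final String propertyName = entry.getKey();
        final PropertyDescriptor propertyDescriptor = authorizable.getPropertyDescriptor(propertyName);

        // Properties that do not identify a controller service are not checked here.
        if (propertyDescriptor.getControllerServiceDefinition() == null) {
            continue;
        }

        final String currentValue = authorizable.getValue(propertyDescriptor);
        final String proposedValue = entry.getValue();

        // An unchanged reference needs no new authorization.
        if (Objects.equals(currentValue, proposedValue)) {
            continue;
        }

        // Ensure access to the old service.
        if (currentValue != null) {
            try {
                final Authorizable currentServiceAuthorizable = lookup.getControllerService(currentValue).getAuthorizable();
                currentServiceAuthorizable.authorize(authorizer, RequestAction.READ, user);
            } catch (ResourceNotFoundException e) {
                // Deliberately ignored: if the current service was deleted earlier, that must not
                // stop the assignment of proposedValue.
            }
        }

        // Ensure access to the new service.
        if (proposedValue != null) {
            final ParameterParser parser = new ExpressionLanguageAgnosticParameterParser();
            final ParameterTokenList tokenList = parser.parseTokens(proposedValue);
            final boolean referencesParameter = !tokenList.toReferenceList().isEmpty();

            // Rejected before the lookup below, which uses the proposed value as given.
            if (referencesParameter) {
                throw new IllegalArgumentException("The property '" + propertyDescriptor.getDisplayName() + "' cannot reference a Parameter because the property is a "
                        + "Controller Service reference. Allowing Controller Service references to make use of Parameters could result in security issues and a poor user experience. "
                        + "As a result, this is not allowed.");
            }

            final Authorizable newServiceAuthorizable = lookup.getControllerService(proposedValue).getAuthorizable();
            newServiceAuthorizable.authorize(authorizer, RequestAction.READ, user);
        }
    }
}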