org.apache.nifi.authorization.exception.AuthorizationAccessException Java Examples
The following examples show how to use
org.apache.nifi.authorization.exception.AuthorizationAccessException.
Example #1
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Builds a {@link UsersAndAccessPolicies} view over this mock's users and groups.
 *
 * <p>The view never resolves a policy ({@code getAccessPolicy} always returns {@code null});
 * user lookups are delegated to {@code getUserByIdentity}, and group membership is computed
 * from the {@code groups} collection on each call.
 *
 * @return an anonymous view backed by this authorizer's current state
 * @throws AuthorizationAccessException declared by the overridden signature
 */
@Override
public UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException {
    return new UsersAndAccessPolicies() {
        @Override
        public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) {
            // No policy is ever exposed through this view.
            return null;
        }

        @Override
        public User getUser(String identity) {
            return getUserByIdentity(identity);
        }

        @Override
        public Set<Group> getGroups(String userIdentity) {
            final User member = getUserByIdentity(userIdentity);
            if (member != null) {
                // Keep only the groups that list this user's identifier as a member.
                return groups.stream()
                        .filter(candidate -> candidate.getUsers().contains(member.getIdentifier()))
                        .collect(Collectors.toSet());
            }
            // Unknown identity: report no memberships rather than null.
            return new HashSet<>();
        }
    };
}
Example #2
Source File: NiFiFlowTestAuthorizer.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Authorizes a request against the fixed identities used by the flow tests.
 *
 * <p>Approves the proxy identity on the proxy resource, READ for the read and read/write
 * users, and WRITE for the write and read/write users. Any other request is denied.
 *
 * @param request the request to evaluate
 * @return approved for the cases above, otherwise denied
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    // Proxy: the proxy resource requested by the proxy identity.
    final boolean targetsProxyResource = ResourceFactory.getProxyResource().getIdentifier()
            .equals(request.getResource().getIdentifier());
    if (targetsProxyResource && PROXY_DN.equals(request.getIdentity())) {
        return AuthorizationResult.approved();
    }

    // Read access: the identity check runs first, then the action check.
    if ((READ_USER_DN.equals(request.getIdentity()) || READ_WRITE_USER_DN.equals(request.getIdentity()))
            && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Write access: same shape as the read check.
    if ((WRITE_USER_DN.equals(request.getIdentity()) || READ_WRITE_USER_DN.equals(request.getIdentity()))
            && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Default deny.
    return AuthorizationResult.denied();
}
Example #3
Source File: AuthorizerFactoryBean.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Creates the fallback {@link Authorizer} used when running unsecured with no authorizer
 * configured.
 *
 * <p>The returned instance approves every request without inspecting it, and its lifecycle
 * callbacks do nothing.
 *
 * NOTE(review): because this is an allow-all authorizer, confirm that callers select it only
 * when the instance is intentionally unsecured and never as a fallback for a failed or
 * missing configuration on a secured instance.
 *
 * @return an allow-all Authorizer
 */
private Authorizer createDefaultAuthorizer() {
    final Authorizer permitAll = new Authorizer() {
        @Override
        public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
            // Unconditional approval: the request is not examined.
            return AuthorizationResult.approved();
        }

        @Override
        public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
            // nothing to initialize
        }

        @Override
        public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
            // no configuration is read
        }

        @Override
        public void preDestruction() throws AuthorizerDestructionException {
            // nothing to release
        }
    };
    return permitAll;
}
Example #4
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Returns a {@link UsersAndAccessPolicies} adapter backed by this mock authorizer.
 *
 * <p>Policy lookups always return {@code null}. User lookups go through
 * {@code getUserByIdentity}. Group lookups return the groups whose member list contains the
 * resolved user's identifier, or an empty set when the identity is unknown.
 *
 * @return the adapter
 * @throws AuthorizationAccessException declared by the overridden signature
 */
@Override
public UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException {
    return new UsersAndAccessPolicies() {
        @Override
        public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) {
            // The mock does not surface policies here.
            return null;
        }

        @Override
        public User getUser(String identity) {
            return getUserByIdentity(identity);
        }

        @Override
        public Set<Group> getGroups(String userIdentity) {
            final User resolved = getUserByIdentity(userIdentity);

            // Guard clause: an unresolved identity belongs to no group.
            if (resolved == null) {
                return new HashSet<>();
            }

            return groups.stream()
                    .filter(grp -> grp.getUsers().contains(resolved.getIdentifier()))
                    .collect(Collectors.toSet());
        }
    };
}
Example #5
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Adds an access policy to the file-backed authorizations and persists the result.
 *
 * <p>NOTE(review): the new entry is appended to the list obtained from the current holder
 * before the save is attempted. If {@code saveAndRefreshHolder} throws, that list may still
 * contain the entry while the holder's lookup maps do not; confirm whether a rollback is
 * needed.
 *
 * @param accessPolicy the policy to add; must not be null
 * @return the policy as found in the refreshed holder, looked up by identifier
 * @throws IllegalArgumentException if {@code accessPolicy} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized AccessPolicy doAddAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    // Convert to the JAXB representation before touching the current state.
    final Policy jaxbPolicy = createJAXBPolicy(accessPolicy);

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // Append to the top-level policy list, then write out and rebuild the holder.
    authorizations.getPolicies().getPolicy().add(jaxbPolicy);
    saveAndRefreshHolder(authorizations, tenants);

    // Read back from the holder that saveAndRefreshHolder just installed.
    return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
Example #6
Source File: AbstractPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Decides a request from the policy that matches its resource and action.
 *
 * <p>Outcomes, in order: resource-not-found when no policy matches; denied when the identity
 * maps to no user; approved when the policy lists the user or one of the user's groups;
 * otherwise denied with the request's own explanation.
 *
 * @param request the request to evaluate
 * @return the authorization decision
 */
@Override
public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final UsersAndAccessPolicies lookup = getUsersAndAccessPolicies();

    final String resourceId = request.getResource().getIdentifier();
    final AccessPolicy matchingPolicy = lookup.getAccessPolicy(resourceId, request.getAction());
    if (matchingPolicy == null) {
        // No policy for this resource/action pair.
        return AuthorizationResult.resourceNotFound();
    }

    final User requester = lookup.getUser(request.getIdentity());
    if (requester == null) {
        return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
    }

    final Set<Group> requesterGroups = lookup.getGroups(requester.getIdentity());

    // Deny unless the policy names the user directly or through a group; the group check is
    // only evaluated when the direct check fails.
    if (!matchingPolicy.getUsers().contains(requester.getIdentifier()) && !containsGroup(requesterGroups, matchingPolicy)) {
        return AuthorizationResult.denied(request.getExplanationSupplier().get());
    }

    return AuthorizationResult.approved();
}
Example #7
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Adds a group to the file-backed tenants and persists the result.
 *
 * <p>{@code checkGroupUsers} runs before any change is made, so a group that references a
 * missing user is rejected before the tenants list is modified.
 *
 * @param group the group to add; must not be null
 * @return the group as found in the refreshed holder, looked up by identifier
 * @throws IllegalArgumentException if {@code group} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized Group doAddGroup(Group group) throws AuthorizationAccessException {
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // Validate membership first; the returned set is not needed here.
    checkGroupUsers(group, tenants.getUsers().getUser());

    // Build the JAXB counterpart of the incoming group.
    final org.apache.nifi.authorization.file.tenants.generated.Group newJaxbGroup =
            new org.apache.nifi.authorization.file.tenants.generated.Group();
    newJaxbGroup.setIdentifier(group.getIdentifier());
    newJaxbGroup.setName(group.getName());

    // Copy each member identifier into a JAXB user reference.
    for (String memberId : group.getUsers()) {
        final org.apache.nifi.authorization.file.tenants.generated.Group.User memberRef =
                new org.apache.nifi.authorization.file.tenants.generated.Group.User();
        memberRef.setIdentifier(memberId);
        newJaxbGroup.getUser().add(memberRef);
    }

    tenants.getGroups().getGroup().add(newJaxbGroup);
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
}
Example #8
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Replaces the users and groups of an existing policy and persists the result.
 *
 * @param accessPolicy the policy carrying the new users and groups; must not be null
 * @return the updated policy from the refreshed holder, or {@code null} when no stored
 *         policy has the same identifier
 * @throws IllegalArgumentException if {@code accessPolicy} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized AccessPolicy updateAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // Look for the stored policy with the same identifier; stop at the first hit.
    Policy existing = null;
    for (Policy candidate : authorizations.getPolicies().getPolicy()) {
        if (candidate.getIdentifier().equals(accessPolicy.getIdentifier())) {
            existing = candidate;
            break;
        }
    }

    // Nothing to update: report that with null, without saving.
    if (existing == null) {
        return null;
    }

    // Copy users and groups across, write out, and return the refreshed view.
    transferUsersAndGroups(accessPolicy, existing);
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
Example #9
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Removes the stored policy with the same identifier as the argument and persists the result.
 *
 * @param accessPolicy the policy to delete; must not be null
 * @return the argument when a matching policy was removed, or {@code null} when none matched
 * @throws IllegalArgumentException if {@code accessPolicy} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized AccessPolicy deleteAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException {
    if (accessPolicy == null) {
        throw new IllegalArgumentException("AccessPolicy cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // Remove the first policy whose identifier matches; later entries are not examined.
    boolean removed = false;
    for (Iterator<Policy> it = authorizations.getPolicies().getPolicy().iterator(); it.hasNext(); ) {
        final Policy candidate = it.next();
        if (candidate.getIdentifier().equals(accessPolicy.getIdentifier())) {
            it.remove();
            removed = true;
            break;
        }
    }

    if (removed) {
        saveAndRefreshHolder(authorizations, tenants);
        return accessPolicy;
    }

    // No match: nothing is saved.
    return null;
}
Example #10
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Looks up a policy by identifier in the current holder.
 *
 * @param identifier the policy identifier; may be null
 * @return the mapped policy, or {@code null} when the identifier is null or unmapped
 */
@Override
public AccessPolicy getAccessPolicy(final String identifier) throws AuthorizationAccessException {
    // A null identifier short-circuits before the holder is read.
    return identifier == null
            ? null
            : authorizationsHolder.get().getPoliciesById().get(identifier);
}
Example #11
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Persists the tenants and the authorizations, then installs a new holder built from them.
 *
 * <p>Synchronized so that only one thread writes the files at a time.
 *
 * <p>NOTE(review): the two saves run one after the other. If {@code saveAuthorizations}
 * fails after {@code saveTenants} has returned, the holder is left unchanged while the
 * tenants may already have been written; confirm that this partial state is acceptable.
 *
 * @param authorizations the authorizations to save and populate from
 * @param tenants the tenants to save and populate from
 * @throws AuthorizationAccessException if a {@link JAXBException} occurs while saving
 */
private synchronized void saveAndRefreshHolder(final Authorizations authorizations, final Tenants tenants) throws AuthorizationAccessException {
    try {
        saveTenants(tenants);
        saveAuthorizations(authorizations);

        // Swap in the rebuilt holder only after both saves have returned normally.
        this.authorizationsHolder.set(new AuthorizationsHolder(authorizations, tenants));
    } catch (JAXBException cause) {
        throw new AuthorizationAccessException("Unable to save Authorizations", cause);
    }
}
Example #12
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Looks up a group by identifier in the current holder.
 *
 * @param identifier the group identifier; may be null
 * @return the mapped group, or {@code null} when the identifier is null or unmapped
 */
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
    return identifier == null
            ? null
            : authorizationsHolder.get().getGroupsById().get(identifier);
}
Example #13
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Replaces the name and member list of an existing group and persists the result.
 *
 * <p>The stored member list is cleared and rebuilt from the incoming group, so members that
 * are absent from the argument are dropped.
 *
 * @param group the group carrying the new name and members; must not be null
 * @return the updated group from the refreshed holder, or {@code null} when no stored group
 *         has the same identifier
 * @throws IllegalArgumentException if {@code group} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized Group doUpdateGroup(Group group) throws AuthorizationAccessException {
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    // Find the stored group that needs to be updated; stop at the first match.
    org.apache.nifi.authorization.file.tenants.generated.Group target = null;
    for (org.apache.nifi.authorization.file.tenants.generated.Group candidate : tenants.getGroups().getGroup()) {
        if (candidate.getIdentifier().equals(group.getIdentifier())) {
            target = candidate;
            break;
        }
    }

    // Unknown group: nothing is changed or saved.
    if (target == null) {
        return null;
    }

    // Rebuild the member list from scratch.
    target.getUser().clear();
    for (String memberId : group.getUsers()) {
        final org.apache.nifi.authorization.file.tenants.generated.Group.User memberRef =
                new org.apache.nifi.authorization.file.tenants.generated.Group.User();
        memberRef.setIdentifier(memberId);
        target.getUser().add(memberRef);
    }

    target.setName(group.getName());
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
}
Example #14
Source File: AuthorizationAccessExceptionMapper.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Maps an {@link AuthorizationAccessException} to an HTTP 500 plain-text response.
 *
 * <p>The exception is logged at error level together with its stack trace.
 *
 * <p>NOTE(review): the response entity is {@code e.getMessage()} verbatim. Confirm that
 * messages raised by authorizer implementations cannot carry internal details (for example
 * file locations or backend errors) that should stay in the server log, or return a generic
 * body instead.
 *
 * @param e the exception being mapped
 * @return a 500 response of type {@code text/plain} whose body is the exception message
 */
@Override
public Response toResponse(AuthorizationAccessException e) {
    final Response.Status status = Response.Status.INTERNAL_SERVER_ERROR;

    // Log first so the failure is recorded even if building the response fails.
    final String logLine = String.format("%s. Returning %s response.", e, status);
    logger.error(logLine, e);

    return Response.status(status)
            .entity(e.getMessage())
            .type("text/plain")
            .build();
}
Example #15
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Looks up a user by identifier in the current holder.
 *
 * @param identifier the user identifier; may be null
 * @return the mapped user, or {@code null} when the identifier is null or unmapped
 */
@Override
public User getUser(final String identifier) throws AuthorizationAccessException {
    return identifier == null
            ? null
            : authorizationsHolder.get().getUsersById().get(identifier);
}
Example #16
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Looks up a user by identity (as opposed to identifier) in the current holder.
 *
 * @param identity the user identity; may be null
 * @return the mapped user, or {@code null} when the identity is null or unmapped
 */
@Override
public User getUserByIdentity(final String identity) throws AuthorizationAccessException {
    return identity == null
            ? null
            : authorizationsHolder.get().getUsersByIdentity().get(identity);
}
Example #17
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Updates the identity of an existing user and persists the result.
 *
 * <p>Only the identity is copied from the argument; the stored identifier is the lookup key
 * and is left unchanged.
 *
 * @param user the user carrying the new identity; must not be null
 * @return the updated user from the refreshed holder, or {@code null} when no stored user
 *         has the same identifier
 * @throws IllegalArgumentException if {@code user} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized User doUpdateUser(final User user) throws AuthorizationAccessException {
    if (user == null) {
        throw new IllegalArgumentException("User cannot be null");
    }

    final AuthorizationsHolder current = this.authorizationsHolder.get();
    final Tenants tenants = current.getTenants();
    final Authorizations authorizations = current.getAuthorizations();

    final List<org.apache.nifi.authorization.file.tenants.generated.User> storedUsers = tenants.getUsers().getUser();

    // Find the stored user that needs to be updated; stop at the first match.
    org.apache.nifi.authorization.file.tenants.generated.User target = null;
    for (org.apache.nifi.authorization.file.tenants.generated.User candidate : storedUsers) {
        if (user.getIdentifier().equals(candidate.getIdentifier())) {
            target = candidate;
            break;
        }
    }

    // Unknown user: nothing is changed or saved.
    if (target == null) {
        return null;
    }

    target.setIdentity(user.getIdentity());
    saveAndRefreshHolder(authorizations, tenants);

    return this.authorizationsHolder.get().getUsersById().get(user.getIdentifier());
}
Example #18
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 5 votes |
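/**
 * Deletes a group, removes every policy reference to it, and persists the result.
 *
 * <p>A null argument is rejected up front with the same exception and message that
 * {@code doAddGroup} and {@code doUpdateGroup} use, instead of failing later with a
 * {@link NullPointerException} part-way through the policy scan.
 *
 * <p>Policy references are removed before the top-level group list is searched. When no
 * top-level group matches, nothing is saved and {@code null} is returned.
 * NOTE(review): in that case any policy references removed in the first pass stay removed
 * from the list obtained from the current holder; confirm whether that is intended.
 *
 * @param group the group to delete; must not be null
 * @return the argument when the group was removed, or {@code null} when no stored group has
 *         the same identifier
 * @throws IllegalArgumentException if {@code group} is null
 * @throws AuthorizationAccessException if saving fails
 */
@Override
public synchronized Group deleteGroup(Group group) throws AuthorizationAccessException {
    if (group == null) {
        throw new IllegalArgumentException("Group cannot be null");
    }

    final AuthorizationsHolder holder = this.authorizationsHolder.get();
    final Tenants tenants = holder.getTenants();
    final Authorizations authorizations = holder.getAuthorizations();

    final List<org.apache.nifi.authorization.file.tenants.generated.Group> groups = tenants.getGroups().getGroup();

    // For each policy, drop the first reference to the group being deleted so that no policy
    // keeps granting access through a group that no longer exists.
    for (Policy policy : authorizations.getPolicies().getPolicy()) {
        final Iterator<Policy.Group> policyGroupIter = policy.getGroup().iterator();
        while (policyGroupIter.hasNext()) {
            final Policy.Group policyGroup = policyGroupIter.next();
            if (policyGroup.getIdentifier().equals(group.getIdentifier())) {
                policyGroupIter.remove();
                break;
            }
        }
    }

    // Now remove the group itself from the top-level list of groups.
    boolean removedGroup = false;
    final Iterator<org.apache.nifi.authorization.file.tenants.generated.Group> iter = groups.iterator();
    while (iter.hasNext()) {
        final org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup = iter.next();
        if (group.getIdentifier().equals(jaxbGroup.getIdentifier())) {
            iter.remove();
            removedGroup = true;
            break;
        }
    }

    if (!removedGroup) {
        return null;
    }

    saveAndRefreshHolder(authorizations, tenants);
    return group;
}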
Example #19
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Removes a policy from the mock's in-memory {@code policies} collection.
 *
 * @param policy the policy to remove
 * @return the argument, whether or not it was present in the collection
 */
@Override
public AccessPolicy deleteAccessPolicy(AccessPolicy policy) throws AuthorizationAccessException {
    // The result of remove() is ignored on purpose: the caller always gets the argument back.
    policies.remove(policy);

    return policy;
}
Example #20
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Returns all groups known to the current holder.
 *
 * @return the holder's {@code getAllGroups()} result
 */
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
    final Set<Group> allGroups = authorizationsHolder.get().getAllGroups();
    return allGroups;
}
Example #21
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Adds a user to the mock's in-memory {@code users} collection.
 *
 * @param user the user to add
 * @return the argument
 */
@Override
public User doAddUser(User user) throws AuthorizationAccessException {
    // No validation or persistence: the mock only records the user.
    users.add(user);

    return user;
}
Example #22
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Returns the mock's in-memory group collection.
 *
 * @return the {@code groups} field itself, not a copy
 */
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
    final Set<Group> allGroups = groups;
    return allGroups;
}
Example #23
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Removes a group from the mock's in-memory {@code groups} collection.
 *
 * @param group the group to remove
 * @return the argument, whether or not it was present in the collection
 */
@Override
public Group deleteGroup(Group group) throws AuthorizationAccessException {
    // The result of remove() is ignored: the caller always gets the argument back.
    groups.remove(group);

    return group;
}
Example #24
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Updates a group in the mock by deleting it and adding it again.
 *
 * @param group the group carrying the new state
 * @return whatever {@code addGroup} returns for the re-added group
 */
@Override
public Group doUpdateGroup(Group group) throws AuthorizationAccessException {
    // Delete first so the re-add does not collide with the previous entry.
    deleteGroup(group);

    final Group readded = addGroup(group);
    return readded;
}
Example #25
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
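/**
 * Finds the first group in the mock's {@code groups} collection with the given identifier.
 *
 * <p>Returns {@code null} when nothing matches, instead of calling {@code Optional.get()} on
 * an empty result and throwing {@link java.util.NoSuchElementException}. This matches the
 * file-backed {@code getGroup}, which returns {@code null} for a null or unmapped identifier,
 * so callers that test against the mock see the same "absent" signal.
 *
 * @param identifier the group identifier to look for; a null value matches nothing
 * @return the first matching group, or {@code null} when none matches
 */
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
    return groups.stream()
            .filter(g -> g.getIdentifier().equals(identifier))
            .findFirst()
            .orElse(null);
}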
Example #26
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Adds a policy to the mock's in-memory {@code policies} collection.
 *
 * @param accessPolicy the policy to add
 * @return the argument
 */
@Override
protected AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
    // No validation or persistence: the mock only records the policy.
    policies.add(accessPolicy);

    return accessPolicy;
}
Example #27
Source File: MockPolicyBasedAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Adds a group to the mock's in-memory {@code groups} collection.
 *
 * @param group the group to add
 * @return the argument
 */
@Override
public Group doAddGroup(Group group) throws AuthorizationAccessException {
    // Unlike a persistent authorizer, no membership check is done here.
    groups.add(group);

    return group;
}
Example #28
Source File: FileAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Returns all access policies known to the current holder.
 *
 * @return the holder's {@code getAllPolicies()} result
 */
@Override
public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
    final Set<AccessPolicy> allPolicies = authorizationsHolder.get().getAllPolicies();
    return allPolicies;
}
Example #29
Source File: RangerNiFiAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Authorizes a request by delegating the decision to the Ranger plugin.
 *
 * <p>One case is decided locally: when a Ranger admin identity is configured, it equals the
 * requesting identity, and the resource is {@code RESOURCES_RESOURCE}, the request is approved
 * without consulting Ranger. Every other request is translated into a Ranger access request.
 * If Ranger does not allow it, the result is "denied" when a policy exists for the resource
 * and "resource not found" otherwise.
 *
 * <p>Audit logs are produced only for direct access attempts
 * ({@code request.isAccessAttempt()}); other checks pass a null result processor.
 *
 * @param request the request to evaluate
 * @return approved, denied with the request's explanation, or resource-not-found
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // If a ranger admin identity was provided, and it equals the identity making the request,
    // and the request is to retrieve the resources, then allow it through.
    final boolean adminListingResources = StringUtils.isNotBlank(rangerAdminIdentity)
            && rangerAdminIdentity.equals(identity)
            && resourceIdentifier.equals(RESOURCES_RESOURCE);
    if (adminListingResources) {
        return AuthorizationResult.approved();
    }

    // The client address is optional: it is only read when a user context is present.
    final String clientIp = request.getUserContext() != null
            ? request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name())
            : null;

    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setAccessTime(new Date());

    if (StringUtils.isNotBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    // For a direct access request use the default audit handler so audit logs are generated;
    // for non-direct access provide a null result processor so none are generated.
    final RangerAccessResultProcessor resultProcessor;
    if (request.isAccessAttempt()) {
        resultProcessor = defaultAuditHandler;
    } else {
        resultProcessor = null;
    }

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest, resultProcessor);
    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    }

    // Not allowed: find out whether that is because no policy exists for the resource, or
    // because a policy exists but does not cover this user or action.
    final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier());
    if (!doesPolicyExist) {
        // No policy: return resource-not-found so NiFi can work back up the resource hierarchy.
        return AuthorizationResult.resourceNotFound();
    }

    final String reason = result == null ? null : result.getReason();
    if (reason != null) {
        logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
    }

    // A policy does exist for the resource, so this is a real denial.
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}
Example #30
Source File: NiFiTestAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Authorizes a request against the fixed identities and resources used by the tests.
 *
 * <p>Rules are evaluated in this order and the first match wins: proxy identity on the proxy
 * resource; the flow resource for any identity; the "no policy" component name, which yields
 * resource-not-found; the token user; the restricted-components resource, which only the
 * privileged user passes; READ for the read, read/write and privileged users; WRITE for the
 * write, read/write and privileged users. Anything else is denied.
 *
 * @param request the request to evaluate
 * @return the decision produced by the first matching rule, otherwise denied
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    // Allow proxy.
    final boolean targetsProxyResource = ResourceFactory.getProxyResource().getIdentifier()
            .equals(request.getResource().getIdentifier());
    if (targetsProxyResource && PROXY_DN.equals(request.getIdentity())) {
        return AuthorizationResult.approved();
    }

    // Allow flow for all users unless explicitly disabled.
    if (ResourceFactory.getFlowResource().getIdentifier().equals(request.getResource().getIdentifier())) {
        return AuthorizationResult.approved();
    }

    // No policy, used to test inheritance.
    if (NO_POLICY_COMPONENT_NAME.equals(request.getResource().getName())) {
        return AuthorizationResult.resourceNotFound();
    }

    // Allow the token user.
    if (TOKEN_USER.equals(request.getIdentity())) {
        return AuthorizationResult.approved();
    }

    // Restricted component access: decided here for every identity, approved only for the
    // privileged user.
    if (ResourceFactory.getRestrictedComponentsResource().getIdentifier().equals(request.getResource().getIdentifier())) {
        return PRIVILEGED_USER_DN.equals(request.getIdentity())
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    }

    // Read access: the identity check runs first, then the action check.
    if ((READ_USER_DN.equals(request.getIdentity())
            || READ_WRITE_USER_DN.equals(request.getIdentity())
            || PRIVILEGED_USER_DN.equals(request.getIdentity()))
            && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Write access: same shape as the read check.
    if ((WRITE_USER_DN.equals(request.getIdentity())
            || READ_WRITE_USER_DN.equals(request.getIdentity())
            || PRIVILEGED_USER_DN.equals(request.getIdentity()))
            && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Default deny.
    return AuthorizationResult.denied();
}