Java Code Examples for org.apache.nifi.authorization.AuthorizationResult#resourceNotFound()
The following examples show how to use
org.apache.nifi.authorization.AuthorizationResult#resourceNotFound().
Example 1
Source File: RangerNiFiAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Answers an authorization request by asking the Ranger plugin whether the
 * identity may perform the requested action on the requested resource.
 *
 * <p>Three outcomes are possible: approved, denied (a policy exists for the
 * resource but did not allow this request), or resource-not-found (no policy
 * exists for the resource identifier).
 *
 * @param request the request carrying the identity, resource, action and
 *                optional user context
 * @return approved, denied with the request's explanation, or resource-not-found
 * @throws AuthorizationAccessException declared by the signature; this body
 *         contains no explicit throw
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // Shortcut for the configured Ranger admin identity asking for the resources
    // listing: approved here without calling the plugin, so neither a policy
    // evaluation nor the audit handler below is involved for this path.
    // NOTE(review): only the resource identifier is compared; request.getAction()
    // is not checked on this path. Confirm that is intended for RESOURCES_RESOURCE.
    final boolean callerIsRangerAdmin =
            StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity);
    if (callerIsRangerAdmin && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }

    // The client address is optional and comes from the request's user context.
    // NOTE(review): whether this value can be trusted depends on how the caller
    // populates the user context; that is not visible here.
    final String clientIp = request.getUserContext() != null
            ? request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name())
            : null;

    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setAccessTime(new Date());
    if (StringUtils.isNotBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    // Direct access attempts go through the default audit handler so that audit
    // logs are produced; any other check passes a null processor and is not audited.
    final RangerAccessResultProcessor resultProcessor;
    if (request.isAccessAttempt()) {
        resultProcessor = defaultAuditHandler;
    } else {
        resultProcessor = null;
    }

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest, resultProcessor);

    // A null result is never treated as an approval.
    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    }

    // Not allowed: distinguish "no policy for this resource" from "a policy
    // exists but does not cover this user or action".
    final boolean policyExists = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier());
    if (!policyExists) {
        // No policy for this identifier: report resource-not-found so NiFi can
        // work back up the resource hierarchy instead of stopping at a denial.
        return AuthorizationResult.resourceNotFound();
    }

    final String reason = (result == null) ? null : result.getReason();
    if (reason != null) {
        // The identity written here originates from the request.
        logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
    }

    // A policy exists for the resource, so this is a genuine denial.
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}
Example 2
Source File: NiFiTestAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
/**
 * Authorizes a request against a fixed set of hard-coded identities and resources.
 *
 * <p>The checks run in order and the first match decides the result, so the
 * ordering is part of the behaviour: the blanket approvals near the top take
 * effect before the more specific restricted-component check is reached.
 *
 * <p>NOTE(review): the hard-coded identities and the blanket approvals look like
 * a test fixture; confirm this authorizer is never selected in a production
 * authorizers configuration.
 *
 * @param request the request carrying the identity, resource and action
 * @return approved, denied, or resource-not-found for the "no policy" component
 * @throws AuthorizationAccessException declared by the signature; this body
 *         contains no explicit throw
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceId = request.getResource().getIdentifier();

    // The proxy identity may access the proxy resource.
    if (ResourceFactory.getProxyResource().getIdentifier().equals(resourceId) && PROXY_DN.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // The flow resource is approved for every identity and every action.
    if (ResourceFactory.getFlowResource().getIdentifier().equals(resourceId)) {
        return AuthorizationResult.approved();
    }

    // A component with this name has no policy; resource-not-found is returned
    // so that policy inheritance can be exercised.
    if (NO_POLICY_COMPONENT_NAME.equals(request.getResource().getName())) {
        return AuthorizationResult.resourceNotFound();
    }

    // The token user is approved for whatever reaches this point. Because this
    // check precedes the restricted-components check, that resource is included.
    if (TOKEN_USER.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // Restricted components: only the privileged identity is approved.
    if (ResourceFactory.getRestrictedComponentsResource().getIdentifier().equals(resourceId)) {
        return PRIVILEGED_USER_DN.equals(identity)
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    }

    // Read access for the read, read-write and privileged identities.
    final boolean hasReadIdentity = READ_USER_DN.equals(identity)
            || READ_WRITE_USER_DN.equals(identity)
            || PRIVILEGED_USER_DN.equals(identity);
    if (hasReadIdentity && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Write access for the write, read-write and privileged identities.
    final boolean hasWriteIdentity = WRITE_USER_DN.equals(identity)
            || READ_WRITE_USER_DN.equals(identity)
            || PRIVILEGED_USER_DN.equals(identity);
    if (hasWriteIdentity && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Anything not matched above is denied.
    return AuthorizationResult.denied();
}
Example 3
Source File: RangerNiFiAuthorizer.java From nifi with Apache License 2.0 | 4 votes |
/**
 * Answers an authorization request by asking the Ranger plugin whether the
 * identity (with its groups) may perform the requested action on the resource.
 *
 * <p>Three outcomes are possible: approved, denied (a policy exists for the
 * resource and action but did not allow this request), or resource-not-found
 * (no such policy exists). For access attempts the plugin's result is also
 * stored in {@code resultLookup} so it can be used for auditing later.
 *
 * @param request the request carrying the identity, groups, resource, action
 *                and optional user context
 * @return approved, denied with the request's explanation, or resource-not-found
 * @throws AuthorizationAccessException declared by the signature; this body
 *         contains no explicit throw
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // Shortcut for the configured Ranger admin identity asking for the resources
    // listing: approved here without calling the plugin, and before anything is
    // stored in resultLookup, so this path leaves no result for later auditing.
    // NOTE(review): only the resource identifier is compared; request.getAction()
    // is not checked on this path. Confirm that is intended for RESOURCES_RESOURCE.
    final boolean callerIsRangerAdmin =
            StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity);
    if (callerIsRangerAdmin && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
        return AuthorizationResult.approved();
    }

    // The client address is optional and comes from the request's user context.
    // NOTE(review): whether this value can be trusted depends on how the caller
    // populates the user context; that is not visible here.
    final String clientIp = request.getUserContext() != null
            ? request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name())
            : null;

    final RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerResource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

    final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setAccessTime(new Date());
    if (StringUtils.isNotBlank(clientIp)) {
        rangerRequest.setClientIPAddress(clientIp);
    }

    final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest);

    // Keep the result (which may be null) for access attempts so it can be
    // audited later if appropriate; writes to the lookup are serialized on it.
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
        }
    }

    // A null result is never treated as an approval.
    if (result != null && result.getIsAllowed()) {
        return AuthorizationResult.approved();
    }

    // Not allowed: distinguish "no policy for this resource and action" from
    // "a policy exists but does not cover this user".
    final boolean policyExists =
            nifiPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
    if (!policyExists) {
        // No policy found: report resource-not-found so NiFi can work back up
        // the resource hierarchy instead of stopping at a denial.
        return AuthorizationResult.resourceNotFound();
    }

    final String reason = (result == null) ? null : result.getReason();
    if (reason != null) {
        // The identity written here originates from the request.
        logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
    }

    // A policy exists for the resource, so this is a genuine denial.
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
}
Example 4
Source File: NiFiTestAuthorizer.java From nifi with Apache License 2.0 | 4 votes |
/**
 * Authorizes a request against a fixed set of hard-coded identities and resources.
 *
 * <p>The checks run in order and the first match decides the result, so the
 * ordering is part of the behaviour: the anonymous and token-user approvals
 * take effect before the restricted-component checks are reached.
 *
 * <p>NOTE(review): approving anonymous requests and the hard-coded identities
 * look like a test fixture; confirm this authorizer is never selected in a
 * production authorizers configuration.
 *
 * @param request the request carrying the identity, resource and action
 * @return approved, denied, or resource-not-found for the "no policy" component
 * @throws AuthorizationAccessException declared by the signature; this body
 *         contains no explicit throw
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final String resourceId = request.getResource().getIdentifier();

    // The proxy identity may access the proxy resource.
    if (ResourceFactory.getProxyResource().getIdentifier().equals(resourceId) && PROXY_DN.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // The flow resource is approved for every identity and every action.
    if (ResourceFactory.getFlowResource().getIdentifier().equals(resourceId)) {
        return AuthorizationResult.approved();
    }

    // A component with this name has no policy; resource-not-found is returned
    // so that policy inheritance can be exercised.
    if (NO_POLICY_COMPONENT_NAME.equals(request.getResource().getName())) {
        return AuthorizationResult.resourceNotFound();
    }

    // Anonymous requests are approved for whatever reaches this point. Because
    // this check precedes both restricted-component checks, those are included.
    if (request.isAnonymous()) {
        return AuthorizationResult.approved();
    }

    // The token user is likewise approved before the restricted checks run.
    if (TOKEN_USER.equals(identity)) {
        return AuthorizationResult.approved();
    }

    // Restricted components: only the privileged identity is approved.
    if (ResourceFactory.getRestrictedComponentsResource().getIdentifier().equals(resourceId)) {
        return PRIVILEGED_USER_DN.equals(identity)
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    }

    // Restricted components requiring EXECUTE_CODE: only the execute-code identity is approved.
    if (ResourceFactory.getRestrictedComponentsResource(RequiredPermission.EXECUTE_CODE).getIdentifier().equals(resourceId)) {
        return EXECUTED_CODE_USER_DN.equals(identity)
                ? AuthorizationResult.approved()
                : AuthorizationResult.denied();
    }

    // Read access for the read, read-write, privileged and execute-code identities.
    final boolean hasReadIdentity = READ_USER_DN.equals(identity)
            || READ_WRITE_USER_DN.equals(identity)
            || PRIVILEGED_USER_DN.equals(identity)
            || EXECUTED_CODE_USER_DN.equals(identity);
    if (hasReadIdentity && RequestAction.READ.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Write access for the write, read-write, privileged and execute-code identities.
    final boolean hasWriteIdentity = WRITE_USER_DN.equals(identity)
            || READ_WRITE_USER_DN.equals(identity)
            || PRIVILEGED_USER_DN.equals(identity)
            || EXECUTED_CODE_USER_DN.equals(identity);
    if (hasWriteIdentity && RequestAction.WRITE.equals(request.getAction())) {
        return AuthorizationResult.approved();
    }

    // Anything not matched above is denied.
    return AuthorizationResult.denied();
}