From 01adb050f93ced1fe0ff85963265d286e1817a69 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Thu, 28 Jul 2016 12:56:39 -0400 Subject: [PATCH] NIFI-2421: - Only attempting to clone policies when NiFI supports a configurable authorizer. This closes #738 Signed-off-by: jpercivall --- .../apache/nifi/web/StandardNiFiServiceFacade.java | 3 +-- .../org/apache/nifi/web/dao/AccessPolicyDAO.java | 7 +++++++ .../dao/impl/StandardPolicyBasedAuthorizerDAO.java | 8 ++++++++ .../java/org/apache/nifi/web/util/SnippetUtils.java | 12 ++++++++++++ 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java index 77696dfef9..3b010d529b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java @@ -23,7 +23,6 @@ import org.apache.nifi.action.FlowChangeAction; import org.apache.nifi.action.Operation; import org.apache.nifi.action.details.FlowChangePurgeDetails; import org.apache.nifi.admin.service.AuditService; -import org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer; import org.apache.nifi.authorization.AccessDeniedException; import org.apache.nifi.authorization.AccessPolicy; import org.apache.nifi.authorization.AuthorizableLookup; @@ -999,7 +998,7 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade { logger.debug("Deletion of component {} was successful", resourceIdentifier); // clean up the policy if necessary and configured with a policy based authorizer - if (cleanUpPolicies && authorizer instanceof AbstractPolicyBasedAuthorizer) { + if (cleanUpPolicies && accessPolicyDAO.supportsConfigurableAuthorizer()) { try { // since the component is being deleted, also delete any relevant read access policies final AccessPolicy readPolicy = accessPolicyDAO.getAccessPolicy(RequestAction.READ, resourceIdentifier); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java index 05b7fd771a..009ec9c0c1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java @@ -23,6 +23,13 @@ import org.apache.nifi.web.api.dto.AccessPolicyDTO; public interface AccessPolicyDAO { + /** + * Whether or not NiFi supports a configurable authorizer. + * + * @return whether or not NiFi supports a configurable authorizer + */ + boolean supportsConfigurableAuthorizer(); + /** * @param accessPolicyId access policy ID * @return Determines if the specified access policy exists diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java index a4be613325..4c415840e4 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java @@ -46,10 +46,12 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr static final String MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER = "This NiFi is not configured to internally manage users, groups, and policies. Please contact your system administrator."; private final AbstractPolicyBasedAuthorizer authorizer; + private final boolean supportsConfigurableAuthorizer; public StandardPolicyBasedAuthorizerDAO(final Authorizer authorizer) { if (authorizer instanceof AbstractPolicyBasedAuthorizer) { this.authorizer = (AbstractPolicyBasedAuthorizer) authorizer; + this.supportsConfigurableAuthorizer = true; } else { this.authorizer = new AbstractPolicyBasedAuthorizer() { @Override @@ -149,6 +151,7 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr public void preDestruction() throws AuthorizerDestructionException { } }; + this.supportsConfigurableAuthorizer = false; } } @@ -159,6 +162,11 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr .orElse(null); } + @Override + public boolean supportsConfigurableAuthorizer() { + return supportsConfigurableAuthorizer; + } + @Override public boolean hasAccessPolicy(final String accessPolicyId) { return authorizer.getAccessPolicy(accessPolicyId) != null; diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/util/SnippetUtils.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/util/SnippetUtils.java index e7b69c14f9..f88889e699 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/util/SnippetUtils.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/util/SnippetUtils.java @@ -612,6 +612,10 @@ public final class SnippetUtils { * @param idGenerationSeed id generation seed */ private void cloneComponentSpecificPolicies(final Resource originalComponentResource, final Resource clonedComponentResource, final String idGenerationSeed) { + if (!accessPolicyDAO.supportsConfigurableAuthorizer()) { + return; + } + final Map resources = new HashMap<>(); resources.put(originalComponentResource, clonedComponentResource); resources.put(ResourceFactory.getDataResource(originalComponentResource), ResourceFactory.getDataResource(clonedComponentResource)); @@ -661,6 +665,10 @@ public final class SnippetUtils { * @param snippet snippet */ public void rollbackClonedPolicies(final FlowSnippetDTO snippet) { + if (!accessPolicyDAO.supportsConfigurableAuthorizer()) { + return; + } + snippet.getControllerServices().forEach(controllerServiceDTO -> { rollbackClonedPolicy(ResourceFactory.getComponentResource(ResourceType.ControllerService, controllerServiceDTO.getId(), controllerServiceDTO.getName())); }); @@ -699,6 +707,10 @@ public final class SnippetUtils { * @param componentResource component resource */ private void rollbackClonedPolicy(final Resource componentResource) { + if (!accessPolicyDAO.supportsConfigurableAuthorizer()) { + return; + } + final List resources = new ArrayList<>(); resources.add(componentResource); resources.add(ResourceFactory.getDataResource(componentResource));