Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-2390 Separating of users and groups from authorizations.xml into separate file. This closes #735

This commit is contained in:
Bryan Bende 2016-07-26 17:02:25 -04:00 committed by Matt Gilman
parent 01adb050f9
commit 5e4ba04589
8 changed files with 513 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
View File

@ -46,6 +46,18 @@
<packageName>org.apache.nifi.authorization.file.generated</packageName>
</configuration>
</execution>
<execution>
<id>tenants</id>
<goals>
<goal>xjc</goal>
</goals>
<configuration>
<schemaDirectory>src/main/xsd</schemaDirectory>
<schemaFiles>tenants.xsd</schemaFiles>
<packageName>org.apache.nifi.authorization.file.tenants.generated</packageName>
<clearOutputDir>false</clearOutputDir>
</configuration>
</execution>
<execution>
<id>users</id>
<goals>
@ -53,7 +65,7 @@
</goals>
<configuration>
<schemaDirectory>src/main/xsd</schemaDirectory>
<schemaFiles>users.xsd</schemaFiles>
<schemaFiles>legacy-users.xsd</schemaFiles>
<packageName>org.apache.nifi.user.generated</packageName>
<clearOutputDir>false</clearOutputDir>
</configuration>
@ -67,7 +79,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<configuration>
<excludes>**/authorization/file/generated/*.java,**/user/generated/*.java</excludes>
<excludes>**/authorization/file/generated/*.java,**/authorization/file/tenants/generated/*.java,**/user/generated/*.java</excludes>
</configuration>
</plugin>
</plugins>

29
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/AuthorizationsHolder.java
View File

@ -18,9 +18,10 @@ package org.apache.nifi.authorization;
import org.apache.nifi.authorization.file.generated.Authorizations;
import org.apache.nifi.authorization.file.generated.Groups;
import org.apache.nifi.authorization.file.generated.Policies;
import org.apache.nifi.authorization.file.generated.Users;
import org.apache.nifi.authorization.file.tenants.generated.Groups;
import org.apache.nifi.authorization.file.tenants.generated.Tenants;
import org.apache.nifi.authorization.file.tenants.generated.Users;
import java.util.Collections;
import java.util.HashMap;
@ -33,6 +34,7 @@ import java.util.Set;
*/
public class AuthorizationsHolder implements UsersAndAccessPolicies {
private final Tenants tenants;
private final Authorizations authorizations;
private final Set<AccessPolicy> allPolicies;
@ -52,15 +54,16 @@ public class AuthorizationsHolder implements UsersAndAccessPolicies {
*
* @param authorizations the current authorizations instance
*/
public AuthorizationsHolder(final Authorizations authorizations) {
public AuthorizationsHolder(final Authorizations authorizations, final Tenants tenants) {
this.authorizations = authorizations;
this.tenants = tenants;
// load all users
final Users users = authorizations.getUsers();
final Users users = tenants.getUsers();
final Set<User> allUsers = Collections.unmodifiableSet(createUsers(users));
// load all groups
final Groups groups = authorizations.getGroups();
final Groups groups = tenants.getGroups();
final Set<Group> allGroups = Collections.unmodifiableSet(createGroups(groups, users));
// load all access policies
@ -152,13 +155,13 @@ public class AuthorizationsHolder implements UsersAndAccessPolicies {
* @param users the JAXB Users
* @return a set of API Users matching the provided JAXB Users
*/
private Set<User> createUsers(org.apache.nifi.authorization.file.generated.Users users) {
private Set<User> createUsers(org.apache.nifi.authorization.file.tenants.generated.Users users) {
Set<User> allUsers = new HashSet<>();
if (users == null || users.getUser() == null) {
return allUsers;
}
for (org.apache.nifi.authorization.file.generated.User user : users.getUser()) {
for (org.apache.nifi.authorization.file.tenants.generated.User user : users.getUser()) {
final User.Builder builder = new User.Builder()
.identity(user.getIdentity())
.identifier(user.getIdentifier());
@ -175,19 +178,19 @@ public class AuthorizationsHolder implements UsersAndAccessPolicies {
* @param groups the JAXB Groups
* @return a set of API Groups matching the provided JAXB Groups
*/
private Set<Group> createGroups(org.apache.nifi.authorization.file.generated.Groups groups,
org.apache.nifi.authorization.file.generated.Users users) {
private Set<Group> createGroups(org.apache.nifi.authorization.file.tenants.generated.Groups groups,
org.apache.nifi.authorization.file.tenants.generated.Users users) {
Set<Group> allGroups = new HashSet<>();
if (groups == null || groups.getGroup() == null) {
return allGroups;
}
for (org.apache.nifi.authorization.file.generated.Group group : groups.getGroup()) {
for (org.apache.nifi.authorization.file.tenants.generated.Group group : groups.getGroup()) {
final Group.Builder builder = new Group.Builder()
.identifier(group.getIdentifier())
.name(group.getName());
for (org.apache.nifi.authorization.file.generated.Group.User groupUser : group.getUser()) {
for (org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser : group.getUser()) {
builder.addUser(groupUser.getIdentifier());
}
@ -304,6 +307,10 @@ public class AuthorizationsHolder implements UsersAndAccessPolicies {
return authorizations;
}
public Tenants getTenants() {
return tenants;
}
public Set<AccessPolicy> getAllPolicies() {
return allPolicies;
}

295
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
View File

@ -21,10 +21,11 @@ import org.apache.nifi.authorization.annotation.AuthorizerContext;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.file.generated.Authorizations;
import org.apache.nifi.authorization.file.generated.Groups;
import org.apache.nifi.authorization.file.tenants.generated.Groups;
import org.apache.nifi.authorization.file.generated.Policies;
import org.apache.nifi.authorization.file.generated.Policy;
import org.apache.nifi.authorization.file.generated.Users;
import org.apache.nifi.authorization.file.tenants.generated.Users;
import org.apache.nifi.authorization.file.tenants.generated.Tenants;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.resource.ResourceType;
import org.apache.nifi.authorization.util.IdentityMapping;
@ -72,10 +73,14 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
private static final String AUTHORIZATIONS_XSD = "/authorizations.xsd";
private static final String JAXB_AUTHORIZATIONS_PATH = "org.apache.nifi.authorization.file.generated";
private static final String USERS_XSD = "/users.xsd";
private static final String TENANTS_XSD = "/tenants.xsd";
private static final String JAXB_TENANTS_PATH = "org.apache.nifi.authorization.file.tenants.generated";
private static final String USERS_XSD = "/legacy-users.xsd";
private static final String JAXB_USERS_PATH = "org.apache.nifi.user.generated";
private static final JAXBContext JAXB_AUTHORIZATIONS_CONTEXT = initializeJaxbContext(JAXB_AUTHORIZATIONS_PATH);
private static final JAXBContext JAXB_TENANTS_CONTEXT = initializeJaxbContext(JAXB_TENANTS_PATH);
private static final JAXBContext JAXB_USERS_CONTEXT = initializeJaxbContext(JAXB_USERS_PATH);
/**
@ -93,16 +98,20 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
static final String WRITE_CODE = "W";
static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File";
static final String PROP_TENANTS_FILE = "Users File";
static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
static final String PROP_LEGACY_AUTHORIZED_USERS_FILE = "Legacy Authorized Users File";
static final Pattern NODE_IDENTITY_PATTERN = Pattern.compile("Node Identity \\S+");
private Schema usersSchema;
private Schema tenantsSchema;
private Schema authorizationsSchema;
private SchemaFactory schemaFactory;
private NiFiProperties properties;
private File tenantsFile;
private File authorizationsFile;
private File restoreAuthorizationsFile;
private File restoreTenantsFile;
private String rootGroupId;
private String initialAdminIdentity;
private String legacyAuthorizedUsersFile;
@ -116,6 +125,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
public void initialize(final AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
try {
schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
tenantsSchema = schemaFactory.newSchema(FileAuthorizer.class.getResource(TENANTS_XSD));
authorizationsSchema = schemaFactory.newSchema(FileAuthorizer.class.getResource(AUTHORIZATIONS_XSD));
usersSchema = schemaFactory.newSchema(FileAuthorizer.class.getResource(USERS_XSD));
} catch (Exception e) {
@ -126,6 +136,18 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
@Override
public void doOnConfigured(final AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
try {
final PropertyValue tenantsPath = configurationContext.getProperty(PROP_TENANTS_FILE);
if (StringUtils.isBlank(tenantsPath.getValue())) {
throw new AuthorizerCreationException("The users file must be specified.");
}
// get the tenants file and ensure it exists
tenantsFile = new File(tenantsPath.getValue());
if (!tenantsFile.exists()) {
logger.info("Creating new users file at {}", new Object[] {tenantsFile.getAbsolutePath()});
saveTenants(new Tenants());
}
final PropertyValue authorizationsPath = configurationContext.getProperty(PROP_AUTHORIZATIONS_FILE);
if (StringUtils.isBlank(authorizationsPath.getValue())) {
throw new AuthorizerCreationException("The authorizations file must be specified.");
@ -135,10 +157,11 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
authorizationsFile = new File(authorizationsPath.getValue());
if (!authorizationsFile.exists()) {
logger.info("Creating new authorizations file at {}", new Object[] {authorizationsFile.getAbsolutePath()});
saveAndRefreshHolder(new Authorizations());
saveAuthorizations(new Authorizations());
}
final File authorizationsFileDirectory = authorizationsFile.getAbsoluteFile().getParentFile();
final File tenantsFileDirectory = tenantsFile.getAbsoluteFile().getParentFile();
// the restore directory is optional and may be null
final File restoreDirectory = properties.getRestoreDirectory();
@ -146,18 +169,26 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// sanity check that restore directory is a directory, creating it if necessary
FileUtils.ensureDirectoryExistAndCanAccess(restoreDirectory);
// check that restore directory is not the same as the primary directory
// check that restore directory is not the same as the authorizations directory
if (authorizationsFileDirectory.getAbsolutePath().equals(restoreDirectory.getAbsolutePath())) {
throw new AuthorizerCreationException(String.format("Authorizations file directory '%s' is the same as restore directory '%s' ",
authorizationsFileDirectory.getAbsolutePath(), restoreDirectory.getAbsolutePath()));
}
// check that restore directory is not the same as the user's directory
if (tenantsFileDirectory.getAbsolutePath().equals(restoreDirectory.getAbsolutePath())) {
throw new AuthorizerCreationException(String.format("Users file directory '%s' is the same as restore directory '%s' ",
tenantsFileDirectory.getAbsolutePath(), restoreDirectory.getAbsolutePath()));
}
// the restore copy will have same file name, but reside in a different directory
restoreAuthorizationsFile = new File(restoreDirectory, authorizationsFile.getName());
restoreTenantsFile = new File(restoreDirectory, tenantsFile.getName());
try {
// sync the primary copy with the restore copy
FileUtils.syncWithRestore(authorizationsFile, restoreAuthorizationsFile, logger);
FileUtils.syncWithRestore(tenantsFile, restoreTenantsFile, logger);
} catch (final IOException | IllegalStateException ioe) {
throw new AuthorizerCreationException(ioe);
}
@ -191,6 +222,11 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
FileUtils.copyFile(authorizationsFile, restoreAuthorizationsFile, false, false, logger);
}
// if we've copied the authorizations file to a restore directory synchronize it
if (restoreTenantsFile != null) {
FileUtils.copyFile(tenantsFile, restoreTenantsFile, false, false, logger);
}
logger.info(String.format("Authorizations file loaded at %s", new Date().toString()));
} catch (IOException | AuthorizerCreationException | JAXBException | IllegalStateException | SAXException e) {
@ -207,23 +243,20 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
*/
private synchronized void load() throws JAXBException, IOException, IllegalStateException, SAXException {
// attempt to unmarshal
final Unmarshaller unmarshaller = JAXB_AUTHORIZATIONS_CONTEXT.createUnmarshaller();
unmarshaller.setSchema(authorizationsSchema);
final JAXBElement<Authorizations> element = unmarshaller.unmarshal(new StreamSource(authorizationsFile), Authorizations.class);
final Authorizations authorizations = element.getValue();
if (authorizations.getUsers() == null) {
authorizations.setUsers(new Users());
}
if (authorizations.getGroups() == null) {
authorizations.setGroups(new Groups());
}
final Authorizations authorizations = unmarshallAuthorizations();
if (authorizations.getPolicies() == null) {
authorizations.setPolicies(new Policies());
}
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations);
final Tenants tenants = unmarshallTenants();
if (tenants.getUsers() == null) {
tenants.setUsers(new Users());
}
if (tenants.getGroups() == null) {
tenants.setGroups(new Groups());
}
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations, tenants);
final boolean emptyAuthorizations = authorizationsHolder.getAllUsers().isEmpty() && authorizationsHolder.getAllPolicies().isEmpty();
final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity));
final boolean hasLegacyAuthorizedUsers = (legacyAuthorizedUsersFile != null && !StringUtils.isBlank(legacyAuthorizedUsersFile));
@ -236,21 +269,37 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new AuthorizerCreationException("Cannot provide an Initial Admin Identity and a Legacy Authorized Users File");
} else if (hasInitialAdminIdentity) {
logger.info("Populating authorizations for Initial Admin: " + initialAdminIdentity);
populateInitialAdmin(authorizations);
populateInitialAdmin(authorizations, tenants);
} else if (hasLegacyAuthorizedUsers) {
logger.info("Converting " + legacyAuthorizedUsersFile + " to new authorizations model");
convertLegacyAuthorizedUsers(authorizations);
convertLegacyAuthorizedUsers(authorizations, tenants);
}
populateNodes(authorizations);
populateNodes(authorizations, tenants);
// save any changes that were made and repopulate the holder
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
} else {
this.authorizationsHolder.set(authorizationsHolder);
}
}
private Authorizations unmarshallAuthorizations() throws JAXBException {
final Unmarshaller unmarshaller = JAXB_AUTHORIZATIONS_CONTEXT.createUnmarshaller();
unmarshaller.setSchema(authorizationsSchema);
final JAXBElement<Authorizations> element = unmarshaller.unmarshal(new StreamSource(authorizationsFile), Authorizations.class);
return element.getValue();
}
private Tenants unmarshallTenants() throws JAXBException {
final Unmarshaller unmarshaller = JAXB_TENANTS_CONTEXT.createUnmarshaller();
unmarshaller.setSchema(tenantsSchema);
final JAXBElement<Tenants> element = unmarshaller.unmarshal(new StreamSource(tenantsFile), Tenants.class);
return element.getValue();
}
/**
* Try to parse the flow configuration file to extract the root group id and port information.
*
@ -269,13 +318,13 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
/**
* Creates the initial admin user and policies for access the flow and managing users and policies.
*/
private void populateInitialAdmin(final Authorizations authorizations) {
private void populateInitialAdmin(final Authorizations authorizations, Tenants tenants) {
// generate an identifier and add a User with the given identifier and identity
final UUID adminIdentifier = UUID.nameUUIDFromBytes(initialAdminIdentity.getBytes(StandardCharsets.UTF_8));
final User adminUser = new User.Builder().identifier(adminIdentifier.toString()).identity(initialAdminIdentity).build();
final org.apache.nifi.authorization.file.generated.User jaxbAdminUser = createJAXBUser(adminUser);
authorizations.getUsers().getUser().add(jaxbAdminUser);
final org.apache.nifi.authorization.file.tenants.generated.User jaxbAdminUser = createJAXBUser(adminUser);
tenants.getUsers().getUser().add(jaxbAdminUser);
// grant the user read access to the /flow resource
addAccessPolicy(authorizations, ResourceType.Flow.getValue(), adminUser.getIdentifier(), READ_CODE);
@ -307,11 +356,11 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
*
* @param authorizations the overall authorizations
*/
private void populateNodes(Authorizations authorizations) {
private void populateNodes(Authorizations authorizations, Tenants tenants) {
for (String nodeIdentity : nodeIdentities) {
// see if we have an existing user for the given node identity
org.apache.nifi.authorization.file.generated.User jaxbNodeUser = null;
for (org.apache.nifi.authorization.file.generated.User user : authorizations.getUsers().getUser()) {
org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = null;
for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) {
if (user.getIdentity().equals(nodeIdentity)) {
jaxbNodeUser = user;
break;
@ -325,7 +374,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
final User nodeUser = new User.Builder().identifier(nodeIdentifier.toString()).identity(nodeIdentity).build();
jaxbNodeUser = createJAXBUser(nodeUser);
authorizations.getUsers().getUser().add(jaxbNodeUser);
tenants.getUsers().getUser().add(jaxbNodeUser);
}
// grant access to the proxy resource
@ -343,11 +392,12 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
/**
* Unmarshalls an existing authorized-users.xml and converts the object model to the new model.
*
* @param authorizations the current Authorizations instance that users, groups, and policies will be added to
* @param authorizations the current Authorizations instance that policies will be added to
* @param tenants the current Tenants instance users and groups will be added to
* @throws AuthorizerCreationException if the legacy authorized users file that was provided does not exist
* @throws JAXBException if the legacy authorized users file that was provided could not be unmarshalled
*/
private void convertLegacyAuthorizedUsers(final Authorizations authorizations) throws AuthorizerCreationException, JAXBException {
private void convertLegacyAuthorizedUsers(final Authorizations authorizations, final Tenants tenants) throws AuthorizerCreationException, JAXBException {
final File authorizedUsersFile = new File(legacyAuthorizedUsersFile);
if (!authorizedUsersFile.exists()) {
throw new AuthorizerCreationException("Legacy Authorized Users File '" + legacyAuthorizedUsersFile + "' does not exists");
@ -386,15 +436,15 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
final String userIdentifier = UUID.nameUUIDFromBytes(legacyUserDn.getBytes(StandardCharsets.UTF_8)).toString();
// create the new User and add it to the list of users
org.apache.nifi.authorization.file.generated.User user = new org.apache.nifi.authorization.file.generated.User();
org.apache.nifi.authorization.file.tenants.generated.User user = new org.apache.nifi.authorization.file.tenants.generated.User();
user.setIdentifier(userIdentifier);
user.setIdentity(legacyUserDn);
authorizations.getUsers().getUser().add(user);
tenants.getUsers().getUser().add(user);
// if there was a group name find or create the group and add the user to it
org.apache.nifi.authorization.file.generated.Group group = getOrCreateGroup(authorizations, legacyUser.getGroup());
org.apache.nifi.authorization.file.tenants.generated.Group group = getOrCreateGroup(tenants, legacyUser.getGroup());
if (group != null) {
org.apache.nifi.authorization.file.generated.Group.User groupUser = new org.apache.nifi.authorization.file.generated.Group.User();
org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User();
groupUser.setIdentifier(userIdentifier);
group.getUser().add(groupUser);
}
@ -431,8 +481,8 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
final String mappedUserAccessControl = IdentityMappingUtil.mapIdentity(userAccessControl, identityMappings);
// find a user where the identity is the userAccessControl
org.apache.nifi.authorization.file.generated.User foundUser = null;
for (org.apache.nifi.authorization.file.generated.User jaxbUser : authorizations.getUsers().getUser()) {
org.apache.nifi.authorization.file.tenants.generated.User foundUser = null;
for (org.apache.nifi.authorization.file.tenants.generated.User jaxbUser : tenants.getUsers().getUser()) {
if (jaxbUser.getIdentity().equals(mappedUserAccessControl)) {
foundUser = jaxbUser;
break;
@ -442,7 +492,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// couldn't find the user matching the access control so log a warning and skip
if (foundUser == null) {
logger.warn("Found port with user access control for {} but no user exists with this identity, skipping...",
new Object[] {userAccessControl});
new Object[] {mappedUserAccessControl});
continue;
}
@ -460,8 +510,8 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
if (portDTO.getGroupAccessControl() != null) {
for (String groupAccessControl : portDTO.getGroupAccessControl()) {
// find a group where the name is the groupAccessControl
org.apache.nifi.authorization.file.generated.Group foundGroup = null;
for (org.apache.nifi.authorization.file.generated.Group jaxbGroup : authorizations.getGroups().getGroup()) {
org.apache.nifi.authorization.file.tenants.generated.Group foundGroup = null;
for (org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup : tenants.getGroups().getGroup()) {
if (jaxbGroup.getName().equals(groupAccessControl)) {
foundGroup = jaxbGroup;
break;
@ -541,17 +591,17 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
/**
* Finds the Group with the given name, or creates a new one and adds it to Authorizations.
*
* @param authorizations the Authorizations reference
* @param tenants the Authorizations reference
* @param groupName the name of the group to look for
* @return the Group from Authorizations with the given name, or a new instance
*/
private org.apache.nifi.authorization.file.generated.Group getOrCreateGroup(final Authorizations authorizations, final String groupName) {
private org.apache.nifi.authorization.file.tenants.generated.Group getOrCreateGroup(final Tenants tenants, final String groupName) {
if (StringUtils.isBlank(groupName)) {
return null;
}
org.apache.nifi.authorization.file.generated.Group foundGroup = null;
for (org.apache.nifi.authorization.file.generated.Group group : authorizations.getGroups().getGroup()) {
org.apache.nifi.authorization.file.tenants.generated.Group foundGroup = null;
for (org.apache.nifi.authorization.file.tenants.generated.Group group : tenants.getGroups().getGroup()) {
if (group.getName().equals(groupName)) {
foundGroup = group;
break;
@ -560,10 +610,10 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
if (foundGroup == null) {
UUID newGroupIdentifier = UUID.nameUUIDFromBytes(groupName.getBytes(StandardCharsets.UTF_8));
foundGroup = new org.apache.nifi.authorization.file.generated.Group();
foundGroup = new org.apache.nifi.authorization.file.tenants.generated.Group();
foundGroup.setIdentifier(newGroupIdentifier.toString());
foundGroup.setName(groupName);
authorizations.getGroups().getGroup().add(foundGroup);
tenants.getGroups().getGroup().add(foundGroup);
}
return foundGroup;
@ -659,22 +709,36 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
* Synchronized to ensure only one thread writes the file at a time.
*
* @param authorizations the authorizations to save and populate from
* @param tenants the tenants to save and populate from
* @throws AuthorizationAccessException if an error occurs saving the authorizations
*/
private synchronized void saveAndRefreshHolder(final Authorizations authorizations) throws AuthorizationAccessException {
private synchronized void saveAndRefreshHolder(final Authorizations authorizations, final Tenants tenants) throws AuthorizationAccessException {
try {
final Marshaller marshaller = JAXB_AUTHORIZATIONS_CONTEXT.createMarshaller();
marshaller.setSchema(authorizationsSchema);
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
marshaller.marshal(authorizations, authorizationsFile);
saveTenants(tenants);
saveAuthorizations(authorizations);
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations);
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations, tenants);
this.authorizationsHolder.set(authorizationsHolder);
} catch (JAXBException e) {
throw new AuthorizationAccessException("Unable to save Authorizations", e);
}
}
private void saveAuthorizations(final Authorizations authorizations) throws JAXBException {
final Marshaller marshaller = JAXB_AUTHORIZATIONS_CONTEXT.createMarshaller();
marshaller.setSchema(authorizationsSchema);
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
marshaller.marshal(authorizations, authorizationsFile);
}
private void saveTenants(final Tenants tenants) throws JAXBException {
final Marshaller marshaller = JAXB_TENANTS_CONTEXT.createMarshaller();
marshaller.setSchema(tenantsSchema);
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
marshaller.marshal(tenants, tenantsFile);
}
@AuthorizerContext
public void setNiFiProperties(NiFiProperties properties) {
this.properties = properties;
@ -693,28 +757,29 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("Group cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
// determine that all users in the group exist before doing anything, throw an exception if they don't
final Set<org.apache.nifi.authorization.file.generated.User> jaxbUsers = checkGroupUsers(group, authorizations.getUsers().getUser());
final Set<org.apache.nifi.authorization.file.tenants.generated.User> jaxbUsers = checkGroupUsers(group, tenants.getUsers().getUser());
// create a new JAXB Group based on the incoming Group
final org.apache.nifi.authorization.file.generated.Group jaxbGroup = new org.apache.nifi.authorization.file.generated.Group();
final org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup = new org.apache.nifi.authorization.file.tenants.generated.Group();
jaxbGroup.setIdentifier(group.getIdentifier());
jaxbGroup.setName(group.getName());
// add each user to the group
for (String groupUser : group.getUsers()) {
org.apache.nifi.authorization.file.generated.Group.User jaxbGroupUser = new org.apache.nifi.authorization.file.generated.Group.User();
org.apache.nifi.authorization.file.tenants.generated.Group.User jaxbGroupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User();
jaxbGroupUser.setIdentifier(groupUser);
jaxbGroup.getUser().add(jaxbGroupUser);
}
authorizations.getGroups().getGroup().add(jaxbGroup);
saveAndRefreshHolder(authorizations);
tenants.getGroups().getGroup().add(jaxbGroup);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = this.authorizationsHolder.get();
return holder.getGroupsById().get(group.getIdentifier());
return this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
}
@Override
@ -731,11 +796,13 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("Group cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
// find the group that needs to be update
org.apache.nifi.authorization.file.generated.Group updateGroup = null;
for (org.apache.nifi.authorization.file.generated.Group jaxbGroup : authorizations.getGroups().getGroup()) {
org.apache.nifi.authorization.file.tenants.generated.Group updateGroup = null;
for (org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup : tenants.getGroups().getGroup()) {
if (jaxbGroup.getIdentifier().equals(group.getIdentifier())) {
updateGroup = jaxbGroup;
break;
@ -750,22 +817,24 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// reset the list of users and add each user to the group
updateGroup.getUser().clear();
for (String groupUser : group.getUsers()) {
org.apache.nifi.authorization.file.generated.Group.User jaxbGroupUser = new org.apache.nifi.authorization.file.generated.Group.User();
org.apache.nifi.authorization.file.tenants.generated.Group.User jaxbGroupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User();
jaxbGroupUser.setIdentifier(groupUser);
updateGroup.getUser().add(jaxbGroupUser);
}
updateGroup.setName(group.getName());
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = this.authorizationsHolder.get();
return holder.getGroupsById().get(group.getIdentifier());
return this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
}
@Override
public synchronized Group deleteGroup(Group group) throws AuthorizationAccessException {
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final List<org.apache.nifi.authorization.file.generated.Group> groups = authorizations.getGroups().getGroup();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
final List<org.apache.nifi.authorization.file.tenants.generated.Group> groups = tenants.getGroups().getGroup();
// for each policy iterate over the group reference and remove the group reference if it matches the group being deleted
for (Policy policy : authorizations.getPolicies().getPolicy()) {
@ -781,9 +850,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// now remove the actual group from the top-level list of groups
boolean removedGroup = false;
Iterator<org.apache.nifi.authorization.file.generated.Group> iter = groups.iterator();
Iterator<org.apache.nifi.authorization.file.tenants.generated.Group> iter = groups.iterator();
while (iter.hasNext()) {
org.apache.nifi.authorization.file.generated.Group jaxbGroup = iter.next();
org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup = iter.next();
if (group.getIdentifier().equals(jaxbGroup.getIdentifier())) {
iter.remove();
removedGroup = true;
@ -792,7 +861,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
}
if (removedGroup) {
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
return group;
} else {
return null;
@ -804,11 +873,11 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
return authorizationsHolder.get().getAllGroups();
}
private Set<org.apache.nifi.authorization.file.generated.User> checkGroupUsers(final Group group, final List<org.apache.nifi.authorization.file.generated.User> users) {
final Set<org.apache.nifi.authorization.file.generated.User> jaxbUsers = new HashSet<>();
private Set<org.apache.nifi.authorization.file.tenants.generated.User> checkGroupUsers(final Group group, final List<org.apache.nifi.authorization.file.tenants.generated.User> users) {
final Set<org.apache.nifi.authorization.file.tenants.generated.User> jaxbUsers = new HashSet<>();
for (String groupUser : group.getUsers()) {
boolean found = false;
for (org.apache.nifi.authorization.file.generated.User jaxbUser : users) {
for (org.apache.nifi.authorization.file.tenants.generated.User jaxbUser : users) {
if (jaxbUser.getIdentifier().equals(groupUser)) {
jaxbUsers.add(jaxbUser);
found = true;
@ -831,19 +900,20 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("User cannot be null");
}
final org.apache.nifi.authorization.file.generated.User jaxbUser = createJAXBUser(user);
final org.apache.nifi.authorization.file.tenants.generated.User jaxbUser = createJAXBUser(user);
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
authorizations.getUsers().getUser().add(jaxbUser);
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
tenants.getUsers().getUser().add(jaxbUser);
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = authorizationsHolder.get();
return holder.getUsersById().get(user.getIdentifier());
return this.authorizationsHolder.get().getUsersById().get(user.getIdentifier());
}
private org.apache.nifi.authorization.file.generated.User createJAXBUser(User user) {
final org.apache.nifi.authorization.file.generated.User jaxbUser = new org.apache.nifi.authorization.file.generated.User();
private org.apache.nifi.authorization.file.tenants.generated.User createJAXBUser(User user) {
final org.apache.nifi.authorization.file.tenants.generated.User jaxbUser = new org.apache.nifi.authorization.file.tenants.generated.User();
jaxbUser.setIdentifier(user.getIdentifier());
jaxbUser.setIdentity(user.getIdentity());
return jaxbUser;
@ -875,12 +945,15 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("User cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final List<org.apache.nifi.authorization.file.generated.User> users = authorizations.getUsers().getUser();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
final List<org.apache.nifi.authorization.file.tenants.generated.User> users = tenants.getUsers().getUser();
// fine the User that needs to be updated
org.apache.nifi.authorization.file.generated.User updateUser = null;
for (org.apache.nifi.authorization.file.generated.User jaxbUser : users) {
org.apache.nifi.authorization.file.tenants.generated.User updateUser = null;
for (org.apache.nifi.authorization.file.tenants.generated.User jaxbUser : users) {
if (user.getIdentifier().equals(jaxbUser.getIdentifier())) {
updateUser = jaxbUser;
break;
@ -892,10 +965,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
return null;
} else {
updateUser.setIdentity(user.getIdentity());
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = authorizationsHolder.get();
return holder.getUsersById().get(user.getIdentifier());
return this.authorizationsHolder.get().getUsersById().get(user.getIdentifier());
}
}
@ -905,14 +977,17 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("User cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final List<org.apache.nifi.authorization.file.generated.User> users = authorizations.getUsers().getUser();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
final List<org.apache.nifi.authorization.file.tenants.generated.User> users = tenants.getUsers().getUser();
// for each group iterate over the user references and remove the user reference if it matches the user being deleted
for (org.apache.nifi.authorization.file.generated.Group group : authorizations.getGroups().getGroup()) {
Iterator<org.apache.nifi.authorization.file.generated.Group.User> groupUserIter = group.getUser().iterator();
for (org.apache.nifi.authorization.file.tenants.generated.Group group : tenants.getGroups().getGroup()) {
Iterator<org.apache.nifi.authorization.file.tenants.generated.Group.User> groupUserIter = group.getUser().iterator();
while (groupUserIter.hasNext()) {
org.apache.nifi.authorization.file.generated.Group.User groupUser = groupUserIter.next();
org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = groupUserIter.next();
if (groupUser.getIdentifier().equals(user.getIdentifier())) {
groupUserIter.remove();
break;
@ -934,9 +1009,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// remove the actual user if it exists
boolean removedUser = false;
Iterator<org.apache.nifi.authorization.file.generated.User> iter = users.iterator();
Iterator<org.apache.nifi.authorization.file.tenants.generated.User> iter = users.iterator();
while (iter.hasNext()) {
org.apache.nifi.authorization.file.generated.User jaxbUser = iter.next();
org.apache.nifi.authorization.file.tenants.generated.User jaxbUser = iter.next();
if (user.getIdentifier().equals(jaxbUser.getIdentifier())) {
iter.remove();
removedUser = true;
@ -945,7 +1020,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
}
if (removedUser) {
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
return user;
} else {
return null;
@ -969,13 +1044,14 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
final Policy policy = createJAXBPolicy(accessPolicy);
// add the new Policy to the top-level list of policies
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
authorizations.getPolicies().getPolicy().add(policy);
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = authorizationsHolder.get();
return holder.getPoliciesById().get(accessPolicy.getIdentifier());
return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
private Policy createJAXBPolicy(final AccessPolicy accessPolicy) {
@ -1014,7 +1090,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("AccessPolicy cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
// try to find an existing Authorization that matches the policy id
Policy updatePolicy = null;
@ -1032,10 +1110,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// update the Policy, save, reload, and return
transferUsersAndGroups(accessPolicy, updatePolicy);
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
final AuthorizationsHolder holder = authorizationsHolder.get();
return holder.getPoliciesById().get(accessPolicy.getIdentifier());
return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
}
@Override
@ -1044,7 +1121,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
throw new IllegalArgumentException("AccessPolicy cannot be null");
}
final Authorizations authorizations = this.authorizationsHolder.get().getAuthorizations();
final AuthorizationsHolder holder = this.authorizationsHolder.get();
final Tenants tenants = holder.getTenants();
final Authorizations authorizations = holder.getAuthorizations();
// find the matching Policy and remove it
boolean deletedPolicy = false;
@ -1063,7 +1142,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
return null;
}
saveAndRefreshHolder(authorizations);
saveAndRefreshHolder(authorizations, tenants);
return accessPolicy;
}

72
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/authorizations.xsd
View File

@ -15,75 +15,6 @@
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<!-- group -->
<xs:complexType name="Group">
<xs:sequence>
<xs:element name="user" minOccurs="0" maxOccurs="unbounded" >
<xs:complexType>
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="name">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
<!-- groups -->
<xs:complexType name="Groups">
<xs:sequence>
<xs:element name="group" type="Group" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- user -->
<xs:complexType name="User">
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="identity">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
<!-- users -->
<xs:complexType name="Users">
<xs:sequence>
<xs:element name="user" type="User" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- authorization -->
<xs:complexType name="Policy">
<xs:sequence>
<xs:element name="group" minOccurs="0" maxOccurs="unbounded" >
@ -137,7 +68,6 @@
</xs:attribute>
</xs:complexType>
<!-- resources -->
<xs:complexType name="Policies">
<xs:sequence>
<xs:element name="policy" type="Policy" minOccurs="0" maxOccurs="unbounded"/>
@ -148,8 +78,6 @@
<xs:element name="authorizations">
<xs:complexType>
<xs:sequence>
<xs:element name="groups" type="Groups" minOccurs="0" maxOccurs="1" />
<xs:element name="users" type="Users" minOccurs="0" maxOccurs="1" />
<xs:element name="policies" type="Policies" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>

0
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/users.xsd → nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/legacy-users.xsd
View File

96
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/tenants.xsd Normal file
View File

@ -0,0 +1,96 @@
<?xml version="1.0"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<!-- group -->
<xs:complexType name="Group">
<xs:sequence>
<xs:element name="user" minOccurs="0" maxOccurs="unbounded" >
<xs:complexType>
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="name">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
<!-- groups -->
<xs:complexType name="Groups">
<xs:sequence>
<xs:element name="group" type="Group" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- user -->
<xs:complexType name="User">
<xs:attribute name="identifier">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="identity">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:pattern value=".*[^\s].*"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
<!-- users -->
<xs:complexType name="Users">
<xs:sequence>
<xs:element name="user" type="User" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- top-level authorizations element -->
<xs:element name="tenants">
<xs:complexType>
<xs:sequence>
<xs:element name="groups" type="Groups" minOccurs="0" maxOccurs="1" />
<xs:element name="users" type="Users" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

279
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
View File

@ -56,23 +56,33 @@ public class FileAuthorizerTest {
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<authorizations/>";
private static final String EMPTY_TENANTS_CONCISE =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<tenants/>";
private static final String EMPTY_AUTHORIZATIONS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<authorizations>"
+ "</authorizations>";
private static final String EMPTY_TENANTS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<tenants>"
+ "</tenants>";
private static final String BAD_SCHEMA_AUTHORIZATIONS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<authorization>"
+ "</authorization>";
private static final String BAD_SCHEMA_TENANTS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+ "<tenant>"
+ "</tenant>";
private static final String SIMPLE_AUTHORIZATION_BY_USER =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
"<authorizations>" +
" <users>" +
" <user identifier=\"user-1\" identity=\"user-1\"/>" +
" <user identifier=\"user-2\" identity=\"user-2\"/>" +
" </users>" +
" <policies>" +
" <policy identifier=\"policy-1\" resource=\"/flow\" action=\"R\">" +
" <user identifier=\"user-1\" />" +
@ -80,21 +90,18 @@ public class FileAuthorizerTest {
" </policies>" +
"</authorizations>";
private static final String SIMPLE_TENANTS_BY_USER =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
"<tenants>" +
" <users>" +
" <user identifier=\"user-1\" identity=\"user-1\"/>" +
" <user identifier=\"user-2\" identity=\"user-2\"/>" +
" </users>" +
"</tenants>";
private static final String AUTHORIZATIONS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
"<authorizations>" +
" <groups>" +
" <group identifier=\"group-1\" name=\"group-1\">" +
" <user identifier=\"user-1\" />" +
" </group>" +
" <group identifier=\"group-2\" name=\"group-2\">" +
" <user identifier=\"user-2\" />" +
" </group>" +
" </groups>" +
" <users>" +
" <user identifier=\"user-1\" identity=\"user-1\" />" +
" <user identifier=\"user-2\" identity=\"user-2\" />" +
" </users>" +
" <policies>" +
" <policy identifier=\"policy-1\" resource=\"/flow\" action=\"R\">" +
" <group identifier=\"group-1\" />" +
@ -107,13 +114,32 @@ public class FileAuthorizerTest {
" </policies>" +
"</authorizations>";
private static final String TENANTS =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
"<tenants>" +
" <groups>" +
" <group identifier=\"group-1\" name=\"group-1\">" +
" <user identifier=\"user-1\" />" +
" </group>" +
" <group identifier=\"group-2\" name=\"group-2\">" +
" <user identifier=\"user-2\" />" +
" </group>" +
" </groups>" +
" <users>" +
" <user identifier=\"user-1\" identity=\"user-1\" />" +
" <user identifier=\"user-2\" identity=\"user-2\" />" +
" </users>" +
"</tenants>";
// This is the root group id from the flow.xml.gz in src/test/resources
private static final String ROOT_GROUP_ID = "e530e14c-adcf-41c2-b5d6-d9a59ba8765c";
private NiFiProperties properties;
private FileAuthorizer authorizer;
private File primary;
private File restore;
private File primaryAuthorizations;
private File primaryTenants;
private File restoreAuthorizations;
private File restoreTenants;
private File flow;
private File flowNoPorts;
private File flowWithDns;
@ -123,12 +149,20 @@ public class FileAuthorizerTest {
@Before
public void setup() throws IOException {
// primary authorizations
primary = new File("target/primary/authorizations.xml");
FileUtils.ensureDirectoryExistAndCanAccess(primary.getParentFile());
primaryAuthorizations = new File("target/authorizations/authorizations.xml");
FileUtils.ensureDirectoryExistAndCanAccess(primaryAuthorizations.getParentFile());
// primary tenants
primaryTenants = new File("target/authorizations/users.xml");
FileUtils.ensureDirectoryExistAndCanAccess(primaryTenants.getParentFile());
// restore authorizations
restore = new File("target/restore/authorizations.xml");
FileUtils.ensureDirectoryExistAndCanAccess(restore.getParentFile());
restoreAuthorizations = new File("target/restore/authorizations.xml");
FileUtils.ensureDirectoryExistAndCanAccess(restoreAuthorizations.getParentFile());
// restore authorizations
restoreTenants = new File("target/restore/users.xml");
FileUtils.ensureDirectoryExistAndCanAccess(restoreTenants.getParentFile());
flow = new File("src/test/resources/flow.xml.gz");
FileUtils.ensureDirectoryExistAndCanAccess(flow.getParentFile());
@ -140,11 +174,12 @@ public class FileAuthorizerTest {
FileUtils.ensureDirectoryExistAndCanAccess(flowWithDns.getParentFile());
properties = mock(NiFiProperties.class);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(flow);
configurationContext = mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(Mockito.eq("Authorizations File"))).thenReturn(new StandardPropertyValue(primary.getPath(), null));
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_AUTHORIZATIONS_FILE))).thenReturn(new StandardPropertyValue(primaryAuthorizations.getPath(), null));
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_TENANTS_FILE))).thenReturn(new StandardPropertyValue(primaryTenants.getPath(), null));
authorizer = new FileAuthorizer();
authorizer.setNiFiProperties(properties);
@ -153,8 +188,10 @@ public class FileAuthorizerTest {
@After
public void cleanup() throws Exception {
deleteFile(primary);
deleteFile(restore);
deleteFile(primaryAuthorizations);
deleteFile(primaryTenants);
deleteFile(restoreAuthorizations);
deleteFile(restoreTenants);
}
@Test
@ -162,7 +199,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/authorized-users-multirole.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -180,13 +218,14 @@ public class FileAuthorizerTest {
@Test
public void testOnConfiguredWhenLegacyUsersFileProvidedAndFlowHasNoPorts() throws Exception {
properties = mock(NiFiProperties.class);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(flowNoPorts);
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/authorized-users.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
boolean foundDataTransferPolicy = false;
@ -205,7 +244,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/authorized-users.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
// verify all users got created correctly
@ -347,14 +387,15 @@ public class FileAuthorizerTest {
props.setProperty("nifi.security.identity.mapping.value.dn1", "$1");
properties = getNiFiProperties(props);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(flowWithDns);
authorizer.setNiFiProperties(properties);
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/authorized-users-with-dns.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final User user1 = authorizer.getUserByIdentity("user1");
@ -401,7 +442,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/does-not-exist.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
}
@ -415,13 +457,15 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE)))
.thenReturn(new StandardPropertyValue("src/test/resources/authorized-users.xml", null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
}
@Test
public void testOnConfiguredWhenInitialAdminNotProvided() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -438,7 +482,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -467,7 +512,7 @@ public class FileAuthorizerTest {
public void testOnConfiguredWhenInitialAdminProvidedAndNoFlowExists() throws Exception {
// setup NiFi properties to return a file that does not exist
properties = mock(NiFiProperties.class);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(new File("src/test/resources/does-not-exist.xml.gz"));
authorizer.setNiFiProperties(properties);
@ -475,7 +520,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -504,7 +550,7 @@ public class FileAuthorizerTest {
public void testOnConfiguredWhenInitialAdminProvidedAndFlowIsNull() throws Exception {
// setup NiFi properties to return a file that does not exist
properties = mock(NiFiProperties.class);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(null);
authorizer.setNiFiProperties(properties);
@ -512,7 +558,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -544,7 +591,7 @@ public class FileAuthorizerTest {
props.setProperty("nifi.security.identity.mapping.value.dn1", "$1_$2_$3");
properties = getNiFiProperties(props);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(flow);
authorizer.setNiFiProperties(properties);
@ -552,7 +599,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
final Set<User> users = authorizer.getUsers();
@ -578,7 +626,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperties()).thenReturn(props);
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
User adminUser = authorizer.getUserByIdentity(adminIdentity);
@ -609,7 +658,7 @@ public class FileAuthorizerTest {
props.setProperty("nifi.security.identity.mapping.value.dn1", "$1");
properties = getNiFiProperties(props);
when(properties.getRestoreDirectory()).thenReturn(restore.getParentFile());
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
when(properties.getFlowConfigurationFile()).thenReturn(flow);
authorizer.setNiFiProperties(properties);
@ -626,7 +675,8 @@ public class FileAuthorizerTest {
when(configurationContext.getProperties()).thenReturn(nodeProps);
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
User adminUser = authorizer.getUserByIdentity("user1");
@ -639,42 +689,72 @@ public class FileAuthorizerTest {
assertNotNull(nodeUser2);
}
public void testOnConfiguredWhenTenantsAndAuthorizationsFileDoesNotExist() {
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getAccessPolicies().size());
}
@Test
public void testOnConfiguredWhenAuthorizationsFileDoesNotExist() {
public void testOnConfiguredWhenAuthorizationsFileDoesNotExist() throws Exception {
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getAccessPolicies().size());
}
@Test
public void testOnConfiguredWhenTenantsFileDoesNotExist() throws Exception {
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getAccessPolicies().size());
}
@Test
public void testOnConfiguredWhenRestoreDoesNotExist() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
assertEquals(primary.length(), restore.length());
assertEquals(primaryAuthorizations.length(), restoreAuthorizations.length());
assertEquals(primaryTenants.length(), restoreTenants.length());
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWhenPrimaryDoesNotExist() throws Exception {
writeAuthorizationsFile(restore, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(restoreAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(restoreTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWhenPrimaryDifferentThanRestore() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeAuthorizationsFile(restore, EMPTY_AUTHORIZATIONS_CONCISE);
public void testOnConfiguredWhenPrimaryAuthorizationsDifferentThanRestore() throws Exception {
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(restoreAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
authorizer.onConfigured(configurationContext);
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWithBadSchema() throws Exception {
writeAuthorizationsFile(primary, BAD_SCHEMA_AUTHORIZATIONS);
public void testOnConfiguredWhenPrimaryTenantsDifferentThanRestore() throws Exception {
writeFile(primaryTenants, EMPTY_TENANTS);
writeFile(restoreTenants, EMPTY_TENANTS_CONCISE);
authorizer.onConfigured(configurationContext);
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWithBadAuthorizationsSchema() throws Exception {
writeFile(primaryAuthorizations, BAD_SCHEMA_AUTHORIZATIONS);
authorizer.onConfigured(configurationContext);
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWithBadTenantsSchema() throws Exception {
writeFile(primaryTenants, BAD_SCHEMA_TENANTS);
authorizer.onConfigured(configurationContext);
}
@Test
public void testAuthorizedUserAction() throws Exception {
writeAuthorizationsFile(primary, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
authorizer.onConfigured(configurationContext);
final AuthorizationRequest request = new AuthorizationRequest.Builder()
@ -691,7 +771,8 @@ public class FileAuthorizerTest {
@Test
public void testUnauthorizedUser() throws Exception {
writeAuthorizationsFile(primary, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
authorizer.onConfigured(configurationContext);
final AuthorizationRequest request = new AuthorizationRequest.Builder()
@ -708,7 +789,8 @@ public class FileAuthorizerTest {
@Test
public void testUnauthorizedAction() throws Exception {
writeAuthorizationsFile(primary, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
authorizer.onConfigured(configurationContext);
final AuthorizationRequest request = new AuthorizationRequest.Builder()
@ -725,7 +807,8 @@ public class FileAuthorizerTest {
@Test
public void testGetAllUsersGroupsPolicies() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
final Set<Group> groups = authorizer.getGroups();
@ -798,7 +881,8 @@ public class FileAuthorizerTest {
@Test
public void testAddUser() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(primaryTenants, EMPTY_TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getUsers().size());
@ -818,7 +902,8 @@ public class FileAuthorizerTest {
@Test
public void testGetUserByIdentifierWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -830,7 +915,8 @@ public class FileAuthorizerTest {
@Test
public void testGetUserByIdentifierWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -841,7 +927,8 @@ public class FileAuthorizerTest {
@Test
public void testGetUserByIdentityWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -853,7 +940,8 @@ public class FileAuthorizerTest {
@Test
public void testGetUserByIdentityWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -864,7 +952,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteUser() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -891,7 +980,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteUserWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -906,7 +996,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateUserWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -923,7 +1014,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateUserWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getUsers().size());
@ -940,7 +1032,8 @@ public class FileAuthorizerTest {
@Test
public void testAddGroup() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(primaryTenants, EMPTY_TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getGroups().size());
@ -961,7 +1054,8 @@ public class FileAuthorizerTest {
@Test
public void testAddGroupWithUser() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -984,7 +1078,8 @@ public class FileAuthorizerTest {
@Test(expected = IllegalStateException.class)
public void testAddGroupWhenUserDoesNotExist() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(primaryTenants, EMPTY_TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getGroups().size());
@ -999,7 +1094,8 @@ public class FileAuthorizerTest {
@Test
public void testGetGroupByIdentifierWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1011,7 +1107,8 @@ public class FileAuthorizerTest {
@Test
public void testGetGroupByIdentifierWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1022,7 +1119,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteGroupWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1051,7 +1149,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteGroupWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1067,7 +1166,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateGroupWhenFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1092,7 +1192,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateGroupWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getGroups().size());
@ -1110,7 +1211,8 @@ public class FileAuthorizerTest {
@Test
public void testAddAccessPolicy() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(primaryTenants, EMPTY_TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getAccessPolicies().size());
@ -1152,7 +1254,8 @@ public class FileAuthorizerTest {
@Test
public void testAddAccessPolicyWithEmptyUsersAndGroups() throws Exception {
writeAuthorizationsFile(primary, EMPTY_AUTHORIZATIONS);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
writeFile(primaryTenants, EMPTY_TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(0, authorizer.getAccessPolicies().size());
@ -1175,7 +1278,8 @@ public class FileAuthorizerTest {
@Test
public void testGetAccessPolicy() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1196,7 +1300,8 @@ public class FileAuthorizerTest {
@Test
public void testGetAccessPolicyWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1206,7 +1311,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateAccessPolicy() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1234,7 +1340,8 @@ public class FileAuthorizerTest {
@Test
public void testUpdateAccessPolicyWhenResourceNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1252,7 +1359,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteAccessPolicy() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1275,7 +1383,8 @@ public class FileAuthorizerTest {
@Test
public void testDeleteAccessPolicyWhenNotFound() throws Exception {
writeAuthorizationsFile(primary, AUTHORIZATIONS);
writeFile(primaryAuthorizations, AUTHORIZATIONS);
writeFile(primaryTenants, TENANTS);
authorizer.onConfigured(configurationContext);
assertEquals(2, authorizer.getAccessPolicies().size());
@ -1291,7 +1400,7 @@ public class FileAuthorizerTest {
assertNull(deletedAccessPolicy);
}
private static void writeAuthorizationsFile(final File file, final String content) throws Exception {
private static void writeFile(final File file, final String content) throws Exception {
byte[] bytes = content.getBytes(StandardCharsets.UTF_8);
try (final FileOutputStream fos = new FileOutputStream(file)) {
fos.write(bytes);

5
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
View File

@ -23,7 +23,9 @@
<!--
The FileAuthorizer is NiFi's provided authorizer and has the following properties:
- Authorizations File - The file where the FileAuthorizer will store authorizations.
- Authorizations File - The file where the FileAuthorizer will store policies.
- Users File - The file where the FileAuthorizer will store users and groups.
- Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
given the ability to create additional users, groups, and policies. The value of this property could be
@ -50,6 +52,7 @@
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity"></property>
<property name="Legacy Authorized Users File"></property>