Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-2346: 

- Introducing data resource for authorizing provenance events and queue listing.
- Authorizing entire proxy chain for data resource and data transfer resource.
NIFI-2338:
- Ensuring that replay authorization only happens once.

- Allowing users with access to policies for a component to be able to access all policies for that component.
-- Includes the component, data, data transfers, and policies.
- Fixing drop request completion to update the correct queued field.
- Fixing access control check for listing and emptying queues.
- Reseting selected policy when re-opening the policy management page.
- Fixing button/link visibility for available actions in policy management page.
- Fixing policy issues with policy removal when the underlying component is deleted.
- Updating file authorizer seeding to grant data access to node's in the cluster.

This closes #720.
This commit is contained in:
Matt Gilman 2016-07-26 11:21:22 -04:00 committed by Mark Payne
parent c27763a12f
commit 69586d8bd0
33 changed files with 688 additions and 465 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nifi-framework-api/src/main/java/org/apache/nifi/authorization/resource/Authorizable.java
View File

@ -69,6 +69,10 @@ public interface Authorizable {
* @return is authorized
*/
default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user");
}
final Map<String,String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();
@ -128,6 +132,10 @@ public interface Authorizable {
* @param resourceContext resource context
*/
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user");
}
final Map<String,String> userContext;
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) {
userContext = new HashMap<>();

7
nifi-framework-api/src/main/java/org/apache/nifi/provenance/ProvenanceAuthorizableFactory.java
View File

@ -23,13 +23,14 @@ import org.apache.nifi.web.ResourceNotFoundException;
public interface ProvenanceAuthorizableFactory {
/**
* Generates an Authorizable object for the Provenance events of the component with the given ID
* Generates an Authorizable object for the Data of the component with the given ID. This includes
* provenance data and queue's on outgoing relationships.
*
* @param componentId the ID of the component to which the Provenance events belong
* @param componentId the ID of the component to which the Data belongs
*
* @return the Authorizable that can be use to authorize access to provenance events
* @throws ResourceNotFoundException if no component can be found with the given ID
*/
Authorizable createProvenanceAuthorizable(String componentId);
Authorizable createDataAuthorizable(String componentId);
}

9
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
View File

@ -276,6 +276,9 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// grant the user read access to the root process group resource
if (rootGroupId != null) {
addAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, adminUser.getIdentifier(), READ_CODE);
addAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, adminUser.getIdentifier(), WRITE_CODE);
addAccessPolicy(authorizations, ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, adminUser.getIdentifier(), READ_CODE);
addAccessPolicy(authorizations, ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, adminUser.getIdentifier(), WRITE_CODE);
}
@ -322,6 +325,12 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
// grant access to the proxy resource
addAccessPolicy(authorizations, ResourceType.Proxy.getValue(), jaxbNodeUser.getIdentifier(), READ_CODE);
addAccessPolicy(authorizations, ResourceType.Proxy.getValue(), jaxbNodeUser.getIdentifier(), WRITE_CODE);
// grant the user read/write access data of the root group
if (rootGroupId != null) {
addAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, jaxbNodeUser.getIdentifier(), READ_CODE);
addAccessPolicy(authorizations, ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, jaxbNodeUser.getIdentifier(), WRITE_CODE);
}
}
}

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
View File

@ -63,7 +63,7 @@ public final class RoleAccessPolicy {
final Set<RoleAccessPolicy> provenancePolicies = new HashSet<>();
provenancePolicies.add(new RoleAccessPolicy(ResourceType.Provenance.getValue(), READ_ACTION));
if (rootGroupId != null) {
provenancePolicies.add(new RoleAccessPolicy(ResourceType.ProvenanceEvent.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
provenancePolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
}
roleAccessPolicies.put(Role.ROLE_PROVENANCE, Collections.unmodifiableSet(provenancePolicies));
@ -75,6 +75,8 @@ public final class RoleAccessPolicy {
if (rootGroupId != null) {
dfmPolicies.add(new RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
dfmPolicies.add(new RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
dfmPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
dfmPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
}
roleAccessPolicies.put(Role.ROLE_DFM, Collections.unmodifiableSet(dfmPolicies));
@ -93,6 +95,10 @@ public final class RoleAccessPolicy {
final Set<RoleAccessPolicy> proxyPolicies = new HashSet<>();
proxyPolicies.add(new RoleAccessPolicy(ResourceType.Proxy.getValue(), READ_ACTION));
proxyPolicies.add(new RoleAccessPolicy(ResourceType.Proxy.getValue(), WRITE_ACTION));
if (rootGroupId != null) {
proxyPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
proxyPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() + ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
}
roleAccessPolicies.put(Role.ROLE_PROXY, Collections.unmodifiableSet(proxyPolicies));
final Set<RoleAccessPolicy> nifiPolicies = new HashSet<>();

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
View File

@ -254,7 +254,7 @@ public class FileAuthorizerTest {
// verify user3's policies
final Map<String,Set<RequestAction>> user3Policies = getResourceActions(policies, user3);
assertEquals(4, user3Policies.size());
assertEquals(5, user3Policies.size());
assertTrue(user3Policies.containsKey(ResourceType.Flow.getValue()));
assertEquals(1, user3Policies.get(ResourceType.Flow.getValue()).size());
@ -286,7 +286,7 @@ public class FileAuthorizerTest {
// verify user5's policies
final Map<String,Set<RequestAction>> user5Policies = getResourceActions(policies, user5);
assertEquals(1, user5Policies.size());
assertEquals(2, user5Policies.size());
assertTrue(user5Policies.containsKey(ResourceType.Proxy.getValue()));
assertEquals(2, user5Policies.get(ResourceType.Proxy.getValue()).size());
@ -384,7 +384,7 @@ public class FileAuthorizerTest {
assertEquals(adminIdentity, adminUser.getIdentity());
final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
assertEquals(9, policies.size());
assertEquals(11, policies.size());
final String rootGroupResource = ResourceType.ProcessGroup.getValue() + "/" + ROOT_GROUP_ID;

98
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/AccessPolicyAuthorizable.java
View File

@ -16,12 +16,33 @@
*/
package org.apache.nifi.authorization.resource;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.AuthorizationResult.Result;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.Resource;
import org.apache.nifi.authorization.user.NiFiUser;
import java.util.Map;
/**
* Authorizable for policies of an Authorizable.
*/
public class AccessPolicyAuthorizable implements Authorizable {
public class AccessPolicyAuthorizable implements Authorizable, EnforcePolicyPermissionsThroughBaseResource {
private static final Authorizable POLICIES_AUTHORIZABLE = new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return null;
}
@Override
public Resource getResource() {
return ResourceFactory.getPoliciesResource();
}
};
final Authorizable authorizable;
public AccessPolicyAuthorizable(Authorizable authorizable) {
@ -29,26 +50,73 @@ public class AccessPolicyAuthorizable implements Authorizable {
}
@Override
public Authorizable getParentAuthorizable() {
if (authorizable.getParentAuthorizable() == null) {
return new Authorizable() {
@Override
public Authorizable getParentAuthorizable() {
return null;
}
public Authorizable getBaseAuthorizable() {
return authorizable;
}
@Override
public Resource getResource() {
return ResourceFactory.getPoliciesResource();
}
};
@Override
public Authorizable getParentAuthorizable() {
final Authorizable effectiveAuthorizable = getEffectiveAuthorizable();
if (effectiveAuthorizable.getParentAuthorizable() == null) {
return POLICIES_AUTHORIZABLE;
} else {
return new AccessPolicyAuthorizable(authorizable.getParentAuthorizable());
return new AccessPolicyAuthorizable(effectiveAuthorizable.getParentAuthorizable());
}
}
@Override
public Resource getResource() {
return ResourceFactory.getPolicyResource(authorizable.getResource());
return ResourceFactory.getPolicyResource(getEffectiveAuthorizable().getResource());
}
private Authorizable getEffectiveAuthorizable() {
// possibly consider the base resource if the authorizable uses it to enforce policy permissions
if (authorizable instanceof EnforcePolicyPermissionsThroughBaseResource) {
final Authorizable baseAuthorizable = ((EnforcePolicyPermissionsThroughBaseResource) authorizable).getBaseAuthorizable();
// if the base authorizable is for a policy, we don't want to use the base otherwise it would keep unwinding and would eventually
// evaluate to the policy of the component and not the policy of the policies for the component
if (baseAuthorizable instanceof AccessPolicyAuthorizable) {
return authorizable;
} else {
return baseAuthorizable;
}
} else {
return authorizable;
}
}
@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
throw new AccessDeniedException("Unknown user");
}
final AuthorizationResult resourceResult = Authorizable.super.checkAuthorization(authorizer, action, user, resourceContext);
// if we're denied from the resource try inheriting
if (Result.Denied.equals(resourceResult.getResult())) {
return getParentAuthorizable().checkAuthorization(authorizer, action, user, resourceContext);
} else {
return resourceResult;
}
}
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user");
}
try {
Authorizable.super.authorize(authorizer, action, user, resourceContext);
} catch (final AccessDeniedException resourceDenied) {
// if we're denied from the resource try inheriting
try {
getParentAuthorizable().authorize(authorizer, action, user, resourceContext);
} catch (final AccessDeniedException policiesDenied) {
throw resourceDenied;
}
}
}
}

125
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/DataAuthorizable.java Normal file
View File

@ -0,0 +1,125 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.authorization.resource;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.AuthorizationResult.Result;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.Resource;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.web.ResourceNotFoundException;
import java.util.List;
import java.util.Map;
/**
* Authorizable for authorizing access to data. Data based authorizable requires authorization for the entire DN chain.
*/
public class DataAuthorizable implements Authorizable, EnforcePolicyPermissionsThroughBaseResource {
final Authorizable authorizable;
public DataAuthorizable(final Authorizable authorizable) {
this.authorizable = authorizable;
}
@Override
public Authorizable getBaseAuthorizable() {
return authorizable;
}
@Override
public Authorizable getParentAuthorizable() {
if (authorizable.getParentAuthorizable() == null) {
return null;
} else {
return new DataAuthorizable(authorizable.getParentAuthorizable());
}
}
@Override
public Resource getResource() {
return ResourceFactory.getDataResource(authorizable.getResource());
}
@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user");
}
AuthorizationResult result = null;
// calculate the dn chain
final List<String> dnChain = NiFiUserUtils.buildProxiedEntitiesChain(user);
for (final String identity : dnChain) {
try {
final String clientAddress = user.getIdentity().equals(identity) ? user.getClientAddress() : null;
final NiFiUser chainUser = new StandardNiFiUser(identity, clientAddress) {
@Override
public boolean isAnonymous() {
// allow current user to drive anonymous flag as anonymous users are never chained... supports single user case
return user.isAnonymous();
}
};
result = Authorizable.super.checkAuthorization(authorizer, action, chainUser, resourceContext);
} catch (final ResourceNotFoundException e) {
result = AuthorizationResult.denied("Unknown source component.");
}
if (!Result.Approved.equals(result.getResult())) {
break;
}
}
if (result == null) {
result = AuthorizationResult.denied();
}
return result;
}
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user");
}
// calculate the dn chain
final List<String> dnChain = NiFiUserUtils.buildProxiedEntitiesChain(user);
for (final String identity : dnChain) {
try {
final String clientAddress = user.getIdentity().equals(identity) ? user.getClientAddress() : null;
final NiFiUser chainUser = new StandardNiFiUser(identity, clientAddress) {
@Override
public boolean isAnonymous() {
// allow current user to drive anonymous flag as anonymous users are never chained... supports single user case
return user.isAnonymous();
}
};
Authorizable.super.authorize(authorizer, action, chainUser, resourceContext);
} catch (final ResourceNotFoundException e) {
throw new AccessDeniedException("Unknown source component.");
}
}
}
}

5
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/DataTransferAuthorizable.java
View File

@ -19,12 +19,13 @@ package org.apache.nifi.authorization.resource;
import org.apache.nifi.authorization.Resource;
/**
* Authorizable for policies of an Authorizable.
* Authorizable for authorizing data transfers.
*/
public class DataTransferAuthorizable implements Authorizable {
public class DataTransferAuthorizable extends DataAuthorizable implements EnforcePolicyPermissionsThroughBaseResource {
final Authorizable authorizable;
public DataTransferAuthorizable(Authorizable authorizable) {
super(authorizable);
this.authorizable = authorizable;
}

38
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/EnforcePolicyPermissionsThroughBaseResource.java Normal file
View File

@ -0,0 +1,38 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.authorization.resource;
/**
* Defers permissions on policies to the policies of the base authorizable. Required because we don't
* want to change the enforcement of the policies on the authorizable. For example...
*
* if a user has permissions to /policies/input-ports/1234 then they have permissions to the following
*
* - the policy for /input-ports/1234 -> /policies/input-ports/1234
* - the policy for /data/input-ports/1234 -> /policies/data/input-ports/1234
* - the policy for /data-transfers/input-ports/1234 -> /policies/data-transfers/input-ports/1234
* - the policy for /policies/input-ports/1234 -> /policies/policies/input-ports/1234
*/
public interface EnforcePolicyPermissionsThroughBaseResource {
/**
* Returns the base authorizable. Cannot be null.
*
* @return base authorizable
*/
Authorizable getBaseAuthorizable();
}

41
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ProvenanceEventAuthorizable.java
View File

@ -1,41 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.authorization.resource;
import org.apache.nifi.authorization.Resource;
public class ProvenanceEventAuthorizable implements Authorizable {
final Authorizable authorizable;
public ProvenanceEventAuthorizable(final Authorizable authorizable) {
this.authorizable = authorizable;
}
@Override
public Authorizable getParentAuthorizable() {
if (authorizable.getParentAuthorizable() == null) {
return null;
} else {
return new ProvenanceEventAuthorizable(authorizable.getParentAuthorizable());
}
}
@Override
public Resource getResource() {
return ResourceFactory.getProvenanceEventResource(authorizable.getResource());
}
}

12
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceFactory.java
View File

@ -166,15 +166,15 @@ public final class ResourceFactory {
}
};
private final static Resource PROVENANCE_EVENT_RESOURCE = new Resource() {
private final static Resource DATA_RESOURCE = new Resource() {
@Override
public String getIdentifier() {
return ResourceType.ProvenanceEvent.getValue();
return ResourceType.Data.getValue();
}
@Override
public String getName() {
return "Provenance Event";
return "Data";
}
};
@ -567,16 +567,16 @@ public final class ResourceFactory {
* @param resource The resource for the component being accessed
* @return The resource for the provenance of the component being accessed
*/
public static Resource getProvenanceEventResource(final Resource resource) {
public static Resource getDataResource(final Resource resource) {
return new Resource() {
@Override
public String getIdentifier() {
return String.format("%s%s", PROVENANCE_EVENT_RESOURCE.getIdentifier(), resource.getIdentifier());
return String.format("%s%s", DATA_RESOURCE.getIdentifier(), resource.getIdentifier());
}
@Override
public String getName() {
return "Provenance Events for " + resource.getName();
return "Data for " + resource.getName();
}
};
}

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/resource/ResourceType.java
View File

@ -29,7 +29,7 @@ public enum ResourceType {
Processor("/processors"),
ProcessGroup("/process-groups"),
Provenance("/provenance"),
ProvenanceEvent("/provenance-events"),
Data("/data"),
Proxy("/proxy"),
RemoteProcessGroup("/remote-process-groups"),
ReportingTask("/reporting-tasks"),

26
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/src/main/java/org/apache/nifi/authorization/user/NiFiUserUtils.java
View File

@ -20,6 +20,9 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import java.util.ArrayList;
import java.util.List;
/**
* Utility methods for retrieving information about the current application user.
*
@ -56,4 +59,27 @@ public final class NiFiUserUtils {
return user.getIdentity();
}
}
/**
* Builds the proxy chain for the specified user.
*
* @param user The current user
* @return The proxy chain for that user in List form
*/
public static List<String> buildProxiedEntitiesChain(final NiFiUser user) {
// calculate the dn chain
final List<String> proxyChain = new ArrayList<>();
// build the dn chain
NiFiUser chainedUser = user;
do {
// add the entry for this user
proxyChain.add(chainedUser.getIdentity());
// go to the next user in the chain
chainedUser = chainedUser.getChain();
} while (chainedUser != null);
return proxyChain;
}
}

19
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/src/main/java/org/apache/nifi/controller/Template.java
View File

@ -158,20 +158,26 @@ public class Template implements Authorizable {
}
@Override
public void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user) throws AccessDeniedException {
final AuthorizationResult result = checkAuthorization(authorizer, action, true, user);
if (Result.Denied.equals(result)) {
public void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user, final Map<String, String> resourceContext) throws AccessDeniedException {
final AuthorizationResult result = checkAuthorization(authorizer, action, true, user, resourceContext);
if (Result.Denied.equals(result.getResult())) {
final String explanation = result.getExplanation() == null ? "Access is denied" : result.getExplanation();
throw new AccessDeniedException(explanation);
}
}
@Override
public AuthorizationResult checkAuthorization(final Authorizer authorizer, final RequestAction action, final NiFiUser user) {
return checkAuthorization(authorizer, action, false, user);
public AuthorizationResult checkAuthorization(final Authorizer authorizer, final RequestAction action, final NiFiUser user, final Map<String, String> resourceContext) {
return checkAuthorization(authorizer, action, false, user, resourceContext);
}
private AuthorizationResult checkAuthorization(final Authorizer authorizer, final RequestAction action, final boolean accessAttempt, final NiFiUser user) {
private AuthorizationResult checkAuthorization(final Authorizer authorizer, final RequestAction action, final boolean accessAttempt,
final NiFiUser user, final Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user");
}
final Map<String,String> userContext;
if (!StringUtils.isBlank(user.getClientAddress())) {
userContext = new HashMap<>();
@ -188,6 +194,7 @@ public class Template implements Authorizable {
.action(action)
.resource(getResource())
.userContext(userContext)
.resourceContext(resourceContext)
.build();
// perform the authorization

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java
View File

@ -139,6 +139,10 @@ public final class StandardConnection implements Connection {
@Override
public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) {
if (user == null) {
return AuthorizationResult.denied("Unknown user");
}
// check the source
final AuthorizationResult sourceResult = getSource().checkAuthorization(authorizer, action, user, resourceContext);
if (Result.Denied.equals(sourceResult.getResult())) {
@ -151,6 +155,10 @@ public final class StandardConnection implements Connection {
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
if (user == null) {
throw new AccessDeniedException("Unknown user");
}
getSource().authorize(authorizer, action, user, resourceContext);
getDestination().authorize(authorizer, action, user, resourceContext);
}

73
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java
View File

@ -18,38 +18,6 @@ package org.apache.nifi.controller;
import com.sun.jersey.api.client.ClientHandlerException;
import org.apache.commons.collections4.Predicate;
import static java.util.Objects.requireNonNull;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.net.ssl.SSLContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.action.Action;
import org.apache.nifi.admin.service.AuditService;
@ -63,7 +31,7 @@ import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.Resource;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.resource.ProvenanceEventAuthorizable;
import org.apache.nifi.authorization.resource.DataAuthorizable;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.cluster.HeartbeatPayload;
@ -238,6 +206,37 @@ import org.apache.zookeeper.server.quorum.QuorumPeerConfig.ConfigException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.net.ssl.SSLContext;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import static java.util.Objects.requireNonNull;
public class FlowController implements EventAccess, ControllerServiceProvider, ReportingTaskProvider, QueueProvider, Authorizable, ProvenanceAuthorizableFactory, NodeTypeProvider {
@ -3902,15 +3901,15 @@ public class FlowController implements EventAccess, ControllerServiceProvider, R
}
@Override
public Authorizable createProvenanceAuthorizable(final String componentId) {
public Authorizable createDataAuthorizable(final String componentId) {
final String rootGroupId = getRootGroupId();
// Provenance Events are generated only by connectable components, with the exception of DOWNLOAD events,
// which have the root process group's identifier assigned as the component ID. So, we check if the component ID
// is set to the root group and otherwise assume that the ID is that of a component.
final ProvenanceEventAuthorizable authorizable;
final DataAuthorizable authorizable;
if (rootGroupId.equals(componentId)) {
authorizable = new ProvenanceEventAuthorizable(rootGroup);
authorizable = new DataAuthorizable(rootGroup);
} else {
final Connectable connectable = rootGroup.findConnectable(componentId);
@ -3918,7 +3917,7 @@ public class FlowController implements EventAccess, ControllerServiceProvider, R
throw new ResourceNotFoundException("The component that generated this event is no longer part of the data flow.");
}
authorizable = new ProvenanceEventAuthorizable(connectable);
authorizable = new DataAuthorizable(connectable);
}
return authorizable;

7
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java
View File

@ -179,6 +179,13 @@ public interface AuthorizableLookup {
*/
Authorizable getTenant();
/**
* Get the authorizable for data of a specified component.
*
* @return authorizable
*/
Authorizable getData(String id);
/**
* Get the authorizable for access all policies.
*

17
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
View File

@ -20,7 +20,7 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.resource.AccessPolicyAuthorizable;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.resource.DataTransferAuthorizable;
import org.apache.nifi.authorization.resource.ProvenanceEventAuthorizable;
import org.apache.nifi.authorization.resource.DataAuthorizable;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.resource.ResourceType;
import org.apache.nifi.authorization.resource.TenantAuthorizable;
@ -233,6 +233,11 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
return TENANT_AUTHORIZABLE;
}
@Override
public Authorizable getData(final String id) {
return controllerFacade.getDataAuthorizable(id);
}
@Override
public Authorizable getPolicies() {
return POLICIES_AUTHORIZABLE;
@ -269,7 +274,7 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
}
// if this is a policy or a provenance event resource, there should be another resource type
if (ResourceType.Policy.equals(resourceType) || ResourceType.ProvenanceEvent.equals(resourceType) || ResourceType.DataTransfer.equals(resourceType)) {
if (ResourceType.Policy.equals(resourceType) || ResourceType.Data.equals(resourceType) || ResourceType.DataTransfer.equals(resourceType)) {
final ResourceType primaryResourceType = resourceType;
// get the resource type
@ -288,8 +293,8 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
// must either be a policy, event, or data transfer
if (ResourceType.Policy.equals(primaryResourceType)) {
return new AccessPolicyAuthorizable(getAccessPolicy(resourceType, resource));
} else if (ResourceType.ProvenanceEvent.equals(primaryResourceType)) {
return new ProvenanceEventAuthorizable(getAccessPolicy(resourceType, resource));
} else if (ResourceType.Data.equals(primaryResourceType)) {
return new DataAuthorizable(getAccessPolicy(resourceType, resource));
} else {
return new DataTransferAuthorizable(getAccessPolicy(resourceType, resource));
}
@ -340,8 +345,8 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
case Template:
authorizable = getTemplate(componentId);
break;
case ProvenanceEvent:
authorizable = controllerFacade.getProvenanceEventAuthorizable(componentId);
case Data:
authorizable = controllerFacade.getDataAuthorizable(componentId);
break;
}

12
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiContentAccess.java
View File

@ -164,20 +164,12 @@ public class StandardNiFiContentAccess implements ContentAccess {
}
private DownloadableContent getFlowFileContent(final String connectionId, final String flowfileId, final String dataUri) {
// TODO - ensure the user is authorized - not checking with @PreAuthorized annotation as aspect not trigger on call within a class
// if (!NiFiUserUtils.getAuthorities().contains(Authority.ROLE_DFM.toString())) {
// throw new AccessDeniedException("Access is denied.");
// }
// user authorization is handled once we have the actual content so we can utilize the flow file attributes in the resource context
return serviceFacade.getContent(connectionId, flowfileId, dataUri);
}
private DownloadableContent getProvenanceEventContent(final Long eventId, final String dataUri, final ContentDirection direction) {
// TODO - ensure the user is authorized - not checking with @PreAuthorized annotation as aspect not trigger on call within a class
// if (!NiFiUserUtils.getAuthorities().contains(Authority.ROLE_PROVENANCE.toString())) {
// throw new AccessDeniedException("Access is denied.");
// }
// user authorization is handled once we have the actual prov event so we can utilize the event attributes in the resource context
return serviceFacade.getContent(eventId, dataUri, direction);
}

106
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java
View File

@ -37,6 +37,7 @@ import org.apache.nifi.authorization.Resource;
import org.apache.nifi.authorization.User;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.resource.DataTransferAuthorizable;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.cluster.coordination.ClusterCoordinator;
@ -850,8 +851,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Connection connection = connectionDAO.getConnection(connectionId);
final ConnectionDTO snapshot = deleteComponent(
revision,
connection,
connection.getResource().getIdentifier(),
() -> connectionDAO.deleteConnection(connectionId),
false,
dtoFactory.createConnectionDto(connection));
return entityFactory.createConnectionEntity(snapshot, null, null, null);
@ -883,8 +885,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final ProcessorNode processor = processorDAO.getProcessor(processorId);
final ProcessorDTO snapshot = deleteComponent(
revision,
processor,
processor.getResource().getIdentifier(),
() -> processorDAO.deleteProcessor(processorId),
true,
dtoFactory.createProcessorDto(processor));
return entityFactory.createProcessorEntity(snapshot, null, null, null, null);
@ -895,8 +898,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Label label = labelDAO.getLabel(labelId);
final LabelDTO snapshot = deleteComponent(
revision,
label,
label.getResource().getIdentifier(),
() -> labelDAO.deleteLabel(labelId),
true,
dtoFactory.createLabelDto(label));
return entityFactory.createLabelEntity(snapshot, null, null);
@ -910,21 +914,13 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Set<AccessPolicySummaryEntity> policyEntities = user != null ? userGroupDAO.getAccessPoliciesForUser(userId).stream()
.map(ap -> createAccessPolicySummaryEntity(ap)).collect(Collectors.toSet()) : null;
final RevisionClaim claim = new StandardRevisionClaim(revision);
final NiFiUser nifiUser = NiFiUserUtils.getNiFiUser();
// perform the deletion
final UserDTO snapshot = revisionManager.deleteRevision(claim, nifiUser, () -> {
logger.debug("Attempting to delete component {} with claim {}", user, claim);
userDAO.deleteUser(userId);
// save the flow
controllerFacade.save();
logger.debug("Deletion of component {} was successful", user);
return dtoFactory.createUserDto(user, userGroups, policyEntities);
});
final String resourceIdentifier = ResourceFactory.getTenantResource().getIdentifier() + "/" + userId;
final UserDTO snapshot = deleteComponent(
revision,
resourceIdentifier,
() -> userDAO.deleteUser(userId),
false, // no user specific policies to remove
dtoFactory.createUserDto(user, userGroups, policyEntities));
return entityFactory.createUserEntity(snapshot, null, null);
}
@ -936,21 +932,13 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
.map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) :
null;
final RevisionClaim claim = new StandardRevisionClaim(revision);
final NiFiUser nifiUser = NiFiUserUtils.getNiFiUser();
// perform the deletion
final UserGroupDTO snapshot = revisionManager.deleteRevision(claim, nifiUser, () -> {
logger.debug("Attempting to delete component {} with claim {}", userGroup, claim);
userGroupDAO.deleteUserGroup(userGroupId);
// save the flow
controllerFacade.save();
logger.debug("Deletion of component {} was successful", userGroup);
return dtoFactory.createUserGroupDto(userGroup, users);
});
final String resourceIdentifier = ResourceFactory.getTenantResource().getIdentifier() + "/" + userGroupId;
final UserGroupDTO snapshot = deleteComponent(
revision,
resourceIdentifier,
() -> userGroupDAO.deleteUserGroup(userGroupId),
false, // no user group specific policies to remove
dtoFactory.createUserGroupDto(userGroup, users));
return entityFactory.createUserGroupEntity(snapshot, null, null);
}
@ -962,8 +950,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Set<TenantEntity> users = accessPolicy != null ? accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) : null;
final AccessPolicyDTO snapshot = deleteComponent(
revision,
authorizableLookup.getAccessPolicyById(accessPolicyId),
accessPolicy.getResource(),
() -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId),
false, // no need to clean up any policies as it's already been removed above
dtoFactory.createAccessPolicyDto(accessPolicy, userGroups,
users));
@ -975,8 +964,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Funnel funnel = funnelDAO.getFunnel(funnelId);
final FunnelDTO snapshot = deleteComponent(
revision,
funnel,
funnel.getResource().getIdentifier(),
() -> funnelDAO.deleteFunnel(funnelId),
true,
dtoFactory.createFunnelDto(funnel));
return entityFactory.createFunnelEntity(snapshot, null, null);
@ -986,47 +976,49 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
* Deletes a component using the Optimistic Locking Manager
*
* @param revision the current revision
* @param resourceIdentifier the identifier of the resource being removed
* @param deleteAction the action that deletes the component via the appropriate DAO object
* @param cleanUpPolicies whether or not the policies for this resource should be removed as well - not necessary when there are
* no component specific policies or if the policies of the component are inherited
* @return a dto that represents the new configuration
*/
private <D, C> D deleteComponent(final Revision revision, final Authorizable authorizable, final Runnable deleteAction, final D dto) {
private <D, C> D deleteComponent(final Revision revision, final String resourceIdentifier, final Runnable deleteAction, final boolean cleanUpPolicies, final D dto) {
final RevisionClaim claim = new StandardRevisionClaim(revision);
final NiFiUser user = NiFiUserUtils.getNiFiUser();
return revisionManager.deleteRevision(claim, user, new DeleteRevisionTask<D>() {
@Override
public D performTask() {
logger.debug("Attempting to delete component {} with claim {}", authorizable, claim);
logger.debug("Attempting to delete component {} with claim {}", resourceIdentifier, claim);
// run the delete action
deleteAction.run();
// save the flow
controllerFacade.save();
logger.debug("Deletion of component {} was successful", authorizable);
logger.debug("Deletion of component {} was successful", resourceIdentifier);
// if configured with a policy based authorizer, attempt to remove the corresponding policies
if (authorizer instanceof AbstractPolicyBasedAuthorizer) {
// clean up the policy if necessary and configured with a policy based authorizer
if (cleanUpPolicies && authorizer instanceof AbstractPolicyBasedAuthorizer) {
try {
// since the component is being deleted, also delete any relevant read access policies
final AccessPolicy readPolicy = accessPolicyDAO.getAccessPolicy(RequestAction.READ, authorizable);
if (authorizable.getResource().getIdentifier().equals(readPolicy.getResource())) {
final AccessPolicy readPolicy = accessPolicyDAO.getAccessPolicy(RequestAction.READ, resourceIdentifier);
if (readPolicy != null) {
accessPolicyDAO.deleteAccessPolicy(readPolicy.getIdentifier());
}
} catch (final ResourceNotFoundException e) {
// no policy exists for this component... no worries
} catch (final Exception e) {
logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", RequestAction.READ, authorizable.getResource().getIdentifier()), e);
logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", RequestAction.READ, resourceIdentifier), e);
}
try {
// since the component is being deleted, also delete any relevant write access policies
final AccessPolicy writePolicy = accessPolicyDAO.getAccessPolicy(RequestAction.WRITE, authorizable);
if (authorizable.getResource().getIdentifier().equals(writePolicy.getResource())) {
final AccessPolicy writePolicy = accessPolicyDAO.getAccessPolicy(RequestAction.WRITE, resourceIdentifier);
if (writePolicy != null) {
accessPolicyDAO.deleteAccessPolicy(writePolicy.getIdentifier());
}
} catch (final ResourceNotFoundException e) {
// no policy exists for this component... no worries
} catch (final Exception e) {
logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", RequestAction.WRITE, authorizable.getResource().getIdentifier()), e);
logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", RequestAction.WRITE, resourceIdentifier), e);
}
}
@ -1071,8 +1063,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Port port = inputPortDAO.getPort(inputPortId);
final PortDTO snapshot = deleteComponent(
revision,
port,
port.getResource().getIdentifier(),
() -> inputPortDAO.deletePort(inputPortId),
true,
dtoFactory.createPortDto(port));
return entityFactory.createPortEntity(snapshot, null, null, null, null);
@ -1083,8 +1076,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final Port port = outputPortDAO.getPort(outputPortId);
final PortDTO snapshot = deleteComponent(
revision,
port,
port.getResource().getIdentifier(),
() -> outputPortDAO.deletePort(outputPortId),
true,
dtoFactory.createPortDto(port));
return entityFactory.createPortEntity(snapshot, null, null, null, null);
@ -1095,8 +1089,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final ProcessGroup processGroup = processGroupDAO.getProcessGroup(groupId);
final ProcessGroupDTO snapshot = deleteComponent(
revision,
processGroup,
processGroup.getResource().getIdentifier(),
() -> processGroupDAO.deleteProcessGroup(groupId),
true,
dtoFactory.createProcessGroupDto(processGroup));
return entityFactory.createProcessGroupEntity(snapshot, null, null, null, null);
@ -1107,8 +1102,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final RemoteProcessGroup remoteProcessGroup = remoteProcessGroupDAO.getRemoteProcessGroup(remoteProcessGroupId);
final RemoteProcessGroupDTO snapshot = deleteComponent(
revision,
remoteProcessGroup,
remoteProcessGroup.getResource().getIdentifier(),
() -> remoteProcessGroupDAO.deleteRemoteProcessGroup(remoteProcessGroupId),
true,
dtoFactory.createRemoteProcessGroupDto(remoteProcessGroup));
return entityFactory.createRemoteProcessGroupEntity(snapshot, null, null, null, null);
@ -1740,8 +1736,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final ControllerServiceNode controllerService = controllerServiceDAO.getControllerService(controllerServiceId);
final ControllerServiceDTO snapshot = deleteComponent(
revision,
controllerService,
controllerService.getResource().getIdentifier(),
() -> controllerServiceDAO.deleteControllerService(controllerServiceId),
true,
dtoFactory.createControllerServiceDto(controllerService));
return entityFactory.createControllerServiceEntity(snapshot, null, null, null);
@ -1793,8 +1790,9 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade {
final ReportingTaskNode reportingTask = reportingTaskDAO.getReportingTask(reportingTaskId);
final ReportingTaskDTO snapshot = deleteComponent(
revision,
reportingTask,
reportingTask.getResource().getIdentifier(),
() -> reportingTaskDAO.deleteReportingTask(reportingTaskId),
true,
dtoFactory.createReportingTaskDto(reportingTask));
return entityFactory.createReportingTaskEntity(snapshot, null, null, null);

10
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java
View File

@ -83,9 +83,7 @@ public class AccessPolicyResource extends ApplicationResource {
* @return accessPolicyEntity
*/
public AccessPolicyEntity populateRemainingAccessPolicyEntityContent(AccessPolicyEntity accessPolicyEntity) {
if (accessPolicyEntity.getComponent() != null) {
accessPolicyEntity.setUri(generateResourceUri("policies", accessPolicyEntity.getId()));
}
accessPolicyEntity.setUri(generateResourceUri("policies", accessPolicyEntity.getId()));
return accessPolicyEntity;
}
@ -229,7 +227,7 @@ public class AccessPolicyResource extends ApplicationResource {
}
// set the access policy id as appropriate
accessPolicyEntity.getComponent().setId(generateUuid());
requestAccessPolicy.setId(generateUuid());
// get revision from the config
final RevisionDTO revisionDTO = accessPolicyEntity.getRevision();
@ -286,7 +284,7 @@ public class AccessPolicyResource extends ApplicationResource {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
Authorizable authorizable = lookup.getAccessPolicyById(id);
authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
authorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
});
// get the access policy
@ -438,7 +436,7 @@ public class AccessPolicyResource extends ApplicationResource {
revision,
lookup -> {
final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
accessPolicy.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> {
},

75
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowFileQueueResource.java
View File

@ -24,6 +24,7 @@ import com.wordnik.swagger.annotations.ApiResponses;
import com.wordnik.swagger.annotations.Authorization;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.ConnectionAuthorizable;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.user.NiFiUserUtils;
@ -120,7 +121,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/flowfiles/{flowfile-uuid}")
@Path("{id}/flowfiles/{flowfile-uuid}")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Gets a FlowFile from a Connection.",
@ -142,7 +143,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The flowfile uuid.",
required = true
@ -170,11 +171,7 @@ public class FlowFileQueueResource extends ApplicationResource {
}
}
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
});
// NOTE - deferred authorization so we can consider flowfile attributes in the access decision
// get the flowfile
final FlowFileDTO flowfileDto = serviceFacade.getFlowFile(connectionId, flowFileUuid);
@ -200,7 +197,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.WILDCARD)
@Path("{connection-id}/flowfiles/{flowfile-uuid}/content")
@Path("{id}/flowfiles/{flowfile-uuid}/content")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Gets the content for a FlowFile in a Connection.",
@ -227,7 +224,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The flowfile uuid.",
required = true
@ -255,11 +252,7 @@ public class FlowFileQueueResource extends ApplicationResource {
}
}
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
});
// NOTE - deferred authorization so we can consider flowfile attributes in the access decision
// get the uri of the request
final String uri = generateResourceUri("flowfile-queues", connectionId, "flowfiles", flowFileUuid, "content");
@ -300,7 +293,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/listing-requests")
@Path("{id}/listing-requests")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Lists the contents of the queue in this connection.",
@ -325,7 +318,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String id) {
@PathParam("id") final String id) {
if (isReplicateRequest()) {
return replicate(HttpMethod.POST);
@ -336,8 +329,9 @@ public class FlowFileQueueResource extends ApplicationResource {
if (validationPhase || !isTwoPhaseRequest(httpServletRequest)) {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(id).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(id);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
});
}
if (validationPhase) {
@ -371,7 +365,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/listing-requests/{listing-request-id}")
@Path("{id}/listing-requests/{listing-request-id}")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Gets the current status of a listing request for the specified connection.",
@ -394,7 +388,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The listing request id.",
required = true
@ -407,8 +401,9 @@ public class FlowFileQueueResource extends ApplicationResource {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(connectionId);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
});
// get the listing request
@ -433,7 +428,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@DELETE
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/listing-requests/{listing-request-id}")
@Path("{id}/listing-requests/{listing-request-id}")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Cancels and/or removes a request to list the contents of this connection.",
@ -457,7 +452,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The listing request id.",
required = true
@ -473,8 +468,9 @@ public class FlowFileQueueResource extends ApplicationResource {
if (validationPhase || !isTwoPhaseRequest(httpServletRequest)) {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(connectionId);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser());
});
}
if (validationPhase) {
@ -507,7 +503,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@POST
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/drop-requests")
@Path("{id}/drop-requests")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Creates a request to drop the contents of the queue in this connection.",
@ -532,7 +528,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String id) {
@PathParam("id") final String id) {
if (isReplicateRequest()) {
return replicate(HttpMethod.POST);
@ -543,8 +539,9 @@ public class FlowFileQueueResource extends ApplicationResource {
if (validationPhase || !isTwoPhaseRequest(httpServletRequest)) {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(id).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(id);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
});
}
if (validationPhase) {
@ -577,7 +574,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/drop-requests/{drop-request-id}")
@Path("{id}/drop-requests/{drop-request-id}")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Gets the current status of a drop request for the specified connection.",
@ -600,7 +597,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The drop request id.",
required = true
@ -613,8 +610,9 @@ public class FlowFileQueueResource extends ApplicationResource {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(connectionId);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
});
// get the drop request
@ -639,7 +637,7 @@ public class FlowFileQueueResource extends ApplicationResource {
@DELETE
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.APPLICATION_JSON)
@Path("{connection-id}/drop-requests/{drop-request-id}")
@Path("{id}/drop-requests/{drop-request-id}")
// TODO - @PreAuthorize("hasRole('ROLE_DFM')")
@ApiOperation(
value = "Cancels and/or removes a request to drop the contents of this connection.",
@ -663,7 +661,7 @@ public class FlowFileQueueResource extends ApplicationResource {
value = "The connection id.",
required = true
)
@PathParam("connection-id") final String connectionId,
@PathParam("id") final String connectionId,
@ApiParam(
value = "The drop request id.",
required = true
@ -679,8 +677,9 @@ public class FlowFileQueueResource extends ApplicationResource {
if (validationPhase || !isTwoPhaseRequest(httpServletRequest)) {
// authorize access
serviceFacade.authorizeAccess(lookup -> {
final Authorizable connection = lookup.getConnection(connectionId).getAuthorizable();
connection.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
final ConnectionAuthorizable connAuth = lookup.getConnection(connectionId);
final Authorizable dataAuthorizable = lookup.getData(connAuth.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
});
}
if (validationPhase) {

115
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java
View File

@ -30,7 +30,6 @@ import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.resource.ResourceType;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.cluster.coordination.ClusterCoordinator;
import org.apache.nifi.cluster.protocol.NodeIdentifier;
import org.apache.nifi.components.PropertyDescriptor;
@ -69,8 +68,8 @@ import org.apache.nifi.nar.NarCloseable;
import org.apache.nifi.processor.DataUnit;
import org.apache.nifi.processor.Processor;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.provenance.ProvenanceRepository;
import org.apache.nifi.provenance.ProvenanceEventRecord;
import org.apache.nifi.provenance.ProvenanceRepository;
import org.apache.nifi.provenance.SearchableFields;
import org.apache.nifi.provenance.lineage.ComputeLineageSubmission;
import org.apache.nifi.provenance.search.Query;
@ -109,7 +108,6 @@ import org.apache.nifi.web.api.dto.search.ComponentSearchResultDTO;
import org.apache.nifi.web.api.dto.search.SearchResultsDTO;
import org.apache.nifi.web.api.dto.status.ControllerStatusDTO;
import org.apache.nifi.web.api.dto.status.StatusHistoryDTO;
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -767,7 +765,7 @@ public class ControllerFacade implements Authorizable {
// add each processor
for (final ProcessorNode processor : root.findAllProcessors()) {
resources.add(ResourceFactory.getComponentResource(ResourceType.Processor, processor.getIdentifier(), processor.getName()));
resources.add(ResourceFactory.getProvenanceEventResource(processor.getResource()));
resources.add(ResourceFactory.getDataResource(processor.getResource()));
}
// add each label
@ -778,25 +776,25 @@ public class ControllerFacade implements Authorizable {
// add each process group
for (final ProcessGroup processGroup : root.findAllProcessGroups()) {
resources.add(ResourceFactory.getComponentResource(ResourceType.ProcessGroup, processGroup.getIdentifier(), processGroup.getName()));
resources.add(ResourceFactory.getProvenanceEventResource(processGroup.getResource()));
resources.add(ResourceFactory.getDataResource(processGroup.getResource()));
}
// add each remote process group
for (final RemoteProcessGroup remoteProcessGroup : root.findAllRemoteProcessGroups()) {
resources.add(ResourceFactory.getComponentResource(ResourceType.RemoteProcessGroup, remoteProcessGroup.getIdentifier(), remoteProcessGroup.getName()));
resources.add(ResourceFactory.getProvenanceEventResource(remoteProcessGroup.getResource()));
resources.add(ResourceFactory.getDataResource(remoteProcessGroup.getResource()));
}
// add each input port
for (final Port inputPort : root.findAllInputPorts()) {
resources.add(ResourceFactory.getComponentResource(ResourceType.InputPort, inputPort.getIdentifier(), inputPort.getName()));
resources.add(ResourceFactory.getProvenanceEventResource(inputPort.getResource()));
resources.add(ResourceFactory.getDataResource(inputPort.getResource()));
}
// add each output port
for (final Port outputPort : root.findAllOutputPorts()) {
resources.add(ResourceFactory.getComponentResource(ResourceType.OutputPort, outputPort.getIdentifier(), outputPort.getName()));
resources.add(ResourceFactory.getProvenanceEventResource(outputPort.getResource()));
resources.add(ResourceFactory.getDataResource(outputPort.getResource()));
}
// add each controller service
@ -1087,7 +1085,7 @@ public class ControllerFacade implements Authorizable {
final NiFiUser user = NiFiUserUtils.getNiFiUser();
// get the event in order to get the filename
final ProvenanceEventRecord event = flowController.getProvenanceRepository().getEvent(eventId, NiFiUserUtils.getNiFiUser());
final ProvenanceEventRecord event = flowController.getProvenanceRepository().getEvent(eventId);
if (event == null) {
throw new ResourceNotFoundException("Unable to find the specified event.");
}
@ -1101,7 +1099,8 @@ public class ControllerFacade implements Authorizable {
}
// authorize the event
authorizeEvent(event.getComponentId(), attributes);
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(event.getComponentId());
dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);
// get the filename and fall back to the identifier (should never happen)
String filename = attributes.get(CoreAttributes.FILENAME.key());
@ -1137,7 +1136,7 @@ public class ControllerFacade implements Authorizable {
}
// lookup the original event
final ProvenanceEventRecord originalEvent = flowController.getProvenanceRepository().getEvent(eventId, NiFiUserUtils.getNiFiUser());
final ProvenanceEventRecord originalEvent = flowController.getProvenanceRepository().getEvent(eventId);
if (originalEvent == null) {
throw new ResourceNotFoundException("Unable to find the specified event.");
}
@ -1155,67 +1154,6 @@ public class ControllerFacade implements Authorizable {
}
}
/**
* Authorizes access to a provenance event generated by the specified component and containing the specified eventAttributes.
*
* @param componentId component id
* @param eventAttributes event attributes
*/
private AuthorizationResult checkAuthorizationForEvent(final String componentId, final Map<String, String> eventAttributes) {
AuthorizationResult result = null;
// calculate the dn chain
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final List<String> dnChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(user);
for (final String identity : dnChain) {
final Authorizable eventAuthorizable = flowController.createProvenanceAuthorizable(componentId);
final String clientAddress = user.getIdentity().equals(identity) ? user.getClientAddress() : null;
final NiFiUser chainUser = new StandardNiFiUser(identity, clientAddress) {
@Override
public boolean isAnonymous() {
// allow current user to drive anonymous flag as anonymous users are never chained... supports single user case
return user.isAnonymous();
}
};
result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, chainUser, eventAttributes);
if (!Result.Approved.equals(result.getResult())) {
break;
}
}
if (result == null) {
result = AuthorizationResult.denied();
}
return result;
}
/**
* Authorizes access to a provenance event generated by the specified component and containing the specified eventAttributes.
*
* @param componentId component id
* @param eventAttributes event attributes
*/
private void authorizeEvent(final String componentId, final Map<String, String> eventAttributes) {
// calculate the dn chain
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final List<String> dnChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(user);
for (final String identity : dnChain) {
final Authorizable eventAuthorizable = flowController.createProvenanceAuthorizable(componentId);
final String clientAddress = user.getIdentity().equals(identity) ? user.getClientAddress() : null;
final NiFiUser chainUser = new StandardNiFiUser(identity, clientAddress) {
@Override
public boolean isAnonymous() {
// allow current user to drive anonymous flag as anonymous users are never chained... supports single user case
return user.isAnonymous();
}
};
eventAuthorizable.authorize(authorizer, RequestAction.READ, chainUser, eventAttributes);
}
}
/**
* Authorizes access to replay a specified provenance event.
*
@ -1229,16 +1167,17 @@ public class ControllerFacade implements Authorizable {
return AuthorizationResult.denied();
}
final AuthorizationResult result = checkAuthorizationForEvent(componentId, eventAttributes);
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(componentId);
// ensure we can read the data
final AuthorizationResult result = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes);
if (!Result.Approved.equals(result.getResult())) {
return result;
}
// authorize write permissions for the queue
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final ProcessGroup rootGroup = flowController.getGroup(flowController.getRootGroupId());
final Connection connection = rootGroup.findConnection(connectionId);
return connection.checkAuthorization(authorizer, RequestAction.WRITE, user);
// ensure we can write the data
return dataAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, eventAttributes);
}
/**
@ -1254,13 +1193,12 @@ public class ControllerFacade implements Authorizable {
throw new AccessDeniedException("The connection id is unknown.");
}
authorizeEvent(componentId, eventAttributes);
// authorize write permissions for the queue
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final ProcessGroup rootGroup = flowController.getGroup(flowController.getRootGroupId());
final Connection connection = rootGroup.findConnection(connectionId);
connection.authorize(authorizer, RequestAction.WRITE, user);
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(componentId);
// ensure we can read and write the data
dataAuthorizable.authorize(authorizer, RequestAction.READ, user, eventAttributes);
dataAuthorizable.authorize(authorizer, RequestAction.WRITE, user, eventAttributes);
}
/**
@ -1271,14 +1209,15 @@ public class ControllerFacade implements Authorizable {
*/
public ProvenanceEventDTO getProvenanceEvent(final Long eventId) {
try {
final ProvenanceEventRecord event = flowController.getProvenanceRepository().getEvent(eventId, NiFiUserUtils.getNiFiUser());
final ProvenanceEventRecord event = flowController.getProvenanceRepository().getEvent(eventId);
if (event == null) {
throw new ResourceNotFoundException("Unable to find the specified event.");
}
// get the flowfile attributes and authorize the event
final Map<String, String> attributes = event.getAttributes();
authorizeEvent(event.getComponentId(), attributes);
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(event.getComponentId());
dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), attributes);
// convert the event
return createProvenanceEventDto(event);
@ -1293,8 +1232,8 @@ public class ControllerFacade implements Authorizable {
* @param componentId component id
* @return authorizable
*/
public Authorizable getProvenanceEventAuthorizable(final String componentId) {
return flowController.createProvenanceAuthorizable(componentId);
public Authorizable getDataAuthorizable(final String componentId) {
return flowController.createDataAuthorizable(componentId);
}
/**

13
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java
View File

@ -46,7 +46,18 @@ public interface AccessPolicyDAO {
AccessPolicy getAccessPolicy(String accessPolicyId);
/**
* Gets the access policy according to the action and authorizable.
* Gets the access policy according to the action and authorizable. Will return null
* if no policy exists for the specific resource.
*
* @param requestAction action
* @param resource resource
* @return access policy
*/
AccessPolicy getAccessPolicy(RequestAction requestAction, String resource);
/**
* Gets the access policy according to the action and authorizable. Will return the
* effective policy if no policy exists for the specific authorizable.
*
* @param requestAction action
* @param authorizable authorizable

36
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardConnectionDAO.java
View File

@ -16,16 +16,11 @@
*/
package org.apache.nifi.web.dao.impl;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.AuthorizationResult.Result;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.UserContextKeys;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.connectable.Connectable;
import org.apache.nifi.connectable.ConnectableType;
import org.apache.nifi.connectable.Connection;
@ -50,7 +45,6 @@ import org.apache.nifi.web.api.dto.ConnectableDTO;
import org.apache.nifi.web.api.dto.ConnectionDTO;
import org.apache.nifi.web.api.dto.PositionDTO;
import org.apache.nifi.web.dao.ConnectionDAO;
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -60,7 +54,6 @@ import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@ -139,6 +132,11 @@ public class StandardConnectionDAO extends ComponentDAO implements ConnectionDAO
throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
}
// get the attributes and ensure appropriate access
final Map<String, String> attributes = flowFile.getAttributes();
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(connection.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), attributes);
return flowFile;
} catch (final IOException ioe) {
logger.error(String.format("Unable to get the flowfile (%s) at this time.", flowFileUuid), ioe);
@ -597,26 +595,10 @@ public class StandardConnectionDAO extends ComponentDAO implements ConnectionDAO
throw new ResourceNotFoundException(String.format("The FlowFile with UUID %s is no longer in the active queue.", flowFileUuid));
}
// get the attributes and ensure appropriate access
final Map<String, String> attributes = flowFile.getAttributes();
// calculate the dn chain
final List<String> dnChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(user);
dnChain.forEach(identity -> {
// build the request
final Map<String,String> userContext;
if (!StringUtils.isBlank(user.getClientAddress())) {
userContext = new HashMap<>();
userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress());
} else {
userContext = null;
}
final NiFiUser chainUser = new StandardNiFiUser(identity, user.getClientAddress());
final AuthorizationResult result = connection.checkAuthorization(authorizer, RequestAction.WRITE, chainUser, attributes);
if (!Result.Approved.equals(result.getResult())) {
throw new AccessDeniedException(result.getExplanation());
}
});
final Authorizable dataAuthorizable = flowController.createDataAuthorizable(connection.getSource().getIdentifier());
dataAuthorizable.authorize(authorizer, RequestAction.READ, user, attributes);
// get the filename and fall back to the identifier (should never happen)
String filename = attributes.get(CoreAttributes.FILENAME.key());

5
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java
View File

@ -179,6 +179,11 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr
return accessPolicy;
}
@Override
public AccessPolicy getAccessPolicy(final RequestAction requestAction, final String resource) {
return findAccessPolicy(requestAction, resource);
}
@Override
public AccessPolicy getAccessPolicy(final RequestAction requestAction, final Authorizable authorizable) {
final String resource = authorizable.getResource().getIdentifier();

39
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/ProxiedEntitiesUtils.java
View File

@ -16,16 +16,18 @@
*/
package org.apache.nifi.web.security;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.user.NiFiUser;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
/**
*
@ -72,33 +74,10 @@ public class ProxiedEntitiesUtils {
*/
public static String buildProxiedEntitiesChainString(final NiFiUser user) {
// calculate the dn chain
final List<String> proxyChain = buildProxiedEntitiesChain(user);
final List<String> proxyChain = NiFiUserUtils.buildProxiedEntitiesChain(user);
return formatProxyDn(StringUtils.join(proxyChain, "><"));
}
/**
* Builds the proxy chain for the specified user.
*
* @param user The current user
* @return The proxy chain for that user in List form
*/
public static List<String> buildProxiedEntitiesChain(final NiFiUser user) {
// calculate the dn chain
final List<String> proxyChain = new ArrayList<>();
// build the dn chain
NiFiUser chainedUser = user;
do {
// add the entry for this user
proxyChain.add(chainedUser.getIdentity());
// go to the next user in the chain
chainedUser = chainedUser.getChain();
} while (chainedUser != null);
return proxyChain;
}
/**
* Builds the proxy chain from the specified request and user.
*

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/css/login.css
View File

@ -68,7 +68,7 @@
*/
body.login-body input, body.login-body textarea {
width: 400px;
width: 412px;
}
div.login-container {

21
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-actions.js
View File

@ -999,8 +999,9 @@ nf.Actions = (function () {
$('#drop-request-status-message').text(dropRequest.state);
// update the current number of enqueued flowfiles
if (nf.Common.isDefinedAndNotNull(connection.status) && nf.Common.isDefinedAndNotNull(dropRequest.currentCount)) {
if (nf.Common.isDefinedAndNotNull(dropRequest.currentCount)) {
connection.status.queued = dropRequest.current;
connection.status.aggregateSnapshot.queued = dropRequest.current;
nf.Connection.refresh(connection.id);
}
@ -1028,13 +1029,19 @@ nf.Actions = (function () {
}).done(function (response) {
dropRequest = response.dropRequest;
processDropRequest(nextDelay);
}).fail(completeDropRequest);
}).fail(function (xhr, status, error) {
if (xhr.status === 403) {
nf.Common.handleAjaxError(xhr, status, error);
} else {
completeDropRequest()
}
});
};
// issue the request to delete the flow files
$.ajax({
type: 'POST',
url: '../nifi-api/flowfile-queues/' + connection.id + '/drop-requests',
url: '../nifi-api/flowfile-queues/' + encodeURIComponent(connection.id) + '/drop-requests',
dataType: 'json',
contentType: 'application/json'
}).done(function (response) {
@ -1047,7 +1054,13 @@ nf.Actions = (function () {
// process the drop request
dropRequest = response.dropRequest;
processDropRequest(1);
}).fail(completeDropRequest);
}).fail(function (xhr, status, error) {
if (xhr.status === 403) {
nf.Common.handleAjaxError(xhr, status, error);
} else {
completeDropRequest()
}
});
}
});
},

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-context-menu.js
View File

@ -316,10 +316,6 @@ nf.ContextMenu = (function () {
* @param {selection} selection
*/
var canEmptyQueue = function (selection) {
if (nf.CanvasUtils.canModify(selection) === false) {
return false;
}
return isConnection(selection);
};
@ -329,10 +325,6 @@ nf.ContextMenu = (function () {
* @param {selection} selection
*/
var canListQueue = function (selection) {
if (nf.CanvasUtils.canModify(selection) === false) {
return false;
}
return isConnection(selection);
};

194
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-policy-management.js
View File

@ -308,17 +308,13 @@ nf.PolicyManagement = (function () {
value: 'write-component',
description: 'Allows users to modify component configuration details'
}, {
text: 'view the provenance events',
value: 'read-provenance-events',
description: 'Allows users to access provenance events and content for this component'
text: 'view the data',
value: 'read-data',
description: 'Allows users to view metadata and content for this component through provenance data and flowfile queues in outbound connections'
}, {
text: 'view the policies',
value: 'read-policies',
description: 'Allows users to view the list of users who can view/modify this component'
}, {
text: 'modify the policies',
value: 'write-policies',
description: 'Allows users to modify the list of users who can view/modify this component'
text: 'modify the data',
value: 'write-data',
description: 'Allows users to empty flowfile queues in outbound connections and submit replays'
}, {
text: 'receive data via site-to-site',
value: 'write-receive-data',
@ -329,6 +325,14 @@ nf.PolicyManagement = (function () {
value: 'write-send-data',
description: 'Allows this port to send data to these NiFi instances',
disabled: true
}, {
text: 'view the policies',
value: 'read-policies',
description: 'Allows users to view the list of users who can view/modify this component'
}, {
text: 'modify the policies',
value: 'write-policies',
description: 'Allows users to modify the list of users who can view/modify this component'
}],
select: function (option) {
if (initialized) {
@ -338,9 +342,12 @@ nf.PolicyManagement = (function () {
$('#selected-policy-action').text('read');
} else if (option.value === 'write-component') {
$('#selected-policy-action').text('write');
} else if (option.value === 'read-provenance-events') {
} else if (option.value === 'read-data') {
$('#selected-policy-action').text('read');
resource = ('provenance-events/' + resource);
resource = ('data/' + resource);
} else if (option.value === 'write-data') {
$('#selected-policy-action').text('write');
resource = ('data/' + resource);
} else if (option.value === 'read-policies') {
$('#selected-policy-action').text('read');
resource = ('policies/' + resource);
@ -380,7 +387,11 @@ nf.PolicyManagement = (function () {
var actionFormatter = function (row, cell, value, columnDef, dataContext) {
var markup = '';
markup += '<div title="Remove" class="pointer delete-user fa fa-trash"></div>';
// see if the user has permissions for the current policy
var currentEntity = $('#policy-table').data('policy');
if (currentEntity.permissions.canWrite === true) {
markup += '<div title="Remove" class="pointer delete-user fa fa-trash"></div>';
}
return markup;
};
@ -538,7 +549,11 @@ nf.PolicyManagement = (function () {
dataType: 'json'
}).done(function () {
loadPolicy();
}).fail(nf.Common.handleAjaxError);
}).fail(function (xhr, status, error) {
nf.Common.handleAjaxError(xhr, status, error);
resetPolicy();
loadPolicy();
});
} else {
nf.Dialog.showOkDialog({
headerText: 'Update Policy',
@ -600,6 +615,7 @@ nf.PolicyManagement = (function () {
// re-sort and clear selection after updating
policyData.reSort();
policyGrid.invalidate();
policyGrid.getSelectionModel().setSelectedRows([]);
};
@ -634,20 +650,21 @@ nf.PolicyManagement = (function () {
// store the current policy version
$('#policy-table').data('policy', policyEntity);
// allow removal and modification as the policy is not inherited
$('#new-policy-user-button').prop('disabled', false);
// allow modification if allowed
$('#new-policy-user-button').prop('disabled', policyEntity.permissions.canWrite === false);
// see if the policy is for this resource
if (resourceAndAction.resource === policy.resource) {
// allow remove when policy is not inherited
$('#delete-policy-button').prop('disabled', false);
$('#delete-policy-button').prop('disabled', policyEntity.permissions.canWrite === false);
} else {
$('#policy-message').text('Showing effective policy inherited from ' + convertToHumanReadableResource(policy.resource) + '. ');
$('#new-policy-message').hide();
// policy is inherited, we do not know if the user has permissions to modify the desired policy... show button and let server decide
$('#override-policy-message').show();
// require non inherited policy for removal
// to not support policy deletion
$('#delete-policy-button').prop('disabled', true);
}
@ -660,7 +677,6 @@ nf.PolicyManagement = (function () {
*/
var loadPolicy = function () {
var resourceAndAction = getSelectedResourceAndAction();
return $.Deferred(function (deferred) {
$.ajax({
type: 'GET',
@ -673,7 +689,7 @@ nf.PolicyManagement = (function () {
$('#policy-last-refreshed').text(policyEntity.generated);
// ensure appropriate actions for the loaded policy
if (policyEntity.permissions.canRead === true && policyEntity.permissions.canWrite === true) {
if (policyEntity.permissions.canRead === true) {
var policy = policyEntity.component;
$('#policy-message').text(policy.resource);
@ -684,9 +700,10 @@ nf.PolicyManagement = (function () {
// reset the policy
resetPolicy();
// show an appropriate message
$('#policy-message').text('No policy for the specified resource and not authorized to access the inherited policy. ');
$('#new-policy-message').hide();
// since we cannot read, the policy may be inherited or not... we cannot tell
$('#policy-message').text('Not authorized to view the policy.');
// allow option to override because we don't know if it's supported or not
$('#override-policy-message').show();
}
@ -698,8 +715,9 @@ nf.PolicyManagement = (function () {
// show an appropriate message
$('#policy-message').text('No policy for the specified resource.');
// we don't know if the user has permissions to the desired policy... show create button and allow the server to decide
$('#new-policy-message').show();
$('#override-policy-message').hide();
deferred.resolve();
} else if (xhr.status === 403) {
@ -708,8 +726,6 @@ nf.PolicyManagement = (function () {
// show an appropriate message
$('#policy-message').text('Not authorized to access the policy for the specified resource.');
$('#new-policy-message').hide();
$('#override-policy-message').hide();
deferred.resolve();
} else {
@ -747,7 +763,19 @@ nf.PolicyManagement = (function () {
dataType: 'json',
contentType: 'application/json'
}).done(function (policyEntity) {
populatePolicy(policyEntity);
// ensure appropriate actions for the loaded policy
if (policyEntity.permissions.canRead === true) {
var policy = policyEntity.component;
$('#policy-message').text(policy.resource);
// populate the policy details
populatePolicy(policyEntity);
} else {
// the request succeeded but we don't have access to the policy... reset/reload the policy
resetPolicy();
loadPolicy();
}
}).fail(nf.Common.handleAjaxError);
};
@ -792,7 +820,7 @@ nf.PolicyManagement = (function () {
contentType: 'application/json'
}).done(function (policyEntity) {
// ensure appropriate actions for the loaded policy
if (policyEntity.permissions.canRead === true && policyEntity.permissions.canWrite === true) {
if (policyEntity.permissions.canRead === true) {
var policy = policyEntity.component;
$('#policy-message').text(policy.resource);
@ -800,15 +828,15 @@ nf.PolicyManagement = (function () {
// populate the policy details
populatePolicy(policyEntity);
} else {
// reset the policy
// the request succeeded but we don't have access to the policy... reset/reload the policy
resetPolicy();
// show an appropriate message
$('#policy-message').text('No policy for the specified resource and not authorized to access the inherited policy. ');
$('#new-policy-message').hide();
$('#override-policy-message').show();
loadPolicy();
}
}).fail(nf.Common.handleAjaxError);
}).fail(function (xhr, status, error) {
nf.Common.handleAjaxError(xhr, status, error)
resetPolicy();
loadPolicy();
});
} else {
nf.Dialog.showOkDialog({
headerText: 'Update Policy',
@ -872,35 +900,6 @@ nf.PolicyManagement = (function () {
$('div.policy-selected-component-container').hide();
};
/**
* Populates the initial policy resource.
*
* @param resource
*/
var populateComponentResource = function (resource) {
// record the initial resource type
$('#selected-policy-component-type').text(resource);
var policyTarget = $('#component-policy-target').combo('getSelectedOption').value;
if (policyTarget === 'read-component') {
$('#selected-policy-action').text('read');
} else if (policyTarget === 'write-component') {
$('#selected-policy-action').text('write');
} else if (policyTarget === 'read-provenance-events') {
$('#selected-policy-action').text('read');
resource = ('provenance-events/' + resource);
} else if (policyTarget === 'read-policies') {
$('#selected-policy-action').text('read');
resource = ('policies/' + resource);
} else if (policyTarget === 'write-policies') {
$('#selected-policy-action').text('write');
resource = ('policies/' + resource);
}
// update the policy type
$('#selected-policy-type').text(resource);
};
return {
/**
* Initializes the settings page.
@ -909,6 +908,13 @@ nf.PolicyManagement = (function () {
initAddTenantToPolicyDialog();
initPolicyTable();
$('#policy-refresh-button').on('click', function () {
loadPolicy();
});
// reset the policy to initialize
resetPolicy();
// mark as initialized
initialized = true;
},
@ -940,7 +946,7 @@ nf.PolicyManagement = (function () {
$('#global-policy-controls').hide();
// update the visibility
if (d.permissions.canRead) {
if (d.permissions.canRead === true) {
$('#policy-selected-controller-service-container div.policy-selected-component-name').text(d.component.name);
} else {
$('#policy-selected-controller-service-container div.policy-selected-component-name').text(d.id);
@ -949,7 +955,17 @@ nf.PolicyManagement = (function () {
// populate the initial resource
$('#selected-policy-component-id').text(d.id);
populateComponentResource('controller-services');
$('#selected-policy-component-type').text('controller-services');
$('#component-policy-target')
.combo('setOptionEnabled', {
value: 'write-receive-data'
}, false)
.combo('setOptionEnabled', {
value: 'write-send-data'
}, false)
.combo('setSelectedOption', {
value: 'read-component'
});
return loadPolicy().always(showPolicy);
},
@ -968,7 +984,7 @@ nf.PolicyManagement = (function () {
$('#global-policy-controls').hide();
// update the visibility
if (d.permissions.canRead) {
if (d.permissions.canRead === true) {
$('#policy-selected-reporting-task-container div.policy-selected-component-name').text(d.component.name);
} else {
$('#policy-selected-reporting-task-container div.policy-selected-component-name').text(d.id);
@ -977,7 +993,17 @@ nf.PolicyManagement = (function () {
// populate the initial resource
$('#selected-policy-component-id').text(d.id);
populateComponentResource('reporting-tasks');
$('#selected-policy-component-type').text('reporting-tasks');
$('#component-policy-target')
.combo('setOptionEnabled', {
value: 'write-receive-data'
}, false)
.combo('setOptionEnabled', {
value: 'write-send-data'
}, false)
.combo('setSelectedOption', {
value: 'read-component'
});
return loadPolicy().always(showPolicy);
},
@ -996,7 +1022,7 @@ nf.PolicyManagement = (function () {
$('#global-policy-controls').hide();
// update the visibility
if (d.permissions.canRead) {
if (d.permissions.canRead === true) {
$('#policy-selected-template-container div.policy-selected-component-name').text(d.template.name);
} else {
$('#policy-selected-template-container div.policy-selected-component-name').text(d.id);
@ -1005,7 +1031,17 @@ nf.PolicyManagement = (function () {
// populate the initial resource
$('#selected-policy-component-id').text(d.id);
populateComponentResource('templates');
$('#selected-policy-component-type').text('templates');
$('#component-policy-target')
.combo('setOptionEnabled', {
value: 'write-receive-data'
}, false)
.combo('setOptionEnabled', {
value: 'write-send-data'
}, false)
.combo('setSelectedOption', {
value: 'read-component'
});
return loadPolicy().always(showPolicy);
},
@ -1028,6 +1064,15 @@ nf.PolicyManagement = (function () {
if (selection.empty()) {
$('#selected-policy-component-id').text(nf.Canvas.getGroupId());
resource = 'process-groups';
// disable site to site option
$('#component-policy-target')
.combo('setOptionEnabled', {
value: 'write-receive-data'
}, false)
.combo('setOptionEnabled', {
value: 'write-send-data'
}, false);
} else {
var d = selection.datum();
$('#selected-policy-component-id').text(d.id);
@ -1059,7 +1104,10 @@ nf.PolicyManagement = (function () {
}
// populate the initial resource
populateComponentResource(resource);
$('#selected-policy-component-type').text(resource);
$('#component-policy-target').combo('setSelectedOption', {
value: 'read-component'
});
return loadPolicy().always(showPolicy);
},

4
nifi-nar-bundles/nifi-provenance-repository-bundle/nifi-persistent-provenance-repository/src/main/java/org/apache/nifi/provenance/PersistentProvenanceRepository.java
View File

@ -411,7 +411,7 @@ public class PersistentProvenanceRepository implements ProvenanceRepository {
final Authorizable eventAuthorizable;
try {
eventAuthorizable = resourceFactory.createProvenanceAuthorizable(event.getComponentId());
eventAuthorizable = resourceFactory.createDataAuthorizable(event.getComponentId());
} catch (final ResourceNotFoundException rnfe) {
return false;
}
@ -425,7 +425,7 @@ public class PersistentProvenanceRepository implements ProvenanceRepository {
return;
}
final Authorizable eventAuthorizable = resourceFactory.createProvenanceAuthorizable(event.getComponentId());
final Authorizable eventAuthorizable = resourceFactory.createDataAuthorizable(event.getComponentId());
eventAuthorizable.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
}

4
nifi-nar-bundles/nifi-provenance-repository-bundle/nifi-volatile-provenance-repository/src/main/java/org/apache/nifi/provenance/VolatileProvenanceRepository.java
View File

@ -243,7 +243,7 @@ public class VolatileProvenanceRepository implements ProvenanceRepository {
final Authorizable eventAuthorizable;
try {
eventAuthorizable = resourceFactory.createProvenanceAuthorizable(event.getComponentId());
eventAuthorizable = resourceFactory.createDataAuthorizable(event.getComponentId());
} catch (final ResourceNotFoundException rnfe) {
return false;
}
@ -257,7 +257,7 @@ public class VolatileProvenanceRepository implements ProvenanceRepository {
return;
}
final Authorizable eventAuthorizable = resourceFactory.createProvenanceAuthorizable(event.getComponentId());
final Authorizable eventAuthorizable = resourceFactory.createDataAuthorizable(event.getComponentId());
eventAuthorizable.authorize(authorizer, RequestAction.READ, user, event.getAttributes());
}