NIFI-2453 Making FileAuthorizer perform initial seeding when users and groups are already present

Signed-off-by: Yolanda M. Davis <ymdavis@apache.org>

This closes #772
This commit is contained in:
Bryan Bende 2016-08-02 10:24:50 -04:00 committed by Yolanda M. Davis
parent 16348b071d
commit 698cde69ba
2 changed files with 93 additions and 37 deletions


@ -257,7 +257,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
}
final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations, tenants);
final boolean emptyAuthorizations = authorizationsHolder.getAllUsers().isEmpty() && authorizationsHolder.getAllPolicies().isEmpty();
final boolean emptyAuthorizations = authorizationsHolder.getAllPolicies().isEmpty();
final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity));
final boolean hasLegacyAuthorizedUsers = (legacyAuthorizedUsersFile != null && !StringUtils.isBlank(legacyAuthorizedUsersFile));
@ -319,12 +319,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
* Creates the initial admin user and policies for access the flow and managing users and policies.
*/
private void populateInitialAdmin(final Authorizations authorizations, Tenants tenants) {
// generate an identifier and add a User with the given identifier and identity
final UUID adminIdentifier = UUID.nameUUIDFromBytes(initialAdminIdentity.getBytes(StandardCharsets.UTF_8));
final User adminUser = new User.Builder().identifier(adminIdentifier.toString()).identity(initialAdminIdentity).build();
final org.apache.nifi.authorization.file.tenants.generated.User jaxbAdminUser = createJAXBUser(adminUser);
tenants.getUsers().getUser().add(jaxbAdminUser);
final org.apache.nifi.authorization.file.tenants.generated.User adminUser = getOrCreateUser(tenants, initialAdminIdentity);
// grant the user read access to the /flow resource
addAccessPolicy(authorizations, ResourceType.Flow.getValue(), adminUser.getIdentifier(), READ_CODE);
@ -358,24 +353,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
*/
private void populateNodes(Authorizations authorizations, Tenants tenants) {
for (String nodeIdentity : nodeIdentities) {
// see if we have an existing user for the given node identity
org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = null;
for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) {
if (user.getIdentity().equals(nodeIdentity)) {
jaxbNodeUser = user;
break;
}
}
// if we didn't find an existing user then create a new one
if (jaxbNodeUser == null) {
// generate an identifier and add a User with the given identifier and identity
final UUID nodeIdentifier = UUID.nameUUIDFromBytes(nodeIdentity.getBytes(StandardCharsets.UTF_8));
final User nodeUser = new User.Builder().identifier(nodeIdentifier.toString()).identity(nodeIdentity).build();
jaxbNodeUser = createJAXBUser(nodeUser);
tenants.getUsers().getUser().add(jaxbNodeUser);
}
final org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = getOrCreateUser(tenants, nodeIdentity);
// grant access to the proxy resource
addAccessPolicy(authorizations, ResourceType.Proxy.getValue(), jaxbNodeUser.getIdentifier(), READ_CODE);
@ -433,19 +411,13 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) {
// create the identifier of the new user based on the DN
final String legacyUserDn = IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings);
final String userIdentifier = UUID.nameUUIDFromBytes(legacyUserDn.getBytes(StandardCharsets.UTF_8)).toString();
// create the new User and add it to the list of users
org.apache.nifi.authorization.file.tenants.generated.User user = new org.apache.nifi.authorization.file.tenants.generated.User();
user.setIdentifier(userIdentifier);
user.setIdentity(legacyUserDn);
tenants.getUsers().getUser().add(user);
org.apache.nifi.authorization.file.tenants.generated.User user = getOrCreateUser(tenants, legacyUserDn);
// if there was a group name find or create the group and add the user to it
org.apache.nifi.authorization.file.tenants.generated.Group group = getOrCreateGroup(tenants, legacyUser.getGroup());
if (group != null) {
org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User();
groupUser.setIdentifier(userIdentifier);
groupUser.setIdentifier(user.getIdentifier());
group.getUser().add(groupUser);
}
@ -464,7 +436,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
roleAccessPolicy.getAction());
// add the user to the policy if it doesn't exist
addUserToPolicy(userIdentifier, policy);
addUserToPolicy(user.getIdentifier(), policy);
}
}
@ -589,11 +561,42 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
}
/**
* Finds the Group with the given name, or creates a new one and adds it to Authorizations.
* Finds the User with the given identity, or creates a new one and adds it to the Tenants.
*
* @param tenants the Authorizations reference
* @param tenants the Tenants reference
* @param userIdentity the user identity to find or create
* @return the User from Tenants with the given identity, or a new instance that was added to Tenants
*/
private org.apache.nifi.authorization.file.tenants.generated.User getOrCreateUser(final Tenants tenants, final String userIdentity) {
if (StringUtils.isBlank(userIdentity)) {
return null;
}
org.apache.nifi.authorization.file.tenants.generated.User foundUser = null;
for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) {
if (user.getIdentity().equals(userIdentity)) {
foundUser = user;
break;
}
}
if (foundUser == null) {
final String userIdentifier = UUID.nameUUIDFromBytes(userIdentity.getBytes(StandardCharsets.UTF_8)).toString();
foundUser = new org.apache.nifi.authorization.file.tenants.generated.User();
foundUser.setIdentifier(userIdentifier);
foundUser.setIdentity(userIdentity);
tenants.getUsers().getUser().add(foundUser);
}
return foundUser;
}
/**
* Finds the Group with the given name, or creates a new one and adds it to Tenants.
*
* @param tenants the Tenants reference
* @param groupName the name of the group to look for
* @return the Group from Authorizations with the given name, or a new instance
* @return the Group from Tenants with the given name, or a new instance that was added to Tenants
*/
private org.apache.nifi.authorization.file.tenants.generated.Group getOrCreateGroup(final Tenants tenants, final String groupName) {
if (StringUtils.isBlank(groupName)) {
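Review bot: getOrCreateUser returns null for a blank identity (the guard at the top of the new method), but none of the three call sites the commit switches to it checks the result — populateInitialAdmin, populateNodes and convertLegacyUsers (the hunks at -319, -358 and -433) dereference it right away, and in convertLegacyUsers a DN that comes back blank from IdentityMappingUtil.mapIdentity would now fail with a NullPointerException at `user.getIdentifier()`, where the replaced code added a user with that blank identity. Since every caller requires a user, I would make the helper fail loudly and document it: replace `return null;` with `throw new IllegalArgumentException("User identity cannot be blank");` and add `@throws IllegalArgumentException if userIdentity is null or blank` to its Javadoc, which currently does not mention the null result at all. The lookup loop compares with `user.getIdentity().equals(userIdentity)`; because userIdentity is already known to be non-blank there, `userIdentity.equals(user.getIdentity())` is the null-safe form should a tenants entry lack an identity. getOrCreateGroup, at the end of this hunk, continues outside it.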


@ -131,6 +131,16 @@ public class FileAuthorizerTest {
" </users>" +
"</tenants>";
private static final String TENANTS_FOR_ADMIN_AND_NODES =
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
"<tenants>" +
" <users>" +
" <user identifier=\"admin-user\" identity=\"admin-user\"/>" +
" <user identifier=\"node1\" identity=\"node1\"/>" +
" <user identifier=\"node2\" identity=\"node2\"/>" +
" </users>" +
"</tenants>";
// This is the root group id from the flow.xml.gz in src/test/resources
private static final String ROOT_GROUP_ID = "e530e14c-adcf-41c2-b5d6-d9a59ba8765c";
@ -650,6 +660,49 @@ public class FileAuthorizerTest {
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier()));
}
@Test
public void testOnConfiguredWhenNodeIdentitiesProvidedAndUsersAlreadyExist() throws Exception {
final String adminIdentity = "admin-user";
when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
final String nodeIdentity1 = "node1";
final String nodeIdentity2 = "node2";
final Map<String,String> props = new HashMap<>();
props.put("Node Identity 1", nodeIdentity1);
props.put("Node Identity 2", nodeIdentity2);
when(configurationContext.getProperties()).thenReturn(props);
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODES);
authorizer.onConfigured(configurationContext);
assertEquals(3, authorizer.getUsers().size());
User adminUser = authorizer.getUserByIdentity(adminIdentity);
assertNotNull(adminUser);
User nodeUser1 = authorizer.getUserByIdentity(nodeIdentity1);
assertNotNull(nodeUser1);
User nodeUser2 = authorizer.getUserByIdentity(nodeIdentity2);
assertNotNull(nodeUser2);
AccessPolicy proxyReadPolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.READ);
AccessPolicy proxyWritePolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE);
assertNotNull(proxyReadPolicy);
assertTrue(proxyReadPolicy.getUsers().contains(nodeUser1.getIdentifier()));
assertTrue(proxyReadPolicy.getUsers().contains(nodeUser2.getIdentifier()));
assertNotNull(proxyWritePolicy);
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser1.getIdentifier()));
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier()));
}
@Test
public void testOnConfiguredWhenNodeIdentitiesProvidedWithIdentityMappings() throws Exception {
final Properties props = new Properties();