Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-3251: Delete requires WRITE perms on parent 

- Requiring WRITE permissions to the parent resource when attempting to remove a component.
- Updating expired certificates in the REST API integration tests.

This closes #1399.

Signed-off-by: James Wing <jvwing@gmail.com>
This commit is contained in:
Matt Gilman 2017-01-05 16:21:50 -05:00 committed by James Wing
parent ddda602620
commit 7340078de2
23 changed files with 141 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/connectable/StandardConnection.java
View File

@ -110,7 +110,7 @@ public final class StandardConnection implements Connection {
@Override
public Authorizable getParentAuthorizable() {
return null;
return getProcessGroup();
}
@Override

7
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/SnippetAuthorizable.java
View File

@ -24,6 +24,13 @@ import java.util.Set;
* Authorizable for a Snippet.
*/
public interface SnippetAuthorizable {
/**
* The authorizable for the parent process group of this snippet.
*
* @return authorizable for parent process group of this snippet
*/
Authorizable getParentProcessGroup();
/**
* The authorizables for selected processors. Non null
*

5
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java
View File

@ -329,6 +329,11 @@ class StandardAuthorizableLookup implements AuthorizableLookup {
final ProcessGroup processGroup = processGroupDAO.getProcessGroup(snippet.getParentGroupId());
return new SnippetAuthorizable() {
@Override
public Authorizable getParentProcessGroup() {
return processGroup;
}
@Override
public Set<ConfigurableComponentAuthorizable> getSelectedProcessors() {
return processGroup.getProcessors().stream()

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java
View File

@ -422,7 +422,8 @@ public class AccessPolicyResource extends ApplicationResource {
value = "Deletes an access policy",
response = AccessPolicyEntity.class,
authorizations = {
@Authorization(value = "Write - /policies/{resource}", type = "")
@Authorization(value = "Write - /policies/{resource}", type = ""),
@Authorization(value = "Write - Policy of the parent resource - /policies/{resource}", type = "")
}
)
@ApiResponses(
@ -472,7 +473,12 @@ public class AccessPolicyResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable accessPolicy = lookup.getAccessPolicyById(id);
// ensure write permission to the access policy
accessPolicy.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the policy for the parent process group
accessPolicy.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
null,
(revision, accessPolicyEntity) -> {

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ConnectionResource.java
View File

@ -295,6 +295,7 @@ public class ConnectionResource extends ApplicationResource {
response = ConnectionEntity.class,
authorizations = {
@Authorization(value = "Write Source - /{component-type}/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
@Authorization(value = "Write Destination - /{component-type}/{uuid}", type = "")
}
)
@ -344,7 +345,12 @@ public class ConnectionResource extends ApplicationResource {
lookup -> {
// verifies write access to the source and destination
final Authorizable authorizable = lookup.getConnection(id).getAuthorizable();
// ensure write permission to the connection
authorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
authorizable.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteConnection(id),
(revision, connectionEntity) -> {

7
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerServiceResource.java
View File

@ -661,6 +661,8 @@ public class ControllerServiceResource extends ApplicationResource {
response = ControllerServiceEntity.class,
authorizations = {
@Authorization(value = "Write - /controller-services/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group if scoped by Process Group - /process-groups/{uuid}", type = ""),
@Authorization(value = "Write - Controller if scoped by Controller - /controller", type = ""),
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
}
)
@ -706,8 +708,13 @@ public class ControllerServiceResource extends ApplicationResource {
requestRevision,
lookup -> {
final ConfigurableComponentAuthorizable controllerService = lookup.getControllerService(id);
// ensure write permission to the controller service
controllerService.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
controllerService.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// verify any referenced services
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(controllerService, authorizer, lookup, false);
},

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FunnelResource.java
View File

@ -245,7 +245,8 @@ public class FunnelResource extends ApplicationResource {
value = "Deletes a funnel",
response = FunnelEntity.class,
authorizations = {
@Authorization(value = "Write - /funnels/{uuid}", type = "")
@Authorization(value = "Write - /funnels/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -290,7 +291,12 @@ public class FunnelResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable funnel = lookup.getFunnel(id);
// ensure write permission to the funnel
funnel.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
funnel.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteFunnel(id),
(revision, funnelEntity) -> {

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/InputPortResource.java
View File

@ -244,7 +244,8 @@ public class InputPortResource extends ApplicationResource {
value = "Deletes an input port",
response = PortEntity.class,
authorizations = {
@Authorization(value = "Write - /input-ports/{uuid}", type = "")
@Authorization(value = "Write - /input-ports/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -289,7 +290,12 @@ public class InputPortResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable inputPort = lookup.getInputPort(id);
// ensure write permission to the input port
inputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
inputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteInputPort(id),
(revision, portEntity) -> {

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/LabelResource.java
View File

@ -244,7 +244,8 @@ public class LabelResource extends ApplicationResource {
value = "Deletes a label",
response = LabelEntity.class,
authorizations = {
@Authorization(value = "Write - /labels/{uuid}", type = "")
@Authorization(value = "Write - /labels/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -289,7 +290,12 @@ public class LabelResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable label = lookup.getLabel(id);
// ensure write permission to the label
label.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
label.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
null,
(revision, labelEntity) -> {

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/OutputPortResource.java
View File

@ -244,7 +244,8 @@ public class OutputPortResource extends ApplicationResource {
value = "Deletes an output port",
response = PortEntity.class,
authorizations = {
@Authorization(value = "Write - /output-ports/{uuid}", type = "")
@Authorization(value = "Write - /output-ports/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -289,7 +290,12 @@ public class OutputPortResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable outputPort = lookup.getOutputPort(id);
// ensure write permission to the output port
outputPort.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
outputPort.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteOutputPort(id),
(revision, portEntity) -> {

10
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java
View File

@ -339,6 +339,8 @@ public class ProcessGroupResource extends ApplicationResource {
response = ProcessGroupEntity.class,
authorizations = {
@Authorization(value = "Write - /process-groups/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
@Authorization(value = "Read - any referenced Controller Services by any encapsulated components - /controller-services/{uuid}", type = ""),
@Authorization(value = "Write - /{component-type}/{uuid} - For all encapsulated components", type = "")
}
)
@ -384,12 +386,18 @@ public class ProcessGroupResource extends ApplicationResource {
requestProcessGroupEntity,
requestRevision,
lookup -> {
final NiFiUser user = NiFiUserUtils.getNiFiUser();
final ProcessGroupAuthorizable processGroupAuthorizable = lookup.getProcessGroup(id);
// ensure write to this process group and all encapsulated components including templates and controller services. additionally, ensure
// read to any referenced services by encapsulated components
authorizeProcessGroup(processGroupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, true, true, false);
// ensure write permission to the parent process group, if applicable... if this is the root group the
// request will fail later but still need to handle authorization here
final Authorizable parentAuthorizable = processGroupAuthorizable.getAuthorizable().getParentAuthorizable();
if (parentAuthorizable != null) {
parentAuthorizable.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
}
},
() -> serviceFacade.verifyDeleteProcessGroup(id),
(revision, processGroupEntity) -> {

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessorResource.java
View File

@ -496,6 +496,7 @@ public class ProcessorResource extends ApplicationResource {
response = ProcessorEntity.class,
authorizations = {
@Authorization(value = "Write - /processors/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
}
)
@ -540,8 +541,13 @@ public class ProcessorResource extends ApplicationResource {
requestRevision,
lookup -> {
final ConfigurableComponentAuthorizable processor = lookup.getProcessor(id);
// ensure write permission to the processor
processor.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
processor.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// verify any referenced services
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(processor, authorizer, lookup, false);
},

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/RemoteProcessGroupResource.java
View File

@ -159,7 +159,8 @@ public class RemoteProcessGroupResource extends ApplicationResource {
value = "Deletes a remote process group",
response = RemoteProcessGroupEntity.class,
authorizations = {
@Authorization(value = "Write - /remote-process-groups/{uuid}", type = "")
@Authorization(value = "Write - /remote-process-groups/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -204,7 +205,12 @@ public class RemoteProcessGroupResource extends ApplicationResource {
requestRevision,
lookup -> {
final Authorizable remoteProcessGroup = lookup.getRemoteProcessGroup(id);
// ensure write permission to the remote process group
remoteProcessGroup.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
remoteProcessGroup.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteRemoteProcessGroup(id),
(revision, remoteProcessGroupEntity) -> {

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ReportingTaskResource.java
View File

@ -465,6 +465,7 @@ public class ReportingTaskResource extends ApplicationResource {
response = ReportingTaskEntity.class,
authorizations = {
@Authorization(value = "Write - /reporting-tasks/{uuid}", type = ""),
@Authorization(value = "Write - /controller", type = ""),
@Authorization(value = "Read - any referenced Controller Services - /controller-services/{uuid}", type = "")
}
)
@ -510,8 +511,13 @@ public class ReportingTaskResource extends ApplicationResource {
requestRevision,
lookup -> {
final ConfigurableComponentAuthorizable reportingTask = lookup.getReportingTask(id);
// ensure write permission to the reporting task
reportingTask.getAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
reportingTask.getAuthorizable().getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// verify any referenced services
AuthorizeControllerServiceReference.authorizeControllerServiceReferences(reportingTask, authorizer, lookup, false);
},

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SnippetResource.java
View File

@ -301,7 +301,8 @@ public class SnippetResource extends ApplicationResource {
value = "Deletes the components in a snippet and discards the snippet",
response = SnippetEntity.class,
authorizations = {
@Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = "")
@Authorization(value = "Write - /{component-type}/{uuid} - For each component in the Snippet and their descendant components", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = ""),
}
)
@ApiResponses(
@ -338,6 +339,9 @@ public class SnippetResource extends ApplicationResource {
// ensure write permission to every component in the snippet excluding referenced services
final SnippetAuthorizable snippet = lookup.getSnippet(snippetId);
authorizeSnippet(snippet, authorizer, lookup, RequestAction.WRITE, true, false);
// ensure write permission to the parent process group
snippet.getParentProcessGroup().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
() -> serviceFacade.verifyDeleteSnippet(snippetId, requestRevisions.stream().map(rev -> rev.getComponentId()).collect(Collectors.toSet())),
(revisions, entity) -> {

8
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TemplateResource.java
View File

@ -165,7 +165,8 @@ public class TemplateResource extends ApplicationResource {
value = "Deletes a template",
response = TemplateEntity.class,
authorizations = {
@Authorization(value = "Write - /templates/{uuid}", type = "")
@Authorization(value = "Write - /templates/{uuid}", type = ""),
@Authorization(value = "Write - Parent Process Group - /process-groups/{uuid}", type = "")
}
)
@ApiResponses(
@ -197,7 +198,12 @@ public class TemplateResource extends ApplicationResource {
requestTemplateEntity,
lookup -> {
final Authorizable template = lookup.getTemplate(id).getAuthorizable();
// ensure write permission to the template
template.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
// ensure write permission to the parent process group
template.getParentAuthorizable().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
},
null,
(templateEntity) -> {

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiFlowTestAuthorizer.java
View File

@ -33,7 +33,7 @@ public class NiFiFlowTestAuthorizer implements Authorizer {
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US";
public static final String PROXY_DN = "CN=localhost, OU=NIFI";
public static final String NONE_USER_DN = "none@nifi";
public static final String READ_USER_DN = "read@nifi";

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
View File

@ -33,7 +33,7 @@ public class NiFiTestAuthorizer implements Authorizer {
public static final String NO_POLICY_COMPONENT_NAME = "No policies";
public static final String PROXY_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US";
public static final String PROXY_DN = "CN=localhost, OU=NIFI";
public static final String NONE_USER_DN = "none@nifi";
public static final String READ_USER_DN = "read@nifi";

BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ks.jks Executable file → Normal file
View File

Binary file not shown.

BIN
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/localhost-ts.jks Executable file → Normal file
View File

Binary file not shown.

5
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-canvas-utils.js
View File

@ -953,6 +953,11 @@ nf.CanvasUtils = (function () {
return false;
}
// ensure the user has write permissions to the current process group
if (nf.Canvas.canWrite() === false) {
return false;
}
if (nf.CanvasUtils.canModify(selection) === false) {
return false;
}

34
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-controller-services.js
View File

@ -505,7 +505,37 @@ nf.ControllerServices = (function () {
if (nf.Common.isDefinedAndNotNull(dataContext.component.parentGroupId)) {
return dataContext.component.parentGroupId;
} else {
return 'Controller'
return 'Controller';
}
};
/**
* Determines if the user has write permissions for the parent of the specified controller service.
*
* @param dataContext
* @returns {boolean} whether the user has write permissions for the parent of the controller service
*/
var canWriteControllerServiceParent = function (dataContext) {
// we know the process group for this controller service is part
// of the current breadcrumb trail
var canWriteProcessGroupParent = function (processGroupId) {
var breadcrumbs = nf.ng.Bridge.injector.get('breadcrumbsCtrl').getBreadcrumbs();
var isAuthorized = false;
$.each(breadcrumbs, function (_, breadcrumbEntity) {
if (breadcrumbEntity.id === processGroupId) {
isAuthorized = breadcrumbEntity.permissions.canWrite;
return false;
}
});
return isAuthorized;
};
if (nf.Common.isDefinedAndNotNull(dataContext.component.parentGroupId)) {
return canWriteProcessGroupParent(dataContext.component.parentGroupId);
} else {
return nf.Common.canModifyController();
}
};
@ -650,7 +680,7 @@ nf.ControllerServices = (function () {
}
}
if (dataContext.permissions.canWrite) {
if (dataContext.permissions.canWrite && canWriteControllerServiceParent(dataContext)) {
markup += '<div class="pointer delete-controller-service fa fa-trash" title="Remove" style="margin-top: 2px; margin-right: 3px;" ></div>';
}

2
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-settings.js
View File

@ -754,7 +754,7 @@ nf.Settings = (function () {
}
}
if (dataContext.permissions.canWrite) {
if (dataContext.permissions.canWrite && nf.Common.canModifyController()) {
markup += '<div title="Remove" class="pointer delete-reporting-task fa fa-trash" style="margin-top: 2px; margin-right: 3px;" ></div>';
}