NIFI-5656 Handle empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case.

This closes #3043.

Signed-off-by: Kevin Doran <kdoran@apache.org>
pepov 2018-10-02 15:21:36 +02:00 committed by Kevin Doran
parent b4c8e0179b
commit de685a7a74
No known key found for this signature in database
GPG Key ID: 5621A6244B77AC02
3 changed files with 53 additions and 9 deletions


@ -232,16 +232,21 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
nodeGroupIdentifier = null;
if (nodeGroupName != null) {
for (Group group : userGroupProvider.getGroups()) {
if (group.getName().equals(nodeGroupName)) {
nodeGroupIdentifier = group.getIdentifier();
break;
if (!StringUtils.isBlank(nodeGroupName)) {
logger.debug("Trying to load node group '{}' from the underlying userGroupProvider", nodeGroupName);
for (Group group : userGroupProvider.getGroups()) {
if (group.getName().equals(nodeGroupName)) {
nodeGroupIdentifier = group.getIdentifier();
break;
}
}
}
if (nodeGroupIdentifier == null) {
throw new AuthorizerCreationException(String.format(
if (nodeGroupIdentifier == null) {
throw new AuthorizerCreationException(String.format(
"Authorizations node group '%s' could not be found", nodeGroupName));
}
} else {
logger.debug("Empty node group name provided");
}
}
@ -633,6 +638,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
if (node == null) {
throw new AuthorizerCreationException("Unable to locate node " + nodeIdentity + " to seed policies.");
}
logger.debug("Populating default authorizations for node '{}' ({})", node.getIdentity(), node.getIdentifier());
// grant access to the proxy resource
addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE);
@ -645,6 +651,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
// authorize dynamic nodes (node group)
if (nodeGroupIdentifier != null) {
logger.debug("Populating default authorizations for group '{}' ({})", userGroupProvider.getGroup(nodeGroupIdentifier).getName(), nodeGroupIdentifier);
addGroupToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), nodeGroupIdentifier, WRITE_CODE);
if (rootGroupId != null) {
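Review bot: The debug call added in the third hunk passes `userGroupProvider.getGroup(nodeGroupIdentifier).getName()` as an argument, so the provider lookup and the dereference run on every start even when debug logging is disabled. If `getGroup` returns null for that identifier, a log statement would abort policy seeding with a NullPointerException instead of the AuthorizerCreationException used elsewhere in this class. Logging only the value already in hand avoids both, for example `logger.debug("Populating default authorizations for node group ({})", nodeGroupIdentifier);`, or the lookup can sit behind `if (logger.isDebugEnabled())` with a null check. The enclosing method starts and ends outside the hunk, so whether the group can disappear between configuration and seeding is not visible here.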


@ -767,8 +767,8 @@ public class FileAccessPolicyProviderTest {
userGroupProvider.onConfigured(configurationContext);
accessPolicyProvider.onConfigured(configurationContext);
User nodeUser1 = userGroupProvider.getUserByIdentity(nodeIdentity1);
User nodeUser2 = userGroupProvider.getUserByIdentity(nodeIdentity2);
assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity1));
assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity2));
AccessPolicy proxyWritePolicy = accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE);
@ -776,6 +776,41 @@ public class FileAccessPolicyProviderTest {
assertTrue(proxyWritePolicy.getGroups().contains(nodeGroupIdentifier));
}
@Test
public void testOnConfiguredWhenNodeGroupEmpty() throws Exception {
final String adminIdentity = "admin-user";
final String nodeGroupIdentifier = "cluster-nodes";
when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME)))
.thenReturn(new StandardPropertyValue("", null));
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP);
userGroupProvider.onConfigured(configurationContext);
accessPolicyProvider.onConfigured(configurationContext);
assertNull(accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE));
}
@Test(expected = AuthorizerCreationException.class)
public void testOnConfiguredWhenNodeGroupDoesNotExist() throws Exception {
final String adminIdentity = "admin-user";
when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
.thenReturn(new StandardPropertyValue(adminIdentity, null));
when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME)))
.thenReturn(new StandardPropertyValue("nonexistent", null));
writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP);
userGroupProvider.onConfigured(configurationContext);
accessPolicyProvider.onConfigured(configurationContext);
}
@Test
public void testOnConfiguredWhenTenantsAndAuthorizationsFileDoesNotExist() {
userGroupProvider.onConfigured(configurationContext);
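Review bot: testOnConfiguredWhenNodeGroupEmpty only exercises the empty string, while the production change switches to `StringUtils.isBlank`, so the whitespace-only value that is now also treated as "no node group" has no test pinning it. A sibling case that returns `new StandardPropertyValue("   ", null)` (constructed sample) for PROP_NODE_GROUP_NAME and asserts the same null Proxy WRITE policy would cover it. The local `nodeGroupIdentifier` declared in the empty-group test is never used and can be dropped. In testOnConfiguredWhenNodeGroupDoesNotExist the `expected` attribute is satisfied by an AuthorizerCreationException from either `onConfigured` call, so the test would presumably still pass if the user group provider setup failed instead; asserting that the message contains `nonexistent` would tie it to the fail-closed path under test.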


@ -241,6 +241,8 @@
- Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically
added/removed from the cluster.
NOTE: The group must exist before starting NiFi.
-->
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>