/**
 * Decides whether the identity carried by {@code request} may perform the requested action
 * on the requested resource.
 *
 * <p>Outcomes, in the order they are evaluated:
 * <ol>
 *   <li>No policy exists for the resource/action pair: {@code resourceNotFound()}. This is
 *       checked before the user lookup, so an unknown identity asking about a resource
 *       without a policy gets this result rather than a denial.</li>
 *   <li>The user/group provider returns no user for the identity: denied, with a message
 *       that names the identity.</li>
 *   <li>The policy lists the user's identifier, or {@code containsGroup(groups, policy)}
 *       returns true: approved.</li>
 *   <li>Anything else: denied, using the explanation supplied by the request.</li>
 * </ol>
 *
 * @param request the authorization request (resource, action, identity, explanation supplier)
 * @return the authorization decision; approval is only returned from step 3 above
 * @throws AuthorizationAccessException declared by the overridden method; nothing in this
 *         body throws it directly (presumably raised by the providers; confirm)
 */
@Override
public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final String resourceId = request.getResource().getIdentifier();
    final AccessPolicy matchingPolicy = accessPolicyProvider.getAccessPolicy(resourceId, request.getAction());
    if (matchingPolicy == null) {
        // No policy at all is reported separately from "policy exists but does not grant access".
        return AuthorizationResult.resourceNotFound();
    }

    final UserAndGroups resolved = userGroupProvider.getUserAndGroups(request.getIdentity());
    final User knownUser = resolved.getUser();
    if (knownUser == null) {
        // NOTE(review): the identity is echoed into the denial text; confirm where that text is surfaced.
        final String reason = String.format("Unknown user with identity '%s'.", request.getIdentity());
        return AuthorizationResult.denied(reason);
    }

    final Set<Group> groups = resolved.getGroups();

    // Direct membership is tested first; group membership is only consulted when it fails.
    final boolean listedOnPolicy = matchingPolicy.getUsers().contains(knownUser.getIdentifier());
    if (!listedOnPolicy && !containsGroup(groups, matchingPolicy)) {
        return AuthorizationResult.denied(request.getExplanationSupplier().get());
    }
    return AuthorizationResult.approved();
}
/**
 * Creates an {@code AuthorizationRequest} from the values held by this instance.
 *
 * @return a new request constructed by passing {@code this} to the request constructor
 */
public AuthorizationRequest build() {
    final AuthorizationRequest built = new AuthorizationRequest(this);
    return built;
}
} // closes the enclosing class, whose declaration lies outside this excerpt
/**
 * Authorizes {@code request} by copying its action, identity and groups onto
 * {@code rangerRequest} and, for access attempts, recording a result in {@code resultLookup}.
 *
 * NOTE(review): this listing is an elided excerpt. The braces are unbalanced, and the
 * declarations of {@code clientIp}, {@code rangerRequest} and {@code result} as well as the
 * call that produces {@code result} are not shown. Comments below describe only the visible
 * statements.
 *
 * @param request the authorization request being evaluated
 * @return only a {@code denied(...)} return is visible in this excerpt; other outcomes are elided
 * @throws AuthorizationAccessException declared by the overridden method; no throw is visible here
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // The client address is read from the optional user context and is null when none is supplied.
    // NOTE(review): how the caller fills CLIENT_ADDRESS (socket peer vs. forwarded header) is not
    // visible here; confirm before relying on it in policy conditions or audit records.
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    // NOTE(review): the closing brace of the else branch and the following lines are elided.

    // Action and access type are both set to the name of the requested action.
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);

    // For access attempts the result is stored under the resultLookup monitor, keyed by the
    // request object itself.
    // NOTE(review): retrieval therefore depends on AuthorizationRequest equals/hashCode; confirm
    // that two concurrent, equal requests cannot overwrite each other's stored result.
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
    // NOTE(review): lines elided here; the branch that consumes doesPolicyExist is not shown.
    final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
    } else {
/**
 * Forwards an authorization outcome to the authorizer's audit hook when auditing applies.
 *
 * <p>Nothing is recorded unless all three conditions hold: the authorizer implements
 * {@code AuthorizationAuditor}, the request is an access attempt, and the result is not
 * {@code ResourceNotFound}.
 *
 * @param authorizer the authorizer that produced {@code result}
 * @param request the request that was authorized
 * @param result the outcome to audit
 */
private static void audit(final Authorizer authorizer, final AuthorizationRequest request, final AuthorizationResult result) {
    // 1 - the authorizer must support auditing
    if (!(authorizer instanceof AuthorizationAuditor)) {
        return;
    }

    // 2 - only access attempts are audited
    if (!request.isAccessAttempt()) {
        return;
    }

    // 3 - only approved/denied results are audited; when the resource is not found a subsequent
    //     request may be following with the parent resource
    // NOTE(review): a ResourceNotFound outcome leaves no audit record from this method, so the
    // audit trail relies on that follow-up request actually being made; confirm at the call site.
    if (Result.ResourceNotFound.equals(result.getResult())) {
        return;
    }

    final AuthorizationAuditor auditor = (AuthorizationAuditor) authorizer;
    auditor.auditAccessAttempt(request, result);
}
/**
 * Writes the audit event for an access attempt, using the Ranger result stored for
 * {@code request} in {@code resultLookup}.
 *
 * <p>The stored entry is removed whether or not an event is written. No event is written when
 * no entry exists or when the stored result is not flagged as audited.
 *
 * @param request the request whose stored result is looked up; also supplies the originally
 *        requested resource for the event's resource path
 * @param result the authorization outcome; not read by this method
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult storedResult;
    // Remove under the resultLookup monitor, so each stored result is taken at most once.
    // NOTE(review): entries are only removed here; an access attempt that never reaches this
    // method would leave its entry in resultLookup. Confirm every stored entry is consumed.
    synchronized (resultLookup) {
        storedResult = resultLookup.remove(request);
    }

    if (storedResult == null || !storedResult.getIsAudited()) {
        return;
    }

    // NOTE(review): the event is dereferenced without a null check; confirm getAuthzEvents
    // cannot return null for an audited result.
    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(storedResult);

    // update the event with the originally requested resource
    auditEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());

    defaultAuditHandler.logAuthzAudit(auditEvent);
}
/**
 * Authorizes {@code request}: the visible statements copy the action, identity and groups onto
 * {@code rangerRequest} and, for access attempts, store a result in {@code resultLookup}.
 *
 * NOTE(review): elided excerpt. Braces do not balance, and {@code clientIp},
 * {@code rangerRequest} and {@code result} are declared or assigned in lines that are not shown.
 * Only the visible statements are documented.
 *
 * @param request the authorization request being evaluated
 * @return a {@code denied(...)} result is the only return visible here; other outcomes are elided
 * @throws AuthorizationAccessException declared by the overridden method; no throw is visible here
 */
@Override
public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
    final String identity = request.getIdentity();
    final Set<String> userGroups = request.getGroups();
    final String resourceIdentifier = request.getResource().getIdentifier();

    // clientIp comes from the user context entry named CLIENT_ADDRESS, or is null without a context.
    // NOTE(review): the origin of that value is decided by the caller; verify it is not taken
    // from a client-controlled header before using it for policy evaluation or auditing.
    if (request.getUserContext() != null) {
        clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
    } else {
        clientIp = null;
    // NOTE(review): the end of the else branch is elided in this listing.

    // The action name is used for both the action and the access type.
    rangerRequest.setAction(request.getAction().name());
    rangerRequest.setAccessType(request.getAction().name());
    rangerRequest.setUser(identity);
    rangerRequest.setUserGroups(userGroups);

    // Access attempts have their result stored, keyed by the request, while holding the
    // resultLookup monitor.
    // NOTE(review): the key is the request object, so correct retrieval depends on its
    // equals/hashCode; confirm against AuthorizationRequest.
    if (request.isAccessAttempt()) {
        synchronized (resultLookup) {
            resultLookup.put(request, result);
    // NOTE(review): elided lines; how doesPolicyExist selects between outcomes is not shown.
    final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
    return AuthorizationResult.denied(request.getExplanationSupplier().get());
    } else {
/**
 * Emits the audit record for an access attempt from the Ranger result previously stored for
 * {@code request} in {@code resultLookup}.
 *
 * <p>The lookup entry is always removed. An event is logged only when an entry was found and
 * its {@code getIsAudited()} flag is set.
 *
 * @param request the request used as the lookup key; its requested resource becomes the
 *        event's resource path
 * @param result the authorization outcome; this method does not read it
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult pending;
    // The removal happens while holding the resultLookup monitor.
    // NOTE(review): this is the only removal visible in the listing; confirm that results
    // stored for requests that are never audited do not accumulate in resultLookup.
    synchronized (resultLookup) {
        pending = resultLookup.remove(request);
    }

    final boolean shouldLog = pending != null && pending.getIsAudited();
    if (!shouldLog) {
        return;
    }

    // NOTE(review): getAuthzEvents' result is used without a null check; verify it is never
    // null when getIsAudited() is true.
    final AuthzAuditEvent authzEvent = defaultAuditHandler.getAuthzEvents(pending);

    // update the event with the originally requested resource
    authzEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    authzEvent.setResourcePath(request.getRequestedResource().getIdentifier());

    defaultAuditHandler.logAuthzAudit(authzEvent);
}
/**
 * Decides whether the identity carried by {@code request} may perform the requested action on
 * the requested resource, reading policy, user and groups from one
 * {@code UsersAndAccessPolicies} object obtained at the start of the call.
 *
 * <p>Evaluation order:
 * <ol>
 *   <li>No policy for the resource/action pair: {@code resourceNotFound()}. This is decided
 *       before the user is looked up.</li>
 *   <li>No user for the request identity: denied, with a message that names the identity.</li>
 *   <li>The policy lists the user's identifier, or {@code containsGroup(groups, policy)}
 *       returns true: approved.</li>
 *   <li>Otherwise: denied, with the explanation supplied by the request.</li>
 * </ol>
 *
 * <p>Groups are looked up by {@code user.getIdentity()}, while membership on the policy is
 * tested with {@code user.getIdentifier()}.
 *
 * @param request the authorization request (resource, action, identity, explanation supplier)
 * @return the authorization decision; approval is only returned from step 3 above
 * @throws AuthorizationAccessException declared by the overridden method; nothing in this
 *         body throws it directly (presumably raised by the lookups; confirm)
 */
@Override
public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
    final UsersAndAccessPolicies source = getUsersAndAccessPolicies();

    final String resourceId = request.getResource().getIdentifier();
    final AccessPolicy applicablePolicy = source.getAccessPolicy(resourceId, request.getAction());
    if (applicablePolicy == null) {
        // A missing policy is reported as "not found", which is neither approval nor denial.
        return AuthorizationResult.resourceNotFound();
    }

    final User requester = source.getUser(request.getIdentity());
    if (requester == null) {
        // NOTE(review): the identity is echoed into the denial text; confirm where that text is surfaced.
        return AuthorizationResult.denied(
                String.format("Unknown user with identity '%s'.", request.getIdentity()));
    }

    final Set<Group> memberships = source.getGroups(requester.getIdentity());

    // Direct user membership short-circuits the group check.
    final boolean permitted = applicablePolicy.getUsers().contains(requester.getIdentifier())
            || containsGroup(memberships, applicablePolicy);

    return permitted
            ? AuthorizationResult.approved()
            : AuthorizationResult.denied(request.getExplanationSupplier().get());
}