/** * Returns whether the current user is authorized for the specified action on the specified resource. This * method does not imply the user is directly attempting to access the specified resource. If the user is * attempting a direct access use Authorizable.authorize(). * * @param authorizer authorizer * @param action action * @return is authorized */ default boolean isAuthorized(Authorizer authorizer, RequestAction action, NiFiUser user) { return Result.Approved.equals(checkAuthorization(authorizer, action, user).getResult()); }
@Override public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { final String resourceIdentifier = request.getResource().getIdentifier(); final AccessPolicy policy = accessPolicyProvider.getAccessPolicy(resourceIdentifier, request.getAction()); if (policy == null) { return AuthorizationResult.resourceNotFound(); } final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity()); final User user = userAndGroups.getUser(); if (user == null) { return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity())); } final Set<Group> userGroups = userAndGroups.getGroups(); if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) { return AuthorizationResult.approved(); } return AuthorizationResult.denied(request.getExplanationSupplier().get()); }
@Override public ActionEntity getAction(final Integer actionId) { // get the action final Action action = auditService.getAction(actionId); // ensure the action was found if (action == null) { throw new ResourceNotFoundException(String.format("Unable to find action with id '%s'.", actionId)); } final AuthorizationResult result = authorizeAction(action); final boolean authorized = Result.Approved.equals(result.getResult()); if (!authorized) { throw new AccessDeniedException(result.getExplanation()); } // return the action return entityFactory.createActionEntity(dtoFactory.createActionDto(action), authorized); }
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } AuthorizationResult result = null; // authorize each element in the chain NiFiUser chainedUser = user; do { try { // perform the current user authorization result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext); // if authorization is not approved, reject if (!Result.Approved.equals(result.getResult())) { return result; } // go to the next user in the chain chainedUser = chainedUser.getChain(); } catch (final ResourceNotFoundException e) { result = AuthorizationResult.denied("Unknown source component."); } } while (chainedUser != null); if (result == null) { result = AuthorizationResult.denied(); } return result; }
@Override public AuthorizationResult checkAuthorization(NiFiUser user) { // perform the authorization of the user by using the underlying component, ensures consistent authorization with raw s2s final PortAuthorizationResult authorizationResult = ((RootGroupPort) inputPort).checkUserAuthorization(user); if (authorizationResult.isAuthorized()) { return AuthorizationResult.approved(); } else { return AuthorizationResult.denied(authorizationResult.getExplanation()); } } };
if (Result.ResourceNotFound.equals(result.getResult())) { final Authorizable parent = getParentAuthorizable(); if (parent == null) { final AuthorizationResult failure = AuthorizationResult.denied("No applicable policies could be found."); throw new AccessDeniedException(failure.getExplanation()); } else { parentProxy.authorize(authorizer, action, user, resourceContext); } else if (Result.Denied.equals(result.getResult())) { throw new AccessDeniedException(result.getExplanation());
@Override public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException { return AuthorizationResult.approved(); }
/** * Creates a new denied AuthorizationResult with a message indicating 'Access is denied'. * * @return a new denied AuthorizationResult */ public static AuthorizationResult denied() { return denied(AuthorizationRequest.DEFAULT_EXPLANATION); }
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } final AuthorizationResult resourceResult = Authorizable.super.checkAuthorization(authorizer, action, user, resourceContext); // if we're denied from the resource try inheriting if (Result.Denied.equals(resourceResult.getResult())) { return getParentAuthorizable().checkAuthorization(authorizer, action, user, resourceContext); } else { return resourceResult; } }
@Override public AuthorizationResult checkAuthorization(NiFiUser user) { // perform the authorization of the user by using the underlying component, ensures consistent authorization with raw s2s final PortAuthorizationResult authorizationResult = ((RootGroupPort) outputPort).checkUserAuthorization(user); if (authorizationResult.isAuthorized()) { return AuthorizationResult.approved(); } else { return AuthorizationResult.denied(authorizationResult.getExplanation()); } } };
@Override public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { return AuthorizationResult.approved(); }
private static void audit(final Authorizer authorizer, final AuthorizationRequest request, final AuthorizationResult result) { // audit when... // 1 - the authorizer supports auditing // 2 - the request is an access attempt // 3 - the result is either approved/denied, when resource is not found a subsequent request may be following with the parent resource if (authorizer instanceof AuthorizationAuditor && request.isAccessAttempt() && !Result.ResourceNotFound.equals(result.getResult())) { ((AuthorizationAuditor) authorizer).auditAccessAttempt(request, result); } }
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } // check the source final AuthorizationResult sourceResult = getSourceAuthorizable().checkAuthorization(authorizer, action, user, resourceContext); if (Result.Denied.equals(sourceResult.getResult())) { return sourceResult; } // check the destination return getDestinationAuthorizable().checkAuthorization(authorizer, action, user, resourceContext); }
@Override public PortAuthorizationResult checkUserAuthorization(NiFiUser user) { if (!secure) { return new StandardPortAuthorizationResult(true, "Site-to-Site is not Secure"); } if (user == null) { final String message = String.format("%s authorization failed because the user is unknown", this, user); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, "User is not known"); } // perform the authorization final Authorizable dataTransferAuthorizable = new DataTransferAuthorizable(this); final AuthorizationResult result = dataTransferAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user); if (!Result.Approved.equals(result.getResult())) { final String message = String.format("%s authorization failed for user %s because %s", this, user.getIdentity(), result.getExplanation()); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, message); } return new StandardPortAuthorizationResult(true, "User is Authorized"); }
@Override public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { final UsersAndAccessPolicies usersAndAccessPolicies = getUsersAndAccessPolicies(); final String resourceIdentifier = request.getResource().getIdentifier(); final AccessPolicy policy = usersAndAccessPolicies.getAccessPolicy(resourceIdentifier, request.getAction()); if (policy == null) { return AuthorizationResult.resourceNotFound(); } final User user = usersAndAccessPolicies.getUser(request.getIdentity()); if (user == null) { return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity())); } final Set<Group> userGroups = usersAndAccessPolicies.getGroups(user.getIdentity()); if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) { return AuthorizationResult.approved(); } return AuthorizationResult.denied(request.getExplanationSupplier().get()); }
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) { if (authorizer == null || user == null) { return true; } final Authorizable eventAuthorizable; try { eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId()); } catch (final ResourceNotFoundException rnfe) { return false; } final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user); return Result.Approved.equals(result.getResult()); }
/** * Authorizes access to replay a specified provenance event. Whether to check read data permission can be specified. The context this * method is invoked may have already verified these permissions. Using a flag here as it forces the caller to acknowledge this fact * limiting the possibility of overlooking it. * * @param event event * @param checkReadDataPermissions whether to verify read data permissions */ private AuthorizationResult checkAuthorizationForReplay(final ProvenanceEventRecord event, final boolean checkReadDataPermissions) { // if the connection id isn't specified, then the replay wouldn't be available anyways and we have nothing to authorize against so deny it` if (event.getSourceQueueIdentifier() == null) { return AuthorizationResult.denied("The connection id in the provenance event is unknown."); } final NiFiUser user = NiFiUserUtils.getNiFiUser(); final Authorizable dataAuthorizable = getDataAuthorizable(event); final Map<String, String> eventAttributes = event.getAttributes(); if (checkReadDataPermissions) { // ensure we can read the data final AuthorizationResult result = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes); if (!Result.Approved.equals(result.getResult())) { return result; } } // ensure we can write the data; read the data should have been checked already return dataAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, eventAttributes); }
/** * Authorizes access to data transfers. * <p> * Note: Protected for testing purposes */ protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) { final NiFiUser user = NiFiUserUtils.getNiFiUser(); // ensure the resource type is correct if (!ResourceType.InputPort.equals(resourceType) && !ResourceType.OutputPort.equals(resourceType)) { throw new IllegalArgumentException("The resource must be an Input or Output Port."); } // get the authorizable final RootGroupPortAuthorizable authorizable; if (ResourceType.InputPort.equals(resourceType)) { authorizable = lookup.getRootGroupInputPort(identifier); } else { authorizable = lookup.getRootGroupOutputPort(identifier); } // perform the authorization final AuthorizationResult authorizationResult = authorizable.checkAuthorization(user); if (!Result.Approved.equals(authorizationResult.getResult())) { throw new AccessDeniedException(authorizationResult.getExplanation()); } }
return AuthorizationResult.approved(); return AuthorizationResult.approved(); } else { return AuthorizationResult.denied(request.getExplanationSupplier().get()); } else { return AuthorizationResult.resourceNotFound();
@Override public boolean isAuthorized(final ProvenanceEventRecord event) { if (authorizer == null || user == null) { return true; } final Authorizable eventAuthorizable; try { eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId()); } catch (final ResourceNotFoundException rnfe) { return false; } final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user); return Result.Approved.equals(result.getResult()); }