/**
 * Authorizes the given user for the given action on this resource, without any
 * resource context. As stated by the original contract, calling this method does
 * imply that the user is directly accessing the resource.
 *
 * <p>This is a convenience overload: it forwards to the four-argument
 * {@code authorize} and passes {@code null} as the resource context.
 *
 * @param authorizer authorizer that evaluates the request
 * @param action     action being requested
 * @param user       user the decision is made for
 * @throws AccessDeniedException propagated from the four-argument overload
 */
default void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user)
        throws AccessDeniedException {
    // No resource context is available on this path, so null is handed to the delegate.
    authorize(authorizer, action, user, null);
}
// Closes the enclosing type; its header lies outside this excerpt.
}
/**
 * Authorizes the user on this resource and, when that is denied, on the parent
 * authorizable (policy inheritance).
 *
 * <p>Access is granted as soon as either check passes. When both are denied, the
 * exception from the resource-level check is the one rethrown, so the reported
 * denial refers to this resource and not to the parent.
 *
 * @param authorizer      authorizer that evaluates the request
 * @param action          action being requested
 * @param user            user the decision is made for; {@code null} is rejected
 * @param resourceContext context passed unchanged to both checks
 * @throws AccessDeniedException if {@code user} is {@code null}, or if both the
 *                               resource-level and the parent check deny access
 */
@Override
public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext)
        throws AccessDeniedException {
    // Fail closed: a request without an identified user is denied before any policy is consulted.
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }

    final AccessDeniedException resourceDenied;
    try {
        Authorizable.super.authorize(authorizer, action, user, resourceContext);
        return;
    } catch (final AccessDeniedException denied) {
        resourceDenied = denied;
    }

    // Denied on the resource itself: fall back to the inherited (parent) policy.
    try {
        getParentAuthorizable().authorize(authorizer, action, user, resourceContext);
    } catch (final AccessDeniedException policiesDenied) {
        // Surface the original, resource-level denial rather than the parent's.
        throw resourceDenied;
    }
}
// Closes the enclosing anonymous class; its opening lies outside this excerpt.
};
/**
 * Checks the user against this resource first and falls back to the parent
 * authorizable when the resource-level check is denied.
 *
 * <p>A permissive parent policy is therefore enough to grant access. If the parent
 * denies as well, the resource-level exception is rethrown and the parent's is
 * discarded.
 *
 * @param authorizer      authorizer that evaluates the request
 * @param action          action being requested
 * @param user            user the decision is made for; {@code null} is rejected
 * @param resourceContext context passed unchanged to both checks
 * @throws AccessDeniedException if {@code user} is {@code null}, or if neither the
 *                               resource nor its parent authorizes the request
 */
@Override
public void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user,
        final Map<String, String> resourceContext) throws AccessDeniedException {
    // An unidentified caller is never authorized.
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }

    try {
        Authorizable.super.authorize(authorizer, action, user, resourceContext);
    } catch (final AccessDeniedException deniedOnResource) {
        // The resource-level check refused the request; try the inherited policy next.
        try {
            getParentAuthorizable().authorize(authorizer, action, user, resourceContext);
        } catch (final AccessDeniedException deniedOnParent) {
            // Report the denial for the resource that was actually requested.
            throw deniedOnResource;
        }
    }
}
// Closes the enclosing type; its header lies outside this excerpt.
}
/**
 * Authorizes the user against both endpoints: the source authorizable first, then
 * the destination authorizable. Both checks must pass; a denial from the source
 * check means the destination check is never run.
 *
 * @param authorizer      authorizer that evaluates the request
 * @param action          action being requested
 * @param user            user the decision is made for; {@code null} is rejected
 * @param resourceContext context passed unchanged to both checks
 * @throws AccessDeniedException if {@code user} is {@code null}; denials raised by
 *                               either endpoint check propagate unchanged
 */
@Override
public void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user,
        final Map<String, String> resourceContext) throws AccessDeniedException {
    // Fail closed when no user could be identified.
    if (user == null) {
        throw new AccessDeniedException("Unknown user.");
    }

    // Conjunctive check: source and destination must each allow the action.
    getSourceAuthorizable().authorize(authorizer, action, user, resourceContext);
    getDestinationAuthorizable().authorize(authorizer, action, user, resourceContext);
}
/**
 * Authorizes every restriction attached to the given component authorizable.
 *
 * <p>Each restricted authorizable is checked with {@link RequestAction#WRITE} for
 * the user returned by {@code NiFiUserUtils.getNiFiUser()}, which is looked up again
 * for each restriction. A denial on any restriction stops the iteration by propagating.
 *
 * @param authorizer   authorizer that evaluates each restriction
 * @param authorizable component whose restricted authorizables are checked
 */
protected void authorizeRestrictions(final Authorizer authorizer, final ComponentAuthorizable authorizable) {
    authorizable.getRestrictedAuthorizables().forEach(restriction -> {
        // Restrictions are always evaluated as WRITE, whatever the caller's own action is.
        restriction.authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser());
    });
}
/**
 * Checks that the user may READ the provenance data of the component that produced
 * the given event.
 *
 * <p>NOTE(review): this check fails open. When either the authorizer or the user is
 * {@code null}, the method returns without consulting any policy. Presumably
 * {@code null} marks a trusted internal caller; confirm that no request path can
 * arrive here with an unresolved user.
 *
 * @param event provenance event whose component id selects the resource
 * @param user  user the decision is made for; {@code null} skips the check
 */
protected void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    // Without an authorizer there is nothing to evaluate.
    if (authorizer == null) {
        return;
    }
    // A null user also skips the check (see the review note above).
    if (user == null) {
        return;
    }

    resourceFactory.createProvenanceDataAuthorizable(event.getComponentId())
            .authorize(authorizer, RequestAction.READ, user);
}
/**
 * <p>Authorizes an operation request using the base authorizable, with the operation
 * authorizable as a fallback.</p>
 *
 * <p>The base authorizable is checked first with the WRITE action. If it allows the
 * request, authorization is complete. If it denies the request, the user is checked for
 * WRITE permission on '/operation/{componentType}/{id}' through an
 * {@code OperationAuthorizable} wrapping the base authorizable.</p>
 *
 * <p>Either permission is therefore sufficient. A denial from the fallback check
 * propagates to the caller, while the base denial is only logged at debug level.</p>
 *
 * @param baseAuthorizable authorizable of the component being operated on
 * @param authorizer       authorizer that evaluates both checks
 * @param user             user the decision is made for
 */
public static void authorizeOperation(final Authorizable baseAuthorizable, final Authorizer authorizer, final NiFiUser user) {
    try {
        baseAuthorizable.authorize(authorizer, RequestAction.WRITE, user);
    } catch (AccessDeniedException baseDenied) {
        logger.debug("Authorization failed with {}. Try authorizing with OperationAuthorizable.", baseAuthorizable, baseDenied);

        // The operation policy is always evaluated with the WRITE action.
        final OperationAuthorizable operationAuthorizable = new OperationAuthorizable(baseAuthorizable);
        operationAuthorizable.authorize(authorizer, RequestAction.WRITE, user);
    }
}
/**
 * Checks that the {@code user} held in the enclosing scope may READ the provenance
 * data of the component that produced the given event.
 *
 * <p>NOTE(review): a {@code null} authorizer skips the check entirely (fail-open).
 * Unlike the two-argument variants seen elsewhere, {@code user} is not null-checked
 * here; it is passed to the authorizable as is. Confirm that the authorizable
 * rejects a {@code null} user.
 *
 * @param event provenance event whose component id selects the resource
 */
@Override
public void authorize(final ProvenanceEventRecord event) {
    if (authorizer != null) {
        resourceFactory.createProvenanceDataAuthorizable(event.getComponentId())
                .authorize(authorizer, RequestAction.READ, user);
    }
}
// Closes the enclosing type; its header lies outside this excerpt.
}
/**
 * Authorizes READ access to the provenance data of the component referenced by the
 * given event.
 *
 * <p>NOTE(review): the guard fails open. If the authorizer or the user is
 * {@code null}, no policy is consulted and the method returns normally. Presumably
 * this is reserved for trusted internal callers; verify against the call sites.
 *
 * @param event provenance event whose component id selects the resource
 * @param user  user the decision is made for; {@code null} skips the check
 */
public void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    final boolean checkable = authorizer != null && user != null;
    if (!checkable) {
        return;
    }

    final Authorizable provenanceData = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId());
    provenanceData.authorize(authorizer, RequestAction.READ, user);
}
/**
 * Authorizes the given user for READ access to the flow resource.
 *
 * <p>The check runs inside {@code serviceFacade.authorizeAccess}, which supplies the
 * lookup used to resolve the flow authorizable.
 *
 * @param user user the decision is made for
 */
private void authorizeFlowAccess(final NiFiUser user) {
    // The user is passed in explicitly; it is not resolved from the request context here.
    serviceFacade.authorizeAccess(lookup -> lookup.getFlow().authorize(authorizer, RequestAction.READ, user));
}
/**
 * Verifies that the user may READ the provenance data of the component named by the
 * event's component id.
 *
 * <p>NOTE(review): when the authorizer or the user is {@code null}, the body is
 * skipped and the event is treated as authorized (fail-open). Confirm that
 * {@code null} can only come from trusted internal callers.
 *
 * @param event provenance event whose component id selects the resource
 * @param user  user the decision is made for; {@code null} skips the check
 */
private void authorize(final ProvenanceEventRecord event, final NiFiUser user) {
    if (authorizer != null && user != null) {
        final Authorizable componentProvenance = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId());
        componentProvenance.authorize(authorizer, RequestAction.READ, user);
    }
}
/**
 * Authorizes the current user for the given action on the counters resource.
 *
 * @param action action being requested on the counters
 */
private void authorizeCounters(final RequestAction action) {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getCounters().authorize(authorizer, action, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes the current user for READ access to the authorizable returned by
 * {@code lookup.getResource()}.
 */
private void authorizeResource() {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getResource().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes the current user for READ access to the flow.
 */
private void authorizeFlow() {
    serviceFacade.authorizeAccess(lookup -> {
        // Resolve the flow authorizable and check it for the user bound to this request.
        final Authorizable flowAuthorizable = lookup.getFlow();
        final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();
        flowAuthorizable.authorize(authorizer, RequestAction.READ, currentUser);
    });
}
/**
 * Authorizes the current user for READ access to Site To Site details.
 * <p>
 * Note: Protected for testing purposes
 */
protected void authorizeSiteToSite() {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getSiteToSite().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes the current user for READ access to the provenance resource.
 */
private void authorizeProvenanceRequest() {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getProvenance().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes the current user for READ access to the system resource.
 */
private void authorizeSystem() {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getSystem().authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes the current user for the given action on the controller resource.
 *
 * @param action action being requested on the controller
 */
private void authorizeController(final RequestAction action) {
    // The user is resolved via NiFiUserUtils at the time the lookup callback runs.
    serviceFacade.authorizeAccess(lookup ->
            lookup.getController().authorize(authorizer, action, NiFiUserUtils.getNiFiUser()));
}
/**
 * Authorizes use of a snippet inside a target process group.
 *
 * <p>Two checks run in order: WRITE on the target process group for the current
 * user, then READ on the snippet through {@code authorizeSnippet}. A denial from
 * the first check propagates before the snippet is looked up.
 *
 * @param lookup                      lookup used to resolve the process group and the snippet
 * @param groupId                     id of the target process group
 * @param snippetId                   id of the snippet being used
 * @param authorizeTransitiveServices forwarded unchanged to {@code authorizeSnippet}
 * @return the snippet authorizable resolved for {@code snippetId}
 */
private SnippetAuthorizable authorizeSnippetUsage(final AuthorizableLookup lookup, final String groupId, final String snippetId,
        final boolean authorizeTransitiveServices) {
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // The caller must be able to modify the process group that receives the snippet.
    lookup.getProcessGroup(groupId).getAuthorizable().authorize(authorizer, RequestAction.WRITE, currentUser);

    // Require READ on every component in the snippet, including referenced services.
    // NOTE(review): the literal `true` presumably enables the referenced-services check; confirm against authorizeSnippet.
    final SnippetAuthorizable snippetAuthorizable = lookup.getSnippet(snippetId);
    authorizeSnippet(snippetAuthorizable, authorizer, lookup, RequestAction.READ, true, authorizeTransitiveServices);

    return snippetAuthorizable;
}
/**
 * Authorizes the user on this component, adding the restricted-component checks for
 * modification requests.
 *
 * <p>For a WRITE request on a restricted component, every restricted-components
 * authorizable for the component class must allow WRITE before the base check
 * runs. Any other request goes straight to the base check, so reading a
 * restricted component follows the normal rules.
 *
 * @param authorizer      authorizer that evaluates the request
 * @param action          action being requested
 * @param user            user the decision is made for
 * @param resourceContext context passed unchanged to every check
 * @throws AccessDeniedException propagated from the restricted-component checks or
 *                               from the base authorization check
 */
@Override
default void authorize(final Authorizer authorizer, final RequestAction action, final NiFiUser user,
        final Map<String, String> resourceContext) throws AccessDeniedException {
    // Elevated privileges are required only when a restricted component is being modified.
    if (RequestAction.WRITE.equals(action)) {
        if (isRestricted()) {
            for (final Authorizable restriction
                    : RestrictedComponentsAuthorizableFactory.getRestrictedComponentsAuthorizable(getComponentClass())) {
                // All restrictions must pass; the first denial propagates.
                restriction.authorize(authorizer, RequestAction.WRITE, user, resourceContext);
            }
        }
    }

    // The restriction checks come on top of the base authorization check; they do not replace it.
    ComponentAuthorizable.super.authorize(authorizer, action, user, resourceContext);
}
// Closes the enclosing type; its header lies outside this excerpt.
}