if (Result.Approved.equals(dataResult.getResult())) { final ContentAvailability contentAvailability = flowController.getContentAvailability(event); dto.setReplayAvailable(contentAvailability.isReplayable() && Result.Approved.equals(replayAuthorized.getResult())); dto.setReplayExplanation(contentAvailability.isReplayable() && !Result.Approved.equals(replayAuthorized.getResult()) ? replayAuthorized.getExplanation() : contentAvailability.getReasonNotReplayable()); dto.setSourceConnectionIdentifier(event.getSourceQueueIdentifier()); } else {
@Override public PortAuthorizationResult checkUserAuthorization(NiFiUser user) { if (!secure) { return new StandardPortAuthorizationResult(true, "Site-to-Site is not Secure"); } if (user == null) { final String message = String.format("%s authorization failed because the user is unknown", this, user); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, "User is not known"); } // perform the authorization final Authorizable dataTransferAuthorizable = new DataTransferAuthorizable(this); final AuthorizationResult result = dataTransferAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user); if (!Result.Approved.equals(result.getResult())) { final String message = String.format("%s authorization failed for user %s because %s", this, user.getIdentity(), result.getExplanation()); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, message); } return new StandardPortAuthorizationResult(true, "User is Authorized"); }
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) { if (authorizer == null || user == null) { return true; } final Authorizable eventAuthorizable; try { if (event.isRemotePortType()) { eventAuthorizable = resourceFactory.createRemoteDataAuthorizable(event.getComponentId()); } else { eventAuthorizable = resourceFactory.createLocalDataAuthorizable(event.getComponentId()); } } catch (final ResourceNotFoundException rnfe) { return false; } final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, event.getAttributes()); return Result.Approved.equals(result.getResult()); }
@Override default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { // if this is a modification request and the reporting task is restricted ensure the user has elevated privileges. if this // is not a modification request, we just want to use the normal rules if (RequestAction.WRITE.equals(action) && isRestricted()) { final Set<Authorizable> restrictedComponentsAuthorizables = RestrictedComponentsAuthorizableFactory.getRestrictedComponentsAuthorizable(getComponentClass()); for (final Authorizable restrictedComponentsAuthorizable : restrictedComponentsAuthorizables) { final AuthorizationResult result = restrictedComponentsAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, resourceContext); if (Result.Denied.equals(result.getResult())) { return result; } } } // defer to the base authorization check return ComponentAuthorizable.super.checkAuthorization(authorizer, action, user, resourceContext); }
if (Result.ResourceNotFound.equals(result.getResult())) { final Authorizable parent = getParentAuthorizable(); if (parent == null) {
if (Result.ResourceNotFound.equals(result.getResult())) { final Authorizable parent = getParentAuthorizable(); if (parent == null) { parentProxy.authorize(authorizer, action, user, resourceContext); } else if (Result.Denied.equals(result.getResult())) { throw new AccessDeniedException(result.getExplanation());
if (Result.Approved.equals(connectable.checkAuthorization(authorizer, RequestAction.READ, user).getResult())) { dto.setComponentName(connectable.getName()); } else { if (Result.Approved.equals(remoteGroupPort.checkAuthorization(authorizer, RequestAction.READ, user).getResult())) { dto.setComponentName(remoteGroupPort.getName()); } else { if (Result.Approved.equals(connection.checkAuthorization(authorizer, RequestAction.READ, user).getResult())) { String name = connection.getName(); final Collection<Relationship> relationships = connection.getRelationships();
return Result.Approved.equals(result.getResult());
return Result.Approved.equals(result.getResult());
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } AuthorizationResult result = null; // authorize each element in the chain NiFiUser chainedUser = user; do { try { // perform the current user authorization result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext); // if authorization is not approved, reject if (!Result.Approved.equals(result.getResult())) { return result; } // go to the next user in the chain chainedUser = chainedUser.getChain(); } catch (final ResourceNotFoundException e) { result = AuthorizationResult.denied("Unknown source component."); } } while (chainedUser != null); if (result == null) { result = AuthorizationResult.denied(); } return result; }
@Override public HistoryDTO getActions(final HistoryQueryDTO historyQueryDto) { // extract the query criteria final HistoryQuery historyQuery = new HistoryQuery(); historyQuery.setStartDate(historyQueryDto.getStartDate()); historyQuery.setEndDate(historyQueryDto.getEndDate()); historyQuery.setSourceId(historyQueryDto.getSourceId()); historyQuery.setUserIdentity(historyQueryDto.getUserIdentity()); historyQuery.setOffset(historyQueryDto.getOffset()); historyQuery.setCount(historyQueryDto.getCount()); historyQuery.setSortColumn(historyQueryDto.getSortColumn()); historyQuery.setSortOrder(historyQueryDto.getSortOrder()); // perform the query final History history = auditService.getActions(historyQuery); // only retain authorized actions final HistoryDTO historyDto = dtoFactory.createHistoryDto(history); if (history.getActions() != null) { final List<ActionEntity> actionEntities = new ArrayList<>(); for (final Action action : history.getActions()) { final AuthorizationResult result = authorizeAction(action); actionEntities.add(entityFactory.createActionEntity(dtoFactory.createActionDto(action), Result.Approved.equals(result.getResult()))); } historyDto.setActions(actionEntities); } // create the response return historyDto; }
/** * Authorizes access to replay a specified provenance event. Whether to check read data permission can be specified. The context this * method is invoked may have already verified these permissions. Using a flag here as it forces the caller to acknowledge this fact * limiting the possibility of overlooking it. * * @param event event * @param checkReadDataPermissions whether to verify read data permissions */ private AuthorizationResult checkAuthorizationForReplay(final ProvenanceEventRecord event, final boolean checkReadDataPermissions) { // if the connection id isn't specified, then the replay wouldn't be available anyways and we have nothing to authorize against so deny it` if (event.getSourceQueueIdentifier() == null) { return AuthorizationResult.denied("The connection id in the provenance event is unknown."); } final NiFiUser user = NiFiUserUtils.getNiFiUser(); final Authorizable dataAuthorizable = getDataAuthorizable(event); final Map<String, String> eventAttributes = event.getAttributes(); if (checkReadDataPermissions) { // ensure we can read the data final AuthorizationResult result = dataAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user, eventAttributes); if (!Result.Approved.equals(result.getResult())) { return result; } } // ensure we can write the data; read the data should have been checked already return dataAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, eventAttributes); }
/** * Authorizes access to data transfers. * <p> * Note: Protected for testing purposes */ protected void authorizeDataTransfer(final AuthorizableLookup lookup, final ResourceType resourceType, final String identifier) { final NiFiUser user = NiFiUserUtils.getNiFiUser(); // ensure the resource type is correct if (!ResourceType.InputPort.equals(resourceType) && !ResourceType.OutputPort.equals(resourceType)) { throw new IllegalArgumentException("The resource must be an Input or Output Port."); } // get the authorizable final RootGroupPortAuthorizable authorizable; if (ResourceType.InputPort.equals(resourceType)) { authorizable = lookup.getRootGroupInputPort(identifier); } else { authorizable = lookup.getRootGroupOutputPort(identifier); } // perform the authorization final AuthorizationResult authorizationResult = authorizable.checkAuthorization(user); if (!Result.Approved.equals(authorizationResult.getResult())) { throw new AccessDeniedException(authorizationResult.getExplanation()); } }
@Override public PortAuthorizationResult checkUserAuthorization(NiFiUser user) { if (!secure) { return new StandardPortAuthorizationResult(true, "Site-to-Site is not Secure"); } if (user == null) { final String message = String.format("%s authorization failed because the user is unknown", this, user); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, "User is not known"); } // perform the authorization final Authorizable dataTransferAuthorizable = new DataTransferAuthorizable(this); final AuthorizationResult result = dataTransferAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user); if (!Result.Approved.equals(result.getResult())) { final String message = String.format("%s authorization failed for user %s because %s", this, user.getIdentity(), result.getExplanation()); logger.warn(message); eventReporter.reportEvent(Severity.WARNING, CATEGORY, message); return new StandardPortAuthorizationResult(false, message); } return new StandardPortAuthorizationResult(true, "User is Authorized"); }
@Override public ActionEntity getAction(final Integer actionId) { // get the action final Action action = auditService.getAction(actionId); // ensure the action was found if (action == null) { throw new ResourceNotFoundException(String.format("Unable to find action with id '%s'.", actionId)); } final AuthorizationResult result = authorizeAction(action); final boolean authorized = Result.Approved.equals(result.getResult()); if (!authorized) { throw new AccessDeniedException(result.getExplanation()); } // return the action return entityFactory.createActionEntity(dtoFactory.createActionDto(action), authorized); }
/** * Creates a new AuthorizationResult with the specified result and explanation. * * @param result of the authorization * @param explanation for the authorization attempt */ private AuthorizationResult(Result result, String explanation) { if (Result.Denied.equals(result) && explanation == null) { throw new IllegalArgumentException("An explanation is required when the authorization request is denied."); } if (Result.ResourceNotFound.equals(result) && explanation == null) { throw new IllegalArgumentException("An explanation is required when the authorization request is resource not found."); } this.result = result; this.explanation = explanation; }
@Override default AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { // if this is a modification request and the reporting task is restricted ensure the user has elevated privileges. if this // is not a modification request, we just want to use the normal rules if (RequestAction.WRITE.equals(action) && isRestricted()) { final Set<Authorizable> restrictedComponentsAuthorizables = RestrictedComponentsAuthorizableFactory.getRestrictedComponentsAuthorizable(getComponentClass()); for (final Authorizable restrictedComponentsAuthorizable : restrictedComponentsAuthorizables) { final AuthorizationResult result = restrictedComponentsAuthorizable.checkAuthorization(authorizer, RequestAction.WRITE, user, resourceContext); if (Result.Denied.equals(result.getResult())) { return result; } } } // defer to the base authorization check return ComponentAuthorizable.super.checkAuthorization(authorizer, action, user, resourceContext); }
@Override public boolean isAuthorized(final ProvenanceEventRecord event) { if (authorizer == null || user == null) { return true; } final Authorizable eventAuthorizable; try { eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId()); } catch (final ResourceNotFoundException rnfe) { return false; } final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user); return Result.Approved.equals(result.getResult()); }
public boolean isAuthorized(final ProvenanceEventRecord event, final NiFiUser user) { if (authorizer == null || user == null) { return true; } final Authorizable eventAuthorizable; try { eventAuthorizable = resourceFactory.createProvenanceDataAuthorizable(event.getComponentId()); } catch (final ResourceNotFoundException rnfe) { return false; } final AuthorizationResult result = eventAuthorizable.checkAuthorization(authorizer, RequestAction.READ, user); return Result.Approved.equals(result.getResult()); }
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } final AuthorizationResult resourceResult = Authorizable.super.checkAuthorization(authorizer, action, user, resourceContext); // if we're denied from the resource try inheriting if (Result.Denied.equals(resourceResult.getResult())) { return getParentAuthorizable().checkAuthorization(authorizer, action, user, resourceContext); } else { return resourceResult; } }