/**
 * Looks up the policy that governs one action on one resource.
 *
 * @param resourceIdentifier identifier of the resource the policy must apply to
 * @param action the action the policy must cover
 * @return the first policy in {@code policies} whose resource and action both match,
 *         or {@code null} when no such policy exists
 */
@Override
public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) {
    for (final AccessPolicy candidate : policies) {
        // Both fields are compared with equals(); this lookup does no prefix or parent-resource fallback.
        final boolean sameResource = candidate.getResource().equals(resourceIdentifier);
        if (sameResource && candidate.getAction().equals(action)) {
            return candidate;
        }
    }
    // null means "no policy defined for this resource/action pair".
    return null;
}
/**
 * Serializes one access policy as a policy element with one nested element per user and per group.
 *
 * <p>Users and groups are written in their natural sort order, so the output for a given policy
 * does not depend on the iteration order of the underlying collections. Every value is emitted
 * through {@code writeAttribute}, so escaping is left to the stream writer and no value is
 * concatenated into markup by hand.
 *
 * @param writer the stream writer positioned where the policy element should be written
 * @param policy the policy to serialize
 * @throws XMLStreamException if the writer fails
 */
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException {
    // Copy before sorting so the policy's own collections are never reordered.
    final List<String> sortedUsers = new ArrayList<>(policy.getUsers());
    sortedUsers.sort(null);

    final List<String> sortedGroups = new ArrayList<>(policy.getGroups());
    sortedGroups.sort(null);

    writer.writeStartElement(POLICY_ELEMENT);
    writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier());
    writer.writeAttribute(RESOURCE_ATTR, policy.getResource());
    // The action is persisted by its constant name(), not its toString() form.
    writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name());

    for (final String userId : sortedUsers) {
        writer.writeStartElement(POLICY_USER_ELEMENT);
        writer.writeAttribute(IDENTIFIER_ATTR, userId);
        writer.writeEndElement();
    }

    for (final String groupId : sortedGroups) {
        writer.writeStartElement(POLICY_GROUP_ELEMENT);
        writer.writeAttribute(IDENTIFIER_ATTR, groupId);
        writer.writeEndElement();
    }

    // Closes the policy element opened above.
    writer.writeEndElement();
}
/**
 * Resolves the string form of an action back to its constant.
 *
 * <p>Only the exact {@code toString()} forms of {@code READ} and {@code WRITE} are accepted;
 * {@code null} or any other text is rejected rather than mapped to a default action.
 *
 * @param action the string form of the action
 * @return {@code READ} or {@code WRITE}
 * @throws IllegalArgumentException if {@code action} matches neither constant
 */
public static RequestAction valueOfValue(final String action) {
    if (RequestAction.READ.toString().equals(action)) {
        return RequestAction.READ;
    }
    if (RequestAction.WRITE.toString().equals(action)) {
        return RequestAction.WRITE;
    }
    throw new IllegalArgumentException("Action must be one of [" + READ.toString() + ", " + WRITE.toString() + "]");
}
}
final Resource cloneResource = entry.getValue(); for (final RequestAction action : RequestAction.values()) { final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(action, originalResource.getIdentifier()); final AccessPolicyDTO cloneAccessPolicy = new AccessPolicyDTO(); cloneAccessPolicy.setId(generateId(accessPolicy.getIdentifier(), idGenerationSeed, true)); cloneAccessPolicy.setAction(accessPolicy.getAction().toString()); cloneAccessPolicy.setResource(cloneResource.getIdentifier());
/**
 * Creates a new access policy from the supplied DTO.
 *
 * @param accessPolicyDTO the requested policy; its action string is converted with
 *                        {@code RequestAction.valueOfValue} before the policy is built
 * @return the policy returned by the configurable provider's {@code addAccessPolicy}
 * @throws IllegalStateException if the authorizer does not support configurable policies
 */
@Override
public AccessPolicy createAccessPolicy(final AccessPolicyDTO accessPolicyDTO) {
    // Refuse up front when policies cannot be configured; nothing is read from the DTO in that case.
    if (!supportsConfigurableAuthorizer()) {
        throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES);
    }

    final ConfigurableAccessPolicyProvider configurableProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider;
    return configurableProvider.addAccessPolicy(
            buildAccessPolicy(
                    accessPolicyDTO.getId(),
                    accessPolicyDTO.getResource(),
                    RequestAction.valueOfValue(accessPolicyDTO.getAction()),
                    accessPolicyDTO));
}
/**
 * Removes the access policies that belong to a component which is being deleted.
 *
 * <p>Covers the component resource itself plus its data, provenance data, data transfer and
 * policy resources, for every {@link RequestAction}. Removal is best effort: a failure on one
 * policy is logged as a warning and the remaining policies are still processed.
 *
 * @param componentResource the resource for the component
 */
private void cleanUpPolicies(final Resource componentResource) {
    // Nothing to do unless the authorizer supports configuration.
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> affectedResources = new ArrayList<>();
    affectedResources.add(componentResource);
    affectedResources.add(ResourceFactory.getDataResource(componentResource));
    affectedResources.add(ResourceFactory.getProvenanceDataResource(componentResource));
    affectedResources.add(ResourceFactory.getDataTransferResource(componentResource));
    affectedResources.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource resource : affectedResources) {
        for (final RequestAction action : RequestAction.values()) {
            try {
                // The component is going away, so any policy still bound to it is removed as well.
                final AccessPolicy existingPolicy = accessPolicyDAO.getAccessPolicy(action, resource.getIdentifier());
                if (existingPolicy == null) {
                    continue;
                }
                accessPolicyDAO.deleteAccessPolicy(existingPolicy.getIdentifier());
            } catch (final Exception e) {
                logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", action, resource.getIdentifier()), e);
            }
        }
    }
}
try { final RequestAction action = RequestAction.valueOf(access.getType());
final RequestAction requestAction = RequestAction.valueOfValue(action); final String resource = "/" + rawResource;
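/**
 * Attempts to roll back all policies for the specified component. This includes the component resource, data resource
 * for the component, view provenance resource for the component, data transfer resource for the component, and policy
 * resource for the component.
 *
 * <p>The rollback is best effort. Lookup and deletion share one {@code try} block, so a failure on one policy is
 * logged as a warning and the remaining cloned policies are still removed rather than left behind.
 *
 * @param componentResource component resource
 */
private void rollbackClonedPolicy(final Resource componentResource) {
    // Nothing to roll back unless the authorizer supports configuration.
    if (!accessPolicyDAO.supportsConfigurableAuthorizer()) {
        return;
    }

    final List<Resource> resources = new ArrayList<>();
    resources.add(componentResource);
    resources.add(ResourceFactory.getDataResource(componentResource));
    resources.add(ResourceFactory.getProvenanceDataResource(componentResource));
    resources.add(ResourceFactory.getDataTransferResource(componentResource));
    resources.add(ResourceFactory.getPolicyResource(componentResource));

    for (final Resource resource : resources) {
        for (final RequestAction action : RequestAction.values()) {
            try {
                final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(action, resource.getIdentifier());
                if (accessPolicy != null) {
                    accessPolicyDAO.deleteAccessPolicy(accessPolicy.getIdentifier());
                }
            } catch (final Exception e) {
                // Name the resource whose policy could not be removed, not the parent component,
                // so the warning identifies the policy that may still exist.
                logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, resource.getIdentifier()), e);
            }
        }
    }
}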
try { final RequestAction action = RequestAction.valueOf(access.getType());
/**
 * Finds the policy defined directly on a resource for one action.
 *
 * @param requestAction the action the policy must cover
 * @param resource identifier of the resource the policy must apply to
 * @return the first policy from the provider whose action and resource both match,
 *         or {@code null} when none does
 */
private AccessPolicy findAccessPolicy(final RequestAction requestAction, final String resource) {
    for (final AccessPolicy candidate : accessPolicyProvider.getAccessPolicies()) {
        // Both comparisons use equals(); no parent or wildcard resource is considered here.
        if (candidate.getAction().equals(requestAction) && candidate.getResource().equals(resource)) {
            return candidate;
        }
    }
    return null;
}
/**
 * Writes a single access policy, with its users and groups, to the XML stream.
 *
 * <p>User and group identifiers are sorted before being written, which keeps the serialized
 * form stable between runs. All values are passed to {@code writeAttribute} rather than being
 * assembled into markup manually.
 *
 * @param writer the XML stream writer to write to
 * @param policy the policy being written
 * @throws XMLStreamException if writing to the stream fails
 */
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException {
    // Work on copies; the policy's collections are left untouched.
    final List<String> userIdentifiers = new ArrayList<>(policy.getUsers());
    userIdentifiers.sort(null);
    final List<String> groupIdentifiers = new ArrayList<>(policy.getGroups());
    groupIdentifiers.sort(null);

    writer.writeStartElement(POLICY_ELEMENT);
    writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier());
    writer.writeAttribute(RESOURCE_ATTR, policy.getResource());
    // Stored as the constant's name().
    writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name());

    for (final String userIdentifier : userIdentifiers) {
        writer.writeStartElement(POLICY_USER_ELEMENT);
        writer.writeAttribute(IDENTIFIER_ATTR, userIdentifier);
        writer.writeEndElement();
    }

    for (final String groupIdentifier : groupIdentifiers) {
        writer.writeStartElement(POLICY_GROUP_ELEMENT);
        writer.writeAttribute(IDENTIFIER_ATTR, groupIdentifier);
        writer.writeEndElement();
    }

    // End of the policy element.
    writer.writeEndElement();
}
/**
 * Builds a display name for a policy from its action and resource.
 *
 * @param policy policy
 * @return the action's string form, a single space, then the resource
 */
private String formatPolicyName(final AccessPolicy policy) {
    final String actionText = policy.getAction().toString();
    return actionText + " " + policy.getResource();
}
RequestAction.valueOfValue(requestAccessPolicy.getAction());
/**
 * Checks whether a different policy already covers the same resource and action as the given policy.
 *
 * <p>A policy with the same identifier as {@code checkAccessPolicy} is not counted, so a policy
 * never collides with itself.
 *
 * @param accessPolicyProvider the provider whose policies are searched
 * @param checkAccessPolicy an access policy being checked
 * @return true if another access policy exists with the same resource and action, false otherwise
 */
private static boolean policyExists(final AccessPolicyProvider accessPolicyProvider, final AccessPolicy checkAccessPolicy) {
    return accessPolicyProvider.getAccessPolicies().stream().anyMatch(existing ->
            !existing.getIdentifier().equals(checkAccessPolicy.getIdentifier())
                    && existing.getResource().equals(checkAccessPolicy.getResource())
                    && existing.getAction().equals(checkAccessPolicy.getAction()));
}
/**
 * Builds an access policy from its XML element.
 *
 * <p>The action attribute must equal the {@code name()} of {@code READ} or {@code WRITE};
 * any other value, including an empty one, aborts parsing instead of falling back to a default
 * action. Users and groups are collected with {@code getElementsByTagName}, which matches
 * descendant elements at any depth below {@code element}.
 *
 * @param element the policy element to read
 * @return the policy described by the element
 * @throws IllegalStateException if the action attribute is neither READ nor WRITE
 */
private AccessPolicy parsePolicy(final Element element) {
    final AccessPolicy.Builder policyBuilder = new AccessPolicy.Builder()
            .identifier(element.getAttribute(IDENTIFIER_ATTR))
            .resource(element.getAttribute(RESOURCE_ATTR));

    final String actionName = element.getAttribute(ACTIONS_ATTR);
    final boolean isRead = actionName.equals(RequestAction.READ.name());
    if (!isRead && !actionName.equals(RequestAction.WRITE.name())) {
        throw new IllegalStateException("Unknown Policy Action: " + actionName);
    }
    policyBuilder.action(isRead ? RequestAction.READ : RequestAction.WRITE);

    final NodeList userNodes = element.getElementsByTagName(POLICY_USER_ELEMENT);
    int userIndex = 0;
    while (userIndex < userNodes.getLength()) {
        final Element userNode = (Element) userNodes.item(userIndex);
        policyBuilder.addUser(userNode.getAttribute(IDENTIFIER_ATTR));
        userIndex++;
    }

    final NodeList groupNodes = element.getElementsByTagName(POLICY_GROUP_ELEMENT);
    int groupIndex = 0;
    while (groupIndex < groupNodes.getLength()) {
        final Element groupNode = (Element) groupNodes.item(groupIndex);
        policyBuilder.addGroup(groupNode.getAttribute(IDENTIFIER_ATTR));
        groupIndex++;
    }

    return policyBuilder.build();
}
/**
 * Resolves the effective policy for an action on an authorizable, walking up to its ancestors.
 *
 * <p>A policy defined directly on the authorizable's resource wins. When there is none, the
 * lookup is repeated on the parent authorizable, and so on, so a component with no policy of
 * its own is governed by the nearest ancestor that has one.
 *
 * @param requestAction the action being looked up
 * @param authorizable the authorizable whose effective policy is wanted
 * @return the nearest policy found on the authorizable or one of its ancestors
 * @throws ResourceNotFoundException if neither the authorizable nor any ancestor has a policy
 */
@Override
public AccessPolicy getAccessPolicy(final RequestAction requestAction, final Authorizable authorizable) {
    final String resource = authorizable.getResource().getIdentifier();

    final AccessPolicy directPolicy = findAccessPolicy(requestAction, authorizable.getResource().getIdentifier());
    if (directPolicy != null) {
        return directPolicy;
    }

    final Authorizable parentAuthorizable = authorizable.getParentAuthorizable();
    if (parentAuthorizable != null) {
        // Inherit from the parent when this level defines nothing.
        return getAccessPolicy(requestAction, parentAuthorizable);
    }

    // The message names the resource of the authorizable passed to this invocation; when reached
    // through recursion that is the top-most ancestor, not the resource originally asked about.
    throw new ResourceNotFoundException(String.format("Unable to find access policy for %s on %s", requestAction.toString(), resource));
}
/**
 * Authorizes a request against this component, adding the restricted-component checks for writes.
 *
 * <p>For a {@code WRITE} on a restricted component, every authorizable returned by
 * {@code RestrictedComponentsAuthorizableFactory} is asked to authorize the write first. Anything
 * thrown by one of those checks propagates before the base check runs. All other requests go
 * through the base check only.
 *
 * @param authorizer the authorizer to consult
 * @param action the action being requested
 * @param user the user making the request
 * @param resourceContext additional context passed through to each check
 * @throws AccessDeniedException as declared by the delegated authorization checks
 */
@Override
default void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException {
    // isRestricted() is only consulted for modification requests; other requests follow the normal rules.
    final boolean requiresRestrictedCheck = RequestAction.WRITE.equals(action) && isRestricted();
    if (requiresRestrictedCheck) {
        for (final Authorizable restrictedAuthorizable
                : RestrictedComponentsAuthorizableFactory.getRestrictedComponentsAuthorizable(getComponentClass())) {
            restrictedAuthorizable.authorize(authorizer, RequestAction.WRITE, user, resourceContext);
        }
    }

    // The base authorization check always runs last, with the caller's original action.
    ComponentAuthorizable.super.authorize(authorizer, action, user, resourceContext);
}
}
/**
 * Reads one policy element and turns it into an {@code AccessPolicy}.
 *
 * <p>Only the {@code name()} values of {@code READ} and {@code WRITE} are accepted for the
 * action attribute; an unrecognised or empty value stops parsing with an exception rather than
 * producing a policy with a guessed action. User and group identifiers come from
 * {@code getElementsByTagName}, which also returns matching elements nested deeper than direct
 * children.
 *
 * @param element the policy element to parse
 * @return the parsed policy
 * @throws IllegalStateException if the action attribute is neither READ nor WRITE
 */
private AccessPolicy parsePolicy(final Element element) {
    final AccessPolicy.Builder result = new AccessPolicy.Builder()
            .identifier(element.getAttribute(IDENTIFIER_ATTR))
            .resource(element.getAttribute(RESOURCE_ATTR));

    final String actionText = element.getAttribute(ACTIONS_ATTR);
    final RequestAction parsedAction;
    if (actionText.equals(RequestAction.READ.name())) {
        parsedAction = RequestAction.READ;
    } else if (actionText.equals(RequestAction.WRITE.name())) {
        parsedAction = RequestAction.WRITE;
    } else {
        throw new IllegalStateException("Unknown Policy Action: " + actionText);
    }
    result.action(parsedAction);

    final NodeList users = element.getElementsByTagName(POLICY_USER_ELEMENT);
    for (int u = 0; u < users.getLength(); u++) {
        final Element user = (Element) users.item(u);
        result.addUser(user.getAttribute(IDENTIFIER_ATTR));
    }

    final NodeList groups = element.getElementsByTagName(POLICY_GROUP_ELEMENT);
    for (int g = 0; g < groups.getLength(); g++) {
        final Element group = (Element) groups.item(g);
        result.addGroup(group.getAttribute(IDENTIFIER_ATTR));
    }

    return result.build();
}
/**
 * Creates the summary DTO for an access policy.
 *
 * <p>The summary carries the policy's identifier, resource and action, whether the policy is
 * configurable according to {@code AuthorizerCapabilityDetection}, and the supplied component
 * reference. It does not copy the policy's users or groups.
 *
 * @param accessPolicy the policy to summarize, may be {@code null}
 * @param componentReference the component reference to attach to the summary
 * @return the summary, or {@code null} when {@code accessPolicy} is {@code null}
 */
public AccessPolicySummaryDTO createAccessPolicySummaryDto(final AccessPolicy accessPolicy, final ComponentReferenceEntity componentReference) {
    if (accessPolicy != null) {
        final AccessPolicySummaryDTO summary = new AccessPolicySummaryDTO();
        summary.setId(accessPolicy.getIdentifier());
        summary.setResource(accessPolicy.getResource());
        summary.setAction(accessPolicy.getAction().toString());
        summary.setConfigurable(AuthorizerCapabilityDetection.isAccessPolicyConfigurable(authorizer, accessPolicy));
        summary.setComponentReference(componentReference);
        return summary;
    }
    return null;
}