@Override public String getUsername() { return user.getIdentity(); }
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) { userContext = new HashMap<>(); userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress()); } else { userContext = null; .identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(false) .action(RequestAction.WRITE)
/** * Builds the proxy chain for the specified user. * * @param user The current user * @return The proxy chain for that user in List form */ public static List<String> buildProxiedEntitiesChain(final NiFiUser user) { // calculate the dn chain final List<String> proxyChain = new ArrayList<>(); // build the dn chain NiFiUser chainedUser = user; while (chainedUser != null) { // add the entry for this user if (chainedUser.isAnonymous()) { // use an empty string to represent an anonymous user in the proxy entities chain proxyChain.add(StringUtils.EMPTY); } else { proxyChain.add(chainedUser.getIdentity()); } // go to the next user in the chain chainedUser = chainedUser.getChain(); } return proxyChain; } }
private String getIdentity(final NiFiUser user) { return (user == null || user.isAnonymous()) ? null : user.getIdentity(); }
@Override public Response toResponse(AccessDeniedException exception) { // get the current user NiFiUser user = NiFiUserUtils.getNiFiUser(); // if the user was authenticated - forbidden, otherwise unauthorized... the user may be null if the // AccessDeniedException was thrown from a /access endpoint that isn't subject to the security // filter chain. for instance, one that performs kerberos negotiation final Response.Status status; if (user == null || user.isAnonymous()) { status = Status.UNAUTHORIZED; } else { status = Status.FORBIDDEN; } final String identity; if (user == null) { identity = "<no user found>"; } else { identity = user.toString(); } logger.info(String.format("%s does not have permission to access the requested resource. %s Returning %s response.", identity, exception.getMessage(), status)); if (logger.isDebugEnabled()) { logger.debug(StringUtils.EMPTY, exception); } return Response.status(status) .entity(String.format("%s Contact the system administrator.", exception.getMessage())) .type("text/plain") .build(); }
@Override public void authorize(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) throws AccessDeniedException { if (user == null) { throw new AccessDeniedException("Unknown user."); } // authorize each element in the chain NiFiUser chainedUser = user; do { try { // perform the current user authorization Authorizable.super.authorize(authorizer, action, chainedUser, resourceContext); // go to the next user in the chain chainedUser = chainedUser.getChain(); } catch (final ResourceNotFoundException e) { throw new AccessDeniedException("Unknown source component."); } } while (chainedUser != null); } }
@Override public CurrentUserEntity getCurrentUser() { final NiFiUser user = NiFiUserUtils.getNiFiUser(); final CurrentUserEntity entity = new CurrentUserEntity(); entity.setIdentity(user.getIdentity()); entity.setAnonymous(user.isAnonymous()); entity.setProvenancePermissions(dtoFactory.createPermissionsDto(authorizableLookup.getProvenance())); entity.setCountersPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getCounters())); entity.setTenantsPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getTenant())); entity.setControllerPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getController())); entity.setPoliciesPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getPolicies())); entity.setSystemPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getSystem())); entity.setCanVersionFlows(CollectionUtils.isNotEmpty(flowRegistryClient.getRegistryIdentifiers())); entity.setRestrictedComponentsPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getRestrictedComponents())); final Set<ComponentRestrictionPermissionDTO> componentRestrictionPermissions = new HashSet<>(); Arrays.stream(RequiredPermission.values()).forEach(requiredPermission -> { final PermissionsDTO restrictionPermissions = dtoFactory.createPermissionsDto(authorizableLookup.getRestrictedComponents(requiredPermission)); final RequiredPermissionDTO requiredPermissionDto = new RequiredPermissionDTO(); requiredPermissionDto.setId(requiredPermission.getPermissionIdentifier()); requiredPermissionDto.setLabel(requiredPermission.getPermissionLabel()); final ComponentRestrictionPermissionDTO componentRestrictionPermissionDto = new ComponentRestrictionPermissionDTO(); componentRestrictionPermissionDto.setRequiredPermission(requiredPermissionDto); componentRestrictionPermissionDto.setPermissions(restrictionPermissions); componentRestrictionPermissions.add(componentRestrictionPermissionDto); }); entity.setComponentRestrictionPermissions(componentRestrictionPermissions); return entity; }
@Override public AuthorizationResult checkAuthorization(Authorizer authorizer, RequestAction action, NiFiUser user, Map<String, String> resourceContext) { if (user == null) { return AuthorizationResult.denied("Unknown user."); } AuthorizationResult result = null; // authorize each element in the chain NiFiUser chainedUser = user; do { try { // perform the current user authorization result = Authorizable.super.checkAuthorization(authorizer, action, chainedUser, resourceContext); // if authorization is not approved, reject if (!Result.Approved.equals(result.getResult())) { return result; } // go to the next user in the chain chainedUser = chainedUser.getChain(); } catch (final ResourceNotFoundException e) { result = AuthorizationResult.denied("Unknown source component."); } } while (chainedUser != null); if (result == null) { result = AuthorizationResult.denied(); } return result; }
@Override public boolean equals(Object obj) { if (obj == null) { return false; } if (!(obj instanceof NiFiUser)) { return false; } final NiFiUser other = (NiFiUser) obj; return Objects.equals(this.identity, other.getIdentity()); }
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) { userContext = new HashMap<>(); userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress()); } else { userContext = null; final Resource requestedResource = getRequestedResource(); final AuthorizationRequest request = new AuthorizationRequest.Builder() .identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(false) .action(action)
public static String getNiFiUserIdentity() { // get the nifi user to extract the username NiFiUser user = NiFiUserUtils.getNiFiUser(); if (user == null) { return "unknown"; } else { return user.getIdentity(); } }
if (user.getClientAddress() != null && !user.getClientAddress().trim().isEmpty()) { userContext = new HashMap<>(); userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), user.getClientAddress()); } else { userContext = null; final Resource requestedResource = getRequestedResource(); final AuthorizationRequest request = new AuthorizationRequest.Builder() .identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(action)
@Override public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain) throws IOException, ServletException { final HttpServletRequest request = (HttpServletRequest) req; // only log http requests has https requests are logged elsewhere if ("http".equalsIgnoreCase(request.getScheme())) { final NiFiUser user = NiFiUserUtils.getNiFiUser(); // get the user details for the log message String identity = "<no user found>"; if (user != null) { identity = user.getIdentity(); } // log the request attempt - response details will be logged later logger.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", identity, request.getMethod(), request.getRequestURL().toString(), request.getRemoteAddr())); } // continue the filter chain filterChain.doFilter(req, resp); }
@Override public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) { final QuerySubmission submission = querySubmissionMap.get(queryIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided"); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request"); }
@Override public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) { final QuerySubmission submission = querySubmissionMap.get(queryIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided in the provenance request."); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request."); }
@Override public QuerySubmission retrieveQuerySubmission(final String queryIdentifier, final NiFiUser user) { final QuerySubmission submission = querySubmissionMap.get(queryIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because no user id was provided in the provenance request."); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Query Submission because " + user.getIdentity() + " is not the user who submitted the request."); }
@Override public ComputeLineageSubmission retrieveLineageSubmission(String lineageIdentifier, final NiFiUser user) { final ComputeLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request."); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request."); }
@Override public AsyncLineageSubmission retrieveLineageSubmission(final String lineageIdentifier, final NiFiUser user) { final AsyncLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided in the lineage request."); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request."); }
@Override public AsyncLineageSubmission retrieveLineageSubmission(final String lineageIdentifier, final NiFiUser user) { final AsyncLineageSubmission submission = lineageSubmissionMap.get(lineageIdentifier); final String userId = submission.getSubmitterIdentity(); if (user == null && userId == null) { return submission; } if (user == null) { throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because no user id was provided"); } if (userId == null || userId.equals(user.getIdentity())) { return submission; } throw new AccessDeniedException("Cannot retrieve Provenance Lineage Submission because " + user.getIdentity() + " is not the user who submitted the request"); }
@Override public String getCurrentUserIdentity() { final NiFiUser user = NiFiUserUtils.getNiFiUser(); authorizeFlowAccess(user); return user.getIdentity(); }