/**
 * Resolves the identity string to report for the given user.
 *
 * @param user the user to inspect; may be {@code null}
 * @return the user's identity, or {@code null} when there is no user or the user is anonymous
 */
private String getIdentity(final NiFiUser user) {
    // A missing user and an anonymous user are handled alike: neither yields an identity,
    // so callers must be prepared for a null result.
    if (user == null || user.isAnonymous()) {
        return null;
    }
    return user.getIdentity();
}
/**
 * Builds the proxied-entities chain for the specified user.
 *
 * <p>The list starts with the given user and continues with each user returned by
 * {@code getChain()} until that call yields {@code null}. An anonymous user contributes an
 * empty string instead of being skipped, so the list holds exactly one entry per user in
 * the chain and keeps the chain's order.
 *
 * @param user The current user; a {@code null} user produces an empty list
 * @return The proxy chain for that user in List form
 */
public static List<String> buildProxiedEntitiesChain(final NiFiUser user) {
    final List<String> identities = new ArrayList<>();

    // Walk the chain link by link, starting at the user that was passed in.
    for (NiFiUser current = user; current != null; current = current.getChain()) {
        // The empty string is the placeholder for an anonymous user in the chain.
        identities.add(current.isAnonymous() ? StringUtils.EMPTY : current.getIdentity());
    }

    return identities;
}
} // closes the enclosing class, whose header is not part of this excerpt
/**
 * Translates an {@link AccessDeniedException} into an HTTP response.
 *
 * <p>An authenticated user receives 403 (forbidden); a missing or anonymous user receives
 * 401 (unauthorized). The exception message is written to the log and is also returned to
 * the client in a {@code text/plain} body.
 *
 * @param exception the access-denied failure being mapped
 * @return the response carrying the chosen status and the exception message
 */
@Override
public Response toResponse(AccessDeniedException exception) {
    // The user may be null when the exception came from a /access endpoint that is not
    // subject to the security filter chain, for instance one performing kerberos negotiation.
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    // Authenticated callers are forbidden; everyone else is told to authenticate first.
    final boolean unauthenticated = currentUser == null || currentUser.isAnonymous();
    final Response.Status status = unauthenticated ? Status.UNAUTHORIZED : Status.FORBIDDEN;

    final String identity = (currentUser == null) ? "<no user found>" : currentUser.toString();

    // NOTE(review): identity and the exception message are written to the log as-is; if either
    // can carry caller-influenced text, confirm the logging layout neutralizes line breaks.
    final String logMessage = String.format(
            "%s does not have permission to access the requested resource. %s Returning %s response.",
            identity, exception.getMessage(), status);
    logger.info(logMessage);

    // The stack trace is only worth the noise when debugging.
    if (logger.isDebugEnabled()) {
        logger.debug(StringUtils.EMPTY, exception);
    }

    // NOTE(review): the exception message is echoed verbatim to the client, including callers
    // that are not authenticated; confirm messages raised with this exception type never carry
    // details such callers should not see.
    final String body = String.format("%s Contact the system administrator.", exception.getMessage());
    return Response.status(status)
            .entity(body)
            .type("text/plain")
            .build();
}
.identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(false) .action(RequestAction.WRITE)
.identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(false) .action(action)
.identity(user.getIdentity()) .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(action)
/**
 * Assembles the {@link CurrentUserEntity} for the user returned by
 * {@code NiFiUserUtils.getNiFiUser()}.
 *
 * <p>The entity carries the user's identity and anonymous flag, one permissions DTO per
 * authorizable obtained from {@code authorizableLookup}, a flag that is true when the flow
 * registry client reports at least one registry identifier, and one restriction entry per
 * {@link RequiredPermission} value.
 *
 * @return the populated entity describing the current user
 */
@Override
public CurrentUserEntity getCurrentUser() {
    // NOTE(review): the user is dereferenced without a null check; confirm every caller runs
    // behind authentication so NiFiUserUtils.getNiFiUser() cannot return null here.
    final NiFiUser currentUser = NiFiUserUtils.getNiFiUser();

    final CurrentUserEntity currentUserEntity = new CurrentUserEntity();
    currentUserEntity.setIdentity(currentUser.getIdentity());
    currentUserEntity.setAnonymous(currentUser.isAnonymous());

    // NOTE(review): these DTOs only report what the user may do; presumably enforcement happens
    // where each resource is actually accessed — confirm nothing treats this entity as the check.
    currentUserEntity.setProvenancePermissions(dtoFactory.createPermissionsDto(authorizableLookup.getProvenance()));
    currentUserEntity.setCountersPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getCounters()));
    currentUserEntity.setTenantsPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getTenant()));
    currentUserEntity.setControllerPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getController()));
    currentUserEntity.setPoliciesPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getPolicies()));
    currentUserEntity.setSystemPermissions(dtoFactory.createPermissionsDto(authorizableLookup.getSystem()));
    currentUserEntity.setCanVersionFlows(CollectionUtils.isNotEmpty(flowRegistryClient.getRegistryIdentifiers()));

    currentUserEntity.setRestrictedComponentsPermissions(
            dtoFactory.createPermissionsDto(authorizableLookup.getRestrictedComponents()));

    // One entry per RequiredPermission value, pairing the permission's id and label with the
    // permissions computed for components restricted by it.
    final Set<ComponentRestrictionPermissionDTO> restrictionEntries = new HashSet<>();
    for (final RequiredPermission permission : RequiredPermission.values()) {
        final PermissionsDTO permissionsForRestriction =
                dtoFactory.createPermissionsDto(authorizableLookup.getRestrictedComponents(permission));

        final RequiredPermissionDTO permissionDto = new RequiredPermissionDTO();
        permissionDto.setId(permission.getPermissionIdentifier());
        permissionDto.setLabel(permission.getPermissionLabel());

        final ComponentRestrictionPermissionDTO restrictionEntry = new ComponentRestrictionPermissionDTO();
        restrictionEntry.setRequiredPermission(permissionDto);
        restrictionEntry.setPermissions(permissionsForRestriction);

        restrictionEntries.add(restrictionEntry);
    }

    currentUserEntity.setComponentRestrictionPermissions(restrictionEntries);

    return currentUserEntity;
}