Repository: nifi Updated Branches: refs/heads/master 16348b071 -> 698cde69b
NIFI-2453 Making FileAuthorizer perform initial seeding when users and groups are already present Signed-off-by: Yolanda M. Davis <[email protected]> This closes #772 Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/698cde69 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/698cde69 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/698cde69 Branch: refs/heads/master Commit: 698cde69bad146e5e577a5f83bf3717920883d72 Parents: 16348b0 Author: Bryan Bende <[email protected]> Authored: Tue Aug 2 10:24:50 2016 -0400 Committer: Yolanda M. Davis <[email protected]> Committed: Wed Aug 3 11:59:03 2016 -0400 ---------------------------------------------------------------------- .../nifi/authorization/FileAuthorizer.java | 77 ++++++++++---------- .../nifi/authorization/FileAuthorizerTest.java | 53 ++++++++++++++ 2 files changed, 93 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/698cde69/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java index a7e41ea..69733a8 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java @@ -257,7 +257,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { } final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations, tenants); - final boolean emptyAuthorizations = authorizationsHolder.getAllUsers().isEmpty() && authorizationsHolder.getAllPolicies().isEmpty(); + final boolean emptyAuthorizations = authorizationsHolder.getAllPolicies().isEmpty(); final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity)); final boolean hasLegacyAuthorizedUsers = (legacyAuthorizedUsersFile != null && !StringUtils.isBlank(legacyAuthorizedUsersFile)); @@ -319,12 +319,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { * Creates the initial admin user and policies for access the flow and managing users and policies. */ private void populateInitialAdmin(final Authorizations authorizations, Tenants tenants) { - // generate an identifier and add a User with the given identifier and identity - final UUID adminIdentifier = UUID.nameUUIDFromBytes(initialAdminIdentity.getBytes(StandardCharsets.UTF_8)); - final User adminUser = new User.Builder().identifier(adminIdentifier.toString()).identity(initialAdminIdentity).build(); - - final org.apache.nifi.authorization.file.tenants.generated.User jaxbAdminUser = createJAXBUser(adminUser); - tenants.getUsers().getUser().add(jaxbAdminUser); + final org.apache.nifi.authorization.file.tenants.generated.User adminUser = getOrCreateUser(tenants, initialAdminIdentity); // grant the user read access to the /flow resource addAccessPolicy(authorizations, ResourceType.Flow.getValue(), adminUser.getIdentifier(), READ_CODE); @@ -358,24 +353,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { */ private void populateNodes(Authorizations authorizations, Tenants tenants) { for (String nodeIdentity : nodeIdentities) { - // see if we have an existing user for the given node identity - org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = null; - for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) { - if (user.getIdentity().equals(nodeIdentity)) { - jaxbNodeUser = user; - break; - } - } - - // if we didn't find an existing user then create a new one - if (jaxbNodeUser == null) { - // generate an identifier and add a User with the given identifier and identity - final UUID nodeIdentifier = UUID.nameUUIDFromBytes(nodeIdentity.getBytes(StandardCharsets.UTF_8)); - final User nodeUser = new User.Builder().identifier(nodeIdentifier.toString()).identity(nodeIdentity).build(); - - jaxbNodeUser = createJAXBUser(nodeUser); - tenants.getUsers().getUser().add(jaxbNodeUser); - } + final org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = getOrCreateUser(tenants, nodeIdentity); // grant access to the proxy resource addAccessPolicy(authorizations, ResourceType.Proxy.getValue(), jaxbNodeUser.getIdentifier(), READ_CODE); @@ -433,19 +411,13 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) { // create the identifier of the new user based on the DN final String legacyUserDn = IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings); - final String userIdentifier = UUID.nameUUIDFromBytes(legacyUserDn.getBytes(StandardCharsets.UTF_8)).toString(); - - // create the new User and add it to the list of users - org.apache.nifi.authorization.file.tenants.generated.User user = new org.apache.nifi.authorization.file.tenants.generated.User(); - user.setIdentifier(userIdentifier); - user.setIdentity(legacyUserDn); - tenants.getUsers().getUser().add(user); + org.apache.nifi.authorization.file.tenants.generated.User user = getOrCreateUser(tenants, legacyUserDn); // if there was a group name find or create the group and add the user to it org.apache.nifi.authorization.file.tenants.generated.Group group = getOrCreateGroup(tenants, legacyUser.getGroup()); if (group != null) { org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User(); - groupUser.setIdentifier(userIdentifier); + groupUser.setIdentifier(user.getIdentifier()); group.getUser().add(groupUser); } @@ -464,7 +436,7 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { roleAccessPolicy.getAction()); // add the user to the policy if it doesn't exist - addUserToPolicy(userIdentifier, policy); + addUserToPolicy(user.getIdentifier(), policy); } } @@ -589,11 +561,42 @@ public class FileAuthorizer extends AbstractPolicyBasedAuthorizer { } /** - * Finds the Group with the given name, or creates a new one and adds it to Authorizations. + * Finds the User with the given identity, or creates a new one and adds it to the Tenants. + * + * @param tenants the Tenants reference + * @param userIdentity the user identity to find or create + * @return the User from Tenants with the given identity, or a new instance that was added to Tenants + */ + private org.apache.nifi.authorization.file.tenants.generated.User getOrCreateUser(final Tenants tenants, final String userIdentity) { + if (StringUtils.isBlank(userIdentity)) { + return null; + } + + org.apache.nifi.authorization.file.tenants.generated.User foundUser = null; + for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) { + if (user.getIdentity().equals(userIdentity)) { + foundUser = user; + break; + } + } + + if (foundUser == null) { + final String userIdentifier = UUID.nameUUIDFromBytes(userIdentity.getBytes(StandardCharsets.UTF_8)).toString(); + foundUser = new org.apache.nifi.authorization.file.tenants.generated.User(); + foundUser.setIdentifier(userIdentifier); + foundUser.setIdentity(userIdentity); + tenants.getUsers().getUser().add(foundUser); + } + + return foundUser; + } + + /** + * Finds the Group with the given name, or creates a new one and adds it to Tenants. * - * @param tenants the Authorizations reference + * @param tenants the Tenants reference * @param groupName the name of the group to look for - * @return the Group from Authorizations with the given name, or a new instance + * @return the Group from Tenants with the given name, or a new instance that was added to Tenants */ private org.apache.nifi.authorization.file.tenants.generated.Group getOrCreateGroup(final Tenants tenants, final String groupName) { if (StringUtils.isBlank(groupName)) { http://git-wip-us.apache.org/repos/asf/nifi/blob/698cde69/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java index 5c77e44..565e55a 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java @@ -131,6 +131,16 @@ public class FileAuthorizerTest { " </users>" + "</tenants>"; + private static final String TENANTS_FOR_ADMIN_AND_NODES = + "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + + "<tenants>" + + " <users>" + + " <user identifier=\"admin-user\" identity=\"admin-user\"/>" + + " <user identifier=\"node1\" identity=\"node1\"/>" + + " <user identifier=\"node2\" identity=\"node2\"/>" + + " </users>" + + "</tenants>"; + // This is the root group id from the flow.xml.gz in src/test/resources private static final String ROOT_GROUP_ID = "e530e14c-adcf-41c2-b5d6-d9a59ba8765c"; @@ -651,6 +661,49 @@ public class FileAuthorizerTest { } @Test + public void testOnConfiguredWhenNodeIdentitiesProvidedAndUsersAlreadyExist() throws Exception { + final String adminIdentity = "admin-user"; + + when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY))) + .thenReturn(new StandardPropertyValue(adminIdentity, null)); + + final String nodeIdentity1 = "node1"; + final String nodeIdentity2 = "node2"; + + final Map<String,String> props = new HashMap<>(); + props.put("Node Identity 1", nodeIdentity1); + props.put("Node Identity 2", nodeIdentity2); + + when(configurationContext.getProperties()).thenReturn(props); + + writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE); + writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODES); + authorizer.onConfigured(configurationContext); + + assertEquals(3, authorizer.getUsers().size()); + + User adminUser = authorizer.getUserByIdentity(adminIdentity); + assertNotNull(adminUser); + + User nodeUser1 = authorizer.getUserByIdentity(nodeIdentity1); + assertNotNull(nodeUser1); + + User nodeUser2 = authorizer.getUserByIdentity(nodeIdentity2); + assertNotNull(nodeUser2); + + AccessPolicy proxyReadPolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.READ); + AccessPolicy proxyWritePolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE); + + assertNotNull(proxyReadPolicy); + assertTrue(proxyReadPolicy.getUsers().contains(nodeUser1.getIdentifier())); + assertTrue(proxyReadPolicy.getUsers().contains(nodeUser2.getIdentifier())); + + assertNotNull(proxyWritePolicy); + assertTrue(proxyWritePolicy.getUsers().contains(nodeUser1.getIdentifier())); + assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier())); + } + + @Test public void testOnConfiguredWhenNodeIdentitiesProvidedWithIdentityMappings() throws Exception { final Properties props = new Properties(); props.setProperty("nifi.security.identity.mapping.pattern.dn1", "^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$");
