http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
----------------------------------------------------------------------
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
index 9a310a2..b64a36a 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
@@ -16,52 +16,17 @@
*/
package org.apache.nifi.authorization;
-import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.annotation.AuthorizerContext;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.authorization.file.generated.Authorizations;
-import org.apache.nifi.authorization.file.tenants.generated.Groups;
-import org.apache.nifi.authorization.file.generated.Policies;
-import org.apache.nifi.authorization.file.generated.Policy;
-import org.apache.nifi.authorization.file.tenants.generated.Users;
-import org.apache.nifi.authorization.file.tenants.generated.Tenants;
-import org.apache.nifi.authorization.resource.ResourceFactory;
-import org.apache.nifi.authorization.resource.ResourceType;
-import org.apache.nifi.authorization.util.IdentityMapping;
-import org.apache.nifi.authorization.util.IdentityMappingUtil;
-import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.util.file.FileUtils;
-import org.apache.nifi.web.api.dto.PortDTO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.xml.sax.SAXException;
-import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Marshaller;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import java.io.File;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
+import java.util.HashMap;
import java.util.Map;
import java.util.Set;
-import java.util.UUID;
-import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Matcher;
-import java.util.regex.Pattern;
/**
* Provides authorizes requests to resources using policies persisted in a
file.
@@ -70,687 +35,106 @@ public class FileAuthorizer extends
AbstractPolicyBasedAuthorizer {
private static final Logger logger =
LoggerFactory.getLogger(FileAuthorizer.class);
- private static final String AUTHORIZATIONS_XSD = "/authorizations.xsd";
- private static final String JAXB_AUTHORIZATIONS_PATH =
"org.apache.nifi.authorization.file.generated";
+ private static final String FILE_USER_GROUP_PROVIDER_ID =
"file-user-group-provider";
+ private static final String FILE_ACCESS_POLICY_PROVIDER_ID =
"file-access-policy-provider";
- private static final String TENANTS_XSD = "/tenants.xsd";
- private static final String JAXB_TENANTS_PATH =
"org.apache.nifi.authorization.file.tenants.generated";
-
- private static final String USERS_XSD = "/legacy-users.xsd";
- private static final String JAXB_USERS_PATH =
"org.apache.nifi.user.generated";
-
- private static final JAXBContext JAXB_AUTHORIZATIONS_CONTEXT =
initializeJaxbContext(JAXB_AUTHORIZATIONS_PATH);
- private static final JAXBContext JAXB_TENANTS_CONTEXT =
initializeJaxbContext(JAXB_TENANTS_PATH);
- private static final JAXBContext JAXB_USERS_CONTEXT =
initializeJaxbContext(JAXB_USERS_PATH);
-
- /**
- * Load the JAXBContext.
- */
- private static JAXBContext initializeJaxbContext(final String contextPath)
{
- try {
- return JAXBContext.newInstance(contextPath,
FileAuthorizer.class.getClassLoader());
- } catch (JAXBException e) {
- throw new RuntimeException("Unable to create JAXBContext.");
- }
- }
-
- static final String READ_CODE = "R";
- static final String WRITE_CODE = "W";
-
- static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File";
- static final String PROP_TENANTS_FILE = "Users File";
- static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
static final String PROP_LEGACY_AUTHORIZED_USERS_FILE = "Legacy Authorized
Users File";
- static final Pattern NODE_IDENTITY_PATTERN = Pattern.compile("Node
Identity \\S+");
- private Schema usersSchema;
- private Schema tenantsSchema;
- private Schema authorizationsSchema;
- private SchemaFactory schemaFactory;
- private NiFiProperties properties;
- private File tenantsFile;
- private File authorizationsFile;
- private File restoreAuthorizationsFile;
- private File restoreTenantsFile;
- private String rootGroupId;
- private String initialAdminIdentity;
- private String legacyAuthorizedUsersFile;
- private Set<String> nodeIdentities;
- private List<PortDTO> ports = new ArrayList<>();
- private List<IdentityMapping> identityMappings;
-
- private final AtomicReference<AuthorizationsHolder> authorizationsHolder =
new AtomicReference<>();
+ private FileUserGroupProvider userGroupProvider = new
FileUserGroupProvider();
+ private FileAccessPolicyProvider accessPolicyProvider = new
FileAccessPolicyProvider();
@Override
public void initialize(final AuthorizerInitializationContext
initializationContext) throws AuthorizerCreationException {
- try {
- schemaFactory =
SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
- tenantsSchema =
schemaFactory.newSchema(FileAuthorizer.class.getResource(TENANTS_XSD));
- authorizationsSchema =
schemaFactory.newSchema(FileAuthorizer.class.getResource(AUTHORIZATIONS_XSD));
- usersSchema =
schemaFactory.newSchema(FileAuthorizer.class.getResource(USERS_XSD));
- } catch (Exception e) {
- throw new AuthorizerCreationException(e);
- }
- }
-
- @Override
- public void doOnConfigured(final AuthorizerConfigurationContext
configurationContext) throws AuthorizerCreationException {
- try {
- final PropertyValue tenantsPath =
configurationContext.getProperty(PROP_TENANTS_FILE);
- if (StringUtils.isBlank(tenantsPath.getValue())) {
- throw new AuthorizerCreationException("The users file must be
specified.");
- }
-
- // get the tenants file and ensure it exists
- tenantsFile = new File(tenantsPath.getValue());
- if (!tenantsFile.exists()) {
- logger.info("Creating new users file at {}", new Object[]
{tenantsFile.getAbsolutePath()});
- saveTenants(new Tenants());
- }
-
- final PropertyValue authorizationsPath =
configurationContext.getProperty(PROP_AUTHORIZATIONS_FILE);
- if (StringUtils.isBlank(authorizationsPath.getValue())) {
- throw new AuthorizerCreationException("The authorizations file
must be specified.");
- }
-
- // get the authorizations file and ensure it exists
- authorizationsFile = new File(authorizationsPath.getValue());
- if (!authorizationsFile.exists()) {
- logger.info("Creating new authorizations file at {}", new
Object[] {authorizationsFile.getAbsolutePath()});
- saveAuthorizations(new Authorizations());
- }
-
- final File authorizationsFileDirectory =
authorizationsFile.getAbsoluteFile().getParentFile();
- final File tenantsFileDirectory =
tenantsFile.getAbsoluteFile().getParentFile();
-
- // the restore directory is optional and may be null
- final File restoreDirectory = properties.getRestoreDirectory();
- if (restoreDirectory != null) {
- // sanity check that restore directory is a directory,
creating it if necessary
- FileUtils.ensureDirectoryExistAndCanAccess(restoreDirectory);
-
- // check that restore directory is not the same as the
authorizations directory
- if
(authorizationsFileDirectory.getAbsolutePath().equals(restoreDirectory.getAbsolutePath()))
{
- throw new
AuthorizerCreationException(String.format("Authorizations file directory '%s'
is the same as restore directory '%s' ",
- authorizationsFileDirectory.getAbsolutePath(),
restoreDirectory.getAbsolutePath()));
- }
-
- // check that restore directory is not the same as the user's
directory
- if
(tenantsFileDirectory.getAbsolutePath().equals(restoreDirectory.getAbsolutePath()))
{
- throw new AuthorizerCreationException(String.format("Users
file directory '%s' is the same as restore directory '%s' ",
- tenantsFileDirectory.getAbsolutePath(),
restoreDirectory.getAbsolutePath()));
- }
-
- // the restore copy will have same file name, but reside in a
different directory
- restoreAuthorizationsFile = new File(restoreDirectory,
authorizationsFile.getName());
- restoreTenantsFile = new File(restoreDirectory,
tenantsFile.getName());
-
- try {
- // sync the primary copy with the restore copy
- FileUtils.syncWithRestore(authorizationsFile,
restoreAuthorizationsFile, logger);
- FileUtils.syncWithRestore(tenantsFile, restoreTenantsFile,
logger);
- } catch (final IOException | IllegalStateException ioe) {
- throw new AuthorizerCreationException(ioe);
- }
- }
-
- // extract the identity mappings from nifi.properties if any are
provided
- identityMappings =
Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
-
- // get the value of the initial admin identity
- final PropertyValue initialAdminIdentityProp =
configurationContext.getProperty(PROP_INITIAL_ADMIN_IDENTITY);
- initialAdminIdentity = initialAdminIdentityProp == null ? null :
IdentityMappingUtil.mapIdentity(initialAdminIdentityProp.getValue(),
identityMappings);
-
- // get the value of the legacy authorized users file
- final PropertyValue legacyAuthorizedUsersProp =
configurationContext.getProperty(PROP_LEGACY_AUTHORIZED_USERS_FILE);
- legacyAuthorizedUsersFile = legacyAuthorizedUsersProp == null ?
null : legacyAuthorizedUsersProp.getValue();
-
- // extract any node identities
- nodeIdentities = new HashSet<>();
- for (Map.Entry<String,String> entry :
configurationContext.getProperties().entrySet()) {
- Matcher matcher =
NODE_IDENTITY_PATTERN.matcher(entry.getKey());
- if (matcher.matches() &&
!StringUtils.isBlank(entry.getValue())) {
-
nodeIdentities.add(IdentityMappingUtil.mapIdentity(entry.getValue(),
identityMappings));
- }
- }
-
- // load the authorizations
- load();
-
- // if we've copied the authorizations file to a restore directory
synchronize it
- if (restoreAuthorizationsFile != null) {
- FileUtils.copyFile(authorizationsFile,
restoreAuthorizationsFile, false, false, logger);
- }
-
- // if we've copied the authorizations file to a restore directory
synchronize it
- if (restoreTenantsFile != null) {
- FileUtils.copyFile(tenantsFile, restoreTenantsFile, false,
false, logger);
- }
-
- logger.info(String.format("Authorizations file loaded at %s", new
Date().toString()));
-
- } catch (IOException | AuthorizerCreationException | JAXBException |
IllegalStateException | SAXException e) {
- throw new AuthorizerCreationException(e);
- }
- }
-
- /**
- * Loads the authorizations file and populates the AuthorizationsHolder,
only called during start-up.
- *
- * @throws JAXBException Unable to reload the authorized users
file
- * @throws IOException Unable to sync file with restore
- * @throws IllegalStateException Unable to sync file with restore
- */
- private synchronized void load() throws JAXBException, IOException,
IllegalStateException, SAXException {
- // attempt to unmarshal
- final Authorizations authorizations = unmarshallAuthorizations();
- if (authorizations.getPolicies() == null) {
- authorizations.setPolicies(new Policies());
- }
-
- final Tenants tenants = unmarshallTenants();
- if (tenants.getUsers() == null) {
- tenants.setUsers(new Users());
- }
- if (tenants.getGroups() == null) {
- tenants.setGroups(new Groups());
- }
-
- final AuthorizationsHolder authorizationsHolder = new
AuthorizationsHolder(authorizations, tenants);
- final boolean emptyAuthorizations =
authorizationsHolder.getAllPolicies().isEmpty();
- final boolean hasInitialAdminIdentity = (initialAdminIdentity != null
&& !StringUtils.isBlank(initialAdminIdentity));
- final boolean hasLegacyAuthorizedUsers = (legacyAuthorizedUsersFile !=
null && !StringUtils.isBlank(legacyAuthorizedUsersFile));
-
- // if we are starting fresh then we might need to populate an initial
admin or convert legacy users
- if (emptyAuthorizations) {
- parseFlow();
-
- if (hasInitialAdminIdentity && hasLegacyAuthorizedUsers) {
- throw new AuthorizerCreationException("Cannot provide an
Initial Admin Identity and a Legacy Authorized Users File");
- } else if (hasInitialAdminIdentity) {
- logger.info("Populating authorizations for Initial Admin: " +
initialAdminIdentity);
- populateInitialAdmin(authorizations, tenants);
- } else if (hasLegacyAuthorizedUsers) {
- logger.info("Converting " + legacyAuthorizedUsersFile + " to
new authorizations model");
- convertLegacyAuthorizedUsers(authorizations, tenants);
- }
-
- populateNodes(authorizations, tenants);
-
- // save any changes that were made and repopulate the holder
- saveAndRefreshHolder(authorizations, tenants);
- } else {
- this.authorizationsHolder.set(authorizationsHolder);
- }
- }
-
- private Authorizations unmarshallAuthorizations() throws JAXBException {
- final Unmarshaller unmarshaller =
JAXB_AUTHORIZATIONS_CONTEXT.createUnmarshaller();
- unmarshaller.setSchema(authorizationsSchema);
-
- final JAXBElement<Authorizations> element = unmarshaller.unmarshal(new
StreamSource(authorizationsFile), Authorizations.class);
- return element.getValue();
- }
-
- private Tenants unmarshallTenants() throws JAXBException {
- final Unmarshaller unmarshaller =
JAXB_TENANTS_CONTEXT.createUnmarshaller();
- unmarshaller.setSchema(tenantsSchema);
-
- final JAXBElement<Tenants> element = unmarshaller.unmarshal(new
StreamSource(tenantsFile), Tenants.class);
- return element.getValue();
- }
-
- /**
- * Try to parse the flow configuration file to extract the root group id
and port information.
- *
- * @throws SAXException if an error occurs creating the schema
- */
- private void parseFlow() throws SAXException {
- final FlowParser flowParser = new FlowParser();
- final FlowInfo flowInfo =
flowParser.parse(properties.getFlowConfigurationFile());
-
- if (flowInfo != null) {
- rootGroupId = flowInfo.getRootGroupId();
- ports = flowInfo.getPorts() == null ? new ArrayList<>() :
flowInfo.getPorts();
- }
- }
-
- /**
- * Creates the initial admin user and policies for access the flow and
managing users and policies.
- */
- private void populateInitialAdmin(final Authorizations authorizations,
Tenants tenants) {
- final org.apache.nifi.authorization.file.tenants.generated.User
adminUser = getOrCreateUser(tenants, initialAdminIdentity);
-
- // grant the user read access to the /flow resource
- addAccessPolicy(authorizations, ResourceType.Flow.getValue(),
adminUser.getIdentifier(), READ_CODE);
-
- // grant the user read access to the root process group resource
- if (rootGroupId != null) {
- addAccessPolicy(authorizations, ResourceType.Data.getValue() +
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
adminUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations, ResourceType.Data.getValue() +
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
adminUser.getIdentifier(), WRITE_CODE);
-
- addAccessPolicy(authorizations,
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
adminUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations,
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
adminUser.getIdentifier(), WRITE_CODE);
- }
-
- // grant the user write to restricted components
- addAccessPolicy(authorizations,
ResourceType.RestrictedComponents.getValue(), adminUser.getIdentifier(),
WRITE_CODE);
-
- // grant the user read/write access to the /tenants resource
- addAccessPolicy(authorizations, ResourceType.Tenant.getValue(),
adminUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations, ResourceType.Tenant.getValue(),
adminUser.getIdentifier(), WRITE_CODE);
-
- // grant the user read/write access to the /policies resource
- addAccessPolicy(authorizations, ResourceType.Policy.getValue(),
adminUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations, ResourceType.Policy.getValue(),
adminUser.getIdentifier(), WRITE_CODE);
-
- // grant the user read/write access to the /controller resource
- addAccessPolicy(authorizations, ResourceType.Controller.getValue(),
adminUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations, ResourceType.Controller.getValue(),
adminUser.getIdentifier(), WRITE_CODE);
- }
-
- /**
- * Creates a user for each node and gives the nodes write permission to
/proxy.
- *
- * @param authorizations the overall authorizations
- */
- private void populateNodes(Authorizations authorizations, Tenants tenants)
{
- for (String nodeIdentity : nodeIdentities) {
- final org.apache.nifi.authorization.file.tenants.generated.User
jaxbNodeUser = getOrCreateUser(tenants, nodeIdentity);
-
- // grant access to the proxy resource
- addAccessPolicy(authorizations, ResourceType.Proxy.getValue(),
jaxbNodeUser.getIdentifier(), WRITE_CODE);
-
- // grant the user read/write access data of the root group
- if (rootGroupId != null) {
- addAccessPolicy(authorizations, ResourceType.Data.getValue() +
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
jaxbNodeUser.getIdentifier(), READ_CODE);
- addAccessPolicy(authorizations, ResourceType.Data.getValue() +
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId,
jaxbNodeUser.getIdentifier(), WRITE_CODE);
- }
- }
- }
-
- /**
- * Unmarshalls an existing authorized-users.xml and converts the object
model to the new model.
- *
- * @param authorizations the current Authorizations instance that policies
will be added to
- * @param tenants the current Tenants instance users and groups will be
added to
- * @throws AuthorizerCreationException if the legacy authorized users file
that was provided does not exist
- * @throws JAXBException if the legacy authorized users file that was
provided could not be unmarshalled
- */
- private void convertLegacyAuthorizedUsers(final Authorizations
authorizations, final Tenants tenants) throws AuthorizerCreationException,
JAXBException {
- final File authorizedUsersFile = new File(legacyAuthorizedUsersFile);
- if (!authorizedUsersFile.exists()) {
- throw new AuthorizerCreationException("Legacy Authorized Users
File '" + legacyAuthorizedUsersFile + "' does not exists");
- }
-
- final Unmarshaller unmarshaller =
JAXB_USERS_CONTEXT.createUnmarshaller();
- unmarshaller.setSchema(usersSchema);
-
- final JAXBElement<org.apache.nifi.user.generated.Users> element =
unmarshaller.unmarshal(
- new StreamSource(authorizedUsersFile),
org.apache.nifi.user.generated.Users.class);
-
- final org.apache.nifi.user.generated.Users users = element.getValue();
- if (users.getUser().isEmpty()) {
- logger.info("Legacy Authorized Users File contained no users,
nothing to convert");
- return;
- }
-
- // get all the user DNs into a list
- List<String> userIdentities = new ArrayList<>();
- for (org.apache.nifi.user.generated.User legacyUser : users.getUser())
{
-
userIdentities.add(IdentityMappingUtil.mapIdentity(legacyUser.getDn(),
identityMappings));
- }
-
- // sort the list and pull out the first identity
- Collections.sort(userIdentities);
- final String seedIdentity = userIdentities.get(0);
-
- // create mapping from Role to access policies
- final Map<Role,Set<RoleAccessPolicy>> roleAccessPolicies =
RoleAccessPolicy.getMappings(rootGroupId);
-
- final List<Policy> allPolicies = new ArrayList<>();
-
- for (org.apache.nifi.user.generated.User legacyUser : users.getUser())
{
- // create the identifier of the new user based on the DN
- final String legacyUserDn =
IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings);
- org.apache.nifi.authorization.file.tenants.generated.User user =
getOrCreateUser(tenants, legacyUserDn);
-
- // if there was a group name find or create the group and add the
user to it
- org.apache.nifi.authorization.file.tenants.generated.Group group =
getOrCreateGroup(tenants, legacyUser.getGroup());
- if (group != null) {
-
org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = new
org.apache.nifi.authorization.file.tenants.generated.Group.User();
- groupUser.setIdentifier(user.getIdentifier());
- group.getUser().add(groupUser);
+ // initialize the user group provider
+ userGroupProvider.initialize(new
UserGroupProviderInitializationContext() {
+ @Override
+ public String getIdentifier() {
+ return FILE_USER_GROUP_PROVIDER_ID;
}
- // create policies based on the given role
- for (org.apache.nifi.user.generated.Role jaxbRole :
legacyUser.getRole()) {
- Role role = Role.valueOf(jaxbRole.getName());
- Set<RoleAccessPolicy> policies = roleAccessPolicies.get(role);
-
- for (RoleAccessPolicy roleAccessPolicy : policies) {
-
- // get the matching policy, or create a new one
- Policy policy = getOrCreatePolicy(
- allPolicies,
- seedIdentity,
- roleAccessPolicy.getResource(),
- roleAccessPolicy.getAction());
-
- // add the user to the policy if it doesn't exist
- addUserToPolicy(user.getIdentifier(), policy);
- }
+ @Override
+ public UserGroupProviderLookup getUserGroupProviderLookup() {
+ return (identifier) -> null;
}
+ });
- }
-
- // convert any access controls on ports to the appropriate policies
- for (PortDTO portDTO : ports) {
- final Resource resource;
- if (portDTO.getType() != null &&
portDTO.getType().equals("inputPort")) {
- resource =
ResourceFactory.getDataTransferResource(ResourceFactory.getComponentResource(ResourceType.InputPort,
portDTO.getId(), portDTO.getName()));
- } else {
- resource =
ResourceFactory.getDataTransferResource(ResourceFactory.getComponentResource(ResourceType.OutputPort,
portDTO.getId(), portDTO.getName()));
+ // initialize the access policy provider
+ accessPolicyProvider.initialize(new
AccessPolicyProviderInitializationContext() {
+ @Override
+ public String getIdentifier() {
+ return FILE_ACCESS_POLICY_PROVIDER_ID;
}
- if (portDTO.getUserAccessControl() != null) {
- for (String userAccessControl :
portDTO.getUserAccessControl()) {
- // need to perform the identity mapping on the access
control so it matches the identities in the User objects
- final String mappedUserAccessControl =
IdentityMappingUtil.mapIdentity(userAccessControl, identityMappings);
-
- // find a user where the identity is the userAccessControl
- org.apache.nifi.authorization.file.tenants.generated.User
foundUser = null;
- for
(org.apache.nifi.authorization.file.tenants.generated.User jaxbUser :
tenants.getUsers().getUser()) {
- if
(jaxbUser.getIdentity().equals(mappedUserAccessControl)) {
- foundUser = jaxbUser;
- break;
- }
- }
-
- // couldn't find the user matching the access control so
log a warning and skip
- if (foundUser == null) {
- logger.warn("Found port with user access control for
{} but no user exists with this identity, skipping...",
- new Object[] {mappedUserAccessControl});
- continue;
+ @Override
+ public UserGroupProviderLookup getUserGroupProviderLookup() {
+ return (identifier) -> {
+ if (FILE_USER_GROUP_PROVIDER_ID.equals(identifier)) {
+ return userGroupProvider;
}
- // we found the user so create the appropriate policy and
add the user to it
- Policy policy = getOrCreatePolicy(
- allPolicies,
- seedIdentity,
- resource.getIdentifier(),
- WRITE_CODE);
-
- addUserToPolicy(foundUser.getIdentifier(), policy);
- }
- }
-
- if (portDTO.getGroupAccessControl() != null) {
- for (String groupAccessControl :
portDTO.getGroupAccessControl()) {
- // find a group where the name is the groupAccessControl
- org.apache.nifi.authorization.file.tenants.generated.Group
foundGroup = null;
- for
(org.apache.nifi.authorization.file.tenants.generated.Group jaxbGroup :
tenants.getGroups().getGroup()) {
- if (jaxbGroup.getName().equals(groupAccessControl)) {
- foundGroup = jaxbGroup;
- break;
- }
- }
-
- // couldn't find the group matching the access control so
log a warning and skip
- if (foundGroup == null) {
- logger.warn("Found port with group access control for
{} but no group exists with this name, skipping...",
- new Object[] {groupAccessControl});
- continue;
- }
-
- // we found the group so create the appropriate policy and
add all the users to it
- Policy policy = getOrCreatePolicy(
- allPolicies,
- seedIdentity,
- resource.getIdentifier(),
- WRITE_CODE);
-
- addGroupToPolicy(foundGroup.getIdentifier(), policy);
- }
+ return null;
+ };
}
- }
-
- authorizations.getPolicies().getPolicy().addAll(allPolicies);
- }
- /**
- * Adds the given user identifier to the policy if it doesn't already
exist.
- *
- * @param userIdentifier a user identifier
- * @param policy a policy to add the user to
- */
- private void addUserToPolicy(final String userIdentifier, final Policy
policy) {
- // determine if the user already exists in the policy
- boolean userExists = false;
- for (Policy.User policyUser : policy.getUser()) {
- if (policyUser.getIdentifier().equals(userIdentifier)) {
- userExists = true;
- break;
+ @Override
+ public AccessPolicyProviderLookup getAccessPolicyProviderLookup() {
+ return (identifier) -> null;
}
- }
-
- // add the user to the policy if doesn't already exist
- if (!userExists) {
- Policy.User policyUser = new Policy.User();
- policyUser.setIdentifier(userIdentifier);
- policy.getUser().add(policyUser);
- }
+ });
}
- /**
- * Adds the given group identifier to the policy if it doesn't already
exist.
- *
- * @param groupIdentifier a group identifier
- * @param policy a policy to add the user to
- */
- private void addGroupToPolicy(final String groupIdentifier, final Policy
policy) {
- // determine if the group already exists in the policy
- boolean groupExists = false;
- for (Policy.Group policyGroup : policy.getGroup()) {
- if (policyGroup.getIdentifier().equals(groupIdentifier)) {
- groupExists = true;
- break;
- }
- }
-
- // add the group to the policy if doesn't already exist
- if (!groupExists) {
- Policy.Group policyGroup = new Policy.Group();
- policyGroup.setIdentifier(groupIdentifier);
- policy.getGroup().add(policyGroup);
- }
- }
-
- /**
- * Finds the User with the given identity, or creates a new one and adds
it to the Tenants.
- *
- * @param tenants the Tenants reference
- * @param userIdentity the user identity to find or create
- * @return the User from Tenants with the given identity, or a new
instance that was added to Tenants
- */
- private org.apache.nifi.authorization.file.tenants.generated.User
getOrCreateUser(final Tenants tenants, final String userIdentity) {
- if (StringUtils.isBlank(userIdentity)) {
- return null;
- }
-
- org.apache.nifi.authorization.file.tenants.generated.User foundUser =
null;
- for (org.apache.nifi.authorization.file.tenants.generated.User user :
tenants.getUsers().getUser()) {
- if (user.getIdentity().equals(userIdentity)) {
- foundUser = user;
- break;
- }
- }
-
- if (foundUser == null) {
- final String userIdentifier =
UUID.nameUUIDFromBytes(userIdentity.getBytes(StandardCharsets.UTF_8)).toString();
- foundUser = new
org.apache.nifi.authorization.file.tenants.generated.User();
- foundUser.setIdentifier(userIdentifier);
- foundUser.setIdentity(userIdentity);
- tenants.getUsers().getUser().add(foundUser);
- }
-
- return foundUser;
- }
+ @Override
+ public void doOnConfigured(final AuthorizerConfigurationContext
configurationContext) throws AuthorizerCreationException {
+ final Map<String, String> configurationProperties =
configurationContext.getProperties();
- /**
- * Finds the Group with the given name, or creates a new one and adds it
to Tenants.
- *
- * @param tenants the Tenants reference
- * @param groupName the name of the group to look for
- * @return the Group from Tenants with the given name, or a new instance
that was added to Tenants
- */
- private org.apache.nifi.authorization.file.tenants.generated.Group
getOrCreateGroup(final Tenants tenants, final String groupName) {
- if (StringUtils.isBlank(groupName)) {
- return null;
+ // relay the relevant config
+ final Map<String, String> userGroupProperties = new HashMap<>();
+ if
(configurationProperties.containsKey(FileUserGroupProvider.PROP_TENANTS_FILE)) {
+ userGroupProperties.put(FileUserGroupProvider.PROP_TENANTS_FILE,
configurationProperties.get(FileUserGroupProvider.PROP_TENANTS_FILE));
}
-
- org.apache.nifi.authorization.file.tenants.generated.Group foundGroup
= null;
- for (org.apache.nifi.authorization.file.tenants.generated.Group group
: tenants.getGroups().getGroup()) {
- if (group.getName().equals(groupName)) {
- foundGroup = group;
- break;
- }
+ if
(configurationProperties.containsKey(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE))
{
+
userGroupProperties.put(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE,
configurationProperties.get(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE));
}
- if (foundGroup == null) {
- UUID newGroupIdentifier =
UUID.nameUUIDFromBytes(groupName.getBytes(StandardCharsets.UTF_8));
- foundGroup = new
org.apache.nifi.authorization.file.tenants.generated.Group();
- foundGroup.setIdentifier(newGroupIdentifier.toString());
- foundGroup.setName(groupName);
- tenants.getGroups().getGroup().add(foundGroup);
+ // relay the relevant config
+ final Map<String, String> accessPolicyProperties = new HashMap<>();
+
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_USER_GROUP_PROVIDER,
FILE_USER_GROUP_PROVIDER_ID);
+ if
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE))
{
+
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE,
configurationProperties.get(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE));
}
-
- return foundGroup;
- }
-
- /**
- * Finds the Policy matching the resource and action, or creates a new one
and adds it to the list of policies.
- *
- * @param policies the policies to search through
- * @param seedIdentity the seedIdentity to use when creating identifiers
for new policies
- * @param resource the resource for the policy
- * @param action the action string for the police (R or RW)
- * @return the matching policy or a new policy
- */
- private Policy getOrCreatePolicy(final List<Policy> policies, final String
seedIdentity, final String resource, final String action) {
- Policy foundPolicy = null;
-
- // try to find a policy with the same resource and actions
- for (Policy policy : policies) {
- if (policy.getResource().equals(resource) &&
policy.getAction().equals(action)) {
- foundPolicy = policy;
- break;
- }
+ if
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))
{
+
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY,
configurationProperties.get(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY));
}
-
- // if a matching policy wasn't found then create one
- if (foundPolicy == null) {
- final String uuidSeed = resource + action + seedIdentity;
- final UUID policyIdentifier =
UUID.nameUUIDFromBytes(uuidSeed.getBytes(StandardCharsets.UTF_8));
-
- foundPolicy = new Policy();
- foundPolicy.setIdentifier(policyIdentifier.toString());
- foundPolicy.setResource(resource);
- foundPolicy.setAction(action);
-
- policies.add(foundPolicy);
+ if
(configurationProperties.containsKey(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE))
{
+
accessPolicyProperties.put(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE,
configurationProperties.get(FileAuthorizer.PROP_LEGACY_AUTHORIZED_USERS_FILE));
}
- return foundPolicy;
- }
-
- /**
- * Creates and adds an access policy for the given resource, identity, and
actions.
- *
- * @param authorizations the Authorizations instance to add the policy to
- * @param resource the resource for the policy
- * @param identity the identity for the policy
- * @param action the action for the policy
- */
- private void addAccessPolicy(final Authorizations authorizations, final
String resource, final String identity, final String action) {
- // first try to find an existing policy for the given resource and
action
- Policy foundPolicy = null;
- for (Policy policy : authorizations.getPolicies().getPolicy()) {
- if (policy.getResource().equals(resource) &&
policy.getAction().equals(action)) {
- foundPolicy = policy;
- break;
+ // ensure all node identities are seeded into the user provider
+ configurationProperties.forEach((property, value) -> {
+ final Matcher matcher =
FileAccessPolicyProvider.NODE_IDENTITY_PATTERN.matcher(property);
+ if (matcher.matches()) {
+ accessPolicyProperties.put(property, value);
+
userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX,
FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
}
- }
+ });
- if (foundPolicy == null) {
- // if we didn't find an existing policy create a new one
- final String uuidSeed = resource + identity + action;
- final UUID policyIdentifier =
UUID.nameUUIDFromBytes(uuidSeed.getBytes(StandardCharsets.UTF_8));
-
- final AccessPolicy.Builder builder = new AccessPolicy.Builder()
- .identifier(policyIdentifier.toString())
- .resource(resource)
- .addUser(identity);
-
- if (action.equals(READ_CODE)) {
- builder.action(RequestAction.READ);
- } else if (action.equals(WRITE_CODE)) {
- builder.action(RequestAction.WRITE);
- } else {
- throw new IllegalStateException("Unknown Policy Action: " +
action);
+ // ensure the initial admin is seeded into the user provider if
appropriate
+ if
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))
{
+ int i = 0;
+ while (true) {
+ final String key =
FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX + i++;
+ if (!userGroupProperties.containsKey(key)) {
+ userGroupProperties.put(key,
configurationProperties.get(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY));
+ break;
+ }
}
-
- final AccessPolicy accessPolicy = builder.build();
- final Policy jaxbPolicy = createJAXBPolicy(accessPolicy);
- authorizations.getPolicies().getPolicy().add(jaxbPolicy);
- } else {
- // otherwise add the user to the existing policy
- Policy.User policyUser = new Policy.User();
- policyUser.setIdentifier(identity);
- foundPolicy.getUser().add(policyUser);
- }
- }
-
- /**
- * Saves the Authorizations instance by marshalling to a file, then
re-populates the
- * in-memory data structures and sets the new holder.
- *
- * Synchronized to ensure only one thread writes the file at a time.
- *
- * @param authorizations the authorizations to save and populate from
- * @param tenants the tenants to save and populate from
- * @throws AuthorizationAccessException if an error occurs saving the
authorizations
- */
- private synchronized void saveAndRefreshHolder(final Authorizations
authorizations, final Tenants tenants) throws AuthorizationAccessException {
- try {
- saveTenants(tenants);
- saveAuthorizations(authorizations);
-
- final AuthorizationsHolder authorizationsHolder = new
AuthorizationsHolder(authorizations, tenants);
- this.authorizationsHolder.set(authorizationsHolder);
- } catch (JAXBException e) {
- throw new AuthorizationAccessException("Unable to save
Authorizations", e);
}
- }
- private void saveAuthorizations(final Authorizations authorizations)
throws JAXBException {
- final Marshaller marshaller =
JAXB_AUTHORIZATIONS_CONTEXT.createMarshaller();
- marshaller.setSchema(authorizationsSchema);
- marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
- marshaller.marshal(authorizations, authorizationsFile);
- }
+ // configure the user group provider
+ userGroupProvider.onConfigured(new
StandardAuthorizerConfigurationContext(FILE_USER_GROUP_PROVIDER_ID,
userGroupProperties));
- private void saveTenants(final Tenants tenants) throws JAXBException {
- final Marshaller marshaller = JAXB_TENANTS_CONTEXT.createMarshaller();
- marshaller.setSchema(tenantsSchema);
- marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
- marshaller.marshal(tenants, tenantsFile);
- }
-
-
- @AuthorizerContext
- public void setNiFiProperties(NiFiProperties properties) {
- this.properties = properties;
+ // configure the access policy provider
+ accessPolicyProvider.onConfigured(new
StandardAuthorizerConfigurationContext(FILE_USER_GROUP_PROVIDER_ID,
accessPolicyProperties));
}
@Override
@@ -762,434 +146,115 @@ public class FileAuthorizer extends
AbstractPolicyBasedAuthorizer {
@Override
public synchronized Group doAddGroup(Group group) throws
AuthorizationAccessException {
- if (group == null) {
- throw new IllegalArgumentException("Group cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- // determine that all users in the group exist before doing anything,
throw an exception if they don't
- final Set<org.apache.nifi.authorization.file.tenants.generated.User>
jaxbUsers = checkGroupUsers(group, tenants.getUsers().getUser());
-
- // create a new JAXB Group based on the incoming Group
- final org.apache.nifi.authorization.file.tenants.generated.Group
jaxbGroup = new org.apache.nifi.authorization.file.tenants.generated.Group();
- jaxbGroup.setIdentifier(group.getIdentifier());
- jaxbGroup.setName(group.getName());
-
- // add each user to the group
- for (String groupUser : group.getUsers()) {
- org.apache.nifi.authorization.file.tenants.generated.Group.User
jaxbGroupUser = new
org.apache.nifi.authorization.file.tenants.generated.Group.User();
- jaxbGroupUser.setIdentifier(groupUser);
- jaxbGroup.getUser().add(jaxbGroupUser);
- }
-
- tenants.getGroups().getGroup().add(jaxbGroup);
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
+ return userGroupProvider.addGroup(group);
}
@Override
public Group getGroup(String identifier) throws
AuthorizationAccessException {
- if (identifier == null) {
- return null;
- }
- return authorizationsHolder.get().getGroupsById().get(identifier);
+ return userGroupProvider.getGroup(identifier);
}
@Override
public synchronized Group doUpdateGroup(Group group) throws
AuthorizationAccessException {
- if (group == null) {
- throw new IllegalArgumentException("Group cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- // find the group that needs to be update
- org.apache.nifi.authorization.file.tenants.generated.Group updateGroup
= null;
- for (org.apache.nifi.authorization.file.tenants.generated.Group
jaxbGroup : tenants.getGroups().getGroup()) {
- if (jaxbGroup.getIdentifier().equals(group.getIdentifier())) {
- updateGroup = jaxbGroup;
- break;
- }
- }
-
- // if the group wasn't found return null, otherwise update the group
and save changes
- if (updateGroup == null) {
- return null;
- }
-
- // reset the list of users and add each user to the group
- updateGroup.getUser().clear();
- for (String groupUser : group.getUsers()) {
- org.apache.nifi.authorization.file.tenants.generated.Group.User
jaxbGroupUser = new
org.apache.nifi.authorization.file.tenants.generated.Group.User();
- jaxbGroupUser.setIdentifier(groupUser);
- updateGroup.getUser().add(jaxbGroupUser);
- }
-
- updateGroup.setName(group.getName());
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getGroupsById().get(group.getIdentifier());
+ return userGroupProvider.updateGroup(group);
}
@Override
public synchronized Group deleteGroup(Group group) throws
AuthorizationAccessException {
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- final List<org.apache.nifi.authorization.file.tenants.generated.Group>
groups = tenants.getGroups().getGroup();
-
- // for each policy iterate over the group reference and remove the
group reference if it matches the group being deleted
- for (Policy policy : authorizations.getPolicies().getPolicy()) {
- Iterator<Policy.Group> policyGroupIter =
policy.getGroup().iterator();
- while (policyGroupIter.hasNext()) {
- Policy.Group policyGroup = policyGroupIter.next();
- if (policyGroup.getIdentifier().equals(group.getIdentifier()))
{
- policyGroupIter.remove();
- break;
- }
- }
- }
-
- // now remove the actual group from the top-level list of groups
- boolean removedGroup = false;
- Iterator<org.apache.nifi.authorization.file.tenants.generated.Group>
iter = groups.iterator();
- while (iter.hasNext()) {
- org.apache.nifi.authorization.file.tenants.generated.Group
jaxbGroup = iter.next();
- if (group.getIdentifier().equals(jaxbGroup.getIdentifier())) {
- iter.remove();
- removedGroup = true;
- break;
- }
- }
-
- if (removedGroup) {
- saveAndRefreshHolder(authorizations, tenants);
- return group;
- } else {
- return null;
- }
+ return userGroupProvider.deleteGroup(group);
}
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
- return authorizationsHolder.get().getAllGroups();
- }
-
- private Set<org.apache.nifi.authorization.file.tenants.generated.User>
checkGroupUsers(final Group group, final
List<org.apache.nifi.authorization.file.tenants.generated.User> users) {
- final Set<org.apache.nifi.authorization.file.tenants.generated.User>
jaxbUsers = new HashSet<>();
- for (String groupUser : group.getUsers()) {
- boolean found = false;
- for (org.apache.nifi.authorization.file.tenants.generated.User
jaxbUser : users) {
- if (jaxbUser.getIdentifier().equals(groupUser)) {
- jaxbUsers.add(jaxbUser);
- found = true;
- break;
- }
- }
-
- if (!found) {
- throw new IllegalStateException("Unable to add group because
user " + groupUser + " does not exist");
- }
- }
- return jaxbUsers;
+ return userGroupProvider.getGroups();
}
// ------------------ Users ------------------
@Override
public synchronized User doAddUser(final User user) throws
AuthorizationAccessException {
- if (user == null) {
- throw new IllegalArgumentException("User cannot be null");
- }
-
- final org.apache.nifi.authorization.file.tenants.generated.User
jaxbUser = createJAXBUser(user);
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
- tenants.getUsers().getUser().add(jaxbUser);
-
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getUsersById().get(user.getIdentifier());
- }
-
- private org.apache.nifi.authorization.file.tenants.generated.User
createJAXBUser(User user) {
- final org.apache.nifi.authorization.file.tenants.generated.User
jaxbUser = new org.apache.nifi.authorization.file.tenants.generated.User();
- jaxbUser.setIdentifier(user.getIdentifier());
- jaxbUser.setIdentity(user.getIdentity());
- return jaxbUser;
+ return userGroupProvider.addUser(user);
}
@Override
public User getUser(final String identifier) throws
AuthorizationAccessException {
- if (identifier == null) {
- return null;
- }
-
- final AuthorizationsHolder holder = authorizationsHolder.get();
- return holder.getUsersById().get(identifier);
+ return userGroupProvider.getUser(identifier);
}
@Override
public User getUserByIdentity(final String identity) throws
AuthorizationAccessException {
- if (identity == null) {
- return null;
- }
-
- final AuthorizationsHolder holder = authorizationsHolder.get();
- return holder.getUsersByIdentity().get(identity);
+ return userGroupProvider.getUserByIdentity(identity);
}
@Override
public synchronized User doUpdateUser(final User user) throws
AuthorizationAccessException {
- if (user == null) {
- throw new IllegalArgumentException("User cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- final List<org.apache.nifi.authorization.file.tenants.generated.User>
users = tenants.getUsers().getUser();
-
- // fine the User that needs to be updated
- org.apache.nifi.authorization.file.tenants.generated.User updateUser =
null;
- for (org.apache.nifi.authorization.file.tenants.generated.User
jaxbUser : users) {
- if (user.getIdentifier().equals(jaxbUser.getIdentifier())) {
- updateUser = jaxbUser;
- break;
- }
- }
-
- // if user wasn't found return null, otherwise update the user and
save changes
- if (updateUser == null) {
- return null;
- } else {
- updateUser.setIdentity(user.getIdentity());
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getUsersById().get(user.getIdentifier());
- }
+ return userGroupProvider.updateUser(user);
}
@Override
public synchronized User deleteUser(final User user) throws
AuthorizationAccessException {
- if (user == null) {
- throw new IllegalArgumentException("User cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- final List<org.apache.nifi.authorization.file.tenants.generated.User>
users = tenants.getUsers().getUser();
-
- // for each group iterate over the user references and remove the user
reference if it matches the user being deleted
- for (org.apache.nifi.authorization.file.tenants.generated.Group group
: tenants.getGroups().getGroup()) {
-
Iterator<org.apache.nifi.authorization.file.tenants.generated.Group.User>
groupUserIter = group.getUser().iterator();
- while (groupUserIter.hasNext()) {
-
org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser =
groupUserIter.next();
- if (groupUser.getIdentifier().equals(user.getIdentifier())) {
- groupUserIter.remove();
- break;
- }
- }
- }
-
- // remove any references to the user being deleted from policies
- for (Policy policy : authorizations.getPolicies().getPolicy()) {
- Iterator<Policy.User> policyUserIter = policy.getUser().iterator();
- while (policyUserIter.hasNext()) {
- Policy.User policyUser = policyUserIter.next();
- if (policyUser.getIdentifier().equals(user.getIdentifier())) {
- policyUserIter.remove();
- break;
- }
- }
- }
-
- // remove the actual user if it exists
- boolean removedUser = false;
- Iterator<org.apache.nifi.authorization.file.tenants.generated.User>
iter = users.iterator();
- while (iter.hasNext()) {
- org.apache.nifi.authorization.file.tenants.generated.User jaxbUser
= iter.next();
- if (user.getIdentifier().equals(jaxbUser.getIdentifier())) {
- iter.remove();
- removedUser = true;
- break;
- }
- }
-
- if (removedUser) {
- saveAndRefreshHolder(authorizations, tenants);
- return user;
- } else {
- return null;
- }
+ return userGroupProvider.deleteUser(user);
}
@Override
public Set<User> getUsers() throws AuthorizationAccessException {
- return authorizationsHolder.get().getAllUsers();
+ return userGroupProvider.getUsers();
}
// ------------------ AccessPolicies ------------------
@Override
public synchronized AccessPolicy doAddAccessPolicy(final AccessPolicy
accessPolicy) throws AuthorizationAccessException {
- if (accessPolicy == null) {
- throw new IllegalArgumentException("AccessPolicy cannot be null");
- }
-
- // create the new JAXB Policy
- final Policy policy = createJAXBPolicy(accessPolicy);
-
- // add the new Policy to the top-level list of policies
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
- authorizations.getPolicies().getPolicy().add(policy);
-
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
- }
-
- private Policy createJAXBPolicy(final AccessPolicy accessPolicy) {
- final Policy policy = new Policy();
- policy.setIdentifier(accessPolicy.getIdentifier());
- policy.setResource(accessPolicy.getResource());
-
- switch (accessPolicy.getAction()) {
- case READ:
- policy.setAction(READ_CODE);
- break;
- case WRITE:
- policy.setAction(WRITE_CODE);
- break;
- default:
- break;
- }
-
- transferUsersAndGroups(accessPolicy, policy);
- return policy;
+ return accessPolicyProvider.addAccessPolicy(accessPolicy);
}
@Override
public AccessPolicy getAccessPolicy(final String identifier) throws
AuthorizationAccessException {
- if (identifier == null) {
- return null;
- }
-
- final AuthorizationsHolder holder = authorizationsHolder.get();
- return holder.getPoliciesById().get(identifier);
+ return accessPolicyProvider.getAccessPolicy(identifier);
}
@Override
public synchronized AccessPolicy updateAccessPolicy(final AccessPolicy
accessPolicy) throws AuthorizationAccessException {
- if (accessPolicy == null) {
- throw new IllegalArgumentException("AccessPolicy cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- // try to find an existing Authorization that matches the policy id
- Policy updatePolicy = null;
- for (Policy policy : authorizations.getPolicies().getPolicy()) {
- if (policy.getIdentifier().equals(accessPolicy.getIdentifier())) {
- updatePolicy = policy;
- break;
- }
- }
-
- // no matching Policy so return null
- if (updatePolicy == null) {
- return null;
- }
-
- // update the Policy, save, reload, and return
- transferUsersAndGroups(accessPolicy, updatePolicy);
- saveAndRefreshHolder(authorizations, tenants);
-
- return
this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier());
+ return accessPolicyProvider.updateAccessPolicy(accessPolicy);
}
@Override
public synchronized AccessPolicy deleteAccessPolicy(final AccessPolicy
accessPolicy) throws AuthorizationAccessException {
- if (accessPolicy == null) {
- throw new IllegalArgumentException("AccessPolicy cannot be null");
- }
-
- final AuthorizationsHolder holder = this.authorizationsHolder.get();
- final Tenants tenants = holder.getTenants();
- final Authorizations authorizations = holder.getAuthorizations();
-
- // find the matching Policy and remove it
- boolean deletedPolicy = false;
- Iterator<Policy> policyIter =
authorizations.getPolicies().getPolicy().iterator();
- while (policyIter.hasNext()) {
- final Policy policy = policyIter.next();
- if (policy.getIdentifier().equals(accessPolicy.getIdentifier())) {
- policyIter.remove();
- deletedPolicy = true;
- break;
- }
- }
-
- // never found a matching Policy so return null
- if (!deletedPolicy) {
- return null;
- }
-
- saveAndRefreshHolder(authorizations, tenants);
- return accessPolicy;
+ return accessPolicyProvider.deleteAccessPolicy(accessPolicy);
}
@Override
public Set<AccessPolicy> getAccessPolicies() throws
AuthorizationAccessException {
- return authorizationsHolder.get().getAllPolicies();
+ return accessPolicyProvider.getAccessPolicies();
}
- @Override
- public UsersAndAccessPolicies getUsersAndAccessPolicies() throws
AuthorizationAccessException {
- return authorizationsHolder.get();
+ @AuthorizerContext
+ public void setNiFiProperties(NiFiProperties properties) {
+ userGroupProvider.setNiFiProperties(properties);
+ accessPolicyProvider.setNiFiProperties(properties);
}
- /**
- * Sets the given Policy to the state of the provided AccessPolicy. Users
and Groups will be cleared and
- * set to match the AccessPolicy, the resource and action will be set to
match the AccessPolicy.
- *
- * Does not set the identifier.
- *
- * @param accessPolicy the AccessPolicy to transfer state from
- * @param policy the Policy to transfer state to
- */
- private void transferUsersAndGroups(AccessPolicy accessPolicy, Policy
policy) {
- // add users to the policy
- policy.getUser().clear();
- for (String userIdentifier : accessPolicy.getUsers()) {
- Policy.User policyUser = new Policy.User();
- policyUser.setIdentifier(userIdentifier);
- policy.getUser().add(policyUser);
- }
+ @Override
+ public synchronized UsersAndAccessPolicies getUsersAndAccessPolicies()
throws AuthorizationAccessException {
+ final AuthorizationsHolder authorizationsHolder =
accessPolicyProvider.getAuthorizationsHolder();
+ final UserGroupHolder userGroupHolder =
userGroupProvider.getUserGroupHolder();
- // add groups to the policy
- policy.getGroup().clear();
- for (String groupIdentifier : accessPolicy.getGroups()) {
- Policy.Group policyGroup = new Policy.Group();
- policyGroup.setIdentifier(groupIdentifier);
- policy.getGroup().add(policyGroup);
- }
+ return new UsersAndAccessPolicies() {
+ @Override
+ public AccessPolicy getAccessPolicy(String resourceIdentifier,
RequestAction action) {
+ return
authorizationsHolder.getAccessPolicy(resourceIdentifier, action);
+ }
+
+ @Override
+ public User getUser(String identity) {
+ return userGroupHolder.getUser(identity);
+ }
+
+ @Override
+ public Set<Group> getGroups(String userIdentity) {
+ return userGroupHolder.getGroups(userIdentity);
+ }
+ };
}
}
