NIFIREG-70 Authorization Improvements Improves the Authorization framework and REST API:
- Initial NiFi Proxy Identities get (write, /proxy) + (read, /buckets) - Adds a read-only summary of top-level resource access policies to REST API Tenant class - Moves /resources under /policies - Moves package o.a.n.r.model.authorization to o.a.n.r.authorization This closes #55. 
Signed-off-by: Bryan Bende <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/nifi-registry/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi-registry/commit/287cc41f Tree: http://git-wip-us.apache.org/repos/asf/nifi-registry/tree/287cc41f Diff: http://git-wip-us.apache.org/repos/asf/nifi-registry/diff/287cc41f Branch: refs/heads/master Commit: 287cc41fbb86cef383a06d7dcfe5ffbc3c7419d4 Parents: 2460c84 Author: Kevin Doran <[email protected]> Authored: Wed Dec 13 10:32:58 2017 -0500 Committer: Bryan Bende <[email protected]> Committed: Thu Dec 14 16:22:56 2017 -0500 ---------------------------------------------------------------------- .../apache/nifi/registry/client/UserClient.java | 2 +- .../registry/client/impl/JerseyUserClient.java | 2 +- .../registry/authorization/AccessPolicy.java | 72 ++++++++++ .../authorization/AccessPolicySummary.java | 72 ++++++++++ .../registry/authorization/CurrentUser.java | 55 ++++++++ .../registry/authorization/Permissions.java | 130 +++++++++++++++++++ .../nifi/registry/authorization/Resource.java | 56 ++++++++ .../authorization/ResourcePermissions.java | 117 +++++++++++++++++ .../nifi/registry/authorization/Tenant.java | 111 ++++++++++++++++ .../nifi/registry/authorization/User.java | 58 +++++++++ .../nifi/registry/authorization/UserGroup.java | 62 +++++++++ .../org/apache/nifi/registry/bucket/Bucket.java | 2 +- .../apache/nifi/registry/bucket/BucketItem.java | 2 +- .../model/authorization/AccessPolicy.java | 72 ---------- .../authorization/AccessPolicySummary.java | 72 ---------- .../model/authorization/CurrentUser.java | 96 -------------- .../model/authorization/Permissions.java | 121 ----------------- .../registry/model/authorization/Resource.java | 56 -------- .../registry/model/authorization/Tenant.java | 98 -------------- .../nifi/registry/model/authorization/User.java | 58 --------- .../registry/model/authorization/UserGroup.java | 62 --------- .../authorization/AuthorizableLookup.java | 7 - 
.../StandardAuthorizableLookup.java | 22 +--- .../file/FileAccessPolicyProvider.java | 19 ++- .../authorization/resource/ResourceFactory.java | 36 +---- .../authorization/resource/ResourceType.java | 1 - .../registry/service/AuthorizationService.java | 120 +++++++++++------ .../service/AuthorizationServiceSpec.groovy | 27 ++-- .../web/NiFiRegistryResourceConfig.java | 4 +- .../registry/web/api/AccessPolicyResource.java | 30 ++++- .../nifi/registry/web/api/AccessResource.java | 2 +- .../api/AuthorizableApplicationResource.java | 2 +- .../nifi/registry/web/api/ResourceResource.java | 90 ------------- .../nifi/registry/web/api/TenantResource.java | 4 +- .../web/security/PermissionsService.java | 10 +- .../nifi/registry/web/api/SecureFileIT.java | 89 +++++++++++-- .../nifi/registry/web/api/SecureKerberosIT.java | 11 +- .../nifi/registry/web/api/SecureLdapIT.java | 39 +++--- .../web/api/SecureNiFiRegistryClientIT.java | 16 ++- .../web/api/UnsecuredNiFiRegistryClientIT.java | 16 ++- 40 files changed, 1020 insertions(+), 901 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/UserClient.java ---------------------------------------------------------------------- diff --git a/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/UserClient.java b/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/UserClient.java index 99ce08d..181f7af 100644 --- a/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/UserClient.java +++ b/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/UserClient.java 
@@ -16,7 +16,7 @@ */ package org.apache.nifi.registry.client; -import org.apache.nifi.registry.model.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.CurrentUser; import java.io.IOException;
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/impl/JerseyUserClient.java
----------------------------------------------------------------------
diff --git a/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/impl/JerseyUserClient.java b/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/impl/JerseyUserClient.java
index 1167266..7625f35 100644
--- a/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/impl/JerseyUserClient.java
+++ b/nifi-registry-client/src/main/java/org/apache/nifi/registry/client/impl/JerseyUserClient.java
@@ -18,7 +18,7 @@ package org.apache.nifi.registry.client.impl; import org.apache.nifi.registry.client.NiFiRegistryException; import org.apache.nifi.registry.client.UserClient; -import org.apache.nifi.registry.model.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.CurrentUser; import javax.ws.rs.client.WebTarget; import java.io.IOException;
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicy.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicy.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicy.java
new file mode 100644
index 0000000..2cf51f0
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicy.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Access policy details, including the users and user groups to which the policy applies.
+ */
+@ApiModel("accessPolicy")
+public class AccessPolicy extends AccessPolicySummary {
+
+ private Set<Tenant> users;
+ private Set<Tenant> userGroups;
+
+ @ApiModelProperty(value = "The set of user IDs associated with this access policy.")
+ public Set<Tenant> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Set<Tenant> users) {
+ this.users = users;
+ }
+
+ public void addUsers(Collection<? extends Tenant> users) {
+ if (users != null) {
+ if (this.users == null) {
+ this.users = new HashSet<>();
+ }
+ this.users.addAll(users);
+ }
+ }
+
+ @ApiModelProperty(value = "The set of user group IDs associated with this access policy.")
+ public Set<Tenant> getUserGroups() {
+ return userGroups;
+ }
+
+ public void setUserGroups(Set<Tenant> userGroups) {
+ this.userGroups = userGroups;
+ }
+
+ public void addUserGroups(Collection<? extends Tenant> userGroups) {
+ if (userGroups != null) {
+ if (this.userGroups == null) {
+ this.userGroups = new HashSet<>();
+ }
+ this.userGroups.addAll(userGroups);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicySummary.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicySummary.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicySummary.java
new file mode 100644
index 0000000..2939b91
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/AccessPolicySummary.java
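Review bot: The Swagger descriptions on `getUsers()` and `getUserGroups()` promise "user IDs" and "user group IDs", but both properties are typed `Set<Tenant>`, so a serialized policy carries whole tenant objects rather than identifiers. `Tenant` in this same commit also has `resourcePermissions` and `accessPolicies`, so how much authorization state a policy reader sees depends on which tenant fields the mapping code fills in; that code is outside this hunk and should be confirmed. I would reword the descriptions to match the type, e.g. `@ApiModelProperty(value = "The users (as tenants) associated with this access policy.")`, and say in the class Javadoc which tenant fields are expected to be populated here.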
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * Access policy summary of which actions ("read', "write") are allowable for a specified web resource.
+ */
+@ApiModel("accessPolicySummary")
+public class AccessPolicySummary {
+
+ private String identifier;
+ private String resource;
+ private String action;
+ private Boolean configurable;
+
+ @ApiModelProperty("The id of the policy. Set by server at creation time.")
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ public void setIdentifier(String identifier) {
+ this.identifier = identifier;
+ }
+
+ @ApiModelProperty("The resource for this access policy.")
+ public String getResource() {
+ return resource;
+ }
+
+ public void setResource(String resource) {
+ this.resource = resource;
+ }
+
+ @ApiModelProperty(
+ value = "The action associated with this access policy.",
+ allowableValues = "READ, WRITE"
+ )
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ @ApiModelProperty(value = "Indicates if this access policy is configurable, based on which Authorizer has been configured to manage it.", readOnly = true)
+ public Boolean getConfigurable() {
+ return configurable;
+ }
+
+ public void setConfigurable(Boolean configurable) {
+ this.configurable = configurable;
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/CurrentUser.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/CurrentUser.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/CurrentUser.java
new file mode 100644
index 0000000..7b9b4ee
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/CurrentUser.java
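Review bot: `action` is a free-form `String` whose only constraint is the Swagger hint `allowableValues = "READ, WRITE"`, which documents the values but enforces nothing, and the class Javadoc spells them differently (`"read', "write"`, lower case with mismatched quotes). Wherever this DTO is converted into a stored policy (outside this hunk), the value should be matched against the known actions and anything else rejected rather than defaulted. `Permissions` in this commit also carries `canDelete`; if the server has a delete action, `allowableValues` should list it. I would fix the Javadoc to `("READ", "WRITE")` so it agrees with the annotation.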
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+@ApiModel("currentUser")
+public class CurrentUser {
+
+ private String identity;
+ private boolean anonymous;
+ private ResourcePermissions resourcePermissions;
+
+ @ApiModelProperty("The identity of the current user")
+ public String getIdentity() {
+ return identity;
+ }
+
+ public void setIdentity(String identity) {
+ this.identity = identity;
+ }
+
+ @ApiModelProperty("Indicates if the current user is anonymous")
+ public boolean isAnonymous() {
+ return anonymous;
+ }
+
+ public void setAnonymous(boolean anonymous) {
+ this.anonymous = anonymous;
+ }
+
+ @ApiModelProperty("The access that the current user has to top level resources")
+ public ResourcePermissions getResourcePermissions() {
+ return resourcePermissions;
+ }
+
+ public void setResourcePermissions(ResourcePermissions resourcePermissions) {
+ this.resourcePermissions = resourcePermissions;
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Permissions.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Permissions.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Permissions.java
new file mode 100644
index 0000000..c76a41f
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Permissions.java
@@ -0,0 +1,130 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.registry.authorization; + +import io.swagger.annotations.ApiModel; +import io.swagger.annotations.ApiModelProperty; + +@ApiModel("permissions") +public class Permissions { + + private boolean canRead = false; + private boolean canWrite = false; + private boolean canDelete = false; + + public Permissions() { + } + + public Permissions(Permissions permissions) { + if (permissions == null) { + throw new IllegalArgumentException("Cannot call copy constructor with null argument"); + } + + this.canRead = permissions.getCanRead(); + this.canWrite = permissions.getCanWrite(); + this.canDelete = permissions.getCanDelete(); + } + + /** + * @return Indicates whether the user can read a given resource. + */ + @ApiModelProperty( + value = "Indicates whether the user can read a given resource.", + readOnly = true + ) + public boolean getCanRead() { + return canRead; + } + + public void setCanRead(boolean canRead) { + this.canRead = canRead; + } + + public Permissions withCanRead(boolean canRead) { + setCanRead(canRead); + return this; + } + + /** + * @return Indicates whether the user can write a given resource. 
+ */ + @ApiModelProperty( + value = "Indicates whether the user can write a given resource.", + readOnly = true + ) + public boolean getCanWrite() { + return canWrite; + } + + public void setCanWrite(boolean canWrite) { + this.canWrite = canWrite; + } + + public Permissions withCanWrite(boolean canWrite) { + setCanWrite(canWrite); + return this; + } + + /** + * @return Indicates whether the user can delete a given resource. + */ + @ApiModelProperty( + value = "Indicates whether the user can delete a given resource.", + readOnly = true + ) + public boolean getCanDelete() { + return canDelete; + } + + public void setCanDelete(boolean canDelete) { + this.canDelete = canDelete; + } + + public Permissions withCanDelete(boolean canDelete) { + setCanDelete(canDelete); + return this; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + Permissions that = (Permissions) o; + + if (canRead != that.canRead) return false; + if (canWrite != that.canWrite) return false; + return canDelete == that.canDelete; + } + + @Override + public int hashCode() { + int result = (canRead ? 1 : 0); + result = 31 * result + (canWrite ? 1 : 0); + result = 31 * result + (canDelete ? 1 : 0); + return result; + } + + @Override + public String toString() { + return "Permissions{" + + "canRead=" + canRead + + ", canWrite=" + canWrite + + ", canDelete=" + canDelete + + '}'; + } +} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Resource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Resource.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Resource.java new file mode 100644 index 0000000..139d729 --- /dev/null 
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Resource.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+@ApiModel("resource")
+public class Resource {
+
+ private String identifier;
+ private String name;
+
+ /**
+ * The name of the resource.
+ *
+ * @return The name of the resource
+ */
+ @ApiModelProperty("The name of the resource.")
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ /**
+ * The identifier of the resource.
+ *
+ * @return The identifier of the resource
+ */
+ @ApiModelProperty("The identifier of the resource.")
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ public void setIdentifier(String identifier) {
+ this.identifier = identifier;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/ResourcePermissions.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/ResourcePermissions.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/ResourcePermissions.java
new file mode 100644
index 0000000..78cd10e
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/ResourcePermissions.java
@@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.registry.authorization; + +import io.swagger.annotations.ApiModel; +import io.swagger.annotations.ApiModelProperty; + +@ApiModel("resourcePermissions") +public class ResourcePermissions { + + private Permissions buckets = new Permissions(); + private Permissions tenants = new Permissions(); + private Permissions policies = new Permissions(); + private Permissions proxy = new Permissions(); + + @ApiModelProperty("The access that the current user has to any top level resources (a logical 'OR' of all other values)") + public Permissions getAnyTopLevelResource() { + return new Permissions() + .withCanRead(buckets.getCanRead() + || tenants.getCanRead() + || policies.getCanRead() + || proxy.getCanRead()) + .withCanWrite(buckets.getCanWrite() + || tenants.getCanWrite() + || policies.getCanWrite() + || proxy.getCanWrite()) + .withCanDelete(buckets.getCanDelete() + || tenants.getCanDelete() + || policies.getCanDelete() + || proxy.getCanDelete()); + } + + @ApiModelProperty("The access that the current user has to the top level /buckets resource of this NiFi Registry (i.e., access to all buckets)") + public Permissions getBuckets() { + 
return buckets; + } + + public void setBuckets(Permissions buckets) { + this.buckets = buckets; + } + + @ApiModelProperty("The access that the current user has to the top level /tenants resource of this NiFi Registry") + public Permissions getTenants() { + return tenants; + } + + public void setTenants(Permissions tenants) { + this.tenants = tenants; + } + + @ApiModelProperty("The access that the current user has to the top level /policies resource of this NiFi Registry") + public Permissions getPolicies() { + return policies; + } + + public void setPolicies(Permissions policies) { + this.policies = policies; + } + + @ApiModelProperty("The access that the current user has to the top level /proxy resource of this NiFi Registry") + public Permissions getProxy() { + return proxy; + } + + public void setProxy(Permissions proxy) { + this.proxy = proxy; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + ResourcePermissions that = (ResourcePermissions) o; + + if (buckets != null ? !buckets.equals(that.buckets) : that.buckets != null) + return false; + if (tenants != null ? !tenants.equals(that.tenants) : that.tenants != null) + return false; + if (policies != null ? !policies.equals(that.policies) : that.policies != null) + return false; + return proxy != null ? proxy.equals(that.proxy) : that.proxy == null; + } + + @Override + public int hashCode() { + int result = buckets != null ? buckets.hashCode() : 0; + result = 31 * result + (tenants != null ? tenants.hashCode() : 0); + result = 31 * result + (policies != null ? policies.hashCode() : 0); + result = 31 * result + (proxy != null ? 
proxy.hashCode() : 0); + return result; + } + + @Override + public String toString() { + return "ResourcePermissions{" + + "buckets=" + buckets + + ", tenants=" + tenants + + ", policies=" + policies + + ", proxy=" + proxy + + '}'; + } +} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Tenant.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Tenant.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Tenant.java new file mode 100644 index 0000000..68c189e --- /dev/null +++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/Tenant.java 
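Review bot: `getAnyTopLevelResource()` dereferences `buckets`, `tenants`, `policies` and `proxy` unconditionally, while the four setters accept `null` and `equals()`/`hashCode()` are written to tolerate null fields. A caller or a deserialized payload that sets one of them to null will make this getter throw a NullPointerException, most likely during serialization since it is an annotated property. Either normalise in each setter, e.g. `this.buckets = buckets != null ? buckets : new Permissions();`, or reject null there, and then drop the null branches from `equals()` and `hashCode()` so the class has one consistent contract. A null here should never be read as "no access decided"; defaulting to an all-false `Permissions` keeps the summary fail-closed.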
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * A tenant of this NiFi Registry
+ */
+@ApiModel("tenant")
+public class Tenant {
+
+ private String identifier;
+ private String identity;
+ private Boolean configurable;
+ private ResourcePermissions resourcePermissions;
+ private Set<AccessPolicySummary> accessPolicies;
+
+ public Tenant() {}
+
+ public Tenant(String identifier, String identity) {
+ this.identifier = identifier;
+ this.identity = identity;
+ }
+
+ /**
+ * @return tenant's unique identifier
+ */
+ @ApiModelProperty(value = "The computer-generated identifier of the tenant.", readOnly = true)
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ public void setIdentifier(String identifier) {
+ this.identifier = identifier;
+ }
+
+ /**
+ * @return tenant's identity
+ */
+ @ApiModelProperty(value = "The human-facing identity of the tenant. This can only be changed if the tenant is configurable.")
+ public String getIdentity() {
+ return identity;
+ }
+
+ public void setIdentity(String identity) {
+ this.identity = identity;
+ }
+
+ @ApiModelProperty(value = "Indicates if this tenant is configurable, based on which UserGroupProvider has been configured to manage it.", readOnly = true)
+ public Boolean getConfigurable() {
+ return configurable;
+ }
+
+ public void setConfigurable(Boolean configurable) {
+ this.configurable = configurable;
+ }
+
+ @ApiModelProperty(
+ value = "A summary top-level resource access policies granted to this tenant.",
+ readOnly = true
+ )
+ public ResourcePermissions getResourcePermissions() {
+ return resourcePermissions;
+ }
+
+ public void setResourcePermissions(ResourcePermissions resourcePermissions) {
+ this.resourcePermissions = resourcePermissions;
+ }
+
+ @ApiModelProperty(
+ value = "The access policies granted to this tenant.",
+ readOnly = true
+ )
+ public Set<AccessPolicySummary> getAccessPolicies() {
+ return accessPolicies;
+ }
+
+ public void setAccessPolicies(Set<AccessPolicySummary> accessPolicies) {
+ this.accessPolicies = accessPolicies;
+ }
+
+ public void addAccessPolicies(Collection<AccessPolicySummary> accessPolicies) {
+ if (accessPolicies != null) {
+ if (this.accessPolicies == null) {
+ this.accessPolicies = new HashSet<>();
+ }
+ this.accessPolicies.addAll(accessPolicies);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/User.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/User.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/User.java
new file mode 100644
index 0000000..6a820ab
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/User.java
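Review bot: `resourcePermissions` and `accessPolicies` are marked `readOnly = true`, but that flag only affects the generated API documentation; the public setters remain, so a request body can still carry both fields. The resource code that accepts a `Tenant` is outside this hunk and should be checked to ignore or overwrite them, so that a client-supplied permission summary is never persisted or echoed back as if the server had computed it. A comment on the two setters such as `// server-populated; values sent by clients must be ignored` would make that contract explicit. Smaller points: the description reads "A summary top-level resource access policies" (missing "of"), and `addAccessPolicies` takes `Collection<AccessPolicySummary>` where the sibling `addUsers`/`addUserGroups` methods in this commit take a wildcard, so `Collection<? extends AccessPolicySummary>` would be consistent.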
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+@ApiModel("user")
+public class User extends Tenant {
+
+ private Set<Tenant> userGroups;
+
+ public User() {}
+
+ public User(String identifier, String identity) {
+ super(identifier, identity);
+ }
+
+ @ApiModelProperty(
+ value = "The groups to which the user belongs.",
+ readOnly = true
+ )
+ public Set<Tenant> getUserGroups() {
+ return userGroups;
+ }
+
+ public void setUserGroups(Set<Tenant> userGroups) {
+ this.userGroups = userGroups;
+ }
+
+ public void addUserGroups(Collection<? extends Tenant> userGroups) {
+ if (userGroups != null) {
+ if (this.userGroups == null) {
+ this.userGroups = new HashSet<>();
+ }
+ this.userGroups.addAll(userGroups);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/UserGroup.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/UserGroup.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/UserGroup.java
new file mode 100644
index 0000000..cc38c21
--- /dev/null
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/authorization/UserGroup.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.authorization;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * A user group, used to apply a single set of authorization policies to a group of users.
+ */
+@ApiModel("userGroup")
+public class UserGroup extends Tenant {
+
+ private Set<Tenant> users;
+ private Set<AccessPolicySummary> accessPolicies;
+
+ public UserGroup() {}
+
+ public UserGroup(String identifier, String identity) {
+ super(identifier, identity);
+ }
+
+ /**
+ * @return The users that belong to this user group.
+ */
+ @ApiModelProperty(value = "The users that belong to this user group. This can only be changed if this group is configurable.")
+ public Set<Tenant> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Set<Tenant> users) {
+ this.users = users;
+ }
+
+ public void addUsers(Collection<? extends Tenant> users) {
+ if (users != null) {
+ if (this.users == null) {
+ this.users = new HashSet<>();
+ }
+ this.users.addAll(users);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/Bucket.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/Bucket.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/Bucket.java
index 929972e..3c6a59d 100644
--- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/Bucket.java
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/Bucket.java
@@ -19,7 +19,7 @@ package org.apache.nifi.registry.bucket;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import org.apache.nifi.registry.link.LinkableEntity;
-import org.apache.nifi.registry.model.authorization.Permissions;
+import org.apache.nifi.registry.authorization.Permissions;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotBlank;
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/BucketItem.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/BucketItem.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/BucketItem.java
index 9d61a62..745bf81 100644
--- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/BucketItem.java
+++ b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/bucket/BucketItem.java
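Review bot: In UserGroup.java the field `private Set<AccessPolicySummary> accessPolicies;` is never read or written anywhere in the class. It also has the same name as the policy set that Tenant exposes: the Tenant removed by this commit declared `accessPolicies` with `getAccessPolicies()`/`setAccessPolicies()`, and presumably the relocated one still does. A second, always-null field of that name invites a later change that reads the wrong one when listing a group's policies, so I would delete the line. If it is kept on purpose, it needs a comment saying why it is separate from the inherited property.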
@@ -19,7 +19,7 @@ package org.apache.nifi.registry.bucket;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import org.apache.nifi.registry.link.LinkableEntity;
-import org.apache.nifi.registry.model.authorization.Permissions;
+import org.apache.nifi.registry.authorization.Permissions;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotBlank;
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicy.java
----------------------------------------------------------------------
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicy.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicy.java
deleted file mode 100644
index dffaa7f..0000000
--- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicy.java
+++ /dev/null
@@ -1,72 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -/** - * Access policy details, including the users and user groups to which the policy applies. - */ -@ApiModel("accessPolicy") -public class AccessPolicy extends AccessPolicySummary { - - private Set<Tenant> users; - private Set<Tenant> userGroups; - - @ApiModelProperty(value = "The set of user IDs associated with this access policy.") - public Set<Tenant> getUsers() { - return users; - } - - public void setUsers(Set<Tenant> users) { - this.users = users; - } - - public void addUsers(Collection<? 
extends Tenant> users) { - if (users != null) { - if (this.users == null) { - this.users = new HashSet<>(); - } - this.users.addAll(users); - } - } - - @ApiModelProperty(value = "The set of user group IDs associated with this access policy.") - public Set<Tenant> getUserGroups() { - return userGroups; - } - - public void setUserGroups(Set<Tenant> userGroups) { - this.userGroups = userGroups; - } - - public void addUserGroups(Collection<? extends Tenant> userGroups) { - if (userGroups != null) { - if (this.userGroups == null) { - this.userGroups = new HashSet<>(); - } - this.userGroups.addAll(userGroups); - } - } - -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicySummary.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicySummary.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicySummary.java deleted file mode 100644 index 662c999..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/AccessPolicySummary.java +++ /dev/null 
@@ -1,72 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -/** - * Access policy summary of which actions ("read', "write") are allowable for a specified web resource. - */ -@ApiModel("accessPolicySummary") -public class AccessPolicySummary { - - private String identifier; - private String resource; - private String action; - private Boolean configurable; - - @ApiModelProperty("The id of the policy. 
Set by server at creation time.") - public String getIdentifier() { - return identifier; - } - - public void setIdentifier(String identifier) { - this.identifier = identifier; - } - - @ApiModelProperty("The resource for this access policy.") - public String getResource() { - return resource; - } - - public void setResource(String resource) { - this.resource = resource; - } - - @ApiModelProperty( - value = "The action associated with this access policy.", - allowableValues = "READ, WRITE" - ) - public String getAction() { - return action; - } - - public void setAction(String action) { - this.action = action; - } - - @ApiModelProperty(value = "Indicates if this access policy is configurable, based on which Authorizer has been configured to manage it.", readOnly = true) - public Boolean getConfigurable() { - return configurable; - } - - public void setConfigurable(Boolean configurable) { - this.configurable = configurable; - } -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/CurrentUser.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/CurrentUser.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/CurrentUser.java deleted file mode 100644 index 7dbf932..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/CurrentUser.java +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -@ApiModel("currentUser") -public class CurrentUser { - - private String identity; - private boolean anonymous; - - private Permissions administrationPermissions; - private Permissions bucketsPermissions; - private Permissions tenantsPermissions; - private Permissions policiesPermissions; - private Permissions resourcesPermissions; - - @ApiModelProperty("The identity of the current user") - public String getIdentity() { - return identity; - } - - public void setIdentity(String identity) { - this.identity = identity; - } - - @ApiModelProperty("Indicates if the current user is anonymous") - public boolean isAnonymous() { - return anonymous; - } - - public void setAnonymous(boolean anonymous) { - this.anonymous = anonymous; - } - - @ApiModelProperty("The access that the current user has to the administration section of the NiFi Regsitry UI") - public Permissions getAdministrationPermissions() { - return administrationPermissions; - } - - public void setAdministrationPermissions(Permissions 
administrationPermissions) { - this.administrationPermissions = administrationPermissions; - } - - @ApiModelProperty("The access that the current user has to the top level /buckets resource of this NiFi Registry") - public Permissions getBucketsPermissions() { - return bucketsPermissions; - } - - public void setBucketsPermissions(Permissions bucketsPermissions) { - this.bucketsPermissions = bucketsPermissions; - } - - @ApiModelProperty("The access that the current user has to the top level /tenants resource of this NiFi Registry") - public Permissions getTenantsPermissions() { - return tenantsPermissions; - } - - public void setTenantsPermissions(Permissions tenantsPermissions) { - this.tenantsPermissions = tenantsPermissions; - } - - @ApiModelProperty("The access that the current user has to the top level /policies resource of this NiFi Registry") - public Permissions getPoliciesPermissions() { - return policiesPermissions; - } - - public void setPoliciesPermissions(Permissions policiesPermissions) { - this.policiesPermissions = policiesPermissions; - } - - @ApiModelProperty("The access that the current user has to the top level /resources resource of this NiFi Registry") - public Permissions getResourcesPermissions() { - return resourcesPermissions; - } - - public void setResourcesPermissions(Permissions resourcesPermissions) { - this.resourcesPermissions = resourcesPermissions; - } -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Permissions.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Permissions.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Permissions.java deleted file mode 100644 index 1dabc91..0000000 
--- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Permissions.java +++ /dev/null 
@@ -1,121 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -@ApiModel("permissions") -public class Permissions { - - private boolean canRead = false; - private boolean canWrite = false; - private boolean canDelete = false; - - public Permissions() { - } - - public Permissions(Permissions permissions) { - if (permissions == null) { - throw new IllegalArgumentException("Cannot call copy constructor with null argument"); - } - - this.canRead = permissions.getCanRead(); - this.canWrite = permissions.getCanWrite(); - this.canDelete = permissions.getCanDelete(); - } - - /** - * @return Indicates whether the user can read a given resource. - */ - @ApiModelProperty( - value = "Indicates whether the user can read a given resource.", - readOnly = true - ) - public boolean getCanRead() { - return canRead; - } - - public void setCanRead(boolean canRead) { - this.canRead = canRead; - } - - public Permissions withCanRead(boolean canRead) { - setCanRead(canRead); - return this; - } - - /** - * @return Indicates whether the user can write a given resource. 
- */ - @ApiModelProperty( - value = "Indicates whether the user can write a given resource.", - readOnly = true - ) - public boolean getCanWrite() { - return canWrite; - } - - public void setCanWrite(boolean canWrite) { - this.canWrite = canWrite; - } - - public Permissions withCanWrite(boolean canWrite) { - setCanWrite(canWrite); - return this; - } - - /** - * @return Indicates whether the user can delete a given resource. - */ - @ApiModelProperty( - value = "Indicates whether the user can delete a given resource.", - readOnly = true - ) - public boolean getCanDelete() { - return canDelete; - } - - public void setCanDelete(boolean canDelete) { - this.canDelete = canDelete; - } - - public Permissions withCanDelete(boolean canDelete) { - setCanDelete(canDelete); - return this; - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - - Permissions that = (Permissions) o; - - if (canRead != that.canRead) return false; - if (canWrite != that.canWrite) return false; - return canDelete == that.canDelete; - } - - @Override - public int hashCode() { - int result = (canRead ? 1 : 0); - result = 31 * result + (canWrite ? 1 : 0); - result = 31 * result + (canDelete ? 1 : 0); - return result; - } -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Resource.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Resource.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Resource.java deleted file mode 100644 index a428958..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Resource.java +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -@ApiModel("resource") -public class Resource { - - private String identifier; - private String name; - - /** - * The name of the resource. - * - * @return The name of the resource - */ - @ApiModelProperty("The name of the resource.") - public String getName() { - return name; - } - - public void setName(String name) { - this.name = name; - } - - /** - * The identifier of the resource. - * - * @return The identifier of the resource - */ - @ApiModelProperty("The identifier of the resource.") - public String getIdentifier() { - return identifier; - } - - public void setIdentifier(String identifier) { - this.identifier = identifier; - } - -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Tenant.java ---------------------------------------------------------------------- 
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Tenant.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Tenant.java deleted file mode 100644 index a40fc3e..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/Tenant.java +++ /dev/null 
@@ -1,98 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -/** - * A tenant of this NiFi Registry - */ -@ApiModel("tenant") -public class Tenant { - - private String identifier; - private String identity; - private Boolean configurable; - private Set<AccessPolicySummary> accessPolicies; - - public Tenant() {} - - public Tenant(String identifier, String identity) { - this.identifier = identifier; - this.identity = identity; - } - - /** - * @return tenant's unique identifier - */ - @ApiModelProperty(value = "The computer-generated identifier of the tenant.", readOnly = true) - public String getIdentifier() { - return identifier; - } - - public void setIdentifier(String identifier) { - this.identifier = identifier; - } - - /** - * @return tenant's identity - */ - @ApiModelProperty(value = "The human-facing identity of the tenant. 
This can only be changed if the tenant is configurable.") - public String getIdentity() { - return identity; - } - - public void setIdentity(String identity) { - this.identity = identity; - } - - @ApiModelProperty(value = "Indicates if this tenant is configurable, based on which UserGroupProvider has been configured to manage it.", readOnly = true) - public Boolean getConfigurable() { - return configurable; - } - - public void setConfigurable(Boolean configurable) { - this.configurable = configurable; - } - - @ApiModelProperty( - value = "The access policies granted to this tenant.", - readOnly = true - ) - public Set<AccessPolicySummary> getAccessPolicies() { - return accessPolicies; - } - - public void setAccessPolicies(Set<AccessPolicySummary> accessPolicies) { - this.accessPolicies = accessPolicies; - } - - public void addAccessPolicies(Collection<AccessPolicySummary> accessPolicies) { - if (accessPolicies != null) { - if (this.accessPolicies == null) { - this.accessPolicies = new HashSet<>(); - } - this.accessPolicies.addAll(accessPolicies); - } - } - -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/User.java ---------------------------------------------------------------------- diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/User.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/User.java deleted file mode 100644 index a477401..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/User.java +++ /dev/null 
@@ -1,58 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -@ApiModel("user") -public class User extends Tenant { - - private Set<Tenant> userGroups; - - public User() {} - - public User(String identifier, String identity) { - super(identifier, identity); - } - - @ApiModelProperty( - value = "The groups to which the user belongs.", - readOnly = true - ) - public Set<Tenant> getUserGroups() { - return userGroups; - } - - public void setUserGroups(Set<Tenant> userGroups) { - this.userGroups = userGroups; - } - - public void addUserGroups(Collection<? extends Tenant> userGroups) { - if (userGroups != null) { - if (this.userGroups == null) { - this.userGroups = new HashSet<>(); - } - this.userGroups.addAll(userGroups); - } - } - -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/UserGroup.java ---------------------------------------------------------------------- 
diff --git a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/UserGroup.java b/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/UserGroup.java deleted file mode 100644 index 1d59bdd..0000000 --- a/nifi-registry-data-model/src/main/java/org/apache/nifi/registry/model/authorization/UserGroup.java +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.registry.model.authorization; - -import io.swagger.annotations.ApiModel; -import io.swagger.annotations.ApiModelProperty; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -/** - * A user group, used to apply a single set of authorization policies to a group of users. - */ -@ApiModel("userGroup") -public class UserGroup extends Tenant { - - private Set<Tenant> users; - private Set<AccessPolicySummary> accessPolicies; - - public UserGroup() {} - - public UserGroup(String identifier, String identity) { - super(identifier, identity); - } - - /** - * @return The users that belong to this user group. - */ - @ApiModelProperty(value = "The users that belong to this user group. This can only be changed if this group is configurable.") - public Set<Tenant> getUsers() { - return users; - } - - public void setUsers(Set<Tenant> users) { - this.users = users; - } - - public void addUsers(Collection<? 
extends Tenant> users) { - if (users != null) { - if (this.users == null) { - this.users = new HashSet<>(); - } - this.users.addAll(users); - } - } - -} http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/AuthorizableLookup.java ---------------------------------------------------------------------- diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/AuthorizableLookup.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/AuthorizableLookup.java index 2cbe1af..2ba7227 100644 --- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/AuthorizableLookup.java +++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/AuthorizableLookup.java @@ -21,13 +21,6 @@ import org.apache.nifi.registry.security.authorization.resource.Authorizable; public interface AuthorizableLookup { /** - * Get the authorizable for retrieving resources. - * - * @return authorizable - */ - Authorizable getResourcesAuthorizable(); - - /** * Get the authorizable for /proxy. * * @return authorizable http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.java ---------------------------------------------------------------------- diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.java index 3d54c62..00d318a 100644 --- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.java 
+++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.java @@ -35,7 +35,7 @@ public class StandardAuthorizableLookup implements AuthorizableLookup { @Override public Resource getResource() { - return ResourceFactory.getTenantResource(); + return ResourceFactory.getTenantsResource(); } }; @@ -51,18 +51,6 @@ public class StandardAuthorizableLookup implements AuthorizableLookup { } }; - private static final Authorizable RESOURCES_AUTHORIZABLE = new Authorizable() { - @Override - public Authorizable getParentAuthorizable() { - return null; - } - - @Override - public Resource getResource() { - return ResourceFactory.getResourceResource(); - } - }; - private static final Authorizable BUCKETS_AUTHORIZABLE = new Authorizable() { @Override public Authorizable getParentAuthorizable() { @@ -88,11 +76,6 @@ public class StandardAuthorizableLookup implements AuthorizableLookup { }; @Override - public Authorizable getResourcesAuthorizable() { - return RESOURCES_AUTHORIZABLE; - } - - @Override public Authorizable getProxyAuthorizable() { return PROXY_AUTHORIZABLE; } @@ -164,9 +147,6 @@ public class StandardAuthorizableLookup implements AuthorizableLookup { case Policy: authorizable = getPoliciesAuthorizable(); break; - case Resource: - authorizable = getResourcesAuthorizable(); - break; case Tenant: authorizable = getTenantsAuthorizable(); break; http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java ---------------------------------------------------------------------- diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java index 8c3cab2..e4a03f3 100644 
--- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java +++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java @@ -34,7 +34,6 @@ import org.apache.nifi.registry.security.authorization.exception.UninheritableAu import org.apache.nifi.registry.security.authorization.file.generated.Authorizations; import org.apache.nifi.registry.security.authorization.file.generated.Policies; import org.apache.nifi.registry.security.authorization.file.generated.Policy; -import org.apache.nifi.registry.security.authorization.resource.ResourceType; import org.apache.nifi.registry.security.exception.SecurityProviderCreationException; import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException; import org.apache.nifi.registry.util.PropertyValue; @@ -117,7 +116,6 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide /* TODO - move this somewhere into nifi-registry-security-framework so it can be applied to any ConfigurableAccessPolicyProvider * (and also gets us away from requiring magic strings here) */ private static final ResourceActionPair[] INITIAL_ADMIN_ACCESS_POLICIES = { - new ResourceActionPair("/resources", READ_CODE), new ResourceActionPair("/tenants", READ_CODE), new ResourceActionPair("/tenants", WRITE_CODE), new ResourceActionPair("/tenants", DELETE_CODE), 
@@ -130,6 +128,13 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide new ResourceActionPair("/proxy", WRITE_CODE) }; + /* TODO - move this somewhere into nifi-registry-security-framework so it can be applied to any ConfigurableAccessPolicyProvider + * (and also gets us away from requiring magic strings here) */ + private static final ResourceActionPair[] NIFI_ACCESS_POLICIES = { + new ResourceActionPair("/buckets", READ_CODE), + new ResourceActionPair("/proxy", WRITE_CODE) + }; + static final String PROP_NIFI_IDENTITY_PREFIX = "NiFi Identity "; static final String PROP_USER_GROUP_PROVIDER = "User Group Provider"; static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File"; @@ -537,13 +542,15 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide */ private void populateNiFiIdentities(Authorizations authorizations) { for (String nifiIdentity : nifiIdentities) { - final User node = userGroupProvider.getUserByIdentity(nifiIdentity); - if (node == null) { + final User nifiUser = userGroupProvider.getUserByIdentity(nifiIdentity); + if (nifiUser == null) { throw new SecurityProviderCreationException("Unable to locate node " + nifiIdentity + " to seed policies."); } - // grant access to the proxy resource - addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE); + // grant access to the resources needed for initial nifi-proxy identities + for (ResourceActionPair resourceAction : NIFI_ACCESS_POLICIES) { + addUserToAccessPolicy(authorizations, resourceAction.resource, nifiUser.getIdentifier(), resourceAction.actionCode); + } } } http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceFactory.java ---------------------------------------------------------------------- 
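Review bot: The new `NIFI_ACCESS_POLICIES` table hard-codes `"/buckets"` and `"/proxy"`, while the same commit drops the `ResourceType` import that the old grant used (`ResourceType.Proxy.getValue()`), so the seeded grants can drift from the enum without a compile error. Keeping the import and writing `new ResourceActionPair(ResourceType.Bucket.getValue(), READ_CODE)` and `new ResourceActionPair(ResourceType.Proxy.getValue(), WRITE_CODE)` keeps the paths in one place. The comment above the table is a copy of the TODO on `INITIAL_ADMIN_ACCESS_POLICIES` and does not say what is granted. Because these privileges are seeded automatically for every configured identity, I would replace it with `/* Policies seeded for each "NiFi Identity N" property: WRITE on /proxy and READ on the top-level /buckets resource. */`.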
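Review bot: The exception text in `populateNiFiIdentities` still says "Unable to locate node", although the variable was renamed from `node` to `nifiUser` and the loop now seeds more than the proxy policy. An operator who hits this at startup gets no hint of which lookup failed; `"Unable to locate NiFi identity '" + nifiIdentity + "' in the User Group Provider to seed policies."` matches the failing call (`userGroupProvider.getUserByIdentity`). The method's Javadoc starts outside the hunk, so it is worth checking that it also mentions the new `/buckets` read grant.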
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceFactory.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceFactory.java index 7882708..b81b873 100644 --- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceFactory.java +++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceFactory.java @@ -74,24 +74,7 @@ public final class ResourceFactory { } }; - private final static Resource RESOURCE_RESOURCE = new Resource() { - @Override - public String getIdentifier() { - return ResourceType.Resource.getValue(); - } - - @Override - public String getName() { - return "Resources"; - } - - @Override - public String getSafeDescription() { - return "resources"; - } - }; - - private final static Resource TENANT_RESOURCE = new Resource() { + private final static Resource TENANTS_RESOURCE = new Resource() { @Override public String getIdentifier() { return ResourceType.Tenant.getValue(); @@ -99,7 +82,7 @@ public final class ResourceFactory { @Override public String getName() { - return "Tenant"; + return "Tenants"; } @Override @@ -136,21 +119,12 @@ public final class ResourceFactory { } /** - * Gets the Resource for detailing all available NiFi Resources. - * - * @return The Resource resource - */ - public static Resource getResourceResource() { - return RESOURCE_RESOURCE; - } - - /** * Gets the Resource for accessing Tenants which includes creating, modifying, and deleting Users and UserGroups. * * @return The Resource for accessing Tenants */ - public static Resource getTenantResource() { - return TENANT_RESOURCE; + public static Resource getTenantsResource() { + return TENANTS_RESOURCE; } /** 
@@ -213,7 +187,7 @@ public final class ResourceFactory { * @param name - Optional, the name of the subresource * @return A resource for this object */ - public static Resource getChildResource(final ResourceType parentResourceType, final String childIdentifier, final String name) { + private static Resource getChildResource(final ResourceType parentResourceType, final String childIdentifier, final String name) { Objects.requireNonNull(parentResourceType, "The base resource type must be specified."); Objects.requireNonNull(childIdentifier, "The child identifier identifier must be specified."); http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceType.java ---------------------------------------------------------------------- diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceType.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceType.java index a49d973..7274b56 100644 --- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceType.java +++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/ResourceType.java @@ -20,7 +20,6 @@ public enum ResourceType { Bucket("/buckets"), Policy("/policies"), Proxy("/proxy"), - Resource("/resources"), Tenant("/tenants"); final String value; http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/287cc41f/nifi-registry-framework/src/main/java/org/apache/nifi/registry/service/AuthorizationService.java ---------------------------------------------------------------------- 
diff --git a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/service/AuthorizationService.java b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/service/AuthorizationService.java index 3bb29fb..f3e9c40 100644 --- a/nifi-registry-framework/src/main/java/org/apache/nifi/registry/service/AuthorizationService.java +++ b/nifi-registry-framework/src/main/java/org/apache/nifi/registry/service/AuthorizationService.java @@ -17,14 +17,15 @@ package org.apache.nifi.registry.service; import org.apache.nifi.registry.bucket.Bucket; -import org.apache.nifi.registry.model.authorization.AccessPolicy; -import org.apache.nifi.registry.model.authorization.AccessPolicySummary; -import org.apache.nifi.registry.model.authorization.CurrentUser; -import org.apache.nifi.registry.model.authorization.Permissions; -import org.apache.nifi.registry.model.authorization.Resource; -import org.apache.nifi.registry.model.authorization.Tenant; -import org.apache.nifi.registry.model.authorization.User; -import org.apache.nifi.registry.model.authorization.UserGroup; +import org.apache.nifi.registry.authorization.AccessPolicy; +import org.apache.nifi.registry.authorization.AccessPolicySummary; +import org.apache.nifi.registry.authorization.CurrentUser; +import org.apache.nifi.registry.authorization.Permissions; +import org.apache.nifi.registry.authorization.Resource; +import org.apache.nifi.registry.authorization.Tenant; +import org.apache.nifi.registry.authorization.ResourcePermissions; +import org.apache.nifi.registry.authorization.User; +import org.apache.nifi.registry.authorization.UserGroup; import org.apache.nifi.registry.security.authorization.AccessPolicyProvider; import org.apache.nifi.registry.security.authorization.AccessPolicyProviderInitializationContext; import org.apache.nifi.registry.security.authorization.AuthorizableLookup; 
@@ -110,25 +111,7 @@ public class AuthorizationService { final CurrentUser currentUser = new CurrentUser(); currentUser.setIdentity(user.getIdentity()); currentUser.setAnonymous(user.isAnonymous()); - - final Permissions bucketsPermissions = getPermissionsForResource(authorizableLookup.getBucketsAuthorizable()); - currentUser.setBucketsPermissions(bucketsPermissions); - - final Permissions policiesPermissions = getPermissionsForResource(authorizableLookup.getPoliciesAuthorizable()); - currentUser.setPoliciesPermissions(policiesPermissions); - - final Permissions tenantsPermissions = getPermissionsForResource(authorizableLookup.getTenantsAuthorizable()); - currentUser.setTenantsPermissions(tenantsPermissions); - - final Permissions resourcesPermissions = getPermissionsForResource(authorizableLookup.getResourcesAuthorizable()); - currentUser.setResourcesPermissions(resourcesPermissions); - - final Permissions administrationPermissions = new Permissions() - .withCanRead(bucketsPermissions.getCanRead() || tenantsPermissions.getCanRead() || policiesPermissions.getCanRead()) - .withCanWrite(bucketsPermissions.getCanWrite() || tenantsPermissions.getCanWrite() || policiesPermissions.getCanWrite()) - .withCanDelete(bucketsPermissions.getCanDelete() || tenantsPermissions.getCanDelete() || policiesPermissions.getCanDelete()); - currentUser.setAdministrationPermissions(administrationPermissions); - + currentUser.setResourcePermissions(getTopLevelPermissions()); return currentUser; } 
@@ -164,6 +147,26 @@ public class AuthorizationService { return permissions; } + private ResourcePermissions getTopLevelPermissions() { + + NiFiUser user = NiFiUserUtils.getNiFiUser(); + ResourcePermissions resourcePermissions = new ResourcePermissions(); + + final Permissions bucketsPermissions = getPermissionsForResource(authorizableLookup.getBucketsAuthorizable()); + resourcePermissions.setBuckets(bucketsPermissions); + + final Permissions policiesPermissions = getPermissionsForResource(authorizableLookup.getPoliciesAuthorizable()); + resourcePermissions.setPolicies(policiesPermissions); + + final Permissions tenantsPermissions = getPermissionsForResource(authorizableLookup.getTenantsAuthorizable()); + resourcePermissions.setTenants(tenantsPermissions); + + final Permissions proxyPermissions = getPermissionsForResource(authorizableLookup.getProxyAuthorizable()); + resourcePermissions.setProxy(proxyPermissions); + + return resourcePermissions; + } + // ---------------------- User methods ---------------------------------------------- public User createUser(User user) { 
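Review bot: In the new no-argument `getTopLevelPermissions()`, `NiFiUser user = NiFiUserUtils.getNiFiUser();` is assigned and never read; none of the four `getPermissionsForResource(...)` calls receives it. Drop the line, or pass the user explicitly if the intent was to pin all four checks to one identity. A short Javadoc would also distinguish this overload from the `String tenantIdentifier` one added later in the file, for example `/** Top-level resource permissions of the user making the current request. */`. That wording assumes `getPermissionsForResource(Authorizable)` resolves the caller itself, which this hunk does not show.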
@@ -442,6 +445,46 @@ public class AuthorizationService { } } + private ResourcePermissions getTopLevelPermissions(String tenantIdentifier) { + ResourcePermissions resourcePermissions = new ResourcePermissions(); + + final Permissions bucketsPermissions = getPermissionsForResource(tenantIdentifier, ResourceFactory.getBucketsResource()); + resourcePermissions.setBuckets(bucketsPermissions); + + final Permissions policiesPermissions = getPermissionsForResource(tenantIdentifier, ResourceFactory.getPoliciesResource()); + resourcePermissions.setPolicies(policiesPermissions); + + final Permissions tenantsPermissions = getPermissionsForResource(tenantIdentifier, ResourceFactory.getTenantsResource()); + resourcePermissions.setTenants(tenantsPermissions); + + final Permissions proxyPermissions = getPermissionsForResource(tenantIdentifier, ResourceFactory.getProxyResource()); + resourcePermissions.setProxy(proxyPermissions); + + return resourcePermissions; + } + + private Permissions getPermissionsForResource(String tenantIdentifier, org.apache.nifi.registry.security.authorization.Resource resource) { + + Permissions permissions = new Permissions(); + permissions.setCanRead(checkTenantBelongsToPolicy(tenantIdentifier, resource, RequestAction.READ)); + permissions.setCanWrite(checkTenantBelongsToPolicy(tenantIdentifier, resource, RequestAction.WRITE)); + permissions.setCanDelete(checkTenantBelongsToPolicy(tenantIdentifier, resource, RequestAction.DELETE)); + return permissions; + + } + + private boolean checkTenantBelongsToPolicy(String tenantIdentifier, org.apache.nifi.registry.security.authorization.Resource resource, RequestAction action) { + org.apache.nifi.registry.security.authorization.AccessPolicy policy = + accessPolicyProvider.getAccessPolicy(resource.getIdentifier(), action); + + if (policy == null) { + return false; + } + + boolean tenantInPolicy = policy.getUsers().contains(tenantIdentifier) || policy.getGroups().contains(tenantIdentifier); + return 
tenantInPolicy; + } + private List<org.apache.nifi.registry.security.authorization.Resource> getAuthorizableResources() { return getAuthorizableResources(null); } @@ -454,14 +497,11 @@ public class AuthorizationService { resources.add(ResourceFactory.getPoliciesResource()); } if (includeFilter == null || includeFilter.equals(ResourceType.Tenant)) { - resources.add(ResourceFactory.getTenantResource()); + resources.add(ResourceFactory.getTenantsResource()); } if (includeFilter == null || includeFilter.equals(ResourceType.Proxy)) { resources.add(ResourceFactory.getProxyResource()); } - if (includeFilter == null || includeFilter.equals(ResourceType.Resource)) { - resources.add(ResourceFactory.getResourceResource()); - } if (includeFilter == null || includeFilter.equals(ResourceType.Bucket)) { resources.add(ResourceFactory.getBucketsResource()); // add all buckets @@ -473,7 +513,7 @@ public class AuthorizationService { return resources; } - private org.apache.nifi.registry.model.authorization.User userToDTO( + private User userToDTO( final org.apache.nifi.registry.security.authorization.User user) { if (user == null) { return null; @@ -488,12 +528,13 @@ public class AuthorizationService { User userDTO = new User(user.getIdentifier(), user.getIdentity()); userDTO.setConfigurable(AuthorizerCapabilityDetection.isUserConfigurable(authorizer, user)); + userDTO.setResourcePermissions(getTopLevelPermissions(userDTO.getIdentifier())); userDTO.addUserGroups(groupsContainingUser); userDTO.addAccessPolicies(accessPolicySummaries); return userDTO; } - private org.apache.nifi.registry.model.authorization.UserGroup userGroupToDTO( + private UserGroup userGroupToDTO( final org.apache.nifi.registry.security.authorization.Group userGroup) { if (userGroup == null) { return null; 
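Review bot: `checkTenantBelongsToPolicy` reports direct membership only: it tests whether `tenantIdentifier` appears in `policy.getUsers()` or `policy.getGroups()`, so a user whose access comes through a group gets false for every flag. The result is attached to the `User` and `UserGroup` DTOs (the `userToDTO` hunk below and `userGroupToDTO` in the next one) as a read-only summary. An administrator auditing a user could therefore see less access than is effectively granted, if the authorizer honours group membership, and the summary can differ from what `getTopLevelPermissions()` shows for the same user. Either resolve the user's groups before the check or document the limit, e.g. `/** Checks direct membership only; access a user inherits from a group is not reflected. */`. The same identifier is also matched against both the user set and the group set, which is only safe if the two id spaces never collide.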
@@ -505,12 +546,13 @@ public class AuthorizationService { UserGroup userGroupDTO = new UserGroup(userGroup.getIdentifier(), userGroup.getName()); userGroupDTO.setConfigurable(AuthorizerCapabilityDetection.isGroupConfigurable(authorizer, userGroup)); + userGroupDTO.setResourcePermissions(getTopLevelPermissions(userGroupDTO.getIdentifier())); userGroupDTO.addUsers(userTenants); userGroupDTO.addAccessPolicies(accessPolicySummaries); return userGroupDTO; } - private org.apache.nifi.registry.model.authorization.AccessPolicy accessPolicyToDTO( + private AccessPolicy accessPolicyToDTO( final org.apache.nifi.registry.security.authorization.AccessPolicy accessPolicy) { if (accessPolicy == null) { return null; @@ -541,7 +583,7 @@ public class AuthorizationService { } } - private org.apache.nifi.registry.model.authorization.AccessPolicySummary accessPolicyToSummaryDTO( + private AccessPolicySummary accessPolicyToSummaryDTO( final org.apache.nifi.registry.security.authorization.AccessPolicy accessPolicy) { if (accessPolicy == null) { return null; @@ -584,7 +626,7 @@ public class AuthorizationService { } private static org.apache.nifi.registry.security.authorization.User userFromDTO( - final org.apache.nifi.registry.model.authorization.User userDTO) { + final User userDTO) { if (userDTO == null) { return null; } @@ -595,7 +637,7 @@ public class AuthorizationService { } private static org.apache.nifi.registry.security.authorization.Group userGroupFromDTO( - final org.apache.nifi.registry.model.authorization.UserGroup userGroupDTO) { + final UserGroup userGroupDTO) { if (userGroupDTO == null) { return null; } 
@@ -610,7 +652,7 @@ public class AuthorizationService { } private static org.apache.nifi.registry.security.authorization.AccessPolicy accessPolicyFromDTO( - final org.apache.nifi.registry.model.authorization.AccessPolicy accessPolicyDTO) { + final AccessPolicy accessPolicyDTO) { org.apache.nifi.registry.security.authorization.AccessPolicy.Builder accessPolicyBuilder = new org.apache.nifi.registry.security.authorization.AccessPolicy.Builder() .identifier(accessPolicyDTO.getIdentifier() != null ? accessPolicyDTO.getIdentifier() : UUID.randomUUID().toString()) @@ -630,7 +672,7 @@ public class AuthorizationService { return accessPolicyBuilder.build(); } - private static org.apache.nifi.registry.model.authorization.AccessPolicy accessPolicyToDTO( + private static AccessPolicy accessPolicyToDTO( final org.apache.nifi.registry.security.authorization.AccessPolicy accessPolicy, final Collection<? extends Tenant> userGroups, final Collection<? extends Tenant> users,
