Repository: nifi Updated Branches: refs/heads/master 478e34082 -> 98cd9ad53
NIFI-4885: - Updating the versioning endpoints to account for the granular access restrictions. This closes #2573. Signed-off-by: Bryan Bende <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/98cd9ad5 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/98cd9ad5 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/98cd9ad5 Branch: refs/heads/master Commit: 98cd9ad531433adecbe6b591035d71e92c6e0a26 Parents: 478e340 Author: Matt Gilman <[email protected]> Authored: Wed Mar 21 10:23:49 2018 -0400 Committer: Bryan Bende <[email protected]> Committed: Wed Mar 21 11:45:13 2018 -0400 ---------------------------------------------------------------------- .../nifi/authorization/AuthorizableLookup.java | 10 +++ .../StandardAuthorizableLookup.java | 7 ++- .../nifi/registry/flow/FlowRegistryUtils.java | 14 +++-- .../nifi/web/api/ProcessGroupResource.java | 10 +-- .../apache/nifi/web/api/VersionsResource.java | 64 ++++++++++---------- 5 files changed, 63 insertions(+), 42 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/98cd9ad5/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java index 3f95656..363f0a5 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizableLookup.java @@ -17,6 +17,7 @@ package org.apache.nifi.authorization; import org.apache.nifi.authorization.resource.Authorizable; +import org.apache.nifi.components.ConfigurableComponent; import org.apache.nifi.components.RequiredPermission; import org.apache.nifi.web.api.dto.BundleDTO; import org.apache.nifi.web.api.dto.FlowSnippetDTO; @@ -42,6 +43,15 @@ public interface AuthorizableLookup { ComponentAuthorizable getConfigurableComponent(String type, BundleDTO bundle); /** + * Get the authorizable for the given ConfigurableComponent. This will use a dummy instance of + * the component. + * + * @param configurableComponent the configurable component + * @return authorizable + */ + ComponentAuthorizable getConfigurableComponent(ConfigurableComponent configurableComponent); + + /** * Get the authorizable Processor. * * @param id processor id http://git-wip-us.apache.org/repos/asf/nifi/blob/98cd9ad5/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java index 42b3a55..d70d5fa 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/StandardAuthorizableLookup.java 
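Review bot: The Javadoc added for `getConfigurableComponent(ConfigurableComponent)` says it "will use a dummy instance of the component", which reads as carried over from the `(String type, BundleDTO bundle)` overload; this overload wraps an instance the caller already holds. Because the result is used for authorization decisions, I would reword the summary to `Get the authorizable for the given ConfigurableComponent instance.` and replace the bare `@return authorizable` with `@return authorizable wrapping the given component`. The StandardAuthorizableLookup implementation in this commit throws `AccessDeniedException` when the wrapper cannot be created, so a matching `@throws AccessDeniedException if the authorizable cannot be created` line belongs here as well.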
@@ -181,8 +181,13 @@ class StandardAuthorizableLookup implements AuthorizableLookup { @Override public ComponentAuthorizable getConfigurableComponent(final String type, final BundleDTO bundle) { + final ConfigurableComponent configurableComponent = controllerFacade.getTemporaryComponent(type, bundle); + return getConfigurableComponent(configurableComponent); + } + + @Override + public ComponentAuthorizable getConfigurableComponent(ConfigurableComponent configurableComponent) { try { - final ConfigurableComponent configurableComponent = controllerFacade.getTemporaryComponent(type, bundle); return new ConfigurableComponentAuthorizable(configurableComponent); } catch (final Exception e) { throw new AccessDeniedException("Unable to create component to verify if it references any Controller Services."); http://git-wip-us.apache.org/repos/asf/nifi/blob/98cd9ad5/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/registry/flow/FlowRegistryUtils.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/registry/flow/FlowRegistryUtils.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/registry/flow/FlowRegistryUtils.java index b1da06a..1125d9c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/registry/flow/FlowRegistryUtils.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/registry/flow/FlowRegistryUtils.java @@ -17,9 +17,6 @@ package org.apache.nifi.registry.flow; -import java.util.HashSet; -import java.util.Set; - import org.apache.nifi.annotation.behavior.Restricted; import org.apache.nifi.bundle.BundleCoordinate; import org.apache.nifi.components.ConfigurableComponent; 
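Review bot: In `getConfigurableComponent(String, BundleDTO)` the call to `controllerFacade.getTemporaryComponent(type, bundle)` now sits outside any try/catch, so a failure to instantiate the requested type is no longer translated into `AccessDeniedException` as it was before the change. The request still fails, but presumably with a different status and error body than the access-denied path, which matters for an endpoint that takes the type and bundle from the request. If the old fail-closed translation is intended, keep the facade call inside its own try in this overload, as sketched below. Separately, the catch that remains in the new overload discards `e`, and the new parameter is not `final` like the parameters of the other overload. The closing of the catch block and of the method lie outside the hunk.

```java
@Override
public ComponentAuthorizable getConfigurableComponent(final String type, final BundleDTO bundle) {
    final ConfigurableComponent configurableComponent;
    try {
        configurableComponent = controllerFacade.getTemporaryComponent(type, bundle);
    } catch (final Exception e) {
        // keep the previous behaviour: an uninstantiable type is reported as access denied
        throw new AccessDeniedException("Unable to create component to verify if it references any Controller Services.");
    }
    return getConfigurableComponent(configurableComponent);
}

// … unchanged: getConfigurableComponent(ConfigurableComponent) overload …
```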
@@ -28,9 +25,14 @@ import org.apache.nifi.util.Tuple; import org.apache.nifi.web.NiFiCoreException; import org.apache.nifi.web.api.dto.BundleDTO; +import java.util.HashSet; +import java.util.Set; + public class FlowRegistryUtils { - public static boolean containsRestrictedComponent(final VersionedProcessGroup group) { + public static Set<ConfigurableComponent> getRestrictedComponents(final VersionedProcessGroup group) { + final Set<ConfigurableComponent> restrictedComponents = new HashSet<>(); + final Set<Tuple<String, BundleCoordinate>> componentTypes = new HashSet<>(); populateComponentTypes(group, componentTypes); @@ -42,11 +44,11 @@ public class FlowRegistryUtils { final boolean isRestricted = component.getClass().isAnnotationPresent(Restricted.class); if (isRestricted) { - return true; + restrictedComponents.add(component); } } - return false; + return restrictedComponents; } private static void populateComponentTypes(final VersionedProcessGroup group, final Set<Tuple<String, BundleCoordinate>> componentTypes) { http://git-wip-us.apache.org/repos/asf/nifi/blob/98cd9ad5/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java index ce266da..2cbcf56 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProcessGroupResource.java 
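Review bot: `getRestrictedComponents` is public and static and now feeds the per-component authorization in ProcessGroupResource and VersionsResource, yet it carries no Javadoc describing what the returned set holds. I would add one stating that it returns the component instances found in the group whose class is annotated with `@Restricted` (an empty set when there are none), since callers authorize against each element. How the `component` instances are obtained lies between the two hunks and is not visible, so whether they are temporary instances should be confirmed and stated in the same comment. Renaming the public method from `containsRestrictedComponent` also breaks any caller outside this commit; the three call sites visible in the diff are updated.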
@@ -40,6 +40,7 @@ import org.apache.nifi.authorization.user.NiFiUserDetails; import org.apache.nifi.authorization.user.NiFiUserUtils; import org.apache.nifi.bundle.BundleCoordinate; import org.apache.nifi.cluster.manager.NodeResponse; +import org.apache.nifi.components.ConfigurableComponent; import org.apache.nifi.connectable.ConnectableType; import org.apache.nifi.controller.ScheduledState; import org.apache.nifi.controller.serialization.FlowEncodingVersion; @@ -1689,10 +1690,11 @@ public class ProcessGroupResource extends ApplicationResource { // for write access to the RestrictedComponents resource final VersionedFlowSnapshot versionedFlowSnapshot = requestProcessGroupEntity.getVersionedFlowSnapshot(); if (versionedFlowSnapshot != null) { - final boolean containsRestrictedComponent = FlowRegistryUtils.containsRestrictedComponent(versionedFlowSnapshot.getFlowContents()); - if (containsRestrictedComponent) { - lookup.getRestrictedComponents().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); - } + final Set<ConfigurableComponent> restrictedComponents = FlowRegistryUtils.getRestrictedComponents(versionedFlowSnapshot.getFlowContents()); + restrictedComponents.forEach(restrictedComponent -> { + final ComponentAuthorizable restrictedComponentAuthorizable = lookup.getConfigurableComponent(restrictedComponent); + authorizeRestrictions(authorizer, restrictedComponentAuthorizable); + }); } }, () -> { http://git-wip-us.apache.org/repos/asf/nifi/blob/98cd9ad5/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/VersionsResource.java ---------------------------------------------------------------------- 
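Review bot: The context comment directly above the changed lines still ends with `// for write access to the RestrictedComponents resource`, but the new code no longer authorizes that single resource; it calls `authorizeRestrictions(authorizer, restrictedComponentAuthorizable)` once per restricted component. I would update the comment to something like `// for access to the specific restrictions of each restricted component in the snapshot`. The same four-line `forEach` block is repeated verbatim in both VersionsResource hunks (at -1113 and -1269), and since this is an authorization check a single shared helper taking the `VersionedProcessGroup`, `authorizer` and `lookup` would keep the three call sites from drifting apart. `authorizeRestrictions` is not defined anywhere in this diff, so it is presumably inherited from ApplicationResource. The enclosing lambda starts and ends outside the hunk.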
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/VersionsResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/VersionsResource.java index 6286ce7..f1a0053 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/VersionsResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/VersionsResource.java 
@@ -17,31 +17,23 @@ package org.apache.nifi.web.api; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.DefaultValue; -import javax.ws.rs.GET; -import javax.ws.rs.HttpMethod; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.MultivaluedHashMap; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.Response.Status; - +import io.swagger.annotations.Api; +import io.swagger.annotations.ApiOperation; +import io.swagger.annotations.ApiParam; +import io.swagger.annotations.ApiResponse; +import io.swagger.annotations.ApiResponses; +import io.swagger.annotations.Authorization; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.authorization.AccessDeniedException; import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.ComponentAuthorizable; import org.apache.nifi.authorization.ProcessGroupAuthorizable; import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.resource.Authorizable; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.authorization.user.NiFiUserUtils; import org.apache.nifi.cluster.manager.NodeResponse; +import org.apache.nifi.components.ConfigurableComponent; import org.apache.nifi.controller.FlowController; import org.apache.nifi.controller.ScheduledState; import org.apache.nifi.controller.service.ControllerServiceState; 
@@ -85,6 +77,21 @@ import org.apache.nifi.web.util.LifecycleManagementException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.HttpMethod; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.MultivaluedHashMap; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.Response.Status; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; @@ -100,13 +107,6 @@ import java.util.concurrent.TimeUnit; import java.util.function.Consumer; import java.util.stream.Collectors; -import io.swagger.annotations.Api; -import io.swagger.annotations.ApiOperation; -import io.swagger.annotations.ApiParam; -import io.swagger.annotations.ApiResponse; -import io.swagger.annotations.ApiResponses; -import io.swagger.annotations.Authorization; - @Path("/versions") @Api(value = "/versions", description = "Endpoint for managing version control for a flow") public class VersionsResource extends ApplicationResource { 
@@ -1113,10 +1113,11 @@ public class VersionsResource extends ApplicationResource { authorizeProcessGroup(groupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, false, true, true); final VersionedProcessGroup groupContents = flowSnapshot.getFlowContents(); - final boolean containsRestrictedComponents = FlowRegistryUtils.containsRestrictedComponent(groupContents); - if (containsRestrictedComponents) { - lookup.getRestrictedComponents().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); - } + final Set<ConfigurableComponent> restrictedComponents = FlowRegistryUtils.getRestrictedComponents(groupContents); + restrictedComponents.forEach(restrictedComponent -> { + final ComponentAuthorizable restrictedComponentAuthorizable = lookup.getConfigurableComponent(restrictedComponent); + authorizeRestrictions(authorizer, restrictedComponentAuthorizable); + }); }, () -> { // Step 3: Verify that all components in the snapshot exist on all nodes @@ -1269,10 +1270,11 @@ public class VersionsResource extends ApplicationResource { authorizeProcessGroup(groupAuthorizable, authorizer, lookup, RequestAction.WRITE, true, false, true, true); final VersionedProcessGroup groupContents = flowSnapshot.getFlowContents(); - final boolean containsRestrictedComponents = FlowRegistryUtils.containsRestrictedComponent(groupContents); - if (containsRestrictedComponents) { - lookup.getRestrictedComponents().authorize(authorizer, RequestAction.WRITE, NiFiUserUtils.getNiFiUser()); - } + final Set<ConfigurableComponent> restrictedComponents = FlowRegistryUtils.getRestrictedComponents(groupContents); + restrictedComponents.forEach(restrictedComponent -> { + final ComponentAuthorizable restrictedComponentAuthorizable = lookup.getConfigurableComponent(restrictedComponent); + authorizeRestrictions(authorizer, restrictedComponentAuthorizable); + }); }, () -> { // Step 3: Verify that all components in the snapshot exist on all nodes
