This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 40014486a4 NIFI-11492 Allow authorization to proceed based on request
groups even if user does not exist
40014486a4 is described below
commit 40014486a408c2676afecad9d20b8c130a4bc8d1
Author: Bryan Bende <[email protected]>
AuthorDate: Thu Jun 22 12:08:00 2023 -0400
NIFI-11492 Allow authorization to proceed based on request groups even if
user does not exist
This closes #7425
Signed-off-by: David Handermann <[email protected]>
---
.../authorization/StandardManagedAuthorizer.java | 23 ++++++---
.../StandardManagedAuthorizerTest.java | 59 +++++++++++++++++++---
2 files changed, 69 insertions(+), 13 deletions(-)
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
index d115794fd7..09277642cd 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/main/java/org/apache/nifi/authorization/StandardManagedAuthorizer.java
@@ -87,11 +87,6 @@ public class StandardManagedAuthorizer implements
ManagedAuthorizer {
final UserAndGroups userAndGroups =
userGroupProvider.getUserAndGroups(request.getIdentity());
- final User user = userAndGroups.getUser();
- if (user == null) {
- return AuthorizationResult.denied(String.format("Unknown user with
identity '%s'.", request.getIdentity()));
- }
-
// combine groups from incoming request with groups from UserAndGroups
because the request may contain groups from
// an external identity provider and the membership may not be
maintained with in any of the UserGroupProviders
@@ -100,9 +95,9 @@ public class StandardManagedAuthorizer implements
ManagedAuthorizer {
final Set<Group> allGroups = new HashSet<>();
allGroups.addAll(userGroups == null ? Collections.emptySet() :
userGroups);
- allGroups.addAll(requestGroups == null ? Collections.emptySet() :
requestGroups);
+ allGroups.addAll(requestGroups);
- if (policy.getUsers().contains(user.getIdentifier()) ||
containsGroup(allGroups, policy)) {
+ if (containsUser(userAndGroups.getUser(), policy) ||
containsGroup(allGroups, policy)) {
return AuthorizationResult.approved();
}
@@ -147,6 +142,20 @@ public class StandardManagedAuthorizer implements
ManagedAuthorizer {
return false;
}
+ /**
+ * Determines if the policy contains the user's identifier.
+ *
+ * @param user the user
+ * @param policy the policy
+ * @return true if the user is non-null and the user's identifies is
contained in the policy's users
+ */
+ private boolean containsUser(final User user, final AccessPolicy policy) {
+ if (user == null || policy.getUsers().isEmpty()) {
+ return false;
+ }
+ return policy.getUsers().contains(user.getIdentifier());
+ }
+
@Override
public String getFingerprint() throws AuthorizationAccessException {
XMLStreamWriter writer = null;
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
index ac419ddd6a..d3a6855881 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization-providers/src/test/java/org/apache/nifi/authorization/StandardManagedAuthorizerTest.java
@@ -366,6 +366,59 @@ public class StandardManagedAuthorizerTest {
assertEquals(AuthorizationResult.approved(),
managedAuthorizer.authorize(request));
}
+ @Test
+ public void
testAuthorizationByRequestGroupsAndUserNotInUserGroupProvider() {
+ final String userIdentity = "userIdentity1";
+ final String groupIdentifier = "groupIdentifier1";
+
+ // group membership will come from the groups on the request
+ final Group group = new Group.Builder()
+ .identifier(groupIdentifier)
+ .name(groupIdentifier)
+ .build();
+
+ final AccessPolicy policy = new AccessPolicy.Builder()
+ .identifier("1")
+ .resource(TEST_RESOURCE.getIdentifier())
+ .addGroup(groupIdentifier)
+ .action(RequestAction.READ)
+ .build();
+
+ final ConfigurableUserGroupProvider userGroupProvider =
mock(ConfigurableUserGroupProvider.class);
+ when(userGroupProvider.getUserAndGroups(userIdentity)).thenReturn(new
UserAndGroups() {
+ // user does not exist in UGP
+ @Override
+ public User getUser() {
+ return null;
+ }
+
+ // no groups for the user in the UGP, groups come from request
+ @Override
+ public Set<Group> getGroups() {
+ return Collections.emptySet();
+ }
+ });
+
+ final ConfigurableAccessPolicyProvider accessPolicyProvider =
mock(ConfigurableAccessPolicyProvider.class);
+
when(accessPolicyProvider.getAccessPolicy(TEST_RESOURCE.getIdentifier(),
RequestAction.READ)).thenReturn(policy);
+
when(accessPolicyProvider.getUserGroupProvider()).thenReturn(userGroupProvider);
+
when(userGroupProvider.getGroupByName(group.getName())).thenReturn(group);
+
+ // simulate groups being passed in on request from NiFiUser
getAllGroups()
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .identity(userIdentity)
+ .groups(Collections.singleton(group.getName()))
+ .resource(TEST_RESOURCE)
+ .action(RequestAction.READ)
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+ final StandardManagedAuthorizer managedAuthorizer =
getStandardManagedAuthorizer(accessPolicyProvider);
+ assertEquals(AuthorizationResult.approved(),
managedAuthorizer.authorize(request));
+ }
+
+
@Test
public void testResourceNotFound() {
final String userIdentity = "userIdentity1";
@@ -391,14 +444,8 @@ public class StandardManagedAuthorizerTest {
@Test
public void testUnauthorizedDueToUnknownUser() {
final String userIdentifier = "userIdentifier1";
- final String userIdentity = "userIdentity1";
final String notUser1Identity = "not userIdentity1";
- final User user = new User.Builder()
- .identity(userIdentity)
- .identifier(userIdentifier)
- .build();
-
final AccessPolicy policy = new AccessPolicy.Builder()
.identifier("1")
.resource(TEST_RESOURCE.getIdentifier())