This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 15c3bdeac1 NIFI-12252 Removed Legacy FileAuthorizer
15c3bdeac1 is described below

commit 15c3bdeac1a0c08a0dcc0d4ed05ffc554abed6b1
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Oct 19 15:08:27 2023 -0500

    NIFI-12252 Removed Legacy FileAuthorizer
    
    - Removed Legacy Authorized Users File property from FileUserGroupProvider
    - Removed unused methods from FileAccessPolicyProvider and 
FileUserGroupProvider
    
    Signed-off-by: Pierre Villard <[email protected]>
    
    This closes #7910.
---
 .../authorization/FileAccessPolicyProvider.java    |  134 +--
 .../apache/nifi/authorization/FileAuthorizer.java  |  273 -----
 .../nifi/authorization/FileUserGroupProvider.java  |   79 +-
 .../java/org/apache/nifi/authorization/Role.java   |   30 -
 .../nifi/authorization/RoleAccessPolicy.java       |  113 --
 .../org.apache.nifi.authorization.Authorizer       |   15 -
 .../src/main/xsd/legacy-users.xsd                  |   64 -
 .../nifi/authorization/FileAuthorizerTest.java     | 1245 --------------------
 .../test/resources/authorized-users-multirole.xml  |   21 -
 .../test/resources/authorized-users-with-dns.xml   |   35 -
 .../src/test/resources/authorized-users.xml        |   35 -
 .../src/main/resources/conf/authorizers.xml        |   57 +-
 12 files changed, 27 insertions(+), 2074 deletions(-)

diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
index 0d2ada3beb..3e6ce2436d 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
@@ -33,7 +33,6 @@ import org.apache.nifi.util.FlowInfo;
 import org.apache.nifi.util.FlowParser;
 import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.util.file.FileUtils;
-import org.apache.nifi.web.api.dto.PortDTO;
 import org.apache.nifi.xml.processing.ProcessingException;
 import org.apache.nifi.xml.processing.parsers.StandardDocumentProvider;
 import org.apache.nifi.xml.processing.stream.StandardXMLStreamReaderProvider;
@@ -86,18 +85,14 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
     private static final String AUTHORIZATIONS_XSD = "/authorizations.xsd";
     private static final String JAXB_AUTHORIZATIONS_PATH = 
"org.apache.nifi.authorization.file.generated";
 
-    private static final String USERS_XSD = "/legacy-users.xsd";
-    private static final String JAXB_USERS_PATH = 
"org.apache.nifi.user.generated";
-
-    private static final JAXBContext JAXB_AUTHORIZATIONS_CONTEXT = 
initializeJaxbContext(JAXB_AUTHORIZATIONS_PATH);
-    private static final JAXBContext JAXB_USERS_CONTEXT = 
initializeJaxbContext(JAXB_USERS_PATH);
+    private static final JAXBContext JAXB_AUTHORIZATIONS_CONTEXT = 
initializeJaxbContext();
 
     /**
      * Load the JAXBContext.
      */
-    private static JAXBContext initializeJaxbContext(final String contextPath) 
{
+    private static JAXBContext initializeJaxbContext() {
         try {
-            return JAXBContext.newInstance(contextPath, 
FileAuthorizer.class.getClassLoader());
+            return JAXBContext.newInstance(JAXB_AUTHORIZATIONS_PATH, 
FileAccessPolicyProvider.class.getClassLoader());
         } catch (JAXBException e) {
             throw new RuntimeException("Unable to create JAXBContext.");
         }
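Review bot: The `catch (JAXBException e)` branch of `initializeJaxbContext()` still throws `new RuntimeException("Unable to create JAXBContext.")` without the caught exception, so the reason the authorizations context failed to load is lost from the stack trace. The same method in FileUserGroupProvider passes the cause, and this one should match it with `throw new RuntimeException("Unable to create JAXBContext.", e);`. The method's closing brace is outside the hunk.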
@@ -122,7 +117,6 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
     static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
     static final Pattern NODE_IDENTITY_PATTERN = 
Pattern.compile(PROP_NODE_IDENTITY_PREFIX + "\\S+");
 
-    private Schema usersSchema;
     private Schema authorizationsSchema;
     private NiFiProperties properties;
     private File authorizationsFile;
@@ -131,9 +125,6 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
     private String initialAdminIdentity;
     private Set<String> nodeIdentities;
     private String nodeGroupIdentifier;
-    private List<PortDTO> ports = new ArrayList<>();
-    private List<IdentityMapping> identityMappings;
-    private List<IdentityMapping> groupMappings;
 
     private UserGroupProvider userGroupProvider;
     private UserGroupProviderLookup userGroupProviderLookup;
@@ -145,8 +136,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
 
         try {
             final SchemaFactory schemaFactory = 
SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-            authorizationsSchema = 
schemaFactory.newSchema(FileAuthorizer.class.getResource(AUTHORIZATIONS_XSD));
-            usersSchema = 
schemaFactory.newSchema(FileAuthorizer.class.getResource(USERS_XSD));
+            authorizationsSchema = 
schemaFactory.newSchema(FileAccessPolicyProvider.class.getResource(AUTHORIZATIONS_XSD));
         } catch (Exception e) {
             throw new AuthorizerCreationException(e);
         }
@@ -173,7 +163,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
             // get the authorizations file and ensure it exists
             authorizationsFile = new File(authorizationsPath.getValue());
             if (!authorizationsFile.exists()) {
-                logger.info("Creating new authorizations file at {}", new 
Object[] {authorizationsFile.getAbsolutePath()});
+                logger.info("Creating new authorizations file at {}", 
authorizationsFile.getAbsolutePath());
                 saveAuthorizations(new Authorizations());
             }
 
@@ -203,8 +193,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
             }
 
             // extract the identity mappings from nifi.properties if any are 
provided
-            identityMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
-            groupMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getGroupMappings(properties));
+            List<IdentityMapping> identityMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
 
             // get the value of the initial admin identity
             final PropertyValue initialAdminIdentityProp = 
configurationContext.getProperty(PROP_INITIAL_ADMIN_IDENTITY);
@@ -217,7 +206,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
                 if (matcher.matches() && 
!StringUtils.isBlank(entry.getValue())) {
                     final String mappedNodeIdentity = 
IdentityMappingUtil.mapIdentity(entry.getValue(), identityMappings);
                     nodeIdentities.add(mappedNodeIdentity);
-                    logger.info("Added mapped node {} (raw node identity {})", 
new Object[]{mappedNodeIdentity, entry.getValue()});
+                    logger.info("Added mapped node {} (raw node identity {})", 
mappedNodeIdentity, entry.getValue());
                 }
             }
 
@@ -255,7 +244,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
                 FileUtils.copyFile(authorizationsFile, 
restoreAuthorizationsFile, false, false, logger);
             }
 
-            logger.info(String.format("Authorizations file loaded at %s", new 
Date().toString()));
+            logger.debug("Authorizations file loaded");
         } catch (IOException | AuthorizerCreationException | JAXBException | 
IllegalStateException | SAXException e) {
             throw new AuthorizerCreationException(e);
         }
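Review bot: The replacement `logger.debug("Authorizations file loaded")` names no file and is not emitted unless debug logging is enabled, so a default log no longer records that, or from where, the provider loaded its access policies. Consider keeping the path in the message, for example `logger.debug("Authorizations file loaded [{}]", authorizationsFile.getAbsolutePath());`, or leaving the level at info, since the source of authorization data is something operators tend to audit. The same applies to `logger.debug("Users/Groups file loaded")` in the FileUserGroupProvider hunk. The enclosing method starts outside this hunk.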
@@ -419,7 +408,7 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
     public synchronized void forciblyInheritFingerprint(final String 
fingerprint) throws AuthorizationAccessException {
         final List<AccessPolicy> accessPolicies = parsePolicies(fingerprint);
 
-        if (isInheritable(accessPolicies)) {
+        if (isInheritable()) {
             logger.debug("Inheriting cluster's Access Policies");
             inheritAccessPolicies(accessPolicies);
         } else {
@@ -438,28 +427,20 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
 
     @Override
     public void checkInheritability(String proposedFingerprint) throws 
AuthorizationAccessException, UninheritableAuthorizationsException {
-        final List<AccessPolicy> accessPolicies;
-        try {
-            // ensure we can understand the proposed fingerprint
-            accessPolicies = parsePolicies(proposedFingerprint);
-        } catch (final AuthorizationAccessException e) {
-            throw new UninheritableAuthorizationsException("Unable to parse 
the proposed fingerprint: " + e);
-        }
-
         // ensure we are in a proper state to inherit the fingerprint
-        if (!isInheritable(accessPolicies)) {
+        if (!isInheritable()) {
             throw new UninheritableAuthorizationsException("Proposed 
fingerprint is not inheritable because the current access policies is not 
empty.");
         }
     }
 
-    private boolean isInheritable(final List<AccessPolicy> accessPolicies) {
+    private boolean isInheritable() {
         return getAccessPolicies().isEmpty();
     }
 
     @Override
     public String getFingerprint() throws AuthorizationAccessException {
         final List<AccessPolicy> policies = new 
ArrayList<>(getAccessPolicies());
-        Collections.sort(policies, 
Comparator.comparing(AccessPolicy::getIdentifier));
+        policies.sort(Comparator.comparing(AccessPolicy::getIdentifier));
 
         XMLStreamWriter writer = null;
         final StringWriter out = new StringWriter();
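Review bot: `checkInheritability` no longer looks at `proposedFingerprint` at all. With the `parsePolicies` try/catch removed, a fingerprint that cannot be parsed passes this check whenever the local policies are empty. The failure presumably surfaces only later, when the fingerprint is parsed for inheritance, and as an `AuthorizationAccessException` rather than an `UninheritableAuthorizationsException`. If the parse was intended as validation rather than dead code, keep it and discard the result, as in the excerpt below. `FileUserGroupProvider.checkInheritability` loses the equivalent `parseUsersAndGroups` check in its own hunk and would need the same treatment.

```java
    public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
        try {
            // ensure we can understand the proposed fingerprint before reporting it inheritable
            parsePolicies(proposedFingerprint);
        } catch (final AuthorizationAccessException e) {
            throw new UninheritableAuthorizationsException("Unable to parse the proposed fingerprint: " + e);
        }
        // … unchanged: isInheritable() state check …
    }
```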
@@ -634,17 +615,14 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
 
     /**
      * Try to parse the flow configuration file to extract the root group id 
and port information.
-     *
-     * @throws SAXException if an error occurs creating the schema
      */
-    private void parseFlow() throws SAXException {
+    private void parseFlow() {
         final FlowParser flowParser = new FlowParser();
         final File flowConfigurationFile = 
properties.getFlowConfigurationFile();
         final FlowInfo flowInfo = flowParser.parse(flowConfigurationFile);
 
         if (flowInfo != null) {
             rootGroupId = flowInfo.getRootGroupId();
-            ports = flowInfo.getPorts() == null ? new ArrayList<>() : 
flowInfo.getPorts();
         }
     }
 
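Review bot: The Javadoc on `parseFlow()` still says it extracts "the root group id and port information", but with the `ports` assignment removed the method only stores `rootGroupId`. Suggest the summary `Try to parse the flow configuration file to extract the root group id.` so the comment matches what the method keeps.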
@@ -835,7 +813,6 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
     /**
      * Sets the given Policy to the state of the provided AccessPolicy. Users 
and Groups will be cleared and
      * set to match the AccessPolicy, the resource and action will be set to 
match the AccessPolicy.
-     *
      * Does not set the identifier.
      *
      * @param accessPolicy the AccessPolicy to transfer state from
@@ -859,94 +836,9 @@ public class FileAccessPolicyProvider implements 
ConfigurableAccessPolicyProvide
         }
     }
 
-    /**
-     * Adds the given user identifier to the policy if it doesn't already 
exist.
-     *
-     * @param userIdentifier a user identifier
-     * @param policy a policy to add the user to
-     */
-    private void addUserToPolicy(final String userIdentifier, final Policy 
policy) {
-        // determine if the user already exists in the policy
-        boolean userExists = false;
-        for (Policy.User policyUser : policy.getUser()) {
-            if (policyUser.getIdentifier().equals(userIdentifier)) {
-                userExists = true;
-                break;
-            }
-        }
-
-        // add the user to the policy if doesn't already exist
-        if (!userExists) {
-            Policy.User policyUser = new Policy.User();
-            policyUser.setIdentifier(userIdentifier);
-            policy.getUser().add(policyUser);
-        }
-    }
-
-    /**
-     * Adds the given group identifier to the policy if it doesn't already 
exist.
-     *
-     * @param groupIdentifier a group identifier
-     * @param policy a policy to add the user to
-     */
-    private void addGroupToPolicy(final String groupIdentifier, final Policy 
policy) {
-        // determine if the group already exists in the policy
-        boolean groupExists = false;
-        for (Policy.Group policyGroup : policy.getGroup()) {
-            if (policyGroup.getIdentifier().equals(groupIdentifier)) {
-                groupExists = true;
-                break;
-            }
-        }
-
-        // add the group to the policy if doesn't already exist
-        if (!groupExists) {
-            Policy.Group policyGroup = new Policy.Group();
-            policyGroup.setIdentifier(groupIdentifier);
-            policy.getGroup().add(policyGroup);
-        }
-    }
-
-    /**
-     * Finds the Policy matching the resource and action, or creates a new one 
and adds it to the list of policies.
-     *
-     * @param policies the policies to search through
-     * @param seedIdentity the seedIdentity to use when creating identifiers 
for new policies
-     * @param resource the resource for the policy
-     * @param action the action string for the police (R or RW)
-     * @return the matching policy or a new policy
-     */
-    private Policy getOrCreatePolicy(final List<Policy> policies, final String 
seedIdentity, final String resource, final String action) {
-        Policy foundPolicy = null;
-
-        // try to find a policy with the same resource and actions
-        for (Policy policy : policies) {
-            if (policy.getResource().equals(resource) && 
policy.getAction().equals(action)) {
-                foundPolicy = policy;
-                break;
-            }
-        }
-
-        // if a matching policy wasn't found then create one
-        if (foundPolicy == null) {
-            final String uuidSeed = resource + action + seedIdentity;
-            final String policyIdentifier = 
IdentifierUtil.getIdentifier(uuidSeed);
-
-            foundPolicy = new Policy();
-            foundPolicy.setIdentifier(policyIdentifier);
-            foundPolicy.setResource(resource);
-            foundPolicy.setAction(action);
-
-            policies.add(foundPolicy);
-        }
-
-        return foundPolicy;
-    }
-
     /**
      * Saves the Authorizations instance by marshalling to a file, then 
re-populates the
      * in-memory data structures and sets the new holder.
-     *
      * Synchronized to ensure only one thread writes the file at a time.
      *
      * @param authorizations the authorizations to save and populate from
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
deleted file mode 100644
index 052f7d5f22..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import org.apache.nifi.authorization.annotation.AuthorizerContext;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.util.NiFiProperties;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.xml.bind.JAXBException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Matcher;
-
-/**
- * Provides authorizes requests to resources using policies persisted in a 
file.
- */
-public class FileAuthorizer extends AbstractPolicyBasedAuthorizer {
-
-    private static final Logger logger = 
LoggerFactory.getLogger(FileAuthorizer.class);
-
-    private static final String FILE_USER_GROUP_PROVIDER_ID = 
"file-user-group-provider";
-    private static final String FILE_ACCESS_POLICY_PROVIDER_ID = 
"file-access-policy-provider";
-
-    private FileUserGroupProvider userGroupProvider = new 
FileUserGroupProvider();
-    private FileAccessPolicyProvider accessPolicyProvider = new 
FileAccessPolicyProvider();
-
-    @Override
-    public void initialize(final AuthorizerInitializationContext 
initializationContext) throws AuthorizerCreationException {
-        // initialize the user group provider
-        userGroupProvider.initialize(new 
UserGroupProviderInitializationContext() {
-            @Override
-            public String getIdentifier() {
-                return FILE_USER_GROUP_PROVIDER_ID;
-            }
-
-            @Override
-            public UserGroupProviderLookup getUserGroupProviderLookup() {
-                return (identifier) -> null;
-            }
-        });
-
-        // initialize the access policy provider
-        accessPolicyProvider.initialize(new 
AccessPolicyProviderInitializationContext() {
-            @Override
-            public String getIdentifier() {
-                return FILE_ACCESS_POLICY_PROVIDER_ID;
-            }
-
-            @Override
-            public UserGroupProviderLookup getUserGroupProviderLookup() {
-                return (identifier) -> {
-                    if (FILE_USER_GROUP_PROVIDER_ID.equals(identifier)) {
-                        return userGroupProvider;
-                    }
-
-                    return null;
-                };
-            }
-
-            @Override
-            public AccessPolicyProviderLookup getAccessPolicyProviderLookup() {
-                return (identifier) ->  null;
-            }
-        });
-    }
-
-    @Override
-    public void doOnConfigured(final AuthorizerConfigurationContext 
configurationContext) throws AuthorizerCreationException {
-        final Map<String, String> configurationProperties = 
configurationContext.getProperties();
-
-        // relay the relevant config
-        final Map<String, String> userGroupProperties = new HashMap<>();
-        if 
(configurationProperties.containsKey(FileUserGroupProvider.PROP_TENANTS_FILE)) {
-            userGroupProperties.put(FileUserGroupProvider.PROP_TENANTS_FILE, 
configurationProperties.get(FileUserGroupProvider.PROP_TENANTS_FILE));
-        }
-
-        // relay the relevant config
-        final Map<String, String> accessPolicyProperties = new HashMap<>();
-        
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_USER_GROUP_PROVIDER, 
FILE_USER_GROUP_PROVIDER_ID);
-        if 
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE))
 {
-            
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE, 
configurationProperties.get(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE));
-        }
-        if 
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))
 {
-            
accessPolicyProperties.put(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY,
 
configurationProperties.get(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY));
-        }
-
-        // ensure all node identities are seeded into the user provider
-        configurationProperties.forEach((property, value) -> {
-            final Matcher matcher = 
FileAccessPolicyProvider.NODE_IDENTITY_PATTERN.matcher(property);
-            if (matcher.matches()) {
-                accessPolicyProperties.put(property, value);
-                
userGroupProperties.put(property.replace(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX,
 FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX), value);
-            }
-        });
-
-        // ensure the initial admin is seeded into the user provider if 
appropriate
-        if 
(configurationProperties.containsKey(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))
 {
-            int i = 0;
-            while (true) {
-                final String key = 
FileUserGroupProvider.PROP_INITIAL_USER_IDENTITY_PREFIX + i++;
-                if (!userGroupProperties.containsKey(key)) {
-                    userGroupProperties.put(key, 
configurationProperties.get(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY));
-                    break;
-                }
-            }
-        }
-
-        // configure the user group provider
-        userGroupProvider.onConfigured(new 
StandardAuthorizerConfigurationContext(FILE_USER_GROUP_PROVIDER_ID, 
userGroupProperties));
-
-        // configure the access policy provider
-        accessPolicyProvider.onConfigured(new 
StandardAuthorizerConfigurationContext(FILE_USER_GROUP_PROVIDER_ID, 
accessPolicyProperties));
-    }
-
-    @Override
-    public void preDestruction() {
-
-    }
-
-    // ------------------ Groups ------------------
-
-    @Override
-    public synchronized Group doAddGroup(Group group) throws 
AuthorizationAccessException {
-        return userGroupProvider.addGroup(group);
-    }
-
-    @Override
-    public Group getGroup(String identifier) throws 
AuthorizationAccessException {
-        return userGroupProvider.getGroup(identifier);
-    }
-
-    @Override
-    public Group getGroupByName(String name) throws 
AuthorizationAccessException {
-        return userGroupProvider.getGroupByName(name);
-    }
-
-    @Override
-    public synchronized Group doUpdateGroup(Group group) throws 
AuthorizationAccessException {
-        return userGroupProvider.updateGroup(group);
-    }
-
-    @Override
-    public synchronized Group deleteGroup(Group group) throws 
AuthorizationAccessException {
-        return userGroupProvider.deleteGroup(group);
-    }
-
-    @Override
-    public Set<Group> getGroups() throws AuthorizationAccessException {
-        return userGroupProvider.getGroups();
-    }
-
-    // ------------------ Users ------------------
-
-    @Override
-    public synchronized User doAddUser(final User user) throws 
AuthorizationAccessException {
-        return userGroupProvider.addUser(user);
-    }
-
-    @Override
-    public User getUser(final String identifier) throws 
AuthorizationAccessException {
-        return userGroupProvider.getUser(identifier);
-    }
-
-    @Override
-    public User getUserByIdentity(final String identity) throws 
AuthorizationAccessException {
-        return userGroupProvider.getUserByIdentity(identity);
-    }
-
-    @Override
-    public synchronized User doUpdateUser(final User user) throws 
AuthorizationAccessException {
-        return userGroupProvider.updateUser(user);
-    }
-
-    @Override
-    public synchronized User deleteUser(final User user) throws 
AuthorizationAccessException {
-        return userGroupProvider.deleteUser(user);
-    }
-
-    @Override
-    public Set<User> getUsers() throws AuthorizationAccessException {
-        return userGroupProvider.getUsers();
-    }
-
-    // ------------------ AccessPolicies ------------------
-
-    @Override
-    public synchronized AccessPolicy doAddAccessPolicy(final AccessPolicy 
accessPolicy) throws AuthorizationAccessException {
-        return accessPolicyProvider.addAccessPolicy(accessPolicy);
-    }
-
-    @Override
-    public AccessPolicy getAccessPolicy(final String identifier) throws 
AuthorizationAccessException {
-        return accessPolicyProvider.getAccessPolicy(identifier);
-    }
-
-    @Override
-    public synchronized AccessPolicy updateAccessPolicy(final AccessPolicy 
accessPolicy) throws AuthorizationAccessException {
-        return accessPolicyProvider.updateAccessPolicy(accessPolicy);
-    }
-
-    @Override
-    public synchronized AccessPolicy deleteAccessPolicy(final AccessPolicy 
accessPolicy) throws AuthorizationAccessException {
-        return accessPolicyProvider.deleteAccessPolicy(accessPolicy);
-    }
-
-    @Override
-    public Set<AccessPolicy> getAccessPolicies() throws 
AuthorizationAccessException {
-        return accessPolicyProvider.getAccessPolicies();
-    }
-
-    @Override
-    public void purgePoliciesUsersAndGroups() {
-        accessPolicyProvider.purgePolicies(true);
-        userGroupProvider.purgeUsersAndGroups();
-    }
-
-    @Override
-    public void backupPoliciesUsersAndGroups() {
-        try {
-            accessPolicyProvider.backupPolicies();
-            userGroupProvider.backupUsersAndGroups();
-        } catch (final JAXBException jaxb) {
-            throw new AuthorizationAccessException("Failed to backup 
policies", jaxb);
-        }
-    }
-
-    @AuthorizerContext
-    public void setNiFiProperties(NiFiProperties properties) {
-        userGroupProvider.setNiFiProperties(properties);
-        accessPolicyProvider.setNiFiProperties(properties);
-    }
-
-    @Override
-    public synchronized UsersAndAccessPolicies getUsersAndAccessPolicies() 
throws AuthorizationAccessException {
-        final AuthorizationsHolder authorizationsHolder = 
accessPolicyProvider.getAuthorizationsHolder();
-        final UserGroupHolder userGroupHolder = 
userGroupProvider.getUserGroupHolder();
-
-        return new UsersAndAccessPolicies() {
-            @Override
-            public AccessPolicy getAccessPolicy(String resourceIdentifier, 
RequestAction action) {
-                return 
authorizationsHolder.getAccessPolicy(resourceIdentifier, action);
-            }
-
-            @Override
-            public User getUser(String identity) {
-                return userGroupHolder.getUser(identity);
-            }
-
-            @Override
-            public Set<Group> getGroups(String userIdentity) {
-                return userGroupHolder.getGroups(userIdentity);
-            }
-        };
-    }
-}
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileUserGroupProvider.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileUserGroupProvider.java
index 5e39ff4657..11fbff5d0d 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileUserGroupProvider.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileUserGroupProvider.java
@@ -80,19 +80,14 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
 
     private static final String TENANTS_XSD = "/tenants.xsd";
     private static final String JAXB_TENANTS_PATH = 
"org.apache.nifi.authorization.file.tenants.generated";
-
-    private static final String USERS_XSD = "/legacy-users.xsd";
-    private static final String JAXB_USERS_PATH = 
"org.apache.nifi.user.generated";
-
-    private static final JAXBContext JAXB_TENANTS_CONTEXT = 
initializeJaxbContext(JAXB_TENANTS_PATH);
-    private static final JAXBContext JAXB_USERS_CONTEXT = 
initializeJaxbContext(JAXB_USERS_PATH);
+    private static final JAXBContext JAXB_TENANTS_CONTEXT = 
initializeJaxbContext();
 
     /**
      * Load the JAXBContext.
      */
-    private static JAXBContext initializeJaxbContext(final String contextPath) 
{
+    private static JAXBContext initializeJaxbContext() {
         try {
-            return JAXBContext.newInstance(contextPath, 
FileAuthorizer.class.getClassLoader());
+            return JAXBContext.newInstance(JAXB_TENANTS_PATH, 
FileUserGroupProvider.class.getClassLoader());
         } catch (JAXBException e) {
             throw new RuntimeException("Unable to create JAXBContext.", e);
         }
@@ -111,14 +106,11 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
     static final String PROP_TENANTS_FILE = "Users File";
     static final Pattern INITIAL_USER_IDENTITY_PATTERN = 
Pattern.compile(PROP_INITIAL_USER_IDENTITY_PREFIX + "\\S+");
 
-    private Schema usersSchema;
     private Schema tenantsSchema;
     private NiFiProperties properties;
     private File tenantsFile;
     private File restoreTenantsFile;
     private Set<String> initialUserIdentities;
-    private List<IdentityMapping> identityMappings;
-    private List<IdentityMapping> groupMappings;
 
     private final AtomicReference<UserGroupHolder> userGroupHolder = new 
AtomicReference<>();
 
@@ -126,8 +118,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
     public void initialize(UserGroupProviderInitializationContext 
initializationContext) throws AuthorizerCreationException {
         try {
             final SchemaFactory schemaFactory = 
SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-            tenantsSchema = 
schemaFactory.newSchema(FileAuthorizer.class.getResource(TENANTS_XSD));
-            usersSchema = 
schemaFactory.newSchema(FileAuthorizer.class.getResource(USERS_XSD));
+            tenantsSchema = 
schemaFactory.newSchema(FileUserGroupProvider.class.getResource(TENANTS_XSD));
         } catch (Exception e) {
             throw new AuthorizerCreationException(e);
         }
@@ -144,7 +135,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
             // get the tenants file and ensure it exists
             tenantsFile = new File(tenantsPath.getValue());
             if (!tenantsFile.exists()) {
-                logger.info("Creating new users file at {}", new Object[] 
{tenantsFile.getAbsolutePath()});
+                logger.info("Creating new users file at {}", 
tenantsFile.getAbsolutePath());
                 saveTenants(new Tenants());
             }
 
@@ -174,8 +165,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
             }
 
             // extract the identity and group mappings from nifi.properties if 
any are provided
-            identityMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
-            groupMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getGroupMappings(properties));
+            List<IdentityMapping> identityMappings = 
Collections.unmodifiableList(IdentityMappingUtil.getIdentityMappings(properties));
 
             // extract any node identities
             initialUserIdentities = new HashSet<>();
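Review bot: The comment above the new local still reads "extract the identity and group mappings", yet the `getGroupMappings` call is removed and only identity mappings are read here. Suggest `// extract the identity mappings from nifi.properties if any are provided`, which is the wording FileAccessPolicyProvider uses for the same statement. The enclosing method starts and ends outside this hunk.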
@@ -193,7 +183,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
                 FileUtils.copyFile(tenantsFile, restoreTenantsFile, false, 
false, logger);
             }
 
-            logger.info(String.format("Users/Groups file loaded at %s", new 
Date().toString()));
+            logger.debug("Users/Groups file loaded");
         } catch (IOException | AuthorizerCreationException | JAXBException | 
IllegalStateException e) {
             throw new AuthorizerCreationException(e);
         }
@@ -487,7 +477,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
 
         final UsersAndGroups usersAndGroups = parseUsersAndGroups(fingerprint);
 
-        if (isInheritable(usersAndGroups)) {
+        if (isInheritable()) {
             logger.debug("Inheriting cluster's Users & Groups");
             inherit(usersAndGroups);
         } else {
@@ -526,21 +516,13 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
 
     @Override
     public void checkInheritability(String proposedFingerprint) throws 
AuthorizationAccessException {
-        final UsersAndGroups proposedUsersAndGroups;
-        try {
-            // ensure we understand the proposed fingerprint
-            proposedUsersAndGroups = parseUsersAndGroups(proposedFingerprint);
-        } catch (final AuthorizationAccessException e) {
-            throw new UninheritableAuthorizationsException("Unable to parse 
the proposed fingerprint: " + e);
-        }
-
         // ensure we are in a proper state to inherit the fingerprint
-        if (!isInheritable(proposedUsersAndGroups)) {
+        if (!isInheritable()) {
             throw new UninheritableAuthorizationsException("Proposed 
fingerprint is not inheritable because the current users and groups is not 
empty.");
         }
     }
 
-    private boolean isInheritable(final UsersAndGroups proposedUsersAndGroups) 
{
+    private boolean isInheritable() {
         final UserGroupHolder usersAndGroups = userGroupHolder.get();
         return usersAndGroups.getAllUsers().isEmpty() && 
usersAndGroups.getAllGroups().isEmpty();
     }
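Review bot: `checkInheritability` no longer looks at `proposedFingerprint` at all, so with the parse step removed a malformed fingerprint passes the check whenever the local users and groups are empty. It would then presumably be rejected only when `parseUsersAndGroups(fingerprint)` runs in the inherit path shown in the earlier hunk, which is later than callers of this check may expect. I would keep the parse as validation and discard its result, or, if dropping it is intended, state on the method that the argument is deliberately ignored.

```java
    public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException {
        try {
            // fail the check early when the proposed fingerprint cannot be parsed
            parseUsersAndGroups(proposedFingerprint);
        } catch (final AuthorizationAccessException e) {
            throw new UninheritableAuthorizationsException("Unable to parse the proposed fingerprint: " + e);
        }
        // … unchanged: isInheritable() check and its exception …
```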
@@ -725,7 +707,7 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
 
     private void populateInitialUsers(final Tenants tenants) {
         for (String initialUserIdentity : initialUserIdentities) {
-            getOrCreateUser(tenants, initialUserIdentity);
+            createUser(tenants, initialUserIdentity);
         }
     }
 
@@ -734,11 +716,10 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
      *
      * @param tenants the Tenants reference
      * @param userIdentity the user identity to find or create
-     * @return the User from Tenants with the given identity, or a new 
instance that was added to Tenants
      */
-    private org.apache.nifi.authorization.file.tenants.generated.User 
getOrCreateUser(final Tenants tenants, final String userIdentity) {
+    private void createUser(final Tenants tenants, final String userIdentity) {
         if (StringUtils.isBlank(userIdentity)) {
-            return null;
+            return;
         }
 
         org.apache.nifi.authorization.file.tenants.generated.User foundUser = 
null;
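Review bot: The new name `createUser` reads as unconditional creation, but the body still starts a lookup with `foundUser` and, in the following hunk, adds a user only inside the `foundUser == null` branch. The kept `@param userIdentity the user identity to find or create` describes that behaviour, while the name and the removed `@return` no longer do. I would make the Javadoc summary explicit, for example `Adds a User with the given identity to Tenants unless one already exists; blank identities are ignored.`, so nobody later drops the lookup and writes duplicate identities into the tenants file. The method body continues outside this hunk.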
@@ -756,45 +737,11 @@ public class FileUserGroupProvider implements 
ConfigurableUserGroupProvider {
             foundUser.setIdentity(userIdentity);
             tenants.getUsers().getUser().add(foundUser);
         }
-
-        return foundUser;
-    }
-
-    /**
-     * Finds the Group with the given name, or creates a new one and adds it 
to Tenants.
-     *
-     * @param tenants the Tenants reference
-     * @param groupName the name of the group to look for
-     * @return the Group from Tenants with the given name, or a new instance 
that was added to Tenants
-     */
-    private org.apache.nifi.authorization.file.tenants.generated.Group 
getOrCreateGroup(final Tenants tenants, final String groupName) {
-        if (StringUtils.isBlank(groupName)) {
-            return null;
-        }
-
-        org.apache.nifi.authorization.file.tenants.generated.Group foundGroup 
= null;
-        for (org.apache.nifi.authorization.file.tenants.generated.Group group 
: tenants.getGroups().getGroup()) {
-            if (group.getName().equals(groupName)) {
-                foundGroup = group;
-                break;
-            }
-        }
-
-        if (foundGroup == null) {
-            final String newGroupIdentifier = 
IdentifierUtil.getIdentifier(groupName);
-            foundGroup = new 
org.apache.nifi.authorization.file.tenants.generated.Group();
-            foundGroup.setIdentifier(newGroupIdentifier);
-            foundGroup.setName(groupName);
-            tenants.getGroups().getGroup().add(foundGroup);
-        }
-
-        return foundGroup;
     }
 
     /**
      * Saves the Authorizations instance by marshalling to a file, then 
re-populates the
      * in-memory data structures and sets the new holder.
-     *
      * Synchronized to ensure only one thread writes the file at a time.
      *
      * @param tenants the tenants to save and populate from
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/Role.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/Role.java
deleted file mode 100644
index 0f7b7401e5..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/Role.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-/**
- * Legacy Roles prior to the new authorization model.
- */
-public enum Role {
-    ROLE_MONITOR,
-    ROLE_PROVENANCE,
-    ROLE_DFM,
-    ROLE_ADMIN,
-    ROLE_PROXY,
-    ROLE_NIFI;
-
-}
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
deleted file mode 100644
index d35aff06a6..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/RoleAccessPolicy.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import org.apache.nifi.authorization.resource.ResourceType;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * Defines the mapping from legacy roles to access policies.
- */
-public final class RoleAccessPolicy {
-
-    static final String READ_ACTION = "R";
-    static final String WRITE_ACTION = "W";
-
-    private final String resource;
-    private final String action;
-
-    private RoleAccessPolicy(final String resource, final String action) {
-        this.resource = resource;
-        this.action = action;
-    }
-
-    public String getResource() {
-        return resource;
-    }
-
-    public String getAction() {
-        return action;
-    }
-
-    public static Map<Role,Set<RoleAccessPolicy>> getMappings(final String 
rootGroupId) {
-        final Map<Role,Set<RoleAccessPolicy>> roleAccessPolicies = new 
HashMap<>();
-
-        final Set<RoleAccessPolicy> monitorPolicies = new HashSet<>();
-        monitorPolicies.add(new RoleAccessPolicy(ResourceType.Flow.getValue(), 
READ_ACTION));
-        monitorPolicies.add(new 
RoleAccessPolicy(ResourceType.Controller.getValue(), READ_ACTION));
-        monitorPolicies.add(new 
RoleAccessPolicy(ResourceType.System.getValue(), READ_ACTION));
-        if (rootGroupId != null) {
-            monitorPolicies.add(new 
RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, 
READ_ACTION));
-        }
-        roleAccessPolicies.put(Role.ROLE_MONITOR, 
Collections.unmodifiableSet(monitorPolicies));
-
-        final Set<RoleAccessPolicy> provenancePolicies = new HashSet<>();
-        provenancePolicies.add(new 
RoleAccessPolicy(ResourceType.Provenance.getValue(), READ_ACTION));
-        if (rootGroupId != null) {
-            provenancePolicies.add(new 
RoleAccessPolicy(ResourceType.Data.getValue() + 
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
-            provenancePolicies.add(new 
RoleAccessPolicy(ResourceType.ProvenanceData.getValue() + 
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
-        }
-        roleAccessPolicies.put(Role.ROLE_PROVENANCE, 
Collections.unmodifiableSet(provenancePolicies));
-
-        final Set<RoleAccessPolicy> dfmPolicies = new HashSet<>();
-        dfmPolicies.add(new RoleAccessPolicy(ResourceType.Flow.getValue(), 
READ_ACTION));
-        dfmPolicies.add(new 
RoleAccessPolicy(ResourceType.Controller.getValue(), READ_ACTION));
-        dfmPolicies.add(new 
RoleAccessPolicy(ResourceType.Controller.getValue(), WRITE_ACTION));
-        dfmPolicies.add(new RoleAccessPolicy(ResourceType.System.getValue(), 
READ_ACTION));
-        dfmPolicies.add(new 
RoleAccessPolicy(ResourceType.RestrictedComponents.getValue(), WRITE_ACTION));
-        if (rootGroupId != null) {
-            dfmPolicies.add(new 
RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, 
READ_ACTION));
-            dfmPolicies.add(new 
RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, 
WRITE_ACTION));
-            dfmPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() 
+ ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
-            dfmPolicies.add(new RoleAccessPolicy(ResourceType.Data.getValue() 
+ ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
-        }
-        roleAccessPolicies.put(Role.ROLE_DFM, 
Collections.unmodifiableSet(dfmPolicies));
-
-        final Set<RoleAccessPolicy> adminPolicies = new HashSet<>();
-        adminPolicies.add(new RoleAccessPolicy(ResourceType.Flow.getValue(), 
READ_ACTION));
-        adminPolicies.add(new 
RoleAccessPolicy(ResourceType.Controller.getValue(), READ_ACTION));
-        if (rootGroupId != null) {
-            adminPolicies.add(new 
RoleAccessPolicy(ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, 
READ_ACTION));
-        }
-        adminPolicies.add(new RoleAccessPolicy(ResourceType.Tenant.getValue(), 
READ_ACTION));
-        adminPolicies.add(new RoleAccessPolicy(ResourceType.Tenant.getValue(), 
WRITE_ACTION));
-        adminPolicies.add(new RoleAccessPolicy(ResourceType.Policy.getValue(), 
READ_ACTION));
-        adminPolicies.add(new RoleAccessPolicy(ResourceType.Policy.getValue(), 
WRITE_ACTION));
-        roleAccessPolicies.put(Role.ROLE_ADMIN, 
Collections.unmodifiableSet(adminPolicies));
-
-        final Set<RoleAccessPolicy> proxyPolicies = new HashSet<>();
-        proxyPolicies.add(new RoleAccessPolicy(ResourceType.Proxy.getValue(), 
WRITE_ACTION));
-        if (rootGroupId != null) {
-            proxyPolicies.add(new 
RoleAccessPolicy(ResourceType.Data.getValue() + 
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, READ_ACTION));
-            proxyPolicies.add(new 
RoleAccessPolicy(ResourceType.Data.getValue() + 
ResourceType.ProcessGroup.getValue() + "/" + rootGroupId, WRITE_ACTION));
-        }
-        roleAccessPolicies.put(Role.ROLE_PROXY, 
Collections.unmodifiableSet(proxyPolicies));
-
-        final Set<RoleAccessPolicy> nifiPolicies = new HashSet<>();
-        nifiPolicies.add(new 
RoleAccessPolicy(ResourceType.Controller.getValue(), READ_ACTION));
-        nifiPolicies.add(new 
RoleAccessPolicy(ResourceType.SiteToSite.getValue(), READ_ACTION));
-        roleAccessPolicies.put(Role.ROLE_NIFI, 
Collections.unmodifiableSet(nifiPolicies));
-
-        return roleAccessPolicies;
-    }
-
-}
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
deleted file mode 100755
index da9c2ee086..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
+++ /dev/null
@@ -1,15 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-org.apache.nifi.authorization.FileAuthorizer
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/legacy-users.xsd
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/legacy-users.xsd
deleted file mode 100644
index 4ee1e17226..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/xsd/legacy-users.xsd
+++ /dev/null
@@ -1,64 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-      http://www.apache.org/licenses/LICENSE-2.0
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";>
-    <!-- role -->
-    <xs:complexType name="Role">
-        <xs:attribute name="name">
-            <xs:simpleType>
-                <xs:restriction base="xs:string">
-                    <xs:enumeration value="ROLE_MONITOR"/>
-                    <xs:enumeration value="ROLE_PROVENANCE"/>
-                    <xs:enumeration value="ROLE_DFM"/>
-                    <xs:enumeration value="ROLE_ADMIN"/>
-                    <xs:enumeration value="ROLE_PROXY"/>
-                    <xs:enumeration value="ROLE_NIFI"/>
-                </xs:restriction>
-            </xs:simpleType>
-        </xs:attribute>
-    </xs:complexType>
-
-    <!-- user -->
-    <xs:complexType name="User">
-        <xs:sequence>
-            <xs:element name="role" type="Role" minOccurs="0" 
maxOccurs="unbounded"/>
-        </xs:sequence>
-        <xs:attribute name="dn">
-            <xs:simpleType>
-                <xs:restriction base="xs:string">
-                    <xs:minLength value="1"/>
-                    <xs:pattern value=".*[^\s].*"/>
-                </xs:restriction>
-            </xs:simpleType>
-        </xs:attribute>
-        <xs:attribute name="group">
-            <xs:simpleType>
-                <xs:restriction base="xs:string">
-                    <xs:minLength value="1"/>
-                    <xs:pattern value=".*[^\s].*"/>
-                </xs:restriction>
-            </xs:simpleType>
-        </xs:attribute>
-    </xs:complexType>
-
-    <!-- users -->
-    <xs:element name="users">
-        <xs:complexType>
-            <xs:sequence>
-                <xs:element name="user" type="User" minOccurs="0" 
maxOccurs="unbounded"/>
-            </xs:sequence>
-        </xs:complexType>
-    </xs:element>
-</xs:schema>
\ No newline at end of file
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
deleted file mode 100644
index b567325554..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java
+++ /dev/null
@@ -1,1245 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import org.apache.commons.lang3.SystemUtils;
-import org.apache.nifi.attribute.expression.language.StandardPropertyValue;
-import org.apache.nifi.authorization.AuthorizationResult.Result;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.authorization.resource.ResourceFactory;
-import org.apache.nifi.authorization.resource.ResourceType;
-import org.apache.nifi.components.PropertyValue;
-import org.apache.nifi.parameter.ParameterLookup;
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.util.file.FileUtils;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.Mockito;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-public class FileAuthorizerTest {
-
-    private static final String EMPTY_AUTHORIZATIONS_CONCISE =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<authorizations/>";
-
-    private static final String EMPTY_TENANTS_CONCISE =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<tenants/>";
-
-    private static final String EMPTY_AUTHORIZATIONS =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<authorizations>"
-        + "</authorizations>";
-
-    private static final String EMPTY_TENANTS =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<tenants>"
-        + "</tenants>";
-
-    private static final String BAD_SCHEMA_AUTHORIZATIONS =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<authorization>"
-        + "</authorization>";
-
-    private static final String BAD_SCHEMA_TENANTS =
-        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        + "<tenant>"
-        + "</tenant>";
-
-    private static final String SIMPLE_AUTHORIZATION_BY_USER =
-            "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
-            "<authorizations>" +
-            "  <policies>" +
-            "      <policy identifier=\"policy-1\" resource=\"/flow\" 
action=\"R\">" +
-            "        <user identifier=\"user-1\" />" +
-            "      </policy>" +
-            "  </policies>" +
-            "</authorizations>";
-
-    private static final String SIMPLE_TENANTS_BY_USER =
-            "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
-            "<tenants>" +
-            "  <users>" +
-            "    <user identifier=\"user-1\" identity=\"user-1\"/>" +
-            "    <user identifier=\"user-2\" identity=\"user-2\"/>" +
-            "  </users>" +
-            "</tenants>";
-
-    private static final String AUTHORIZATIONS =
-            "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
-            "<authorizations>" +
-            "  <policies>" +
-            "      <policy identifier=\"policy-1\" resource=\"/flow\" 
action=\"R\">" +
-                    "  <group identifier=\"group-1\" />" +
-                    "  <group identifier=\"group-2\" />" +
-                    "  <user identifier=\"user-1\" />" +
-            "      </policy>" +
-            "      <policy identifier=\"policy-2\" resource=\"/flow\" 
action=\"W\">" +
-            "        <user identifier=\"user-2\" />" +
-            "      </policy>" +
-            "  </policies>" +
-            "</authorizations>";
-
-    private static final String TENANTS =
-            "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
-            "<tenants>" +
-            "  <groups>" +
-            "    <group identifier=\"group-1\" name=\"group-1\">" +
-            "       <user identifier=\"user-1\" />" +
-            "    </group>" +
-            "    <group identifier=\"group-2\" name=\"group-2\">" +
-            "       <user identifier=\"user-2\" />" +
-            "    </group>" +
-            "  </groups>" +
-            "  <users>" +
-            "    <user identifier=\"user-1\" identity=\"user-1\" />" +
-            "    <user identifier=\"user-2\" identity=\"user-2\" />" +
-            "  </users>" +
-            "</tenants>";
-
-    private static final String TENANTS_FOR_ADMIN_AND_NODES =
-            "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" +
-                    "<tenants>" +
-                    "  <users>" +
-                    "    <user identifier=\"admin-user\" 
identity=\"admin-user\"/>" +
-                    "    <user identifier=\"node1\" identity=\"node1\"/>" +
-                    "    <user identifier=\"node2\" identity=\"node2\"/>" +
-                    "  </users>" +
-                    "</tenants>";
-
-    // This is the root group id from the flow.xml.gz in src/test/resources
-    private static final String ROOT_GROUP_ID = 
"e530e14c-adcf-41c2-b5d6-d9a59ba8765c";
-
-    private NiFiProperties properties;
-    private FileAuthorizer authorizer;
-    private File primaryAuthorizations;
-    private File primaryTenants;
-    private File restoreAuthorizations;
-    private File restoreTenants;
-    private File flow;
-    private File flowNoPorts;
-    private File flowWithDns;
-
-    private AuthorizerConfigurationContext configurationContext;
-
-    @BeforeAll
-    public static void setUpSuite() {
-        Assumptions.assumeTrue(!SystemUtils.IS_OS_WINDOWS, "Test only runs on 
*nix");
-    }
-
-    @BeforeEach
-    public void setup() throws IOException {
-        // primary authorizations
-        primaryAuthorizations = new 
File("target/authorizations/authorizations.xml");
-        
FileUtils.ensureDirectoryExistAndCanAccess(primaryAuthorizations.getParentFile());
-
-        // primary tenants
-        primaryTenants = new File("target/authorizations/users.xml");
-        
FileUtils.ensureDirectoryExistAndCanAccess(primaryTenants.getParentFile());
-
-        // restore authorizations
-        restoreAuthorizations = new File("target/restore/authorizations.xml");
-        
FileUtils.ensureDirectoryExistAndCanAccess(restoreAuthorizations.getParentFile());
-
-        // restore authorizations
-        restoreTenants = new File("target/restore/users.xml");
-        
FileUtils.ensureDirectoryExistAndCanAccess(restoreTenants.getParentFile());
-
-        flow = new File("src/test/resources/flow.json.gz");
-        FileUtils.ensureDirectoryExistAndCanAccess(flow.getParentFile());
-
-        flowNoPorts = new File("src/test/resources/flow-no-ports.json.gz");
-        
FileUtils.ensureDirectoryExistAndCanAccess(flowNoPorts.getParentFile());
-
-        flowWithDns = new File("src/test/resources/flow-with-dns.json.gz");
-        
FileUtils.ensureDirectoryExistAndCanAccess(flowWithDns.getParentFile());
-
-        properties = mock(NiFiProperties.class);
-        
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
-        when(properties.getFlowConfigurationFile()).thenReturn(flow);
-
-        configurationContext = mock(AuthorizerConfigurationContext.class);
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE))).thenReturn(new
 StandardPropertyValue(primaryAuthorizations.getPath(), null,
-            ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileUserGroupProvider.PROP_TENANTS_FILE))).thenReturn(new
 StandardPropertyValue(primaryTenants.getPath(), null, ParameterLookup.EMPTY));
-        when(configurationContext.getProperties()).then((invocation) -> {
-            final Map<String, String> properties = new HashMap<>();
-
-            final PropertyValue authFile = 
configurationContext.getProperty(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE);
-            if (authFile != null) {
-                
properties.put(FileAccessPolicyProvider.PROP_AUTHORIZATIONS_FILE, 
authFile.getValue());
-            }
-
-            final PropertyValue tenantFile = 
configurationContext.getProperty(FileUserGroupProvider.PROP_TENANTS_FILE);
-            if (tenantFile != null) {
-                properties.put(FileUserGroupProvider.PROP_TENANTS_FILE, 
tenantFile.getValue());
-            }
-
-            final PropertyValue initialAdmin = 
configurationContext.getProperty(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY);
-            if (initialAdmin != null) {
-                
properties.put(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY, 
initialAdmin.getValue());
-            }
-
-            int i = 1;
-            while (true) {
-                final String key = 
FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX + i++;
-                final PropertyValue value = 
configurationContext.getProperty(key);
-                if (value == null) {
-                    break;
-                } else {
-                    properties.put(key, value.getValue());
-                }
-            }
-
-            return properties;
-        });
-
-        authorizer = new FileAuthorizer();
-        authorizer.setNiFiProperties(properties);
-        authorizer.initialize(null);
-    }
-
-    @AfterEach
-    public void cleanup() throws Exception {
-        deleteFile(primaryAuthorizations);
-        deleteFile(primaryTenants);
-        deleteFile(restoreAuthorizations);
-        deleteFile(restoreTenants);
-    }
-
-    @Test
-    public void testOnConfiguredWhenInitialAdminNotProvided() throws Exception 
{
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(0, users.size());
-
-        final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(0, policies.size());
-    }
-
-    @Test
-    public void testOnConfiguredWhenInitialAdminProvided() throws Exception {
-        final String adminIdentity = "admin-user";
-
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(1, users.size());
-
-        final User adminUser = users.iterator().next();
-        assertEquals(adminIdentity, adminUser.getIdentity());
-
-        final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(12, policies.size());
-
-        final String rootGroupResource = ResourceType.ProcessGroup.getValue() 
+ "/" + ROOT_GROUP_ID;
-
-        boolean foundRootGroupPolicy = false;
-        for (AccessPolicy policy : policies) {
-            if (policy.getResource().equals(rootGroupResource)) {
-                foundRootGroupPolicy = true;
-                break;
-            }
-        }
-
-        assertTrue(foundRootGroupPolicy);
-    }
-
-    @Test
-    public void testOnConfiguredWhenInitialAdminProvidedAndNoFlowExists() 
throws Exception {
-        // setup NiFi properties to return a file that does not exist
-        properties = mock(NiFiProperties.class);
-        
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
-        when(properties.getFlowConfigurationFile()).thenReturn(new 
File("src/test/resources/does-not-exist.json.gz"));
-        authorizer.setNiFiProperties(properties);
-
-        final String adminIdentity = "admin-user";
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(1, users.size());
-
-        final User adminUser = users.iterator().next();
-        assertEquals(adminIdentity, adminUser.getIdentity());
-
-        final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(8, policies.size());
-
-        final String rootGroupResource = ResourceType.ProcessGroup.getValue() 
+ "/" + ROOT_GROUP_ID;
-
-        boolean foundRootGroupPolicy = false;
-        for (AccessPolicy policy : policies) {
-            if (policy.getResource().equals(rootGroupResource)) {
-                foundRootGroupPolicy = true;
-                break;
-            }
-        }
-
-        assertFalse(foundRootGroupPolicy);
-    }
-
-    @Test
-    public void testOnConfiguredWhenInitialAdminProvidedAndFlowIsNull() throws 
Exception {
-        // setup NiFi properties to return a file that does not exist
-        properties = mock(NiFiProperties.class);
-        
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
-        when(properties.getFlowConfigurationFile()).thenReturn(new 
File("src/test/resources/does-not-exist.json.gz"));
-        authorizer.setNiFiProperties(properties);
-
-        final String adminIdentity = "admin-user";
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(1, users.size());
-
-        final User adminUser = users.iterator().next();
-        assertEquals(adminIdentity, adminUser.getIdentity());
-
-        final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(8, policies.size());
-
-        final String rootGroupResource = ResourceType.ProcessGroup.getValue() 
+ "/" + ROOT_GROUP_ID;
-
-        boolean foundRootGroupPolicy = false;
-        for (AccessPolicy policy : policies) {
-            if (policy.getResource().equals(rootGroupResource)) {
-                foundRootGroupPolicy = true;
-                break;
-            }
-        }
-
-        assertFalse(foundRootGroupPolicy);
-    }
-
-    @Test
-    public void testOnConfiguredWhenInitialAdminProvidedWithIdentityMapping() 
throws Exception {
-        final Properties props = new Properties();
-        props.setProperty("nifi.security.identity.mapping.pattern.dn1", 
"^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$");
-        props.setProperty("nifi.security.identity.mapping.value.dn1", 
"$1_$2_$3");
-
-        properties = getNiFiProperties(props);
-        
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
-        when(properties.getFlowConfigurationFile()).thenReturn(flow);
-        authorizer.setNiFiProperties(properties);
-
-        final String adminIdentity = "CN=localhost, OU=Apache NiFi, O=Apache, 
L=Santa Monica, ST=CA, C=US";
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(1, users.size());
-
-        final User adminUser = users.iterator().next();
-        assertEquals("localhost_Apache NiFi_Apache", adminUser.getIdentity());
-    }
-
-    @Test
-    public void testOnConfiguredWhenNodeIdentitiesProvided() throws Exception {
-        final String adminIdentity = "admin-user";
-        final String nodeIdentity1 = "node1";
-        final String nodeIdentity2 = "node2";
-
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "1")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity1, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "2")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity2, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        User adminUser = authorizer.getUserByIdentity(adminIdentity);
-        assertNotNull(adminUser);
-
-        User nodeUser1 = authorizer.getUserByIdentity(nodeIdentity1);
-        assertNotNull(nodeUser1);
-
-        User nodeUser2 = authorizer.getUserByIdentity(nodeIdentity2);
-        assertNotNull(nodeUser2);
-
-        AccessPolicy proxyWritePolicy = 
authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(),
 RequestAction.WRITE);
-
-        assertNotNull(proxyWritePolicy);
-        
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser1.getIdentifier()));
-        
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier()));
-    }
-
-    @Test
-    public void 
testOnConfiguredWhenNodeIdentitiesProvidedAndUsersAlreadyExist() throws 
Exception {
-        final String adminIdentity = "admin-user";
-        final String nodeIdentity1 = "node1";
-        final String nodeIdentity2 = "node2";
-
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "1")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity1, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "2")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity2, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODES);
-        authorizer.onConfigured(configurationContext);
-
-        assertEquals(3, authorizer.getUsers().size());
-
-        User adminUser = authorizer.getUserByIdentity(adminIdentity);
-        assertNotNull(adminUser);
-
-        User nodeUser1 = authorizer.getUserByIdentity(nodeIdentity1);
-        assertNotNull(nodeUser1);
-
-        User nodeUser2 = authorizer.getUserByIdentity(nodeIdentity2);
-        assertNotNull(nodeUser2);
-
-        AccessPolicy proxyWritePolicy = 
authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(),
 RequestAction.WRITE);
-
-        assertNotNull(proxyWritePolicy);
-        
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser1.getIdentifier()));
-        
assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier()));
-    }
-
-    @Test
-    public void 
testOnConfiguredWhenNodeIdentitiesProvidedWithIdentityMappings() throws 
Exception {
-        final Properties props = new Properties();
-        props.setProperty("nifi.security.identity.mapping.pattern.dn1", 
"^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$");
-        props.setProperty("nifi.security.identity.mapping.value.dn1", "$1");
-
-        properties = getNiFiProperties(props);
-        
when(properties.getRestoreDirectory()).thenReturn(restoreAuthorizations.getParentFile());
-        when(properties.getFlowConfigurationFile()).thenReturn(flow);
-        authorizer.setNiFiProperties(properties);
-
-        final String adminIdentity = "CN=user1, OU=Apache NiFi, O=Apache, 
L=Santa Monica, ST=CA, C=US";
-        final String nodeIdentity1 = "CN=node1, OU=Apache NiFi, O=Apache, 
L=Santa Monica, ST=CA, C=US";
-        final String nodeIdentity2 = "CN=node2, OU=Apache NiFi, O=Apache, 
L=Santa Monica, ST=CA, C=US";
-
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
-                .thenReturn(new StandardPropertyValue(adminIdentity, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "1")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity1, null, 
ParameterLookup.EMPTY));
-        
when(configurationContext.getProperty(Mockito.eq(FileAccessPolicyProvider.PROP_NODE_IDENTITY_PREFIX
 + "2")))
-                .thenReturn(new StandardPropertyValue(nodeIdentity2, null, 
ParameterLookup.EMPTY));
-
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        User adminUser = authorizer.getUserByIdentity("user1");
-        assertNotNull(adminUser);
-
-        User nodeUser1 = authorizer.getUserByIdentity("node1");
-        assertNotNull(nodeUser1);
-
-        User nodeUser2 = authorizer.getUserByIdentity("node2");
-        assertNotNull(nodeUser2);
-    }
-
-    @Test
-    public void testOnConfiguredWhenTenantsAndAuthorizationsFileDoesNotExist() 
{
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getAccessPolicies().size());
-        assertEquals(0, authorizer.getUsers().size());
-        assertEquals(0, authorizer.getGroups().size());
-    }
-
-    @Test
-    public void testOnConfiguredWhenAuthorizationsFileDoesNotExist() throws 
Exception {
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getAccessPolicies().size());
-        assertEquals(0, authorizer.getUsers().size());
-        assertEquals(0, authorizer.getGroups().size());
-    }
-
-    @Test
-    public void testOnConfiguredWhenTenantsFileDoesNotExist() throws Exception 
{
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getAccessPolicies().size());
-        assertEquals(0, authorizer.getUsers().size());
-        assertEquals(0, authorizer.getGroups().size());
-    }
-
-    @Test
-    public void testOnConfiguredWhenRestoreDoesNotExist() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(primaryTenants, EMPTY_TENANTS_CONCISE);
-        authorizer.onConfigured(configurationContext);
-
-        assertEquals(primaryAuthorizations.length(), 
restoreAuthorizations.length());
-        assertEquals(primaryTenants.length(), restoreTenants.length());
-    }
-
-    @Test
-    public void testOnConfiguredWhenPrimaryDoesNotExist() throws Exception {
-        writeFile(restoreAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-        writeFile(restoreTenants, EMPTY_TENANTS_CONCISE);
-
-        assertThrows(AuthorizerCreationException.class,
-                () -> authorizer.onConfigured(configurationContext));
-    }
-
-    @Test
-    public void 
testOnConfiguredWhenPrimaryAuthorizationsDifferentThanRestore() throws 
Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(restoreAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
-
-        assertThrows(AuthorizerCreationException.class,
-                () -> authorizer.onConfigured(configurationContext));
-    }
-
-    @Test
-    public void testOnConfiguredWhenPrimaryTenantsDifferentThanRestore() 
throws Exception {
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        writeFile(restoreTenants, EMPTY_TENANTS_CONCISE);
-
-        assertThrows(AuthorizerCreationException.class,
-                () -> authorizer.onConfigured(configurationContext));
-    }
-
-    @Test
-    public void testOnConfiguredWithBadAuthorizationsSchema() throws Exception 
{
-        writeFile(primaryAuthorizations, BAD_SCHEMA_AUTHORIZATIONS);
-
-        assertThrows(AuthorizerCreationException.class,
-                () -> authorizer.onConfigured(configurationContext));
-    }
-
-    @Test
-    public void testOnConfiguredWithBadTenantsSchema() throws Exception {
-        writeFile(primaryTenants, BAD_SCHEMA_TENANTS);
-
-        assertThrows(AuthorizerCreationException.class,
-                () -> authorizer.onConfigured(configurationContext));
-    }
-
-    @Test
-    public void testAuthorizedUserAction() throws Exception {
-        writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
-        writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
-        authorizer.onConfigured(configurationContext);
-
-        final AuthorizationRequest request = new AuthorizationRequest.Builder()
-                .resource(ResourceFactory.getFlowResource())
-                .identity("user-1")
-                .anonymous(false)
-                .accessAttempt(true)
-                .action(RequestAction.READ)
-                .build();
-
-        final AuthorizationResult result = authorizer.authorize(request);
-        assertTrue(Result.Approved.equals(result.getResult()));
-    }
-
-    @Test
-    public void testUnauthorizedUser() throws Exception {
-        writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
-        writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
-        authorizer.onConfigured(configurationContext);
-
-        final AuthorizationRequest request = new AuthorizationRequest.Builder()
-                .resource(ResourceFactory.getFlowResource())
-                .identity("user-2")
-                .anonymous(false)
-                .accessAttempt(true)
-                .action(RequestAction.READ)
-                .build();
-
-        final AuthorizationResult result = authorizer.authorize(request);
-        assertFalse(Result.Approved.equals(result.getResult()));
-    }
-
-    @Test
-    public void testUnauthorizedAction() throws Exception {
-        writeFile(primaryAuthorizations, SIMPLE_AUTHORIZATION_BY_USER);
-        writeFile(primaryTenants, SIMPLE_TENANTS_BY_USER);
-        authorizer.onConfigured(configurationContext);
-
-        final AuthorizationRequest request = new AuthorizationRequest.Builder()
-                .resource(ResourceFactory.getFlowResource())
-                .identity("user-1")
-                .anonymous(false)
-                .accessAttempt(true)
-                .action(RequestAction.WRITE)
-                .build();
-
-        final AuthorizationResult result = authorizer.authorize(request);
-        assertFalse(Result.Approved.equals(result.getResult()));
-    }
-
-    @Test
-    public void testGetAllUsersGroupsPolicies() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-
-        final Set<Group> groups = authorizer.getGroups();
-        assertEquals(2, groups.size());
-
-        boolean foundGroup1 = false;
-        boolean foundGroup2 = false;
-
-        for (Group group : groups) {
-            if (group.getIdentifier().equals("group-1") && 
group.getName().equals("group-1")
-                    && group.getUsers().size() == 1 && 
group.getUsers().contains("user-1")) {
-                foundGroup1 = true;
-            } else if (group.getIdentifier().equals("group-2") && 
group.getName().equals("group-2")
-                    && group.getUsers().size() == 1 && 
group.getUsers().contains("user-2")) {
-                foundGroup2 = true;
-            }
-        }
-
-        assertTrue(foundGroup1);
-        assertTrue(foundGroup2);
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(2, users.size());
-
-        boolean foundUser1 = false;
-        boolean foundUser2 = false;
-
-        for (User user : users) {
-            if (user.getIdentifier().equals("user-1") && 
user.getIdentity().equals("user-1")) {
-                foundUser1 = true;
-            } else if (user.getIdentifier().equals("user-2") && 
user.getIdentity().equals("user-2")) {
-                foundUser2 = true;
-            }
-        }
-
-        assertTrue(foundUser1);
-        assertTrue(foundUser2);
-
-        final Set<AccessPolicy> policies = authorizer.getAccessPolicies();
-        assertEquals(2, policies.size());
-
-        boolean foundPolicy1 = false;
-        boolean foundPolicy2 = false;
-
-        for (AccessPolicy policy : policies) {
-            if (policy.getIdentifier().equals("policy-1")
-                    && policy.getResource().equals("/flow")
-                    && policy.getAction() == RequestAction.READ
-                    && policy.getGroups().size() == 2
-                    && policy.getGroups().contains("group-1")
-                    && policy.getGroups().contains("group-2")
-                    && policy.getUsers().size() == 1
-                    && policy.getUsers().contains("user-1")) {
-                foundPolicy1 = true;
-            } else if (policy.getIdentifier().equals("policy-2")
-                    && policy.getResource().equals("/flow")
-                    && policy.getAction() == RequestAction.WRITE
-                    && policy.getGroups().size() == 0
-                    && policy.getUsers().size() == 1
-                    && policy.getUsers().contains("user-2")) {
-                foundPolicy2 = true;
-            }
-        }
-
-        assertTrue(foundPolicy1);
-        assertTrue(foundPolicy2);
-    }
-
-    // --------------- User Tests ------------------------
-
-    @Test
-    public void testAddUser() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getUsers().size());
-
-        final User user = new User.Builder()
-                .identifier("user-1")
-                .identity("user-identity-1")
-                .build();
-
-        final User addedUser = authorizer.addUser(user);
-        assertNotNull(addedUser);
-        assertEquals(user.getIdentifier(), addedUser.getIdentifier());
-        assertEquals(user.getIdentity(), addedUser.getIdentity());
-
-        final Set<User> users = authorizer.getUsers();
-        assertEquals(1, users.size());
-    }
-
-    @Test
-    public void testGetUserByIdentifierWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final String identifier = "user-1";
-        final User user = authorizer.getUser(identifier);
-        assertNotNull(user);
-        assertEquals(identifier, user.getIdentifier());
-    }
-
-    @Test
-    public void testGetUserByIdentifierWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final String identifier = "user-X";
-        final User user = authorizer.getUser(identifier);
-        assertNull(user);
-    }
-
-    @Test
-    public void testGetUserByIdentityWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final String identity = "user-1";
-        final User user = authorizer.getUserByIdentity(identity);
-        assertNotNull(user);
-        assertEquals(identity, user.getIdentifier());
-    }
-
-    @Test
-    public void testGetUserByIdentityWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final String identity = "user-X";
-        final User user = authorizer.getUserByIdentity(identity);
-        assertNull(user);
-    }
-
-    @Test
-    public void testDeleteUser() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        // retrieve user-1 and verify it exists
-        final User user = authorizer.getUser("user-1");
-        assertEquals("user-1", user.getIdentifier());
-
-        // delete user-1
-        final User deletedUser = authorizer.deleteUser(user);
-        assertNotNull(deletedUser);
-        assertEquals("user-1", deletedUser.getIdentifier());
-
-        // should be one less user
-        assertEquals(1, authorizer.getUsers().size());
-        assertNull(authorizer.getUser(user.getIdentifier()));
-    }
-
-    @Test
-    public void testDeleteUserWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        //user that doesn't exist
-        final User user = new 
User.Builder().identifier("user-X").identity("user-identity-X").build();
-
-        // should return null and still have 2 users because nothing was 
deleted
-        final User deletedUser = authorizer.deleteUser(user);
-        assertNull(deletedUser);
-        assertEquals(2, authorizer.getUsers().size());
-    }
-
-    @Test
-    public void testUpdateUserWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final User user = new User.Builder()
-                .identifier("user-1")
-                .identity("new-identity")
-                .build();
-
-        final User updatedUser = authorizer.updateUser(user);
-        assertNotNull(updatedUser);
-        assertEquals(user.getIdentifier(), updatedUser.getIdentifier());
-        assertEquals(user.getIdentity(), updatedUser.getIdentity());
-    }
-
-    @Test
-    public void testUpdateUserWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getUsers().size());
-
-        final User user = new User.Builder()
-                .identifier("user-X")
-                .identity("new-identity")
-                .build();
-
-        final User updatedUser = authorizer.updateUser(user);
-        assertNull(updatedUser);
-    }
-
-    // --------------- Group Tests ------------------------
-
-    @Test
-    public void testAddGroup() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getGroups().size());
-
-        final Group group = new Group.Builder()
-                .identifier("group-id-1")
-                .name("group-name-1")
-                .build();
-
-        final Group addedGroup = authorizer.addGroup(group);
-        assertNotNull(addedGroup);
-        assertEquals(group.getIdentifier(), addedGroup.getIdentifier());
-        assertEquals(group.getName(), addedGroup.getName());
-        assertEquals(0, addedGroup.getUsers().size());
-
-        final Set<Group> groups = authorizer.getGroups();
-        assertEquals(1, groups.size());
-    }
-
-    @Test
-    public void testAddGroupWithUser() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        final Group group = new Group.Builder()
-                .identifier("group-id-XXX")
-                .name("group-name-XXX")
-                .addUser("user-1")
-                .build();
-
-        final Group addedGroup = authorizer.addGroup(group);
-        assertNotNull(addedGroup);
-        assertEquals(group.getIdentifier(), addedGroup.getIdentifier());
-        assertEquals(group.getName(), addedGroup.getName());
-        assertEquals(1, addedGroup.getUsers().size());
-
-        final Set<Group> groups = authorizer.getGroups();
-        assertEquals(3, groups.size());
-    }
-
-    @Test
-    public void testAddGroupWhenUserDoesNotExist() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getGroups().size());
-
-        final Group group = new Group.Builder()
-                .identifier("group-id-1")
-                .name("group-name-1")
-                .addUser("user1")
-                .build();
-
-        authorizer.addGroup(group);
-
-        assertEquals(1, authorizer.getGroups().size());
-    }
-
-    @Test
-    public void testGetGroupByIdentifierWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        final String identifier = "group-1";
-        final Group group = authorizer.getGroup(identifier);
-        assertNotNull(group);
-        assertEquals(identifier, group.getIdentifier());
-    }
-
-    @Test
-    public void testGetGroupByIdentifierWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        final String identifier = "group-X";
-        final Group group = authorizer.getGroup(identifier);
-        assertNull(group);
-    }
-
-    @Test
-    public void testDeleteGroupWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        // retrieve group-1
-        final Group group = authorizer.getGroup("group-1");
-        assertEquals("group-1", group.getIdentifier());
-
-        // delete group-1
-        final Group deletedGroup = authorizer.deleteGroup(group);
-        assertNotNull(deletedGroup);
-        assertEquals("group-1", deletedGroup.getIdentifier());
-
-        // verify there is one less overall group
-        assertEquals(1, authorizer.getGroups().size());
-
-        // verify we can no longer retrieve group-1 by identifier
-        assertNull(authorizer.getGroup(group.getIdentifier()));
-    }
-
-    @Test
-    public void testDeleteGroupWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        final Group group = new Group.Builder()
-                .identifier("group-id-X")
-                .name("group-name-X")
-                .build();
-
-        final Group deletedGroup = authorizer.deleteGroup(group);
-        assertNull(deletedGroup);
-        assertEquals(2, authorizer.getGroups().size());
-    }
-
-    @Test
-    public void testUpdateGroupWhenFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        // verify user-1 is in group-1 before the update
-        final Group groupBefore = authorizer.getGroup("group-1");
-        assertEquals(1, groupBefore.getUsers().size());
-        assertTrue(groupBefore.getUsers().contains("user-1"));
-
-        final Group group = new Group.Builder()
-                .identifier("group-1")
-                .name("new-name")
-                .addUser("user-2")
-                .build();
-
-        final Group updatedGroup = authorizer.updateGroup(group);
-        assertEquals(group.getIdentifier(), updatedGroup.getIdentifier());
-        assertEquals(group.getName(), updatedGroup.getName());
-
-        assertEquals(1, updatedGroup.getUsers().size());
-        assertTrue(updatedGroup.getUsers().contains("user-2"));
-    }
-
-    @Test
-    public void testUpdateGroupWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getGroups().size());
-
-        final Group group = new Group.Builder()
-                .identifier("group-X")
-                .name("group-X")
-                .build();
-
-        final Group updatedGroup = authorizer.updateGroup(group);
-        assertNull(updatedGroup);
-        assertEquals(2, authorizer.getGroups().size());
-    }
-
-    // --------------- AccessPolicy Tests ------------------------
-
-    @Test
-    public void testAddAccessPolicy() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy1 = new AccessPolicy.Builder()
-                .identifier("policy-1")
-                .resource("resource-1")
-                .addUser("user-1")
-                .addGroup("group-1")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy returnedPolicy1 = 
authorizer.addAccessPolicy(policy1);
-        assertNotNull(returnedPolicy1);
-        assertEquals(policy1.getIdentifier(), returnedPolicy1.getIdentifier());
-        assertEquals(policy1.getResource(), returnedPolicy1.getResource());
-        assertEquals(policy1.getUsers(), returnedPolicy1.getUsers());
-        assertEquals(policy1.getGroups(), returnedPolicy1.getGroups());
-        assertEquals(policy1.getAction(), returnedPolicy1.getAction());
-
-        assertEquals(1, authorizer.getAccessPolicies().size());
-
-        // second policy for the same resource
-        final AccessPolicy policy2 = new AccessPolicy.Builder()
-                .identifier("policy-2")
-                .resource("resource-1")
-                .addUser("user-1")
-                .addGroup("group-1")
-                .action(RequestAction.READ)
-                .build();
-
-        final ManagedAuthorizer managedAuthorizer = (ManagedAuthorizer) 
AuthorizerFactory.installIntegrityChecks(authorizer);
-        final ConfigurableAccessPolicyProvider accessPolicyProviderWithChecks 
= (ConfigurableAccessPolicyProvider) 
managedAuthorizer.getAccessPolicyProvider();
-        try {
-            final AccessPolicy returnedPolicy2 = 
accessPolicyProviderWithChecks.addAccessPolicy(policy2);
-            fail("Should have thrown exception");
-        } catch (Exception e) {
-        }
-
-        assertEquals(1, authorizer.getAccessPolicies().size());
-    }
-
-    @Test
-    public void testAddAccessPolicyWithEmptyUsersAndGroups() throws Exception {
-        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS);
-        writeFile(primaryTenants, EMPTY_TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(0, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy1 = new AccessPolicy.Builder()
-                .identifier("policy-1")
-                .resource("resource-1")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy returnedPolicy1 = 
authorizer.addAccessPolicy(policy1);
-        assertNotNull(returnedPolicy1);
-        assertEquals(policy1.getIdentifier(), returnedPolicy1.getIdentifier());
-        assertEquals(policy1.getResource(), returnedPolicy1.getResource());
-        assertEquals(policy1.getUsers(), returnedPolicy1.getUsers());
-        assertEquals(policy1.getGroups(), returnedPolicy1.getGroups());
-        assertEquals(policy1.getAction(), returnedPolicy1.getAction());
-
-        assertEquals(1, authorizer.getAccessPolicies().size());
-    }
-
-    @Test
-    public void testGetAccessPolicy() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = authorizer.getAccessPolicy("policy-1");
-        assertNotNull(policy);
-        assertEquals("policy-1", policy.getIdentifier());
-        assertEquals("/flow", policy.getResource());
-
-        assertEquals(RequestAction.READ, policy.getAction());
-
-        assertEquals(1, policy.getUsers().size());
-        assertTrue(policy.getUsers().contains("user-1"));
-
-        assertEquals(2, policy.getGroups().size());
-        assertTrue(policy.getGroups().contains("group-1"));
-        assertTrue(policy.getGroups().contains("group-2"));
-    }
-
-    @Test
-    public void testGetAccessPolicyWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = authorizer.getAccessPolicy("policy-X");
-        assertNull(policy);
-    }
-
-    @Test
-    public void testUpdateAccessPolicy() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = new AccessPolicy.Builder()
-                .identifier("policy-1")
-                .resource("resource-A")
-                .addUser("user-A")
-                .addGroup("group-A")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy updateAccessPolicy = 
authorizer.updateAccessPolicy(policy);
-        assertNotNull(updateAccessPolicy);
-        assertEquals("policy-1", updateAccessPolicy.getIdentifier());
-        assertEquals("/flow", updateAccessPolicy.getResource());
-
-        assertEquals(1, updateAccessPolicy.getUsers().size());
-        assertTrue(updateAccessPolicy.getUsers().contains("user-A"));
-
-        assertEquals(1, updateAccessPolicy.getGroups().size());
-        assertTrue(updateAccessPolicy.getGroups().contains("group-A"));
-
-        assertEquals(RequestAction.READ, updateAccessPolicy.getAction());
-    }
-
-    @Test
-    public void testUpdateAccessPolicyWhenResourceNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = new AccessPolicy.Builder()
-                .identifier("policy-XXX")
-                .resource("resource-A")
-                .addUser("user-A")
-                .addGroup("group-A")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy updateAccessPolicy = 
authorizer.updateAccessPolicy(policy);
-        assertNull(updateAccessPolicy);
-    }
-
-    @Test
-    public void testDeleteAccessPolicy() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = new AccessPolicy.Builder()
-                .identifier("policy-1")
-                .resource("resource-A")
-                .addUser("user-A")
-                .addGroup("group-A")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy deletedAccessPolicy = 
authorizer.deleteAccessPolicy(policy);
-        assertNotNull(deletedAccessPolicy);
-        assertEquals(policy.getIdentifier(), 
deletedAccessPolicy.getIdentifier());
-
-        // should have one less policy, and get by policy id should return null
-        assertEquals(1, authorizer.getAccessPolicies().size());
-        assertNull(authorizer.getAccessPolicy(policy.getIdentifier()));
-    }
-
-    @Test
-    public void testDeleteAccessPolicyWhenNotFound() throws Exception {
-        writeFile(primaryAuthorizations, AUTHORIZATIONS);
-        writeFile(primaryTenants, TENANTS);
-        authorizer.onConfigured(configurationContext);
-        assertEquals(2, authorizer.getAccessPolicies().size());
-
-        final AccessPolicy policy = new AccessPolicy.Builder()
-                .identifier("policy-XXX")
-                .resource("resource-A")
-                .addUser("user-A")
-                .addGroup("group-A")
-                .action(RequestAction.READ)
-                .build();
-
-        final AccessPolicy deletedAccessPolicy = 
authorizer.deleteAccessPolicy(policy);
-        assertNull(deletedAccessPolicy);
-    }
-
-    private static void writeFile(final File file, final String content) 
throws Exception {
-        byte[] bytes = content.getBytes(StandardCharsets.UTF_8);
-        try (final FileOutputStream fos = new FileOutputStream(file)) {
-            fos.write(bytes);
-        }
-    }
-
-    private static boolean deleteFile(final File file) {
-        if (file.isDirectory()) {
-            FileUtils.deleteFilesInDir(file, null, null, true, true);
-        }
-        return FileUtils.deleteFile(file, null, 10);
-    }
-
-    private NiFiProperties getNiFiProperties(final Properties properties) {
-        final NiFiProperties nifiProperties = 
Mockito.mock(NiFiProperties.class);
-        
when(nifiProperties.getPropertyKeys()).thenReturn(properties.stringPropertyNames());
-
-        when(nifiProperties.getProperty(anyString())).then(new 
Answer<String>() {
-            @Override
-            public String answer(InvocationOnMock invocationOnMock) throws 
Throwable {
-                return 
properties.getProperty((String)invocationOnMock.getArguments()[0]);
-            }
-        });
-        return nifiProperties;
-    }
-
-}
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-multirole.xml
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-multirole.xml
deleted file mode 100644
index 493ed4b4c3..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-multirole.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-      http://www.apache.org/licenses/LICENSE-2.0
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<users>
-    <user dn="user1" group="group1">
-        <role name="ROLE_MONITOR"/>
-        <role name="ROLE_DFM" />
-    </user>
-</users>
\ No newline at end of file
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-with-dns.xml
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-with-dns.xml
deleted file mode 100644
index 7c5d0d05c2..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users-with-dns.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-      http://www.apache.org/licenses/LICENSE-2.0
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<users>
-    <user dn="CN=user1, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US" 
group="group1">
-        <role name="ROLE_MONITOR"/>
-    </user>
-    <user dn="CN=user2, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US">
-        <role name="ROLE_PROVENANCE"/>
-    </user>
-    <user dn="CN=user3, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US">
-        <role name="ROLE_DFM"/>
-    </user>
-    <user dn="CN=user4, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US">
-        <role name="ROLE_ADMIN"/>
-    </user>
-    <user dn="CN=user5, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US">
-        <role name="ROLE_PROXY"/>
-    </user>
-    <user dn="CN=user6, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US">
-        <role name="ROLE_NIFI"/>
-    </user>
-</users>
\ No newline at end of file
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users.xml
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users.xml
deleted file mode 100644
index 0515a09eec..0000000000
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/resources/authorized-users.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-      http://www.apache.org/licenses/LICENSE-2.0
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<users>
-    <user dn="user1" group="group1">
-        <role name="ROLE_MONITOR"/>
-    </user>
-    <user dn="user2">
-        <role name="ROLE_PROVENANCE"/>
-    </user>
-    <user dn="user3">
-        <role name="ROLE_DFM"/>
-    </user>
-    <user dn="user4">
-        <role name="ROLE_ADMIN"/>
-    </user>
-    <user dn="user5">
-        <role name="ROLE_PROXY"/>
-    </user>
-    <user dn="user6">
-        <role name="ROLE_NIFI"/>
-    </user>
-</users>
\ No newline at end of file
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
index 3b59cb35fe..fdaf70dc9e 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
@@ -33,9 +33,6 @@
 
         - Users File - The file where the FileUserGroupProvider will store 
users and groups.
 
-        - Legacy Authorized Users File - The full path to an existing 
authorized-users.xml that will be automatically
-            be used to load the users and groups into the Users File.
-
         - Initial User Identity [unique key] - The identity of a users and 
systems to seed the Users File. The name of
             each property must be unique, for example: "Initial User Identity 
A", "Initial User Identity B",
             "Initial User Identity C" or "Initial User Identity 1", "Initial 
User Identity 2", "Initial User Identity 3"
@@ -47,8 +44,6 @@
         <identifier>file-user-group-provider</identifier>
         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
         <property name="Users File">./conf/users.xml</property>
-        <property name="Legacy Authorized Users File"></property>
-
         <property name="Initial User Identity 1"></property>
     </userGroupProvider>
 
@@ -293,17 +288,11 @@
         - Initial Admin Identity - The identity of an initial admin user that 
will be granted access to the UI and
             given the ability to create additional users, groups, and 
policies. The value of this property could be
             a DN when using certificates or LDAP, or a Kerberos principal. 
This property will only be used when there
-            are no other policies defined. If this property is specified then 
a Legacy Authorized Users File can not be specified.
+            are no other policies defined.
 
             NOTE: Any identity mapping rules specified in nifi.properties will 
also be applied to the initial admin identity,
             so the value should be the unmapped identity. This identity must 
be found in the configured User Group Provider.
 
-        - Legacy Authorized Users File - The full path to an existing 
authorized-users.xml that will be automatically
-            converted to the new authorizations model. If this property is 
specified then an Initial Admin Identity can
-            not be specified, and this property will only be used when there 
are no other users, groups, and policies defined.
-
-            NOTE: Any users in the legacy users file must be found in the 
configured User Group Provider.
-
         - Node Identity [unique key] - The identity of a NiFi cluster node. 
When clustered, a property for each node
             should be defined, so that every node knows about every other 
node. If not clustered these properties can be ignored.
             The name of each property must be unique, for example for a three 
node cluster:
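Review bot: The shortened Initial Admin Identity description drops the mutual-exclusion sentence, but nothing in the template tells an operator what happens to an existing authorizers.xml that still carries `<property name="Legacy Authorized Users File">` after an upgrade. Whether the provider rejects the leftover property at startup or quietly ignores it is not visible in this hunk and should be confirmed. If it is ignored, an instance that relied on the legacy file to seed users and policies would start without them and without any error to explain why. I would add a line to this comment such as `NOTE: The Legacy Authorized Users File property is no longer supported and must be removed from existing configurations.` and repeat it in the upgrade notes. The same applies to the property removals in the other hunks of this file and to the commented-out `FileAuthorizer` example removed in the last one.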
@@ -324,7 +313,6 @@
         <property name="User Group 
Provider">file-user-group-provider</property>
         <property name="Authorizations 
File">./conf/authorizations.xml</property>
         <property name="Initial Admin Identity"></property>
-        <property name="Legacy Authorized Users File"></property>
         <property name="Node Identity 1"></property>
         <property name="Node Group"></property>
     </accessPolicyProvider>
@@ -343,49 +331,6 @@
         <property name="Access Policy 
Provider">file-access-policy-provider</property>
     </authorizer>
 
-    <!--
-        NOTE: This Authorizer has been replaced with the more granular 
approach configured above with the Standard
-        Managed Authorizer. However, it is still available for backwards 
compatibility reasons.
-
-        The FileAuthorizer is NiFi's provided authorizer and has the following 
properties:
-
-        - Authorizations File - The file where the FileAuthorizer will store 
policies.
-
-        - Users File - The file where the FileAuthorizer will store users and 
groups.
-
-        - Initial Admin Identity - The identity of an initial admin user that 
will be granted access to the UI and
-            given the ability to create additional users, groups, and 
policies. The value of this property could be
-            a DN when using certificates or LDAP, or a Kerberos principal. 
This property will only be used when there
-            are no other users, groups, and policies defined. If this property 
is specified then a Legacy Authorized
-            Users File can not be specified.
-
-            NOTE: Any identity mapping rules specified in nifi.properties will 
also be applied to the initial admin identity,
-            so the value should be the unmapped identity.
-
-        - Legacy Authorized Users File - The full path to an existing 
authorized-users.xml that will be automatically
-            converted to the new authorizations model. If this property is 
specified then an Initial Admin Identity can
-            not be specified, and this property will only be used when there 
are no other users, groups, and policies defined.
-
-        - Node Identity [unique key] - The identity of a NiFi cluster node. 
When clustered, a property for each node
-            should be defined, so that every node knows about every other 
node. If not clustered these properties can be ignored.
-            The name of each property must be unique, for example for a three 
node cluster:
-            "Node Identity A", "Node Identity B", "Node Identity C" or "Node 
Identity 1", "Node Identity 2", "Node Identity 3"
-
-            NOTE: Any identity mapping rules specified in nifi.properties will 
also be applied to the node identities,
-            so the values should be the unmapped identities (i.e. full DN from 
a certificate).
-    -->
-    <!-- <authorizer>
-        <identifier>file-provider</identifier>
-        <class>org.apache.nifi.authorization.FileAuthorizer</class>
-        <property name="Authorizations 
File">./conf/authorizations.xml</property>
-        <property name="Users File">./conf/users.xml</property>
-        <property name="Initial Admin Identity"></property>
-        <property name="Legacy Authorized Users File"></property>
-
-        <property name="Node Identity 1"></property>
-    </authorizer>
-    -->
-
     <!--
         Single User Authorizer requires the configuration of the 
SingleUserLoginIdentityProvider
         in login-identity-provider.xml and in nifi.properties
