Repository: nifi Updated Branches: refs/heads/master b4c8e0179 -> de685a7a7
NIFI-5656 Handly empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case. This closes #3043. Signed-off-by: Kevin Doran <kdo...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/de685a7a Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/de685a7a Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/de685a7a Branch: refs/heads/master Commit: de685a7a741888c6ffd6468d89b536276975934c Parents: b4c8e01 Author: pepov <peterwilcsins...@gmail.com> Authored: Tue Oct 2 15:21:36 2018 +0200 Committer: Kevin Doran <kdo...@apache.org> Committed: Wed Oct 3 11:12:19 2018 -0400 ---------------------------------------------------------------------- .../authorization/FileAccessPolicyProvider.java | 21 +++++++---- .../FileAccessPolicyProviderTest.java | 39 +++++++++++++++++++- .../src/main/resources/conf/authorizers.xml | 2 + 3 files changed, 53 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java index b1a6f91..3174e34 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java @@ -232,16 +232,21 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide nodeGroupIdentifier = null; if (nodeGroupName != null) { - for (Group group : userGroupProvider.getGroups()) { - if (group.getName().equals(nodeGroupName)) { - nodeGroupIdentifier = group.getIdentifier(); - break; + if (!StringUtils.isBlank(nodeGroupName)) { + logger.debug("Trying to load node group '{}' from the underlying userGroupProvider", nodeGroupName); + for (Group group : userGroupProvider.getGroups()) { + if (group.getName().equals(nodeGroupName)) { + nodeGroupIdentifier = group.getIdentifier(); + break; + } } - } - if (nodeGroupIdentifier == null) { - throw new AuthorizerCreationException(String.format( + if (nodeGroupIdentifier == null) { + throw new AuthorizerCreationException(String.format( "Authorizations node group '%s' could not be found", nodeGroupName)); + } + } else { + logger.debug("Empty node group name provided"); } } @@ -633,6 +638,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide if (node == null) { throw new AuthorizerCreationException("Unable to locate node " + nodeIdentity + " to seed policies."); } + logger.debug("Populating default authorizations for node '{}' ({})", node.getIdentity(), node.getIdentifier()); // grant access to the proxy resource addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE); 
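Review bot: The blank check and the lookup in the first hunk disagree about whitespace: `StringUtils.isBlank(nodeGroupName)` treats a whitespace-only value as "not configured", while `group.getName().equals(nodeGroupName)` still compares the raw value, so a name with a stray leading or trailing space aborts startup with "could not be found". Unless the property is trimmed before this hunk (the enclosing method starts and ends outside it), compare against the trimmed value, e.g. `if (group.getName().equals(nodeGroupName.trim())) {`. The outer `if (nodeGroupName != null)` also looks redundant if this `isBlank` is null-safe, and it means a null value produces no log line while an empty one does. Because a blank value leaves `nodeGroupIdentifier` null and therefore seeds no node-group policies, a comment above the `else` such as `// blank Node Group: no group-based node policies are seeded` would make that authorization consequence explicit.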
@@ -645,6 +651,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide // authorize dynamic nodes (node group) if (nodeGroupIdentifier != null) { + logger.debug("Populating default authorizations for group '{}' ({})", userGroupProvider.getGroup(nodeGroupIdentifier).getName(), nodeGroupIdentifier); addGroupToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), nodeGroupIdentifier, WRITE_CODE); if (rootGroupId != null) { http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java index d02ada7..f13f7f1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java @@ -767,8 +767,8 @@ public class FileAccessPolicyProviderTest { userGroupProvider.onConfigured(configurationContext); accessPolicyProvider.onConfigured(configurationContext); - User nodeUser1 = userGroupProvider.getUserByIdentity(nodeIdentity1); - User nodeUser2 = userGroupProvider.getUserByIdentity(nodeIdentity2); + assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity1)); + assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity2)); AccessPolicy proxyWritePolicy = accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE); 
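Review bot: The new `logger.debug` call in the `@@ -645,6 +651,7 @@` hunk dereferences `userGroupProvider.getGroup(nodeGroupIdentifier).getName()` unconditionally, so if the provider returns null for that identifier the log statement throws a NullPointerException before `addGroupToAccessPolicy` runs. A diagnostic line should not be able to break policy seeding; resolve the group first and tolerate its absence: `final Group nodeGroup = userGroupProvider.getGroup(nodeGroupIdentifier);` followed by `logger.debug("Populating default authorizations for group '{}' ({})", nodeGroup == null ? null : nodeGroup.getName(), nodeGroupIdentifier);`. The lookup also runs when debug logging is off, so wrapping both lines in `if (logger.isDebugEnabled())` avoids the extra provider call. Whether `getGroup` can actually return null here depends on the provider implementation, which is not visible in this hunk; the enclosing method continues outside it.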
@@ -777,6 +777,41 @@ public class FileAccessPolicyProviderTest { } @Test + public void testOnConfiguredWhenNodeGroupEmpty() throws Exception { + final String adminIdentity = "admin-user"; + final String nodeGroupIdentifier = "cluster-nodes"; + + when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))) + .thenReturn(new StandardPropertyValue(adminIdentity, null)); + when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME))) + .thenReturn(new StandardPropertyValue("", null)); + + writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE); + writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP); + + userGroupProvider.onConfigured(configurationContext); + accessPolicyProvider.onConfigured(configurationContext); + + assertNull(accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE)); + } + + @Test(expected = AuthorizerCreationException.class) + public void testOnConfiguredWhenNodeGroupDoesNotExist() throws Exception { + final String adminIdentity = "admin-user"; + + when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY))) + .thenReturn(new StandardPropertyValue(adminIdentity, null)); + when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME))) + .thenReturn(new StandardPropertyValue("nonexistent", null)); + + writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE); + writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP); + + userGroupProvider.onConfigured(configurationContext); + accessPolicyProvider.onConfigured(configurationContext); + } + + @Test public void testOnConfiguredWhenTenantsAndAuthorizationsFileDoesNotExist() { userGroupProvider.onConfigured(configurationContext); accessPolicyProvider.onConfigured(configurationContext); 
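Review bot: In `testOnConfiguredWhenNodeGroupDoesNotExist`, `@Test(expected = AuthorizerCreationException.class)` covers the whole method, so the test also passes if the exception comes from `userGroupProvider.onConfigured` or is raised for a reason unrelated to the missing group. Narrow the expectation to the `accessPolicyProvider.onConfigured` call and check that the message names the group, as sketched below; this assumes the message text survives any wrapping inside `onConfigured`, which is not visible here. Separately, the local `nodeGroupIdentifier` in `testOnConfiguredWhenNodeGroupEmpty` is never used, and only `""` is exercised although the production check is `isBlank`, so a whitespace-only value such as `"   "` deserves its own case.

```java
@Test
public void testOnConfiguredWhenNodeGroupDoesNotExist() throws Exception {
    // … unchanged: property stubs and writeFile calls …
    userGroupProvider.onConfigured(configurationContext);
    try {
        accessPolicyProvider.onConfigured(configurationContext);
        fail("expected AuthorizerCreationException for an unknown node group");
    } catch (final AuthorizerCreationException e) {
        assertTrue(e.getMessage().contains("nonexistent"));
    }
}
```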
http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml index b57239a..d6d3c45 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml @@ -241,6 +241,8 @@ - Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically added/removed from the cluster. + + NOTE: The group must exist before starting NiFi. --> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier>