You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by bb...@apache.org on 2017/11/07 18:50:25 UTC
[09/17] nifi-registry git commit: NIFIREG-33 Add LDAP and JWT auth
support
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/AbstractPolicyBasedAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/AbstractPolicyBasedAuthorizer.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/AbstractPolicyBasedAuthorizer.java
deleted file mode 100644
index 718ecc7..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/AbstractPolicyBasedAuthorizer.java
+++ /dev/null
@@ -1,824 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import org.apache.nifi.registry.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.registry.authorization.exception.AuthorizerDestructionException;
-import org.apache.nifi.registry.authorization.exception.UninheritableAuthorizationsException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-import org.xml.sax.SAXException;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.stream.XMLOutputFactory;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.StringWriter;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.List;
-import java.util.Set;
-
-/**
- * An Authorizer that provides management of users, groups, and policies.
- */
-public abstract class AbstractPolicyBasedAuthorizer implements ManagedAuthorizer {
-
- static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
- static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
-
- static final String USER_ELEMENT = "user";
- static final String GROUP_USER_ELEMENT = "groupUser";
- static final String GROUP_ELEMENT = "group";
- static final String POLICY_ELEMENT = "policy";
- static final String POLICY_USER_ELEMENT = "policyUser";
- static final String POLICY_GROUP_ELEMENT = "policyGroup";
- static final String IDENTIFIER_ATTR = "identifier";
- static final String IDENTITY_ATTR = "identity";
- static final String NAME_ATTR = "name";
- static final String RESOURCE_ATTR = "resource";
- static final String ACTIONS_ATTR = "actions";
-
- @Override
- public final void onConfigured(final AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- doOnConfigured(configurationContext);
- }
-
- /**
- * Allows sub-classes to take action when onConfigured is called.
- *
- * @param configurationContext the configuration context
- * @throws AuthorizerCreationException if an error occurs during onConfigured process
- */
- protected abstract void doOnConfigured(final AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException;
-
- @Override
- public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
- final UsersAndAccessPolicies usersAndAccessPolicies = getUsersAndAccessPolicies();
- final String resourceIdentifier = request.getResource().getIdentifier();
-
- final AccessPolicy policy = usersAndAccessPolicies.getAccessPolicy(resourceIdentifier, request.getAction());
- if (policy == null) {
- return AuthorizationResult.resourceNotFound();
- }
-
- final User user = usersAndAccessPolicies.getUser(request.getIdentity());
- if (user == null) {
- return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
- }
-
- final Set<Group> userGroups = usersAndAccessPolicies.getGroups(user.getIdentity());
- if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) {
- return AuthorizationResult.approved();
- }
-
- return AuthorizationResult.denied(request.getExplanationSupplier().get());
- }
-
- /**
- * Determines if the policy contains one of the user's groups.
- *
- * @param userGroups the set of the user's groups
- * @param policy the policy
- * @return true if one of the Groups in userGroups is contained in the policy
- */
- private boolean containsGroup(final Set<Group> userGroups, final AccessPolicy policy) {
- if (userGroups.isEmpty() || policy.getGroups().isEmpty()) {
- return false;
- }
-
- for (Group userGroup : userGroups) {
- if (policy.getGroups().contains(userGroup.getIdentifier())) {
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * Adds a new group.
- *
- * @param group the Group to add
- * @return the added Group
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws IllegalStateException if a group with the same name already exists
- */
- public final synchronized Group addGroup(Group group) throws AuthorizationAccessException {
- return doAddGroup(group);
- }
-
- /**
- * Adds a new group.
- *
- * @param group the Group to add
- * @return the added Group
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Group doAddGroup(Group group) throws AuthorizationAccessException;
-
- /**
- * Retrieves a Group by id.
- *
- * @param identifier the identifier of the Group to retrieve
- * @return the Group with the given identifier, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Group getGroup(String identifier) throws AuthorizationAccessException;
-
- /**
- * The group represented by the provided instance will be updated based on the provided instance.
- *
- * @param group an updated group instance
- * @return the updated group instance, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws IllegalStateException if there is already a group with the same name
- */
- public final synchronized Group updateGroup(Group group) throws AuthorizationAccessException {
- return doUpdateGroup(group);
- }
-
- /**
- * The group represented by the provided instance will be updated based on the provided instance.
- *
- * @param group an updated group instance
- * @return the updated group instance, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Group doUpdateGroup(Group group) throws AuthorizationAccessException;
-
- /**
- * Deletes the given group.
- *
- * @param group the group to delete
- * @return the deleted group, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Group deleteGroup(Group group) throws AuthorizationAccessException;
-
- /**
- * Deletes the group with the given identifier.
- *
- * @param groupIdentifier the id of the group to delete
- * @return the deleted group, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Group deleteGroup(String groupIdentifier) throws AuthorizationAccessException;
-
- /**
- * Retrieves all groups.
- *
- * @return a list of groups
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Set<Group> getGroups() throws AuthorizationAccessException;
-
-
- /**
- * Adds the given user.
- *
- * @param user the user to add
- * @return the user that was added
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws IllegalStateException if there is already a user with the same identity
- */
- public final synchronized User addUser(User user) throws AuthorizationAccessException {
- return doAddUser(user);
- }
-
- /**
- * Adds the given user.
- *
- * @param user the user to add
- * @return the user that was added
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User doAddUser(User user) throws AuthorizationAccessException;
-
- /**
- * Retrieves the user with the given identifier.
- *
- * @param identifier the id of the user to retrieve
- * @return the user with the given id, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User getUser(String identifier) throws AuthorizationAccessException;
-
- /**
- * Retrieves the user with the given identity.
- *
- * @param identity the identity of the user to retrieve
- * @return the user with the given identity, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User getUserByIdentity(String identity) throws AuthorizationAccessException;
-
- /**
- * The user represented by the provided instance will be updated based on the provided instance.
- *
- * @param user an updated user instance
- * @return the updated user instance, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws IllegalStateException if there is already a user with the same identity
- */
- public final synchronized User updateUser(final User user) throws AuthorizationAccessException {
- return doUpdateUser(user);
- }
-
- /**
- * The user represented by the provided instance will be updated based on the provided instance.
- *
- * @param user an updated user instance
- * @return the updated user instance, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User doUpdateUser(User user) throws AuthorizationAccessException;
-
- /**
- * Deletes the given user.
- *
- * @param user the user to delete
- * @return the user that was deleted, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User deleteUser(User user) throws AuthorizationAccessException;
-
- /**
- * Deletes the user with the given id.
- *
- * @param userIdentifier the identifier of the user to delete
- * @return the user that was deleted, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract User deleteUser(String userIdentifier) throws AuthorizationAccessException;
-
- /**
- * Retrieves all users.
- *
- * @return a list of users
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Set<User> getUsers() throws AuthorizationAccessException;
-
- /**
- * Adds the given policy ensuring that multiple policies can not be added for the same resource and action.
- *
- * @param accessPolicy the policy to add
- * @return the policy that was added
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public final synchronized AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
- return doAddAccessPolicy(accessPolicy);
- }
-
- /**
- * Adds the given policy.
- *
- * @param accessPolicy the policy to add
- * @return the policy that was added
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException;
-
- /**
- * Retrieves the policy with the given identifier.
- *
- * @param identifier the id of the policy to retrieve
- * @return the policy with the given id, or null if no matching policy exists
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException;
-
- /**
- * The policy represented by the provided instance will be updated based on the provided instance.
- *
- * @param accessPolicy an updated policy
- * @return the updated policy, or null if no matching policy was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException;
-
- /**
- * Deletes the given policy.
- *
- * @param policy the policy to delete
- * @return the deleted policy, or null if no matching policy was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy) throws AuthorizationAccessException;
-
- /**
- * Deletes the policy with the given id.
- *
- * @param policyIdentifier the id of the policy to delete
- * @return the deleted policy, or null if no matching policy was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract AccessPolicy deleteAccessPolicy(String policyIdentifier) throws AuthorizationAccessException;
-
- /**
- * Retrieves all access policies.
- *
- * @return a list of policies
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException;
-
- /**
- * Returns the UserAccessPolicies instance.
- *
- * @return the UserAccessPolicies instance
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- public abstract UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException;
-
- /**
- * Returns whether the proposed fingerprint is inheritable.
- *
- * @param proposedFingerprint the proposed fingerprint
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws UninheritableAuthorizationsException if the proposed fingerprint was uninheritable
- */
- @Override
- public final void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
- try {
- // ensure we understand the proposed fingerprint
- parsePoliciesUsersAndGroups(proposedFingerprint);
- } catch (final AuthorizationAccessException e) {
- throw new UninheritableAuthorizationsException("Unable to parse proposed fingerprint: " + e);
- }
-
- final List<User> users = getSortedUsers();
- final List<Group> groups = getSortedGroups();
- final List<AccessPolicy> accessPolicies = getSortedAccessPolicies();
-
- // ensure we're in a state to inherit
- if (!users.isEmpty() || !groups.isEmpty() || !accessPolicies.isEmpty()) {
- throw new UninheritableAuthorizationsException("Proposed fingerprint is not inheritable because the current Authorizations is not empty..");
- }
- }
-
- /**
- * Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
- *
- * @param fingerprint the fingerprint that was obtained from calling getFingerprint() on another Authorizer.
- */
- @Override
- public final void inheritFingerprint(final String fingerprint) throws AuthorizationAccessException {
- if (fingerprint == null || fingerprint.trim().isEmpty()) {
- return;
- }
-
- final PoliciesUsersAndGroups policiesUsersAndGroups = parsePoliciesUsersAndGroups(fingerprint);
- policiesUsersAndGroups.getUsers().forEach(user -> addUser(user));
- policiesUsersAndGroups.getGroups().forEach(group -> addGroup(group));
- policiesUsersAndGroups.getAccessPolicies().forEach(policy -> addAccessPolicy(policy));
- }
-
- private PoliciesUsersAndGroups parsePoliciesUsersAndGroups(final String fingerprint) {
- final List<AccessPolicy> accessPolicies = new ArrayList<>();
- final List<User> users = new ArrayList<>();
- final List<Group> groups = new ArrayList<>();
-
- final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);
- try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
- final DocumentBuilder docBuilder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
- final Document document = docBuilder.parse(in);
- final Element rootElement = document.getDocumentElement();
-
- // parse all the users and add them to the current authorizer
- NodeList userNodes = rootElement.getElementsByTagName(USER_ELEMENT);
- for (int i=0; i < userNodes.getLength(); i++) {
- Node userNode = userNodes.item(i);
- users.add(parseUser((Element) userNode));
- }
-
- // parse all the groups and add them to the current authorizer
- NodeList groupNodes = rootElement.getElementsByTagName(GROUP_ELEMENT);
- for (int i=0; i < groupNodes.getLength(); i++) {
- Node groupNode = groupNodes.item(i);
- groups.add(parseGroup((Element) groupNode));
- }
-
- // parse all the policies and add them to the current authorizer
- NodeList policyNodes = rootElement.getElementsByTagName(POLICY_ELEMENT);
- for (int i=0; i < policyNodes.getLength(); i++) {
- Node policyNode = policyNodes.item(i);
- accessPolicies.add(parsePolicy((Element) policyNode));
- }
- } catch (SAXException | ParserConfigurationException | IOException e) {
- throw new AuthorizationAccessException("Unable to parse fingerprint", e);
- }
-
- return new PoliciesUsersAndGroups(accessPolicies, users, groups);
- }
-
- private User parseUser(final Element element) {
- final User.Builder builder = new User.Builder()
- .identifier(element.getAttribute(IDENTIFIER_ATTR))
- .identity(element.getAttribute(IDENTITY_ATTR));
-
- return builder.build();
- }
-
- private Group parseGroup(final Element element) {
- final Group.Builder builder = new Group.Builder()
- .identifier(element.getAttribute(IDENTIFIER_ATTR))
- .name(element.getAttribute(NAME_ATTR));
-
- NodeList groupUsers = element.getElementsByTagName(GROUP_USER_ELEMENT);
- for (int i=0; i < groupUsers.getLength(); i++) {
- Element groupUserNode = (Element) groupUsers.item(i);
- builder.addUser(groupUserNode.getAttribute(IDENTIFIER_ATTR));
- }
-
- return builder.build();
- }
-
- private AccessPolicy parsePolicy(final Element element) {
- final AccessPolicy.Builder builder = new AccessPolicy.Builder()
- .identifier(element.getAttribute(IDENTIFIER_ATTR))
- .resource(element.getAttribute(RESOURCE_ATTR));
-
- final String actions = element.getAttribute(ACTIONS_ATTR);
- if (actions.equals(RequestAction.READ.name())) {
- builder.action(RequestAction.READ);
- } else if (actions.equals(RequestAction.WRITE.name())) {
- builder.action(RequestAction.WRITE);
- } else if (actions.equals(RequestAction.DELETE.name())) {
- builder.action(RequestAction.DELETE);
- } else {
- throw new IllegalStateException("Unknown Policy Action: " + actions);
- }
-
- NodeList policyUsers = element.getElementsByTagName(POLICY_USER_ELEMENT);
- for (int i=0; i < policyUsers.getLength(); i++) {
- Element policyUserNode = (Element) policyUsers.item(i);
- builder.addUser(policyUserNode.getAttribute(IDENTIFIER_ATTR));
- }
-
- NodeList policyGroups = element.getElementsByTagName(POLICY_GROUP_ELEMENT);
- for (int i=0; i < policyGroups.getLength(); i++) {
- Element policyGroupNode = (Element) policyGroups.item(i);
- builder.addGroup(policyGroupNode.getAttribute(IDENTIFIER_ATTR));
- }
-
- return builder.build();
- }
-
- @Override
- public final AccessPolicyProvider getAccessPolicyProvider() {
- return new ConfigurableAccessPolicyProvider() {
- @Override
- public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getAccessPolicies();
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getAccessPolicy(identifier);
- }
-
- @Override
- public AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.addAccessPolicy(accessPolicy);
- }
-
- @Override
- public AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.updateAccessPolicy(accessPolicy);
- }
-
- @Override
- public AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteAccessPolicy(accessPolicy);
- }
-
- @Override
- public AccessPolicy deleteAccessPolicy(String accessPolicyIdentifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteAccessPolicy(accessPolicyIdentifier);
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- final UsersAndAccessPolicies usersAndAccessPolicies = AbstractPolicyBasedAuthorizer.this.getUsersAndAccessPolicies();
- return usersAndAccessPolicies.getAccessPolicy(resourceIdentifier, action);
- }
-
- @Override
- public String getFingerprint() throws AuthorizationAccessException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public UserGroupProvider getUserGroupProvider() {
- return new ConfigurableUserGroupProvider() {
- @Override
- public User addUser(User user) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.addUser(user);
- }
-
- @Override
- public User updateUser(User user) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.updateUser(user);
- }
-
- @Override
- public User deleteUser(User user) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteUser(user);
- }
-
- @Override
- public User deleteUser(String userIdentifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteUser(userIdentifier);
- }
-
- @Override
- public Group addGroup(Group group) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.addGroup(group);
- }
-
- @Override
- public Group updateGroup(Group group) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.updateGroup(group);
- }
-
- @Override
- public Group deleteGroup(Group group) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteGroup(group);
- }
-
- @Override
- public Group deleteGroup(String groupIdentifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.deleteGroup(groupIdentifier);
- }
-
- @Override
- public Set<User> getUsers() throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getUsers();
- }
-
- @Override
- public User getUser(String identifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getUser(identifier);
- }
-
- @Override
- public User getUserByIdentity(String identity) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getUserByIdentity(identity);
- }
-
- @Override
- public Set<Group> getGroups() throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getGroups();
- }
-
- @Override
- public Group getGroup(String identifier) throws AuthorizationAccessException {
- return AbstractPolicyBasedAuthorizer.this.getGroup(identifier);
- }
-
- @Override
- public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
- final UsersAndAccessPolicies usersAndAccessPolicies = AbstractPolicyBasedAuthorizer.this.getUsersAndAccessPolicies();
- final User user = usersAndAccessPolicies.getUser(identity);
- final Set<Group> groups = usersAndAccessPolicies.getGroups(identity);
-
- return new UserAndGroups() {
- @Override
- public User getUser() {
- return user;
- }
-
- @Override
- public Set<Group> getGroups() {
- return groups;
- }
- };
- }
-
- @Override
- public String getFingerprint() throws AuthorizationAccessException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
- // fingerprint is managed by the encapsulating class
- throw new UnsupportedOperationException();
- }
-
- @Override
- public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void preDestruction() throws AuthorizerDestructionException {
- }
- };
- }
-
- @Override
- public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void preDestruction() throws AuthorizerDestructionException {
- }
- };
- }
-
- /**
- * Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint will be
- * used for comparison to determine if two policy-based authorizers represent a compatible set of users,
- * groups, and policies.
- *
- * @return the fingerprint for this Authorizer
- */
- @Override
- public final String getFingerprint() throws AuthorizationAccessException {
- final List<User> users = getSortedUsers();
- final List<Group> groups = getSortedGroups();
- final List<AccessPolicy> policies = getSortedAccessPolicies();
-
- XMLStreamWriter writer = null;
- final StringWriter out = new StringWriter();
- try {
- writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
- writer.writeStartDocument();
- writer.writeStartElement("authorizations");
-
- for (User user : users) {
- writeUser(writer, user);
- }
- for (Group group : groups) {
- writeGroup(writer, group);
- }
- for (AccessPolicy policy : policies) {
- writePolicy(writer, policy);
- }
-
- writer.writeEndElement();
- writer.writeEndDocument();
- writer.flush();
- } catch (XMLStreamException e) {
- throw new AuthorizationAccessException("Unable to generate fingerprint", e);
- } finally {
- if (writer != null) {
- try {
- writer.close();
- } catch (XMLStreamException e) {
- // nothing to do here
- }
- }
- }
-
- return out.toString();
- }
-
- private void writeUser(final XMLStreamWriter writer, final User user) throws XMLStreamException {
- writer.writeStartElement(USER_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, user.getIdentifier());
- writer.writeAttribute(IDENTITY_ATTR, user.getIdentity());
- writer.writeEndElement();
- }
-
- private void writeGroup(final XMLStreamWriter writer, final Group group) throws XMLStreamException {
- List<String> users = new ArrayList<>(group.getUsers());
- Collections.sort(users);
-
- writer.writeStartElement(GROUP_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, group.getIdentifier());
- writer.writeAttribute(NAME_ATTR, group.getName());
-
- for (String user : users) {
- writer.writeStartElement(GROUP_USER_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, user);
- writer.writeEndElement();
- }
-
- writer.writeEndElement();
- }
-
- private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException {
- // sort the users for the policy
- List<String> policyUsers = new ArrayList<>(policy.getUsers());
- Collections.sort(policyUsers);
-
- // sort the groups for this policy
- List<String> policyGroups = new ArrayList<>(policy.getGroups());
- Collections.sort(policyGroups);
-
- writer.writeStartElement(POLICY_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier());
- writer.writeAttribute(RESOURCE_ATTR, policy.getResource());
- writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name());
-
- for (String policyUser : policyUsers) {
- writer.writeStartElement(POLICY_USER_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, policyUser);
- writer.writeEndElement();
- }
-
- for (String policyGroup : policyGroups) {
- writer.writeStartElement(POLICY_GROUP_ELEMENT);
- writer.writeAttribute(IDENTIFIER_ATTR, policyGroup);
- writer.writeEndElement();
- }
-
- writer.writeEndElement();
- }
-
- private List<AccessPolicy> getSortedAccessPolicies() {
- final List<AccessPolicy> policies = new ArrayList<>(getAccessPolicies());
- Collections.sort(policies, Comparator.comparing(AccessPolicy::getIdentifier));
- return policies;
- }
-
- private List<Group> getSortedGroups() {
- final List<Group> groups = new ArrayList<>(getGroups());
- Collections.sort(groups, Comparator.comparing(Group::getIdentifier));
- return groups;
- }
-
- private List<User> getSortedUsers() {
- final List<User> users = new ArrayList<>(getUsers());
- Collections.sort(users, Comparator.comparing(User::getIdentifier));
- return users;
- }
-
- private static class PoliciesUsersAndGroups {
- final List<AccessPolicy> accessPolicies;
- final List<User> users;
- final List<Group> groups;
-
- public PoliciesUsersAndGroups(List<AccessPolicy> accessPolicies, List<User> users, List<Group> groups) {
- this.accessPolicies = accessPolicies;
- this.users = users;
- this.groups = groups;
- }
-
- public List<AccessPolicy> getAccessPolicies() {
- return accessPolicies;
- }
-
- public List<User> getUsers() {
- return users;
- }
-
- public List<Group> getGroups() {
- return groups;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerConfigurationContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerConfigurationContext.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerConfigurationContext.java
deleted file mode 100644
index 798f974..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerConfigurationContext.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import org.apache.nifi.registry.util.PropertyValue;
-import org.apache.nifi.registry.util.StandardPropertyValue;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- *
- */
-public class StandardAuthorizerConfigurationContext implements AuthorizerConfigurationContext {
-
- private final String identifier;
- private final Map<String, String> properties;
-
- public StandardAuthorizerConfigurationContext(String identifier, Map<String, String> properties) {
- this.identifier = identifier;
- this.properties = Collections.unmodifiableMap(new HashMap<String, String>(properties));
- }
-
- @Override
- public String getIdentifier() {
- return identifier;
- }
-
- @Override
- public Map<String, String> getProperties() {
- return properties;
- }
-
- @Override
- public PropertyValue getProperty(String property) {
- return new StandardPropertyValue(properties.get(property));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerInitializationContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerInitializationContext.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerInitializationContext.java
deleted file mode 100644
index e23a93e..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/StandardAuthorizerInitializationContext.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-/**
- *
- */
-public class StandardAuthorizerInitializationContext implements AuthorizerInitializationContext {
-
- private final String identifier;
- private final UserGroupProviderLookup userGroupProviderLookup;
- private final AccessPolicyProviderLookup accessPolicyProviderLookup;
- private final AuthorizerLookup authorizerLookup;
-
- public StandardAuthorizerInitializationContext(String identifier, UserGroupProviderLookup userGroupProviderLookup,
- AccessPolicyProviderLookup accessPolicyProviderLookup, AuthorizerLookup authorizerLookup) {
- this.identifier = identifier;
- this.userGroupProviderLookup = userGroupProviderLookup;
- this.accessPolicyProviderLookup = accessPolicyProviderLookup;
- this.authorizerLookup = authorizerLookup;
- }
-
- @Override
- public String getIdentifier() {
- return identifier;
- }
-
- public AuthorizerLookup getAuthorizerLookup() {
- return authorizerLookup;
- }
-
- @Override
- public AccessPolicyProviderLookup getAccessPolicyProviderLookup() {
- return accessPolicyProviderLookup;
- }
-
- @Override
- public UserGroupProviderLookup getUserGroupProviderLookup() {
- return userGroupProviderLookup;
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/UsersAndAccessPolicies.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/UsersAndAccessPolicies.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/UsersAndAccessPolicies.java
deleted file mode 100644
index 7e05c9c..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/UsersAndAccessPolicies.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import java.util.Set;
-
-/**
- * A holder object to provide atomic access to policies for a given resource and users by
- * identity. Implementations must ensure consistent access to the data backing this instance.
- */
-public interface UsersAndAccessPolicies {
-
- /**
- * Retrieves the set of access policies for a given resource and action.
- *
- * @param resourceIdentifier the resource identifier to retrieve policies for
- * @param action the action to retrieve policies for
- * @return the access policy for the given resource and action
- */
- AccessPolicy getAccessPolicy(final String resourceIdentifier, final RequestAction action);
-
- /**
- * Retrieves a user by an identity string.
- *
- * @param identity the identity of the user to retrieve
- * @return the user with the given identity
- */
- User getUser(final String identity);
-
- /**
- * Retrieves the groups for a given user identity.
- *
- * @param userIdentity a user identity
- * @return the set of groups for the given user identity
- */
- Set<Group> getGroups(final String userIdentity);
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/annotation/AuthorizerContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/annotation/AuthorizerContext.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/annotation/AuthorizerContext.java
deleted file mode 100644
index 131238c..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/annotation/AuthorizerContext.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.annotation;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- *
- *
- */
-@Documented
-@Target({ElementType.FIELD, ElementType.METHOD})
-@Retention(RetentionPolicy.RUNTIME)
-@Inherited
-public @interface AuthorizerContext {
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/file/AuthorizationsHolder.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/file/AuthorizationsHolder.java b/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/file/AuthorizationsHolder.java
deleted file mode 100644
index 38a1571..0000000
--- a/nifi-registry-security-api-impl/src/main/java/org/apache/nifi/registry/authorization/file/AuthorizationsHolder.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.file;
-
-
-import org.apache.nifi.registry.authorization.file.generated.Authorizations;
-import org.apache.nifi.registry.authorization.file.generated.Policies;
-import org.apache.nifi.registry.authorization.AccessPolicy;
-import org.apache.nifi.registry.authorization.RequestAction;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * A holder to provide atomic access to data structures.
- */
-public class AuthorizationsHolder {
-
- private final Authorizations authorizations;
-
- private final Set<AccessPolicy> allPolicies;
- private final Map<String, Set<AccessPolicy>> policiesByResource;
- private final Map<String, AccessPolicy> policiesById;
-
- /**
- * Creates a new holder and populates all convenience authorizations data structures.
- *
- * @param authorizations the current authorizations instance
- */
- public AuthorizationsHolder(final Authorizations authorizations) {
- this.authorizations = authorizations;
-
- // load all access policies
- final Policies policies = authorizations.getPolicies();
- final Set<AccessPolicy> allPolicies = Collections.unmodifiableSet(createAccessPolicies(policies));
-
- // create a convenience map from resource id to policies
- final Map<String, Set<AccessPolicy>> policiesByResourceMap = Collections.unmodifiableMap(createResourcePolicyMap(allPolicies));
-
- // create a convenience map from policy id to policy
- final Map<String, AccessPolicy> policiesByIdMap = Collections.unmodifiableMap(createPoliciesByIdMap(allPolicies));
-
- // set all the holders
- this.allPolicies = allPolicies;
- this.policiesByResource = policiesByResourceMap;
- this.policiesById = policiesByIdMap;
- }
-
- /**
- * Creates AccessPolicies from the JAXB Policies.
- *
- * @param policies the JAXB Policies element
- * @return a set of AccessPolicies corresponding to the provided Resources
- */
- private Set<AccessPolicy> createAccessPolicies(org.apache.nifi.registry.authorization.file.generated.Policies policies) {
- Set<AccessPolicy> allPolicies = new HashSet<>();
- if (policies == null || policies.getPolicy() == null) {
- return allPolicies;
- }
-
- // load the new authorizations
- for (final org.apache.nifi.registry.authorization.file.generated.Policy policy : policies.getPolicy()) {
- final String policyIdentifier = policy.getIdentifier();
- final String resourceIdentifier = policy.getResource();
-
- // start a new builder and set the policy and resource identifiers
- final AccessPolicy.Builder builder = new AccessPolicy.Builder()
- .identifier(policyIdentifier)
- .resource(resourceIdentifier);
-
- // add each user identifier
- for (org.apache.nifi.registry.authorization.file.generated.Policy.User user : policy.getUser()) {
- builder.addUser(user.getIdentifier());
- }
-
- // add each group identifier
- for (org.apache.nifi.registry.authorization.file.generated.Policy.Group group : policy.getGroup()) {
- builder.addGroup(group.getIdentifier());
- }
-
- // add the appropriate request actions
- final String authorizationCode = policy.getAction();
- if (authorizationCode.equals(FileAccessPolicyProvider.READ_CODE)) {
- builder.action(RequestAction.READ);
- } else if (authorizationCode.equals(FileAccessPolicyProvider.WRITE_CODE)){
- builder.action(RequestAction.WRITE);
- } else if (authorizationCode.equals(FileAccessPolicyProvider.DELETE_CODE)){
- builder.action(RequestAction.DELETE);
- } else {
- throw new IllegalStateException("Unknown Policy Action: " + authorizationCode);
- }
-
- // build the policy and add it to the map
- allPolicies.add(builder.build());
- }
-
- return allPolicies;
- }
-
- /**
- * Creates a map from resource identifier to the set of policies for the given resource.
- *
- * @param allPolicies the set of all policies
- * @return a map from resource identifier to policies
- */
- private Map<String, Set<AccessPolicy>> createResourcePolicyMap(final Set<AccessPolicy> allPolicies) {
- Map<String, Set<AccessPolicy>> resourcePolicies = new HashMap<>();
-
- for (AccessPolicy policy : allPolicies) {
- Set<AccessPolicy> policies = resourcePolicies.get(policy.getResource());
- if (policies == null) {
- policies = new HashSet<>();
- resourcePolicies.put(policy.getResource(), policies);
- }
- policies.add(policy);
- }
-
- return resourcePolicies;
- }
-
- /**
- * Creates a Map from policy identifier to AccessPolicy.
- *
- * @param policies the set of all access policies
- * @return the Map from policy identifier to AccessPolicy
- */
- private Map<String, AccessPolicy> createPoliciesByIdMap(final Set<AccessPolicy> policies) {
- Map<String,AccessPolicy> policyMap = new HashMap<>();
- for (AccessPolicy policy : policies) {
- policyMap.put(policy.getIdentifier(), policy);
- }
- return policyMap;
- }
-
- public Authorizations getAuthorizations() {
- return authorizations;
- }
-
- public Set<AccessPolicy> getAllPolicies() {
- return allPolicies;
- }
-
- public Map<String, Set<AccessPolicy>> getPoliciesByResource() {
- return policiesByResource;
- }
-
- public Map<String, AccessPolicy> getPoliciesById() {
- return policiesById;
- }
-
- public AccessPolicy getAccessPolicy(final String resourceIdentifier, final RequestAction action) {
- if (resourceIdentifier == null) {
- throw new IllegalArgumentException("Resource Identifier cannot be null");
- }
-
- final Set<AccessPolicy> resourcePolicies = policiesByResource.get(resourceIdentifier);
- if (resourcePolicies == null) {
- return null;
- }
-
- for (AccessPolicy accessPolicy : resourcePolicies) {
- if (accessPolicy.getAction() == action) {
- return accessPolicy;
- }
- }
-
- return null;
- }
-
-}