Posted to dev@nifi.apache.org by bbende <gi...@git.apache.org> on 2016/05/27 21:10:21 UTC

[GitHub] nifi pull request: NIFI-1916 Updating FileAuthorizer to extend Abs...

GitHub user bbende opened a pull request:

    https://github.com/apache/nifi/pull/473

    NIFI-1916 Updating FileAuthorizer to extend AbstractPolicyBasedAuthorizer and adding initial loading of data users, groups, and policies
    
    - Implementing CRUD operations and unit tests for Users
    - Implementing CRUD operations and unit tests for Groups
    - Implementing CRUD operations and unit tests for AccessPolicies
    - Adding support for seeding with an initial admin user
    - Fixing delete for user and group so it removes references from policies
    - Adding example to authorizations.xml

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bbende/nifi NIFI-1916

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/473.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #473
    
----
commit 8fd48116d89362f8256c85f0981571ae6cf9612b
Author: Bryan Bende <bb...@apache.org>
Date:   2016-05-25T17:22:05Z

    NIFI-1916 Updating FileAuthorizer to extend AbstractPolicyBasedAuthorizer and adding initial loading of data users, groups, and policies
    - Implementing CRUD operations and unit tests for Users
    - Implementing CRUD operations and unit tests for Groups
    - Implementing CRUD operations and unit tests for AccessPolicies
    - Adding support for seeding with an initial admin user
    - Fixing delete for user and group so it removes references from policies
    - Adding example to authorizations.xml

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi pull request #473: NIFI-1916 Updating FileAuthorizer to extend Abstract...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/473



[GitHub] nifi issue #473: NIFI-1916 Updating FileAuthorizer to extend AbstractPolicyB...

Posted by mcgilman <gi...@git.apache.org>.
Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/473
  
    @bbende The updates for ensuring thread-safe access look good, as does the converting of existing authorized-users.xml.
    
    +1 Merging to master.



[GitHub] nifi pull request: NIFI-1916 Updating FileAuthorizer to extend AbstractPolic...

Posted by mcgilman <gi...@git.apache.org>.
Github user mcgilman commented on the pull request:

    https://github.com/apache/nifi/pull/473
  
    @bbende Just realized that we'll need to introduce some thread safety here. The RevisionManager in the web tier will handle locking during the User/Group/Policy CRUD operations. However, authorization could (will) be happening at the same time out of band of these CRUD operations.



[GitHub] nifi pull request: NIFI-1916 Updating FileAuthorizer to extend AbstractPolic...

Posted by jtstorck <gi...@git.apache.org>.
Github user jtstorck commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/473#discussion_r65270822
  
    --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java ---
    @@ -127,153 +145,766 @@ public void onConfigured(final AuthorizerConfigurationContext configurationConte
                     }
                 }
     
    -            final PropertyValue rawReloadInterval = configurationContext.getProperty("Reload Interval");
    +            // load the authorizations
    +            load();
    +
    +            // if there are no users or policies then see if an initial admin was provided
    +            if (allUsers.get().isEmpty() && allPolicies.get().isEmpty()) {
    +                final PropertyValue initialAdminIdentity = configurationContext.getProperty("Initial Admin Identity");
    +                if (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity.getValue())) {
    +                    populateInitialAdmin(initialAdminIdentity.getValue());
    +                }
    +            }
    +
    +            // if we've copied the authorizations file to a restore directory synchronize it
    +            if (restoreAuthorizationsFile != null) {
    +                FileUtils.copyFile(authorizationsFile, restoreAuthorizationsFile, false, false, logger);
    +            }
    +
    +            logger.info(String.format("Authorizations file loaded at %s", new Date().toString()));
    +
    +        } catch (IOException | AuthorizerCreationException | JAXBException | IllegalStateException e) {
    +            throw new AuthorizerCreationException(e);
    +        }
    +    }
    +
    +    /**
    +     * Reloads the authorized users file.
    +     *
    +     * @throws JAXBException            Unable to reload the authorized users file
    +     * @throws IOException              Unable to sync file with restore
    +     * @throws IllegalStateException    Unable to sync file with restore
    +     */
    +    private void load() throws JAXBException, IOException, IllegalStateException {
    +        // attempt to unmarshal
    +        final Unmarshaller unmarshaller = JAXB_CONTEXT.createUnmarshaller();
    +        unmarshaller.setSchema(schema);
    +        final JAXBElement<Authorizations> element = unmarshaller.unmarshal(new StreamSource(authorizationsFile), Authorizations.class);
    +
    +        final Authorizations authorizations = element.getValue();
    +
    +        if (authorizations.getUsers() == null) {
    +            authorizations.setUsers(new Users());
    +        }
    +        if (authorizations.getGroups() == null) {
    +            authorizations.setGroups(new Groups());
    +        }
    +        if (authorizations.getPolicies() == null) {
    +            authorizations.setPolicies(new Policies());
    +        }
    +
    +        this.authorizations.set(authorizations);
    +        load(authorizations);
    +    }
    +
    +    /**
    +     * Loads the internal data structures from the given Authorizations.
    +     *
    +     * @param authorizations the Authorizations to populate from
    +     */
    +    private void load(final Authorizations authorizations) {
    +        // load all users
    +        final Users users = authorizations.getUsers();
    +        final Set<User> allUsers = Collections.unmodifiableSet(createUsers(users));
    +
    +        // load all groups
    +        final Groups groups = authorizations.getGroups();
    +        final Set<Group> allGroups = Collections.unmodifiableSet(createGroups(groups, users));
    +
    +        // load all access policies
    +        final Policies policies = authorizations.getPolicies();
    +        final Set<AccessPolicy> allPolicies = Collections.unmodifiableSet(createAccessPolicies(policies));
    +
    +        // create a convenience map to retrieve a user by id
    +        final Map<String, User> userByIdMap = Collections.unmodifiableMap(createUserByIdMap(allUsers));
    +
    +        // create a convenience map to retrieve a user by identity
    +        final Map<String, User> userByIdentityMap = Collections.unmodifiableMap(createUserByIdentityMap(allUsers));
    +
    +        // create a convenience map to retrieve a group by id
    +        final Map<String, Group> groupByIdMap = Collections.unmodifiableMap(createGroupByIdMap(allGroups));
    +
    +        // create a convenience map from resource id to policies
    +        final Map<String, Set<AccessPolicy>> resourcePolicies = Collections.unmodifiableMap(createResourcePolicyMap(allPolicies));
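Review bot: In the no-argument `load()`, `this.authorizations.set(authorizations)` publishes the new object before `load(authorizations)` has rebuilt the derived sets and maps, and `onConfigured` reads `allUsers.get()` and `allPolicies.get()` as separate references, so a thread that authorizes while a load is in progress could see users from one version and policies from another. Build every view first and swap them in together behind one reference. Two smaller points: the Javadoc on `load()` still says "Reloads the authorized users file" and documents IOException as "Unable to sync file with restore", although the visible body only unmarshals the authorizations file; and the catch in `onConfigured` wraps an `AuthorizerCreationException` in a second `AuthorizerCreationException`, which could be rethrown as is.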
    --- End diff --
    
    Based on the other names of the maps here, do you think policiesByResourceId is a more descriptive/accurate name for `resourcePolicies`?



[GitHub] nifi pull request: NIFI-1916 Updating FileAuthorizer to extend AbstractPolic...

Posted by jtstorck <gi...@git.apache.org>.
Github user jtstorck commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/473#discussion_r65268067
  
    --- Diff: nifi-api/src/main/java/org/apache/nifi/authorization/AccessPolicy.java ---
    @@ -28,15 +28,15 @@
     
         private final String identifier;
    --- End diff --
    
    @bbende @mcgilman We discussed adding a description field to AccessPolicy and Group.  I created the following JIRA ticket for that effort: https://issues.apache.org/jira/browse/NIFI-1949



[GitHub] nifi issue #473: NIFI-1916 Updating FileAuthorizer to extend AbstractPolicyB...

Posted by bbende <gi...@git.apache.org>.
Github user bbende commented on the issue:

    https://github.com/apache/nifi/pull/473
  
    @mcgilman updated the PR to address the thread-safety, a summary of the changes...
    - Created a single data structure to encapsulate all data structures used by the FileAuthorizer so there can be a single AtomicReference
    - Added synchronization to add, update, delete methods to ensure only one thread can modify the internal Authorizations reference
    - Included changes to expose the root group id to the authorizer which will be needed to auto-convert old users files
    - Brought back the old users.xsd and generation of the jaxb object to prep for auto-converting old users files


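The copy-on-write pattern summarized in the last message (one holder object behind a single AtomicReference, synchronized mutators, lock-free authorization reads), as an added Java sketch that is not part of the thread or NiFi's own code. The class, field and method names are hypothetical, and identities and resource ids are plain strings for brevity.

```java
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;

// Added sketch, not NiFi's FileAuthorizer; all names here are hypothetical.
public class SnapshotAuthorizer {
    // Immutable holder: every derived view is built before it is published.
    private static final class Snapshot {
        final Set<String> users;                         // known identities
        final Map<String, Set<String>> usersByResource;  // resource id -> allowed identities
        Snapshot(Set<String> users, Map<String, Set<String>> policies) {
            this.users = Collections.unmodifiableSet(new HashSet<>(users));
            Map<String, Set<String>> copy = new HashMap<>();
            policies.forEach((r, ids) -> copy.put(r, Collections.unmodifiableSet(new HashSet<>(ids))));
            this.usersByResource = Collections.unmodifiableMap(copy);
        }
    }
    private final AtomicReference<Snapshot> current =
            new AtomicReference<>(new Snapshot(new HashSet<>(), new HashMap<>()));

    // Readers never lock: one get() yields users and policies of the same version.
    public boolean isAuthorized(String identity, String resourceId) {
        Snapshot s = current.get();
        Set<String> allowed = s.usersByResource.get(resourceId);
        return s.users.contains(identity) && allowed != null && allowed.contains(identity);
    }
    // Writers are serialized so concurrent updates cannot overwrite each other.
    public synchronized void grant(String identity, String resourceId) {
        Snapshot old = current.get();
        Set<String> users = new HashSet<>(old.users);
        users.add(identity);
        Map<String, Set<String>> policies = new HashMap<>(old.usersByResource);
        Set<String> ids = new HashSet<>(policies.getOrDefault(resourceId, Collections.emptySet()));
        ids.add(identity);
        policies.put(resourceId, ids);
        current.set(new Snapshot(users, policies)); // single atomic publish
    }
    // Deleting a user strips it from every policy in the same swap.
    public synchronized void deleteUser(String identity) {
        Snapshot old = current.get();
        Set<String> users = new HashSet<>(old.users);
        users.remove(identity);
        Map<String, Set<String>> policies = new HashMap<>();
        old.usersByResource.forEach((r, ids) -> {
            Set<String> kept = new HashSet<>(ids);
            kept.remove(identity);
            policies.put(r, kept);
        });
        current.set(new Snapshot(users, policies));
    }
}
```

Because `isAuthorized` dereferences the reference once, a decision made during a concurrent `deleteUser` sees either the state before the delete or the state after it, never a user removed from the user set but still listed in a policy.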