Posted to commits@nifi.apache.org by ma...@apache.org on 2016/04/15 22:04:14 UTC
[22/22] nifi git commit: NIFI-1551: - Removing the AuthorityProvider.
- Refactoring REST API in preparation for introduction of the Authorizer. -
Updating UI accordingly. - Removing unneeded properties from nifi.properties.
- Addressing comments from PR.
NIFI-1551:
- Removing the AuthorityProvider.
- Refactoring REST API in preparation for introduction of the Authorizer.
- Updating UI accordingly.
- Removing unneeded properties from nifi.properties.
- Addressing comments from PR.
- This closes #359.
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/153f63ef
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/153f63ef
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/153f63ef
Branch: refs/heads/master
Commit: 153f63ef43fd4511026653122fbde27e68221a57
Parents: 7db78e8
Author: Matt Gilman <ma...@gmail.com>
Authored: Fri Apr 15 15:53:47 2016 -0400
Committer: Mark Payne <ma...@hotmail.com>
Committed: Fri Apr 15 16:03:00 2016 -0400
----------------------------------------------------------------------
.../authentication/LoginIdentityProvider.java | 4 +-
.../exception/ProviderCreationException.java | 39 +
.../exception/ProviderDestructionException.java | 39 +
.../apache/nifi/authorization/Authority.java | 93 -
.../nifi/authorization/AuthorityProvider.java | 182 --
.../AuthorityProviderConfigurationContext.java | 48 -
.../AuthorityProviderInitializationContext.java | 27 -
.../authorization/AuthorityProviderLookup.java | 25 -
.../authorization/AuthorizationRequest.java | 39 +-
.../apache/nifi/authorization/Authorizer.java | 3 +-
.../authorization/DownloadAuthorization.java | 83 -
.../annotation/AuthorityProviderContext.java | 35 -
.../exception/AuthorityAccessException.java | 33 -
.../IdentityAlreadyExistsException.java | 32 -
.../exception/ProviderCreationException.java | 39 -
.../exception/ProviderDestructionException.java | 39 -
.../exception/UnknownIdentityException.java | 32 -
nifi-assembly/pom.xml | 8 +-
.../org/apache/nifi/util/NiFiProperties.java | 53 +-
.../NiFiProperties/conf/nifi.blank.properties | 6 +-
.../NiFiProperties/conf/nifi.missing.properties | 6 +-
.../NiFiProperties/conf/nifi.properties | 6 +-
.../src/main/asciidoc/administration-guide.adoc | 139 +-
.../cassandra/AbstractCassandraProcessor.java | 2 +-
.../AbstractCassandraProcessorTest.java | 2 +-
.../nifi-framework-nar/pom.xml | 8 -
.../nifi/admin/KeyDataSourceFactoryBean.java | 147 ++
.../nifi/admin/UserDataSourceFactoryBean.java | 244 --
.../org/apache/nifi/admin/dao/AuthorityDAO.java | 59 -
.../org/apache/nifi/admin/dao/DAOFactory.java | 4 -
.../java/org/apache/nifi/admin/dao/UserDAO.java | 128 -
.../nifi/admin/dao/impl/DAOFactoryImpl.java | 12 -
.../admin/dao/impl/StandardAuthorityDAO.java | 172 --
.../nifi/admin/dao/impl/StandardUserDAO.java | 641 -----
.../admin/service/AccountDisabledException.java | 40 -
.../admin/service/AccountNotFoundException.java | 40 -
.../admin/service/AccountPendingException.java | 41 -
.../apache/nifi/admin/service/KeyService.java | 49 +
.../apache/nifi/admin/service/UserService.java | 180 --
.../service/action/AbstractUserAction.java | 97 -
.../admin/service/action/AddActionsAction.java | 3 +-
.../service/action/AdministrationAction.java | 4 +-
.../service/action/AuthorizeDownloadAction.java | 54 -
.../service/action/AuthorizeUserAction.java | 173 --
.../admin/service/action/CreateUserAction.java | 53 -
.../admin/service/action/DeleteKeysAction.java | 3 +-
.../admin/service/action/DeleteUserAction.java | 73 -
.../admin/service/action/DisableUserAction.java | 81 -
.../service/action/DisableUserGroupAction.java | 78 -
.../service/action/FindUserByDnAction.java | 49 -
.../service/action/FindUserByIdAction.java | 46 -
.../admin/service/action/GetActionAction.java | 3 +-
.../admin/service/action/GetActionsAction.java | 6 +-
.../admin/service/action/GetKeyByIdAction.java | 4 +-
.../service/action/GetKeyByIdentityAction.java | 4 +-
.../service/action/GetOrCreateKeyAction.java | 4 +-
.../admin/service/action/GetPreviousValues.java | 8 +-
.../service/action/GetUserGroupAction.java | 50 -
.../admin/service/action/GetUsersAction.java | 39 -
.../service/action/HasPendingUserAccounts.java | 34 -
.../action/InvalidateUserAccountAction.java | 58 -
.../InvalidateUserGroupAccountsAction.java | 45 -
.../service/action/PurgeActionsAction.java | 3 +-
.../action/RequestUserAccountAction.java | 67 -
.../service/action/SeedUserAccountsAction.java | 164 --
.../admin/service/action/UngroupUserAction.java | 69 -
.../service/action/UngroupUserGroupAction.java | 57 -
.../admin/service/action/UpdateUserAction.java | 124 -
.../UpdateUserAuthoritiesCacheAction.java | 73 -
.../service/action/UpdateUserCacheAction.java | 47 -
.../service/action/UpdateUserGroupAction.java | 171 --
.../admin/service/impl/StandardKeyService.java | 161 ++
.../admin/service/impl/StandardUserService.java | 731 ------
.../transaction/impl/StandardTransaction.java | 16 +-
.../impl/StandardTransactionBuilder.java | 8 +-
.../AuthorityProviderFactoryBean.java | 491 ----
.../authorization/AuthorizerFactoryBean.java | 11 +-
...rdAuthorityProviderConfigurationContext.java | 51 -
...dAuthorityProviderInitializationContext.java | 42 -
.../org/apache/nifi/user/AccountStatus.java | 47 -
.../java/org/apache/nifi/user/NiFiUser.java | 101 +-
.../resources/nifi-administration-context.xml | 33 +-
.../src/main/xsd/authority-providers.xsd | 49 -
.../service/action/AuthorizeUserActionTest.java | 433 ----
.../service/action/CreateUserActionTest.java | 144 --
.../service/action/DisableUserActionTest.java | 176 --
.../action/InvalidateUserAccountActionTest.java | 126 -
.../action/RequestUserAccountActionTest.java | 127 -
.../action/SeedUserAccountsActionTest.java | 262 ---
.../action/SetUserAuthoritiesActionTest.java | 223 --
.../apache/nifi/web/api/dto/RevisionDTO.java | 4 +
.../web/api/dto/status/ControllerStatusDTO.java | 15 -
.../org/apache/nifi/web/api/entity/Entity.java | 6 +-
...ControllerServiceReferenceRequestEntity.java | 54 +
.../.gitignore | 1 -
.../nifi-cluster-authorization-provider/pom.xml | 46 -
.../ClusterManagerAuthorizationProvider.java | 225 --
.../NodeAuthorizationProvider.java | 389 ----
.../protocol/message/DoesDnExistMessage.java | 55 -
.../protocol/message/GetAuthoritiesMessage.java | 57 -
.../message/GetGroupForUserMessage.java | 54 -
.../protocol/message/ProtocolMessage.java | 56 -
.../message/jaxb/JaxbProtocolUtils.java | 41 -
.../protocol/message/jaxb/ObjectFactory.java | 44 -
....apache.nifi.authorization.AuthorityProvider | 16 -
.../src/test/resources/conf/nifi.properties | 6 +-
.../nifi-file-authorization-provider/pom.xml | 85 -
.../FileAuthorizationProvider.java | 496 ----
....apache.nifi.authorization.AuthorityProvider | 15 -
.../src/main/xsd/users.xsd | 64 -
.../FileAuthorizationProviderTest.java | 128 -
.../nifi/authorization/FileAuthorizer.java | 18 +-
.../nifi/authorization/FileAuthorizerTest.java | 20 +-
.../org/apache/nifi/groups/ProcessGroup.java | 24 +
.../apache/nifi/controller/FlowController.java | 20 +-
.../nifi/groups/StandardProcessGroup.java | 63 +
.../nifi/spring/FlowControllerFactoryBean.java | 12 +-
.../src/main/resources/nifi-context.xml | 2 +-
.../controller/StandardFlowServiceTest.java | 8 +-
.../scheduling/TestProcessorLifecycle.java | 4 +-
.../src/test/resources/conf/nifi.properties | 6 +-
.../test/resources/nifi-with-remote.properties | 6 +-
.../src/test/resources/nifi.properties | 6 +-
.../org/apache/nifi/nar/ExtensionManager.java | 19 +-
.../nifi/nar/NarThreadContextClassLoader.java | 20 +-
.../resources/NarUnpacker/conf/nifi.properties | 6 +-
.../main/resources/conf/authority-providers.xml | 43 -
.../main/resources/conf/authorized-users.xml | 57 -
.../src/main/resources/conf/authorizers.xml | 28 +
.../src/main/resources/conf/nifi.properties | 8 +-
.../nifi/remote/StandardRootGroupPort.java | 113 +-
.../src/test/resources/nifi.properties | 6 +-
.../org/apache/nifi/audit/FunnelAuditor.java | 9 +-
.../java/org/apache/nifi/audit/PortAuditor.java | 35 +-
.../org/apache/nifi/audit/ProcessorAuditor.java | 20 +-
.../apache/nifi/audit/RelationshipAuditor.java | 18 +-
.../nifi/audit/RemoteProcessGroupAuditor.java | 31 +-
.../org/apache/nifi/audit/SnippetAuditor.java | 45 +-
.../org/apache/nifi/web/NiFiServiceFacade.java | 279 +--
.../web/NiFiWebApiSecurityConfiguration.java | 76 +-
.../nifi/web/StandardNiFiContentAccess.java | 20 +-
.../nifi/web/StandardNiFiServiceFacade.java | 624 ++---
.../StandardNiFiWebConfigurationContext.java | 70 +-
.../apache/nifi/web/StandardNiFiWebContext.java | 60 +-
.../org/apache/nifi/web/api/AccessResource.java | 79 +-
.../nifi/web/api/BulletinBoardResource.java | 37 +-
.../apache/nifi/web/api/ClusterResource.java | 11 +-
.../apache/nifi/web/api/ConnectionResource.java | 659 +-----
.../apache/nifi/web/api/ControllerResource.java | 151 +-
.../nifi/web/api/ControllerServiceResource.java | 365 +--
.../org/apache/nifi/web/api/FunnelResource.java | 339 +--
.../apache/nifi/web/api/HistoryResource.java | 60 +-
.../apache/nifi/web/api/InputPortResource.java | 340 +--
.../org/apache/nifi/web/api/LabelResource.java | 383 +--
.../org/apache/nifi/web/api/NodeResource.java | 9 +-
.../apache/nifi/web/api/OutputPortResource.java | 383 +--
.../nifi/web/api/ProcessGroupResource.java | 2186 ++++++++++++------
.../apache/nifi/web/api/ProcessorResource.java | 485 +---
.../apache/nifi/web/api/ProvenanceResource.java | 94 +-
.../web/api/RemoteProcessGroupResource.java | 450 +---
.../nifi/web/api/ReportingTaskResource.java | 344 +--
.../apache/nifi/web/api/SnippetResource.java | 200 +-
.../nifi/web/api/SystemDiagnosticsResource.java | 3 +-
.../apache/nifi/web/api/TemplateResource.java | 49 +-
.../apache/nifi/web/api/UserGroupResource.java | 465 ----
.../org/apache/nifi/web/api/UserResource.java | 617 -----
.../config/AccountNotFoundExceptionMapper.java | 47 -
.../org/apache/nifi/web/api/dto/DtoFactory.java | 99 +-
.../nifi/web/controller/ControllerFacade.java | 91 +-
.../org/apache/nifi/web/dao/ConnectionDAO.java | 72 +-
.../java/org/apache/nifi/web/dao/FunnelDAO.java | 25 +-
.../java/org/apache/nifi/web/dao/LabelDAO.java | 15 +-
.../java/org/apache/nifi/web/dao/PortDAO.java | 22 +-
.../apache/nifi/web/dao/ProcessGroupDAO.java | 4 +-
.../org/apache/nifi/web/dao/ProcessorDAO.java | 33 +-
.../nifi/web/dao/RemoteProcessGroupDAO.java | 33 +-
.../web/dao/impl/StandardConnectionDAO.java | 146 +-
.../nifi/web/dao/impl/StandardFunnelDAO.java | 60 +-
.../nifi/web/dao/impl/StandardInputPortDAO.java | 73 +-
.../nifi/web/dao/impl/StandardLabelDAO.java | 55 +-
.../web/dao/impl/StandardOutputPortDAO.java | 73 +-
.../web/dao/impl/StandardProcessGroupDAO.java | 12 +-
.../nifi/web/dao/impl/StandardProcessorDAO.java | 93 +-
.../dao/impl/StandardRemoteProcessGroupDAO.java | 92 +-
.../src/main/resources/nifi-web-api-context.xml | 49 +-
.../accesscontrol/AccessTokenEndpointTest.java | 2 +
.../accesscontrol/AdminAccessControlTest.java | 2 +
.../accesscontrol/DfmAccessControlTest.java | 1 +
.../ReadOnlyAccessControlTest.java | 2 +
.../util/NiFiTestAuthorizationProvider.java | 180 --
.../integration/util/NiFiTestAuthorizer.java | 56 +
.../util/NiFiTestLoginIdentityProvider.java | 9 +-
.../nifi/integration/util/NiFiTestServer.java | 2 +-
....apache.nifi.authorization.AuthorityProvider | 15 -
.../org.apache.nifi.authorization.Authorizer | 15 +
.../access-control/authority-providers.xml | 2 +-
.../resources/access-control/nifi.properties | 6 +-
.../web/security/NiFiAuthenticationFilter.java | 105 +-
.../security/NiFiAuthenticationProvider.java | 73 -
.../anonymous/NiFiAnonymousUserFilter.java | 47 +-
.../authorization/NiFiAuthorizationService.java | 171 --
.../security/jwt/JwtAuthenticationFilter.java | 34 +-
.../security/jwt/JwtAuthenticationProvider.java | 56 +
.../jwt/JwtAuthenticationRequestToken.java | 58 +
.../nifi/web/security/jwt/JwtService.java | 12 +-
.../kerberos/KerberosServiceFactoryBean.java | 74 -
.../security/node/NodeAuthorizedUserFilter.java | 4 +-
.../security/otp/OtpAuthenticationFilter.java | 41 +-
.../security/otp/OtpAuthenticationProvider.java | 60 +
.../otp/OtpAuthenticationRequestToken.java | 64 +
.../spring/KerberosServiceFactoryBean.java | 76 +
.../LoginIdentityProviderFactoryBean.java | 35 +-
.../NewAccountAuthorizationRequestToken.java | 40 -
.../token/NewAccountAuthorizationToken.java | 46 -
.../security/token/NiFiAuthenticationToken.java | 50 +
.../token/NiFiAuthorizationRequestToken.java | 54 -
.../security/token/NiFiAuthorizationToken.java | 50 -
.../web/security/user/NewAccountRequest.java | 47 -
.../nifi/web/security/user/NiFiUserDetails.java | 17 +-
.../nifi/web/security/user/NiFiUserUtils.java | 21 -
.../security/x509/X509AuthenticationFilter.java | 36 +-
.../x509/X509AuthenticationProvider.java | 78 +
.../x509/X509AuthenticationRequestToken.java | 75 +
.../x509/ocsp/OcspCertificateValidator.java | 5 +-
.../resources/nifi-web-security-context.xml | 21 +-
.../NiFiAuthorizationServiceTest.java | 249 --
.../nifi/web/security/jwt/JwtServiceTest.java | 14 +-
.../otp/OtpAuthenticationFilterTest.java | 91 +-
.../otp/OtpAuthenticationProviderTest.java | 102 +
.../nifi-framework/nifi-web/nifi-web-ui/pom.xml | 42 -
.../main/resources/filters/canvas.properties | 2 -
.../main/resources/filters/users-min.properties | 18 -
.../src/main/resources/filters/users.properties | 29 -
.../src/main/webapp/WEB-INF/pages/canvas.jsp | 2 -
.../src/main/webapp/WEB-INF/pages/users.jsp | 72 -
.../WEB-INF/partials/canvas/canvas-header.jsp | 1 -
.../canvas/secure-port-configuration.jsp | 82 -
.../partials/canvas/secure-port-details.jsp | 67 -
.../partials/users/group-revoke-dialog.jsp | 22 -
.../partials/users/group-roles-dialog.jsp | 52 -
.../partials/users/user-delete-dialog.jsp | 23 -
.../partials/users/user-details-dialog.jsp | 56 -
.../partials/users/user-group-dialog.jsp | 27 -
.../partials/users/user-revoke-dialog.jsp | 23 -
.../partials/users/user-roles-dialog.jsp | 60 -
.../WEB-INF/partials/users/users-content.jsp | 46 -
.../nifi-web-ui/src/main/webapp/css/header.css | 13 -
.../src/main/webapp/css/port-configuration.css | 133 --
.../src/main/webapp/css/port-details.css | 27 -
.../nifi-web-ui/src/main/webapp/css/users.css | 254 --
.../src/main/webapp/images/iconAdminUser.png | Bin 1960 -> 0 bytes
.../propertytable/jquery.propertytable.js | 2 +-
.../js/nf/bulletin-board/nf-bulletin-board.js | 2 +-
.../src/main/webapp/js/nf/canvas/nf-actions.js | 140 +-
.../webapp/js/nf/canvas/nf-canvas-header.js | 31 +-
.../webapp/js/nf/canvas/nf-canvas-toolbox.js | 175 +-
.../src/main/webapp/js/nf/canvas/nf-canvas.js | 9 +-
.../webapp/js/nf/canvas/nf-component-state.js | 10 +-
.../js/nf/canvas/nf-connection-configuration.js | 108 +-
.../main/webapp/js/nf/canvas/nf-connection.js | 35 +-
.../js/nf/canvas/nf-controller-service.js | 62 +-
.../main/webapp/js/nf/canvas/nf-draggable.js | 26 +-
.../src/main/webapp/js/nf/canvas/nf-funnel.js | 9 +-
.../src/main/webapp/js/nf/canvas/nf-go-to.js | 24 +-
.../js/nf/canvas/nf-label-configuration.js | 33 +-
.../src/main/webapp/js/nf/canvas/nf-label.js | 7 +
.../js/nf/canvas/nf-port-configuration.js | 31 +-
.../src/main/webapp/js/nf/canvas/nf-port.js | 9 +-
.../nf/canvas/nf-process-group-configuration.js | 20 +-
.../webapp/js/nf/canvas/nf-process-group.js | 7 +
.../js/nf/canvas/nf-processor-configuration.js | 2 +-
.../main/webapp/js/nf/canvas/nf-processor.js | 7 +
.../webapp/js/nf/canvas/nf-queue-listing.js | 3 +-
.../nf-remote-process-group-configuration.js | 1 -
.../nf/canvas/nf-remote-process-group-ports.js | 2 -
.../js/nf/canvas/nf-remote-process-group.js | 7 +
.../webapp/js/nf/canvas/nf-reporting-task.js | 23 +-
.../nf/canvas/nf-secure-port-configuration.js | 384 ---
.../js/nf/canvas/nf-secure-port-details.js | 121 -
.../src/main/webapp/js/nf/canvas/nf-settings.js | 42 +-
.../src/main/webapp/js/nf/canvas/nf-snippet.js | 2 +-
.../webapp/js/nf/history/nf-history-model.js | 2 +-
.../webapp/js/nf/history/nf-history-table.js | 2 +-
.../main/webapp/js/nf/nf-connection-details.js | 16 +-
.../main/webapp/js/nf/nf-processor-details.js | 4 +-
.../src/main/webapp/js/nf/nf-status-history.js | 9 +-
.../webapp/js/nf/summary/nf-cluster-search.js | 2 +-
.../webapp/js/nf/summary/nf-summary-table.js | 15 +-
.../main/webapp/js/nf/users/nf-users-table.js | 1075 ---------
.../src/main/webapp/js/nf/users/nf-users.js | 151 --
.../nifi-framework/pom.xml | 2 -
nifi-nar-bundles/nifi-framework-bundle/pom.xml | 10 -
.../apache/nifi/kerberos/KerberosProvider.java | 4 +-
.../java/org/apache/nifi/ldap/LdapProvider.java | 4 +-
294 files changed, 5156 insertions(+), 20914 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java
index 54becb3..145bdb4 100644
--- a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java
@@ -18,8 +18,8 @@ package org.apache.nifi.authentication;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
-import org.apache.nifi.authorization.exception.ProviderDestructionException;
+import org.apache.nifi.authentication.exception.ProviderCreationException;
+import org.apache.nifi.authentication.exception.ProviderDestructionException;
/**
* Identity provider that is able to authentication a user with username/password credentials.
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java
new file mode 100644
index 0000000..b352787
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails instantiated.
+ *
+ */
+public class ProviderCreationException extends RuntimeException {
+
+ public ProviderCreationException() {
+ }
+
+ public ProviderCreationException(String msg) {
+ super(msg);
+ }
+
+ public ProviderCreationException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderCreationException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
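Review bot: The class Javadoc in the new ProviderCreationException still reads `Represents the exceptional case when an AuthorityProvider fails instantiated.`, although this commit removes AuthorityProvider and the class now lives in org.apache.nifi.authentication.exception. The LoginIdentityProvider hunk imports it from there, so the comment should presumably name that type: `Represents the exceptional case when a LoginIdentityProvider fails to be instantiated.` The same stale reference is in the ProviderDestructionException section (`... when an AuthorityProvider fails destruction.`) and should be reworded the same way. Leaving the old name in an authentication-package exception makes it harder to tell authentication failures from authorization failures when reading the API docs.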
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
new file mode 100644
index 0000000..1e12146
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails destruction.
+ *
+ */
+public class ProviderDestructionException extends RuntimeException {
+
+ public ProviderDestructionException() {
+ }
+
+ public ProviderDestructionException(String msg) {
+ super(msg);
+ }
+
+ public ProviderDestructionException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderDestructionException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java b/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
deleted file mode 100644
index 4502c11..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import java.util.EnumSet;
-import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-/**
- * Authorities that can be assigned to NiFi users.
- */
-public enum Authority {
-
- ROLE_MONITOR,
- ROLE_DFM,
- ROLE_ADMIN,
- ROLE_PROVENANCE,
- ROLE_PROXY,
- ROLE_NIFI;
-
- /**
- * @param rawAuthority string form of authority
- * @return the matching role or null if the specified role does not match
- * any roles
- */
- public static Authority valueOfAuthority(String rawAuthority) {
- Authority desiredAuthority = null;
-
- for (Authority authority : values()) {
- if (authority.toString().equals(rawAuthority)) {
- desiredAuthority = authority;
- break;
- }
- }
-
- return desiredAuthority;
- }
-
- /**
- * @return the string value of each authority
- */
- public static Set<String> getRawAuthorities() {
- Set<String> authorities = new LinkedHashSet<>();
- for (Authority authority : values()) {
- authorities.add(authority.toString());
- }
- return authorities;
- }
-
- public static Set<String> convertAuthorities(Set<Authority> authorities) {
- if (authorities == null) {
- throw new IllegalArgumentException("No authorities have been specified.");
- }
-
- // convert the set
- Set<String> rawAuthorities = new HashSet<>(authorities.size());
- for (Authority authority : authorities) {
- rawAuthorities.add(authority.toString());
- }
- return rawAuthorities;
- }
-
- public static EnumSet<Authority> convertRawAuthorities(Set<String> rawAuthorities) {
- if (rawAuthorities == null) {
- throw new IllegalArgumentException("No authorities have been specified.");
- }
-
- // convert the set
- EnumSet<Authority> authorities = EnumSet.noneOf(Authority.class);
- for (String rawAuthority : rawAuthorities) {
- Authority authority = Authority.valueOfAuthority(rawAuthority);
- if (authority != null) {
- authorities.add(authority);
- }
- }
- return authorities;
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
deleted file mode 100644
index 716216d..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import org.apache.nifi.authorization.exception.AuthorityAccessException;
-import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
-import org.apache.nifi.authorization.exception.ProviderDestructionException;
-import org.apache.nifi.authorization.exception.UnknownIdentityException;
-
-/**
- * This class allows clients to retrieve the authorities for a given DN.
- */
-public interface AuthorityProvider {
-
- /**
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return whether the user with the specified identity is known to this authority
- * provider. It is not necessary for the user to have any authorities
- */
- boolean doesDnExist(String identity) throws AuthorityAccessException;
-
- /**
- * Get the authorities for the specified user. If the specified user exists
- * but does not have any authorities, an empty set should be returned.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return the authorities for the specified user. If the specified user
- * exists but does not have any authorities, an empty set should be returned
- * @throws UnknownIdentityException if identity is not known
- * @throws AuthorityAccessException if unable to access authorities
- */
- Set<Authority> getAuthorities(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Sets the specified authorities for the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param authorities the new authorities for the user
- * @throws UnknownIdentityException if identity is not known
- * @throws AuthorityAccessException if unable to access authorities
- */
- void setAuthorities(String identity, Set<Authority> authorities) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Gets the users for the specified authority.
- *
- * @param authority for which to determine membership of
- * @return all users with the specified authority
- * @throws AuthorityAccessException if unable to access authorities
- */
- Set<String> getUsers(Authority authority) throws AuthorityAccessException;
-
- /**
- * Revokes the specified user. Its up to the implementor to determine the
- * semantics of revocation.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void revokeUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Add the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param group Optional
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void addUser(String identity, String group) throws IdentityAlreadyExistsException, AuthorityAccessException;
-
- /**
- * Gets the group for the specified user. Return null if the user does not
- * belong to a group.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return the group of the given user
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- String getGroupForUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Revokes all users for a specified group. Its up to the implementor to
- * determine the semantics of revocation.
- *
- * @param group to revoke the users of
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void revokeGroup(String group) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Adds the specified users to the specified group.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param group to add users to
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void setUsersGroup(Set<String> identity, String group) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Ungroups the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void ungroupUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Ungroups the specified group. Since the semantics of revocation is up to
- * the implementor, this method should do nothing if the specified group
- * does not exist. If an admin revoked this group before calling ungroup, it
- * may or may not exist.
- *
- * @param group to ungroup
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void ungroup(String group) throws AuthorityAccessException;
-
- /**
- * Determines whether the user in the specified dnChain should be able to
- * download the content for the flowfile with the specified attributes.
- *
- * The first identity in the chain is the end user that the request was issued on
- * behalf of. The subsequent identities in the chain represent entities proxying
- * the user's request with the last being the proxy that sent the current
- * request.
- *
- * @param proxyChain proxy chain of user identities that for the download request
- * @param attributes of the flowfile being requested
- * @return the authorization result
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- DownloadAuthorization authorizeDownload(List<String> proxyChain, Map<String, String> attributes) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Called immediately after instance creation for implementers to perform
- * additional setup
- *
- * @param initializationContext in which to initialize
- */
- void initialize(AuthorityProviderInitializationContext initializationContext) throws ProviderCreationException;
-
- /**
- * Called to configure the AuthorityProvider.
- *
- * @param configurationContext at the time of configuration
- * @throws ProviderCreationException for any issues configuring the provider
- */
- void onConfigured(AuthorityProviderConfigurationContext configurationContext) throws ProviderCreationException;
-
- /**
- * Called immediately before instance destruction for implementers to
- * release resources.
- *
- * @throws ProviderDestructionException If pre-destruction fails.
- */
- void preDestruction() throws ProviderDestructionException;
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
deleted file mode 100644
index c1ba5df..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import java.util.Map;
-
-/**
- *
- */
-public interface AuthorityProviderConfigurationContext {
-
- /**
- * @return identifier for the authority provider
- */
- String getIdentifier();
-
- /**
- * Retrieves all properties the component currently understands regardless
- * of whether a value has been set for them or not. If no value is present
- * then its value is null and thus any registered default for the property
- * descriptor applies.
- *
- * @return Map of all properties
- */
- Map<String, String> getProperties();
-
- /**
- * @param property to lookup the descriptor and value of
- * @return the value the component currently understands for the given
- * PropertyDescriptor. This method does not substitute default
- * PropertyDescriptor values, so the value returned will be null if not set
- */
- String getProperty(String property);
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java
deleted file mode 100644
index 7b2f89f..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-/**
- *
- */
-public interface AuthorityProviderInitializationContext {
-
- public String getIdentifier();
-
- public AuthorityProviderLookup getAuthorityProviderLookup();
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java
deleted file mode 100644
index dc30967..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-/**
- *
- */
-public interface AuthorityProviderLookup {
-
- AuthorityProvider getAuthorityProvider(String identifier);
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java
index 9e50e62..7e6999c 100644
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java
+++ b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java
@@ -29,17 +29,22 @@ public class AuthorizationRequest {
private final Resource resource;
private final String identity;
private final RequestAction action;
+ private final boolean isAccessAttempt;
+ private final boolean isAnonymous;
private final Map<String, String> context;
private final Map<String, String> eventAttributes;
private AuthorizationRequest(final Builder builder) {
Objects.requireNonNull(builder.resource, "The resource is required when creating an authorization request");
- Objects.requireNonNull(builder.identity, "The identity of the user is required when creating an authorization request");
Objects.requireNonNull(builder.action, "The action is required when creating an authorization request");
+ Objects.requireNonNull(builder.isAccessAttempt, "Whether this request is an access attempt is request");
+ Objects.requireNonNull(builder.isAnonymous, "Whether this request is being performed by an anonymous user is required");
this.resource = builder.resource;
this.identity = builder.identity;
this.action = builder.action;
+ this.isAccessAttempt = builder.isAccessAttempt;
+ this.isAnonymous = builder.isAnonymous;
this.context = builder.context == null ? null : Collections.unmodifiableMap(builder.context);
this.eventAttributes = builder.context == null ? null : Collections.unmodifiableMap(builder.eventAttributes);
}
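Review bot: With the `requireNonNull` on `builder.identity` removed, the constructor accepts a null identity whatever the value of `isAnonymous`, so an `Authorizer` can receive a request that has no identity and is not marked anonymous. If the two are meant to go together, enforce it here, for example `if (builder.identity == null && !builder.isAnonymous) throw new IllegalArgumentException("An identity is required unless the request is anonymous");`, or document that implementations must treat a null identity as unauthenticated and deny by default. The message on the `isAccessAttempt` check ends in "is request" and presumably should read "is required". The unchanged last assignment tests `builder.context` while wrapping `builder.eventAttributes`, so it throws when only the context is set; it should test `builder.eventAttributes == null`.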
@@ -54,7 +59,7 @@ public class AuthorizationRequest {
}
/**
- * The identity accessing the Resource. Not null.
+ * The identity accessing the Resource. May be null if the user could not authenticate.
*
* @return The identity
*/
@@ -63,6 +68,24 @@ public class AuthorizationRequest {
}
/**
+ * Whether this is a direct access attempt of the Resource if if it's being checked as part of another response.
+ *
+ * @return if this is a direct access attempt
+ */
+ public boolean isAccessAttempt() {
+ return isAccessAttempt;
+ }
+
+ /**
+ * Whether the entity accessing is anonymous.
+ *
+ * @return whether the entity is anonymous
+ */
+ public boolean isAnonymous() {
+ return isAnonymous;
+ }
+
+ /**
* The action being taken against the Resource. Not null.
*
* @return The action
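Review bot: The Javadoc added for `isAccessAttempt()` reads "if if it's being checked as part of another response", which leaves the meaning of the flag unclear to anyone implementing an `Authorizer`. Suggested wording: `Whether this is a direct access attempt of the Resource, as opposed to a check made as part of another response.` The Javadoc should also say what an implementation is expected to do differently in the two cases (the name suggests auditing, but nothing in this hunk confirms that).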
@@ -96,6 +119,8 @@ public class AuthorizationRequest {
private Resource resource;
private String identity;
+ private Boolean isAnonymous;
+ private Boolean isAccessAttempt;
private RequestAction action;
private Map<String, String> context;
private Map<String, String> eventAttributes;
@@ -110,6 +135,16 @@ public class AuthorizationRequest {
return this;
}
+ public Builder anonymous(final Boolean isAnonymous) {
+ this.isAnonymous = isAnonymous;
+ return this;
+ }
+
+ public Builder accessAttempt(final Boolean isAccessAttempt) {
+ this.isAccessAttempt = isAccessAttempt;
+ return this;
+ }
+
public Builder action(final RequestAction action) {
this.action = action;
return this;
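Review bot: `anonymous(...)` and `accessAttempt(...)` accept a boxed `Boolean`, and the backing fields added in the previous hunk have no default. A caller that passes null or never calls them therefore only fails later, with a `NullPointerException` from the `AuthorizationRequest` constructor. Taking primitives, `public Builder anonymous(final boolean isAnonymous)` and `public Builder accessAttempt(final boolean isAccessAttempt)`, rules out the null argument while the boxed fields still detect a setter that was never called. Both setters should carry Javadoc stating that they are mandatory, for example `Required: the request cannot be built until this is set explicitly.` The `Builder` class starts and ends outside this hunk.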
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java b/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java
index 01a76e4..5aec6f0 100644
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java
+++ b/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java
@@ -16,7 +16,6 @@
*/
package org.apache.nifi.authorization;
-import org.apache.nifi.authorization.exception.AuthorityAccessException;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
@@ -31,7 +30,7 @@ public interface Authorizer {
*
* @param request The authorization request
* @return the authorization result
- * @throws AuthorityAccessException if unable to access the authorities
+ * @throws AuthorizationAccessException if unable to access the authorities
*/
AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException;
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java b/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java
deleted file mode 100644
index 416f3cf..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-/**
- * Represents a decision whether authorization is granted to download content.
- */
-public class DownloadAuthorization {
-
- private static enum Result {
-
- Approved,
- Denied;
- }
-
- private static final DownloadAuthorization APPROVED = new DownloadAuthorization(Result.Approved, null);
-
- private final Result result;
- private final String explanation;
-
- /**
- * Creates a new DownloadAuthorization with the specified result and
- * explanation.
- *
- * @param result of the authorization
- * @param explanation for the authorization attempt
- */
- private DownloadAuthorization(Result result, String explanation) {
- if (Result.Denied.equals(result) && explanation == null) {
- throw new IllegalArgumentException("An explanation is required when the download request is denied.");
- }
-
- this.result = result;
- this.explanation = explanation;
- }
-
- /**
- * @return Whether or not the download request is approved
- */
- public boolean isApproved() {
- return Result.Approved.equals(result);
- }
-
- /**
- * @return If the download request is denied, the reason why. Null otherwise
- */
- public String getExplanation() {
- return explanation;
- }
-
- /**
- * @return a new approved DownloadAuthorization
- */
- public static DownloadAuthorization approved() {
- return APPROVED;
- }
-
- /**
- * Creates a new denied DownloadAuthorization with the specified
- * explanation.
- *
- * @param explanation for why it was denied
- * @return a new denied DownloadAuthorization with the specified explanation
- * @throws IllegalArgumentException if explanation is null
- */
- public static DownloadAuthorization denied(String explanation) {
- return new DownloadAuthorization(Result.Denied, explanation);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java
deleted file mode 100644
index 5ac2af7..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.annotation;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- *
- *
- */
-@Documented
-@Target({ElementType.FIELD, ElementType.METHOD})
-@Retention(RetentionPolicy.RUNTIME)
-@Inherited
-public @interface AuthorityProviderContext {
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java
deleted file mode 100644
index be64767..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.exception;
-
-/**
- * Represents the case when the DN could not be confirmed because it was unable
- * to access the data store.
- */
-public class AuthorityAccessException extends RuntimeException {
-
- public AuthorityAccessException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public AuthorityAccessException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java
deleted file mode 100644
index ba80b6e..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.exception;
-
-/**
- * Represents the case when the user identity already exists.
- */
-public class IdentityAlreadyExistsException extends RuntimeException {
-
- public IdentityAlreadyExistsException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public IdentityAlreadyExistsException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java
deleted file mode 100644
index 24ac793..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.exception;
-
-/**
- * Represents the exceptional case when an AuthorityProvider fails instantiated.
- *
- */
-public class ProviderCreationException extends RuntimeException {
-
- public ProviderCreationException() {
- }
-
- public ProviderCreationException(String msg) {
- super(msg);
- }
-
- public ProviderCreationException(Throwable cause) {
- super(cause);
- }
-
- public ProviderCreationException(String msg, Throwable cause) {
- super(msg, cause);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java
deleted file mode 100644
index 985d3fb..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.exception;
-
-/**
- * Represents the exceptional case when an AuthorityProvider fails destruction.
- *
- */
-public class ProviderDestructionException extends RuntimeException {
-
- public ProviderDestructionException() {
- }
-
- public ProviderDestructionException(String msg) {
- super(msg);
- }
-
- public ProviderDestructionException(Throwable cause) {
- super(cause);
- }
-
- public ProviderDestructionException(String msg, Throwable cause) {
- super(msg, cause);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java
deleted file mode 100644
index 2ada1c7..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization.exception;
-
-/**
- * Represents the case when an identity cannot be confirmed.
- */
-public class UnknownIdentityException extends RuntimeException {
-
- public UnknownIdentityException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public UnknownIdentityException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-assembly/pom.xml
----------------------------------------------------------------------
diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
index 09a8d50..e85c83f 100644
--- a/nifi-assembly/pom.xml
+++ b/nifi-assembly/pom.xml
@@ -325,7 +325,7 @@ language governing permissions and limitations under the License. -->
<nifi.flow.configuration.file>./conf/flow.xml.gz</nifi.flow.configuration.file>
<nifi.flow.configuration.archive.dir>./conf/archive/</nifi.flow.configuration.archive.dir>
<nifi.login.identity.provider.configuration.file>./conf/login-identity-providers.xml</nifi.login.identity.provider.configuration.file>
- <nifi.authority.provider.configuration.file>./conf/authority-providers.xml</nifi.authority.provider.configuration.file>
+ <nifi.authorizer.configuration.file>./conf/authorizers.xml</nifi.authorizer.configuration.file>
<nifi.templates.directory>./conf/templates</nifi.templates.directory>
<nifi.database.directory>./database_repository</nifi.database.directory>
@@ -413,13 +413,9 @@ language governing permissions and limitations under the License. -->
<nifi.security.truststoreType />
<nifi.security.truststorePasswd />
<nifi.security.needClientAuth />
- <nifi.security.authorizedUsers.file>./conf/authorized-users.xml</nifi.security.authorizedUsers.file>
- <nifi.security.user.credential.cache.duration>24 hours</nifi.security.user.credential.cache.duration>
- <nifi.security.user.authority.provider>file-provider</nifi.security.user.authority.provider>
+ <nifi.security.user.authorizer>file-provider</nifi.security.user.authorizer>
<nifi.security.user.login.identity.provider />
<nifi.security.x509.principal.extractor />
- <nifi.security.support.new.account.requests />
- <nifi.security.anonymous.authorities />
<nifi.security.ocsp.responder.url />
<nifi.security.ocsp.responder.certificate />
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
----------------------------------------------------------------------
diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
index 517b19a..63693bf 100644
--- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
@@ -28,14 +28,10 @@ import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
-import java.util.Set;
public class NiFiProperties extends Properties {
@@ -48,7 +44,7 @@ public class NiFiProperties extends Properties {
public static final String PROPERTIES_FILE_PATH = "nifi.properties.file.path";
public static final String FLOW_CONFIGURATION_FILE = "nifi.flow.configuration.file";
public static final String FLOW_CONFIGURATION_ARCHIVE_FILE = "nifi.flow.configuration.archive.file";
- public static final String AUTHORITY_PROVIDER_CONFIGURATION_FILE = "nifi.authority.provider.configuration.file";
+ public static final String AUTHORIZER_CONFIGURATION_FILE = "nifi.authorizer.configuration.file";
public static final String LOGIN_IDENTITY_PROVIDER_CONFIGURATION_FILE = "nifi.login.identity.provider.configuration.file";
public static final String REPOSITORY_DATABASE_DIRECTORY = "nifi.database.directory";
public static final String RESTORE_DIRECTORY = "nifi.restore.directory";
@@ -131,13 +127,10 @@ public class NiFiProperties extends Properties {
public static final String SECURITY_TRUSTSTORE_TYPE = "nifi.security.truststoreType";
public static final String SECURITY_TRUSTSTORE_PASSWD = "nifi.security.truststorePasswd";
public static final String SECURITY_NEED_CLIENT_AUTH = "nifi.security.needClientAuth";
- public static final String SECURITY_USER_AUTHORITY_PROVIDER = "nifi.security.user.authority.provider";
+ public static final String SECURITY_USER_AUTHORIZER = "nifi.security.user.authorizer";
public static final String SECURITY_USER_LOGIN_IDENTITY_PROVIDER = "nifi.security.user.login.identity.provider";
public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_PORT = "nifi.security.cluster.authority.provider.port";
public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_THREADS = "nifi.security.cluster.authority.provider.threads";
- public static final String SECURITY_USER_CREDENTIAL_CACHE_DURATION = "nifi.security.user.credential.cache.duration";
- public static final String SECURITY_SUPPORT_NEW_ACCOUNT_REQUESTS = "nifi.security.support.new.account.requests";
- public static final String SECURITY_ANONYMOUS_AUTHORITIES = "nifi.security.anonymous.authorities";
public static final String SECURITY_OCSP_RESPONDER_URL = "nifi.security.ocsp.responder.url";
public static final String SECURITY_OCSP_RESPONDER_CERTIFICATE = "nifi.security.ocsp.responder.certificate";
@@ -504,10 +497,10 @@ public class NiFiProperties extends Properties {
}
/**
- * @return the user authorities file
+ * @return the user authorizers file
*/
- public File getAuthorityProviderConfiguraitonFile() {
- final String value = getProperty(AUTHORITY_PROVIDER_CONFIGURATION_FILE);
+ public File getAuthorizerConfiguraitonFile() {
+ final String value = getProperty(AUTHORIZER_CONFIGURATION_FILE);
if (StringUtils.isBlank(value)) {
return new File(DEFAULT_AUTHORITY_PROVIDER_CONFIGURATION_FILE);
} else {
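Review bot: The renamed getter `getAuthorizerConfiguraitonFile()` carries the old misspelling into a new public name, and the blank-value branch still returns `DEFAULT_AUTHORITY_PROVIDER_CONFIGURATION_FILE`. That constant's value is not visible in this diff; if it still names the authority-providers file, an unset property resolves to a different file than the `./conf/authorizers.xml` that `nifi-assembly/pom.xml` now configures. Since the method is being renamed anyway, `public File getAuthorizerConfigurationFile()` with a `DEFAULT_AUTHORIZER_CONFIGURATION_FILE` constant would keep the two consistent. The method body continues past the end of this hunk.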
@@ -541,40 +534,6 @@ public class NiFiProperties extends Properties {
return needClientAuth;
}
- public String getUserCredentialCacheDuration() {
- return getProperty(SECURITY_USER_CREDENTIAL_CACHE_DURATION,
- DEFAULT_USER_CREDENTIAL_CACHE_DURATION);
- }
-
- public boolean getSupportNewAccountRequests() {
- boolean shouldSupport = true;
- String rawShouldSupport = getProperty(SECURITY_SUPPORT_NEW_ACCOUNT_REQUESTS);
- if ("false".equalsIgnoreCase(rawShouldSupport)) {
- shouldSupport = false;
- }
- return shouldSupport;
- }
-
- @SuppressWarnings("unchecked")
- public Set<String> getAnonymousAuthorities() {
- final Set<String> authorities;
-
- final String rawAnonymousAuthorities = getProperty(SECURITY_ANONYMOUS_AUTHORITIES);
- if (!StringUtils.isEmpty(rawAnonymousAuthorities)) {
- authorities = new HashSet<>();
-
- // parse the raw authorities and trim them
- final List<String> authoritiesList = Arrays.asList(rawAnonymousAuthorities.split(","));
- for (final String authority : authoritiesList) {
- authorities.add(authority.trim());
- }
- } else {
- authorities = Collections.EMPTY_SET;
- }
-
- return authorities;
- }
-
// getters for web properties //
public Integer getPort() {
Integer port = null;
@@ -922,7 +881,7 @@ public class NiFiProperties extends Properties {
* @return true if client certificates are required for access to the REST API
*/
public boolean isClientAuthRequiredForRestApi() {
- return StringUtils.isBlank(getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER)) && getAnonymousAuthorities().isEmpty() && !isKerberosServiceSupportEnabled();
+ return StringUtils.isBlank(getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER)) && !isKerberosServiceSupportEnabled();
}
public InetSocketAddress getNodeApiAddress() {
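Review bot: Dropping `getAnonymousAuthorities().isEmpty()` from `isClientAuthRequiredForRestApi()` makes client certificates mandatory whenever neither a login identity provider nor Kerberos service support is configured, and the Javadoc does not state that rule. An existing `nifi.properties` that sets `nifi.security.anonymous.authorities` to allow certificate-less access will, as far as this diff shows, have that key ignored silently. The `@return` text could read `true if client certificates are required for access to the REST API, which is the case when neither a login identity provider nor Kerberos service support is configured`. A startup warning when a removed security property is still present would help operators notice the change. The Javadoc block begins outside this hunk.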
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties
----------------------------------------------------------------------
diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties
index 720c050..898cebf 100644
--- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties
+++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties
@@ -83,11 +83,7 @@ nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.needClientAuth=
-nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml
-nifi.security.user.credential.cache.duration=24 hours
-nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider
-nifi.security.support.new.account.requests=
-nifi.security.default.user.roles=
+nifi.security.user.authorizer=
# cluster common properties (cluster manager and nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties
----------------------------------------------------------------------
diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties
index 85300ae..786b05f 100644
--- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties
+++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties
@@ -81,11 +81,7 @@ nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.needClientAuth=
-nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml
-nifi.security.user.credential.cache.duration=24 hours
-nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider
-nifi.security.support.new.account.requests=
-nifi.security.default.user.roles=
+nifi.security.user.authorizer=
# cluster common properties (cluster manager and nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
----------------------------------------------------------------------
diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
index 0ace99e..f9d9b78 100644
--- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
+++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
@@ -83,11 +83,7 @@ nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.needClientAuth=
-nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml
-nifi.security.user.credential.cache.duration=24 hours
-nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider
-nifi.security.support.new.account.requests=
-nifi.security.default.user.roles=
+nifi.security.user.authorizer=
# cluster common properties (cluster manager and nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 86c340a..8d784c6 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -154,9 +154,6 @@ NiFi provides several different configuration options for security purposes. The
by the NiFi cluster protocol. If the Truststore properties are not set, this must be `false`. Otherwise, a value
of `true` indicates that nodes in the cluster will be authenticated and must have certificates that are trusted
by the Truststores.
-|`nifi.security.anonymous.authorities` | Specifies the roles that should be granted to users that connect over HTTPS anonymously. All users can make
- use of anonymous access, however if they have been granted a particular level of access by an administrator
- it will take precedence if they access NiFi using a client certificate or once they have logged in.
|==================================================================================================================================================
Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished
@@ -167,10 +164,10 @@ be accessible from all network interfaces, a value of `0.0.0.0` should be used.
NOTE: It is important when enabling HTTPS that the `nifi.web.http.port` property be unset.
Similar to `nifi.security.needClientAuth`, the web server can be configured to require certificate based client authentication for users accessing
-the User Interface. In order to do this it must be configured to not support username/password authentication (see below) and not grant access to
-anonymous users (see `nifi.security.anonymous.authorities` above). Either of these options will configure the web server to WANT certificate based client
-authentication. This will allow it to support users with certificates and those without that may be logging in with their credentials or those accessing
-anonymously. If username/password authentication and anonymous access are not configured, the web server will REQUIRE certificate based client authentication.
+the User Interface. In order to do this it must be configured to not support username/password authentication (see below). Either of these options
+will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without
+that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured,
+the web server will REQUIRE certificate based client authentication.
Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is
accomplished by setting the `nifi.remote.input.secure` and `nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
@@ -289,127 +286,6 @@ nifi.security.user.login.identity.provider=kerberos-provider
See also <<kerberos_service>> to allow single sign-on access via client Kerberos tickets.
-Controlling Levels of Access
-----------------------------
-
-Once NiFi is configured to run securely and an authentication mechanism is configured, it is necessary
-to configure who will have access to the system and what types of access those people will have.
-NiFi controls this through the user of an 'Authority Provider.' The Authority Provider is a pluggable
-mechanism for providing authorizations to different users. Which Authority Provider to use is configured
-using two properties in the _nifi.properties_ file.
-
-The `nifi.authority.provider.configuration.file` property specifies the configuration file for Authority Providers.
-The `nifi.security.user.authority.provider` property indicates which of the configured Authority Providers should be
-used.
-
-By default, the `file-provider` Authority Provider is selected and is configured to use the permissions granted in
-the _authorized-users.xml_ file. This is typically sufficient for instances of NiFi that are run in "standalone" mode.
-If the NiFi instance is configured to run in a cluster, the node will typically use the `cluster-node-provider`
-Provider and the Cluster Manager will typically use the `cluster-ncm-provider` Provider. Both of these Providers
-have a default configuration in the _authority-providers.xml_ file but are commented out.
-
-When using the `cluster-node-provider` Provider, all of the authorization is provided by the Cluster Manager. In this
-way, the configuration only has to be maintained in one place and will be consistent across the entire cluster.
-
-When configuring the Cluster Manager or a standalone node, it is necessary to manually designate an ADMIN user
-in the _authorized-users.xml_ file, which is located in the root installation's conf directory.
-After this ADMIN user has been added, s/he may grant access
-to other users, systems, and other instances of NiFi, through the User Interface (UI) without having to manually edit the _authorized-users.xml_
-file. If you are the administrator, you would add yourself as the ADMIN user in this file.
-
-Open the _authorized-users.xml_ file in a text editor. You will notice that it includes a template
-to guide you, with example entries that are commented out.
-
-It is only necessary to manually add one user, the ADMIN user, to this file.
-So, at a minimum, the following example entry should be included and contain the user Distinguished Name (DN)
-in place of "user dn - read only and admin":
-
-----
-<users>
- <user dn="[user dn - read only and admin]">
- <role name="ROLE_ADMIN"/>
- </user>
-</users>
-----
-
-Here is an LDAP example entry using the name John Smith:
-
-----
-<users>
- <user dn="cn=John Smith,ou=people,dc=example,dc=com">
- <role name="ROLE_ADMIN"/>
- </user>
-</users>
-----
-
-Here is a Kerberos example entry using the name John Smith and realm `NIFI.APACHE.ORG`:
-
-----
-<users>
- <user dn="johnsmith@NIFI.APACHE.ORG">
- <role name="ROLE_ADMIN"/>
- </user>
-</users>
-----
-
-After the _authorized-users.xml_ file has been edited and saved, restart NiFi.
-Once the application starts, the ADMIN user is
-able to access the UI at the HTTPS URL that is configured in the _nifi.properties_ file.
-
-From the UI, click on the Users icon ( image:iconUsers.png["Users", width=32] ) in the
-Management Toolbar (upper-right corner of the UI), and the User Management Page opens.
-
-The ADMIN user should be listed. Click on the pencil icon to see this user's role(s). You may edit the
-roles by selecting the appropriate checkboxes.
-
-The following roles are available in NiFi:
-
-[options="header,footer"]
-|========================================================================================================
-| Role Name | Description
-| Administrator | Administrator is able to configure thread pool sizes and user accounts as well as
- purge the dataflow change history.
-| Data Flow Manager | Data Flow Manager is given the ability to manipulate the dataflow. S/he is able to
- add, remove, and manipulate components on the graph; add, remove, and manipulate
- Controller Services and Reporting Tasks; create and manage templates;
- view statistics; and view the bulletin board.
-| Read Only | Users with Read Only access are able to view the dataflow but are unable to change anything.
-| Provenance | Users with Provenance access are able to query the Data Provenance repository and view
- the lineage of data. Additionally, this role provides the ability to view or download
- the content of a FlowFile from a Provenance event (assuming that the content is still
- available in the Content Repository and that the Authority Provider also grants access).
- This access is not provided to users with Read Only
- (unless the user has both Read Only and Provenance roles) because the information provided
- to users with this role can potentially be very sensitive in nature, as all FlowFile attributes
- and data are exposed. In order to Replay a Provenance event, a user is required to have both
- the Provenance role as well as the Data Flow Manager role.
-| NiFi | The NiFi Role is intended to be assigned to machines that will interact with an instance of NiFi
- via Site-to-Site. This role provides the ability to send data to or retrieve data from Root
- Group Ports (but only those that they are given permissions to interact with - see the User Guide
- for more information on providing access to specific Ports) as well as obtain information about
- which Ports exist. Note that this role allows the client to know only about the Ports that it
- has permissions to interact with.
-| Proxy | The Proxy Role is assigned to a system in order to grant that system permission to make requests
- on behalf of a user. For instance, if an HTTP proxy service is used to gain access to the system,
- the certificate being used by that service can be given the Proxy Role.
-|========================================================================================================
-
-
-When users want access to the NiFi UI, they navigate to the configured URL and are
-prompted to request access. When someone has requested access, the ADMIN user sees a star
-on the Users icon in the Management Toolbar, alerting the ADMIN to the fact that a request is
-pending. Upon opening the User Management Page, the pending request is visible, and the ADMIN
-can grant access and click on the pencil icon to set the user's roles appropriately.
-
-The ADMIN may also select multiple users and add them to a "Group". Hold down the Shift key and select
-multiple users, then click the `Group` button in the upper-right corner of the User Management Page.
-Then, provide a name for the group.
-
-The group feature is especially useful when a remote NiFi cluster is connecting to this NiFi using
-a Remote Process Group. In that scenario, all the nodes
-in the remote cluster can be included in the same group. When the ADMIN wants to grant port access to the remote
-cluster, s/he can grant it to the group and avoid having to grant it individually to each node in the cluster.
-
[[encryption]]
Encryption Configuration
------------------------
@@ -1454,15 +1330,8 @@ Security Configuration section of this Administrator's Guide.
|nifi.security.truststoreType|The truststore type. It is blank by default.
|nifi.security.truststorePasswd|The truststore password. It is blank by default.
|nifi.security.needClientAuth|This indicates whether client authentication in the cluster protocol. It is blank by default.
-|nifi.security.user.credential.cache.duration|The length of time to cache user credentials. The default value is 24 hours.
-|nifi.security.user.authority.provider|This indicates what type of authority provider to use. The default value is file-provider, which refers to the file
-configured in the core property `nifi.authority.provider.configuration.file`. Another authority provider may be used, such as when the NiFi instance is part of a cluster. But the default value of file-provider is fine for a standalone instance of NiFi.
|nifi.security.user.login.identity.provider|This indicates what type of login identity provider to use. The default value is blank, can be set to the identifier from a provider
in the file specified in `nifi.login.identity.provider.configuration.file`. Setting this property will trigger NiFi to support username/password authentication.
-|nifi.security.support.new.account.requests|This indicates whether a secure NiFi is configured to allow users to request access. It is blank by default.
-|nifi.security.anonymous.authorities|This indicates what roles to grant to anonymous users accessing NiFi over HTTPS. It is blank by default, but could be
-set to any combination of ROLE_MONITOR, ROLE_DFM, ROLE_ADMIN, ROLE_PROVENANCE, ROLE_NIFI. Leaving this property blank will require that users accessing NiFi
-over HTTPS be authenticated either using a client certificate or their credentials against the configured log identity provider.
|nifi.security.ocsp.responder.url|This is the URL for the Online Certificate Status Protocol (OCSP) responder if one is being used. It is blank by default.
|nifi.security.ocsp.responder.certificate|This is the location of the OCSP responder certificate if one is being used. It is blank by default.
|====
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
index 672a3ee..478ffaf 100644
--- a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
+++ b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
@@ -26,7 +26,7 @@ import com.datastax.driver.core.Session;
import org.apache.avro.Schema;
import org.apache.avro.SchemaBuilder;
import org.apache.commons.lang3.StringUtils;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authentication.exception.ProviderCreationException;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext;
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
index 1f62997..19e2320 100644
--- a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
+++ b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
@@ -22,7 +22,7 @@ import com.datastax.driver.core.DataType;
import com.datastax.driver.core.Metadata;
import com.datastax.driver.core.Row;
import com.google.common.collect.Sets;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authentication.exception.ProviderCreationException;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;