Posted to commits@nifi.apache.org by bb...@apache.org on 2017/11/07 18:50:22 UTC
[06/17] nifi-registry git commit: NIFIREG-33 Add LDAP and JWT auth
support
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Group.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Group.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Group.java
deleted file mode 100644
index f22dd97..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Group.java
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import java.nio.charset.StandardCharsets;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Objects;
-import java.util.Set;
-import java.util.UUID;
-
-/**
- * A group that users can belong to.
- */
-public class Group {
-
- private final String identifier;
-
- private final String name;
-
- private final Set<String> users;
-
- private Group(final Builder builder) {
- this.identifier = builder.identifier;
- this.name = builder.name;
- this.users = Collections.unmodifiableSet(new HashSet<>(builder.users));
-
- if (this.identifier == null || this.identifier.trim().isEmpty()) {
- throw new IllegalArgumentException("Identifier can not be null or empty");
- }
-
- if (this.name == null || this.name.trim().isEmpty()) {
- throw new IllegalArgumentException("Name can not be null or empty");
- }
- }
-
- /**
- * @return the identifier of the group
- */
- public String getIdentifier() {
- return identifier;
- }
-
- /**
- * @return the name of the group
- */
- public String getName() {
- return name;
- }
-
- /**
- * @return an unmodifiable set of user identifiers that belong to this group
- */
- public Set<String> getUsers() {
- return users;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
-
- final Group other = (Group) obj;
- return Objects.equals(this.identifier, other.identifier);
- }
-
- @Override
- public int hashCode() {
- return Objects.hashCode(this.identifier);
- }
-
- @Override
- public String toString() {
- return String.format("identifier[%s], name[%s]", getIdentifier(), getName());
- }
-
-
- /**
- * Builder for creating Groups.
- */
- public static class Builder {
-
- private String identifier;
- private String name;
- private Set<String> users = new HashSet<>();
- private final boolean fromGroup;
-
- public Builder() {
- this.fromGroup = false;
- }
-
- /**
- * Initializes the builder with the state of the provided group. When using this constructor
- * the identifier field of the builder can not be changed and will result in an IllegalStateException
- * if attempting to do so.
- *
- * @param other the existing access policy to initialize from
- */
- public Builder(final Group other) {
- if (other == null) {
- throw new IllegalArgumentException("Provided group can not be null");
- }
-
- this.identifier = other.getIdentifier();
- this.name = other.getName();
- this.users.clear();
- this.users.addAll(other.getUsers());
- this.fromGroup = true;
- }
-
- /**
- * Sets the identifier of the builder.
- *
- * @param identifier the identifier
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing Group
- */
- public Builder identifier(final String identifier) {
- if (fromGroup) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing group");
- }
-
- this.identifier = identifier;
- return this;
- }
-
- /**
- * Sets the identifier of the builder to a random UUID.
- *
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing Group
- */
- public Builder identifierGenerateRandom() {
- if (fromGroup) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing group");
- }
-
- this.identifier = UUID.randomUUID().toString();
- return this;
- }
-
- /**
- * Sets the identifier of the builder with a UUID generated from the specified seed string.
- *
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing Group
- */
- public Builder identifierGenerateFromSeed(final String seed) {
- if (fromGroup) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing group");
- }
- if (seed == null) {
- throw new IllegalArgumentException("Cannot seed the group identifier with a null value.");
- }
-
- this.identifier = UUID.nameUUIDFromBytes(seed.getBytes(StandardCharsets.UTF_8)).toString();
- return this;
- }
-
- /**
- * Sets the name of the builder.
- *
- * @param name the name
- * @return the builder
- */
- public Builder name(final String name) {
- this.name = name;
- return this;
- }
-
- /**
- * Adds all users from the provided set to the builder's set of users.
- *
- * @param users a set of users to add
- * @return the builder
- */
- public Builder addUsers(final Set<String> users) {
- if (users != null) {
- this.users.addAll(users);
- }
- return this;
- }
-
- /**
- * Adds the given user to the builder's set of users.
- *
- * @param user the user to add
- * @return the builder
- */
- public Builder addUser(final String user) {
- if (user != null) {
- this.users.add(user);
- }
- return this;
- }
-
- /**
- * Removes the given user from the builder's set of users.
- *
- * @param user the user to remove
- * @return the builder
- */
- public Builder removeUser(final String user) {
- if (user != null) {
- this.users.remove(user);
- }
- return this;
- }
-
- /**
- * Removes all users from the provided set from the builder's set of users.
- *
- * @param users the users to remove
- * @return the builder
- */
- public Builder removeUsers(final Set<String> users) {
- if (users != null) {
- this.users.removeAll(users);
- }
- return this;
- }
-
- /**
- * Clears the builder's set of users so that users is non-null with size 0.
- *
- * @return the builder
- */
- public Builder clearUsers() {
- this.users.clear();
- return this;
- }
-
- /**
- * @return a new Group constructed from the state of the builder
- */
- public Group build() {
- return new Group(this);
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/ManagedAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/ManagedAuthorizer.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/ManagedAuthorizer.java
deleted file mode 100644
index da82f4e..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/ManagedAuthorizer.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import org.apache.nifi.registry.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.authorization.exception.UninheritableAuthorizationsException;
-
-public interface ManagedAuthorizer extends Authorizer {
-
- /**
- * Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint will be
- * used for comparison to determine if two managed authorizers represent a compatible set of users,
- * groups, and/or policies. Must be non null
- *
- * @return the fingerprint for this Authorizer
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- String getFingerprint() throws AuthorizationAccessException;
-
- /**
- * Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
- *
- * @param fingerprint the fingerprint that was obtained from calling getFingerprint() on another Authorizer.
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- void inheritFingerprint(final String fingerprint) throws AuthorizationAccessException;
-
- /**
- * When the fingerprints are not equal, this method will check if the proposed fingerprint is inheritable.
- * If the fingerprint is an exact match, this method will not be invoked as there is nothing to inherit.
- *
- * @param proposedFingerprint the proposed fingerprint
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- * @throws UninheritableAuthorizationsException if the proposed fingerprint was uninheritable
- */
- void checkInheritability(final String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException;
-
- /**
- * Returns the AccessPolicy provider for this managed Authorizer. Must be non null
- *
- * @return the AccessPolicy provider
- */
- AccessPolicyProvider getAccessPolicyProvider();
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/RequestAction.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/RequestAction.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/RequestAction.java
deleted file mode 100644
index a489ecc..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/RequestAction.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import java.util.StringJoiner;
-
-/**
- * Actions a user/entity can take on a resource.
- */
-public enum RequestAction {
- READ("read"),
- WRITE("write"),
- DELETE("delete");
-
- private String value;
-
- RequestAction(String value) {
- this.value = value;
- }
-
- @Override
- public String toString() {
- return value.toLowerCase();
- }
-
- public static RequestAction valueOfValue(final String action) {
- if (RequestAction.READ.toString().equalsIgnoreCase(action)) {
- return RequestAction.READ;
- } else if (RequestAction.WRITE.toString().equalsIgnoreCase(action)) {
- return RequestAction.WRITE;
- } else if (RequestAction.DELETE.toString().equalsIgnoreCase(action)) {
- return RequestAction.DELETE;
- } else {
- StringJoiner stringJoiner = new StringJoiner(", ");
- for(RequestAction ra : RequestAction.values()) {
- stringJoiner.add(ra.toString());
- }
- String allowableValues = stringJoiner.toString();
- throw new IllegalArgumentException("Action must be one of [" + allowableValues + "]");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Resource.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Resource.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Resource.java
deleted file mode 100644
index 711f724..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/Resource.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-/**
- * Resource in an authorization request.
- */
-public interface Resource {
-
- /**
- * The identifier for this resource.
- *
- * @return identifier for this resource
- */
- String getIdentifier();
-
- /**
- * The name of this resource. May be null.
- *
- * @return name of this resource
- */
- String getName();
-
- /**
- * The description of this resource that may be safely used in messages to the client.
- *
- * @return safe description
- */
- String getSafeDescription();
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/User.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/User.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/User.java
deleted file mode 100644
index 79f12a8..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/User.java
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import java.nio.charset.StandardCharsets;
-import java.util.Objects;
-import java.util.UUID;
-
-/**
- * A user to create authorization policies for.
- */
-public class User {
-
- private final String identifier;
-
- private final String identity;
-
- private User(final Builder builder) {
- this.identifier = builder.identifier;
- this.identity = builder.identity;
-
- if (identifier == null || identifier.trim().isEmpty()) {
- throw new IllegalArgumentException("Identifier can not be null or empty");
- }
-
- if (identity == null || identity.trim().isEmpty()) {
- throw new IllegalArgumentException("Identity can not be null or empty");
- }
-
- }
-
- /**
- * @return the identifier of the user
- */
- public String getIdentifier() {
- return identifier;
- }
-
- /**
- * @return the identity string of the user
- */
- public String getIdentity() {
- return identity;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
-
- final User other = (User) obj;
- return Objects.equals(this.identifier, other.identifier);
- }
-
- @Override
- public int hashCode() {
- return Objects.hashCode(this.identifier);
- }
-
- @Override
- public String toString() {
- return String.format("identifier[%s], identity[%s]", getIdentifier(), getIdentity());
- }
-
- /**
- * Builder for Users.
- */
- public static class Builder {
-
- private String identifier;
- private String identity;
- private final boolean fromUser;
-
- /**
- * Default constructor for building a new User.
- */
- public Builder() {
- this.fromUser = false;
- }
-
- /**
- * Initializes the builder with the state of the provided user. When using this constructor
- * the identifier field of the builder can not be changed and will result in an IllegalStateException
- * if attempting to do so.
- *
- * @param other the existing user to initialize from
- */
- public Builder(final User other) {
- if (other == null) {
- throw new IllegalArgumentException("Provided user can not be null");
- }
-
- this.identifier = other.getIdentifier();
- this.identity = other.getIdentity();
- this.fromUser = true;
- }
-
- /**
- * Sets the identifier of the builder.
- *
- * @param identifier the identifier to set
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing User
- */
- public Builder identifier(final String identifier) {
- if (fromUser) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing user");
- }
-
- this.identifier = identifier;
- return this;
- }
-
- /**
- * Sets the identifier of the builder to a random UUID.
- *
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing User
- */
- public Builder identifierGenerateRandom() {
- if (fromUser) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing user");
- }
-
- this.identifier = UUID.randomUUID().toString();
- return this;
- }
-
- /**
- * Sets the identifier of the builder with a UUID generated from the specified seed string.
- *
- * @return the builder
- * @throws IllegalStateException if this method is called when this builder was constructed from an existing User
- */
- public Builder identifierGenerateFromSeed(final String seed) {
- if (fromUser) {
- throw new IllegalStateException(
- "Identifier can not be changed when initialized from an existing user");
- }
- if (seed == null) {
- throw new IllegalArgumentException("Cannot seed the user identifier with a null value.");
- }
-
- this.identifier = UUID.nameUUIDFromBytes(seed.getBytes(StandardCharsets.UTF_8)).toString();
- return this;
- }
-
- /**
- * Sets the identity of the builder.
- *
- * @param identity the identity to set
- * @return the builder
- */
- public Builder identity(final String identity) {
- this.identity = identity;
- return this;
- }
-
- /**
- * @return a new User constructed from the state of the builder
- */
- public User build() {
- return new User(this);
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserAndGroups.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserAndGroups.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserAndGroups.java
deleted file mode 100644
index b8f150a..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserAndGroups.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import java.util.Set;
-
-/**
- * A holder object to provide atomic access to a user and their groups.
- */
-public interface UserAndGroups {
-
- /**
- * Retrieves the user, or null if the user is unknown
- *
- * @return the user with the given identity
- */
- User getUser();
-
- /**
- * Retrieves the groups for the user, or null if the user is unknown or has no groups.
- *
- * @return the set of groups for the given user identity
- */
- Set<Group> getGroups();
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserContextKeys.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserContextKeys.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserContextKeys.java
deleted file mode 100644
index daac9e8..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserContextKeys.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-/**
- * Constants for keys that can be passed in the AuthorizationRequest user context Map.
- */
-public enum UserContextKeys {
-
- CLIENT_ADDRESS;
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProvider.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProvider.java
deleted file mode 100644
index c0460da..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProvider.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-import org.apache.nifi.registry.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.registry.authorization.exception.AuthorizerDestructionException;
-
-import java.util.Set;
-
-/**
- * Provides access to Users and Groups.
- *
- * NOTE: Extensions will be called often and frequently. Because of this, if the underlying implementation needs to
- * make remote calls or expensive calculations those should probably be done asynchronously and/or cache the results.
- *
- * Additionally, extensions need to be thread safe.
- */
-public interface UserGroupProvider {
-
- /**
- * Retrieves all users. Must be non null
- *
- * @return a list of users
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- Set<User> getUsers() throws AuthorizationAccessException;
-
- /**
- * Retrieves the user with the given identifier.
- *
- * @param identifier the id of the user to retrieve
- * @return the user with the given id, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- User getUser(String identifier) throws AuthorizationAccessException;
-
- /**
- * Retrieves the user with the given identity.
- *
- * @param identity the identity of the user to retrieve
- * @return the user with the given identity, or null if no matching user was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- User getUserByIdentity(String identity) throws AuthorizationAccessException;
-
- /**
- * Retrieves all groups. Must be non null
- *
- * @return a list of groups
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- Set<Group> getGroups() throws AuthorizationAccessException;
-
- /**
- * Retrieves a Group by id.
- *
- * @param identifier the identifier of the Group to retrieve
- * @return the Group with the given identifier, or null if no matching group was found
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- Group getGroup(String identifier) throws AuthorizationAccessException;
-
- /**
- * Gets a user and their groups. Must be non null. If the user is not known the UserAndGroups.getUser() and
- * UserAndGroups.getGroups() should return null
- *
- * @return the UserAndGroups for the specified identity
- * @throws AuthorizationAccessException if there was an unexpected error performing the operation
- */
- UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException;
-
- /**
- * Called immediately after instance creation for implementers to perform additional setup
- *
- * @param initializationContext in which to initialize
- */
- void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException;
-
- /**
- * Called to configure the Authorizer.
- *
- * @param configurationContext at the time of configuration
- * @throws AuthorizerCreationException for any issues configuring the provider
- */
- void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException;
-
- /**
- * Called immediately before instance destruction for implementers to release resources.
- *
- * @throws AuthorizerDestructionException If pre-destruction fails.
- */
- void preDestruction() throws AuthorizerDestructionException;
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderInitializationContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderInitializationContext.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderInitializationContext.java
deleted file mode 100644
index 6a213fa..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderInitializationContext.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-/**
- * Initialization content for UserGroupProviders.
- */
-public interface UserGroupProviderInitializationContext {
-
- /**
- * The identifier of the UserGroupProvider.
- *
- * @return The identifier
- */
- String getIdentifier();
-
- /**
- * The lookup for accessing other configured UserGroupProviders.
- *
- * @return The UserGroupProvider lookup
- */
- UserGroupProviderLookup getUserGroupProviderLookup();
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderLookup.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderLookup.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderLookup.java
deleted file mode 100644
index ddf6124..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/UserGroupProviderLookup.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization;
-
-/**
- *
- */
-public interface UserGroupProviderLookup {
-
- /**
- * Looks up the UserGroupProvider with the specified identifier
- *
- * @param identifier The identifier of the UserGroupProvider
- * @return The UserGroupProvider
- */
- UserGroupProvider getUserGroupProvider(String identifier);
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AccessDeniedException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AccessDeniedException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AccessDeniedException.java
deleted file mode 100644
index 7b09a6e..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AccessDeniedException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.exception;
-
-/**
- * Represents any error that might occur while authorizing user requests.
- */
-public class AccessDeniedException extends RuntimeException {
- private static final long serialVersionUID = -5683444815269084134L;
-
- public AccessDeniedException(Throwable cause) {
- super(cause);
- }
-
- public AccessDeniedException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public AccessDeniedException(String message) {
- super(message);
- }
-
- public AccessDeniedException() {
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizationAccessException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizationAccessException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizationAccessException.java
deleted file mode 100644
index 407e182..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizationAccessException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.exception;
-
-/**
- * Represents the case when an authorization decision could not be made because the Authorizer was unable to access the underlying data store.
- */
-public class AuthorizationAccessException extends RuntimeException {
-
- public AuthorizationAccessException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public AuthorizationAccessException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerCreationException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerCreationException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerCreationException.java
deleted file mode 100644
index 2a7ae36..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerCreationException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.exception;
-
-/**
- * Represents the exceptional case when an Authorizer fails instantiation.
- *
- */
-public class AuthorizerCreationException extends RuntimeException {
-
- public AuthorizerCreationException() {
- }
-
- public AuthorizerCreationException(String msg) {
- super(msg);
- }
-
- public AuthorizerCreationException(Throwable cause) {
- super(cause);
- }
-
- public AuthorizerCreationException(String msg, Throwable cause) {
- super(msg, cause);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerDestructionException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerDestructionException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerDestructionException.java
deleted file mode 100644
index 0f4a498..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/AuthorizerDestructionException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.exception;
-
-/**
- * Represents the exceptional case when an Authorizer fails destruction.
- *
- */
-public class AuthorizerDestructionException extends RuntimeException {
-
- public AuthorizerDestructionException() {
- }
-
- public AuthorizerDestructionException(String msg) {
- super(msg);
- }
-
- public AuthorizerDestructionException(Throwable cause) {
- super(cause);
- }
-
- public AuthorizerDestructionException(String msg, Throwable cause) {
- super(msg, cause);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/UninheritableAuthorizationsException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/UninheritableAuthorizationsException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/UninheritableAuthorizationsException.java
deleted file mode 100644
index fe110f7..0000000
--- a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/authorization/exception/UninheritableAuthorizationsException.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.authorization.exception;
-
-/**
- * Represents the case when the proposed authorizations are not inheritable.
- */
-public class UninheritableAuthorizationsException extends RuntimeException {
-
- public UninheritableAuthorizationsException(String message) {
- super(message);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/AuthenticationResponse.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/AuthenticationResponse.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/AuthenticationResponse.java
new file mode 100644
index 0000000..e6bfeb2
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/AuthenticationResponse.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+/**
+ * Authentication response for a user login attempt.
+ */
+public class AuthenticationResponse {
+
+ private final String identity;
+ private final String username;
+ private final long expiration;
+ private final String issuer;
+
+ /**
+ * Creates an authentication response. The username and how long the authentication is valid in milliseconds
+ *
+ * @param identity The user identity
+ * @param username The username
+ * @param expiration The expiration in milliseconds
+ * @param issuer The issuer of the token
+ */
+ public AuthenticationResponse(final String identity, final String username, final long expiration, final String issuer) {
+ this.identity = identity;
+ this.username = username;
+ this.expiration = expiration;
+ this.issuer = issuer;
+ }
+
+ public String getIdentity() {
+ return identity;
+ }
+
+ public String getUsername() {
+ return username;
+ }
+
+ public String getIssuer() {
+ return issuer;
+ }
+
+ /**
+ * Returns the expiration of a given authentication in milliseconds.
+ *
+ * @return The expiration in milliseconds
+ */
+ public long getExpiration() {
+ return expiration;
+ }
+
+}
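Review bot: The meaning of `expiration` in the new AuthenticationResponse is ambiguous: the constructor javadoc calls it "how long the authentication is valid in milliseconds" (a duration), while the getter javadoc says "the expiration of a given authentication in milliseconds", which reads as an absolute instant. Presumably this value feeds the expiry of the issued token, so a caller that mixes the two readings would issue tokens that are either already expired or valid far longer than intended; pin one meaning in both javadocs, e.g. `@param expiration how long, from the time of this response, the authentication remains valid, in milliseconds (a duration, not an epoch timestamp)`. The constructor also accepts any long, so a guard such as `if (expiration <= 0) throw new IllegalArgumentException("expiration must be positive");` would stop a misconfigured provider from producing non-expiring or already-expired authentications.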
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginCredentials.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginCredentials.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginCredentials.java
new file mode 100644
index 0000000..925d36d
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginCredentials.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+/**
+ * Login credentials for a user.
+ */
+public class LoginCredentials {
+
+ private final String username;
+ private final String password;
+
+ public LoginCredentials(String username, String password) {
+ this.username = username;
+ this.password = password;
+ }
+
+ public String getUsername() {
+ return username;
+ }
+
+ public String getPassword() {
+ return password;
+ }
+}
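Review bot: `password` is held as an immutable `String` in the new LoginCredentials, so it cannot be zeroed once the provider has used it and will linger in the heap (and in any heap dump) until collected. That is a common Java trade-off and matches how the rest of this API passes strings, but the class javadoc should say so and warn callers not to log or serialize the object, e.g. `Login credentials for a user. The password is held in memory as a String; never log, serialize or include this object in error messages.` If the lifetime of the secret matters, `char[]` with an explicit clear method is the usual alternative.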
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProvider.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProvider.java
new file mode 100644
index 0000000..b74069a
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProvider.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+import org.apache.nifi.registry.security.authentication.exception.IdentityAccessException;
+import org.apache.nifi.registry.security.authentication.exception.InvalidLoginCredentialsException;
+import org.apache.nifi.registry.security.authentication.exception.ProviderCreationException;
+import org.apache.nifi.registry.security.authentication.exception.ProviderDestructionException;
+
+/**
+ * Identity provider that is able to authentication a user with username/password credentials.
+ */
+public interface LoginIdentityProvider {
+
+ /**
+ * Authenticates the specified login credentials.
+ *
+ * @param credentials the credentials
+ * @return The authentication response
+ * @throws InvalidLoginCredentialsException The login credentials were invalid
+ * @throws IdentityAccessException Unable to register the user due to an issue accessing the underlying storage
+ */
+ AuthenticationResponse authenticate(LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException;
+
+ /**
+ * Called immediately after instance creation for implementers to perform additional setup
+ *
+ * @param initializationContext in which to initialize
+ * @throws ProviderCreationException Unable to initialize
+ */
+ void initialize(LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException;
+
+ /**
+ * Called to configure the AuthorityProvider.
+ *
+ * @param configurationContext at the time of configuration
+ * @throws ProviderCreationException for any issues configuring the provider
+ */
+ void onConfigured(LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException;
+
+ /**
+ * Called immediately before instance destruction for implementers to release resources.
+ *
+ * @throws ProviderDestructionException If pre-destruction fails.
+ */
+ void preDestruction() throws ProviderDestructionException;
+}
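Review bot: The `@throws IdentityAccessException` line on `authenticate` says "Unable to register the user", which is wrong for a login method and looks copied from elsewhere; it should read `@throws IdentityAccessException unable to verify the credentials due to an issue accessing the underlying storage`. Likewise "able to authentication a user" in the interface javadoc should be "able to authenticate a user", and `onConfigured` says "Called to configure the AuthorityProvider" although this interface is a LoginIdentityProvider. Since callers presumably map `InvalidLoginCredentialsException` and `IdentityAccessException` to different responses, the `authenticate` javadoc should also state that the former is thrown for both an unknown user and a wrong password, so the response cannot be used to enumerate accounts.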
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderConfigurationContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderConfigurationContext.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderConfigurationContext.java
new file mode 100644
index 0000000..a7f21be
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderConfigurationContext.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+import java.util.Map;
+
+/**
+ *
+ */
+public interface LoginIdentityProviderConfigurationContext {
+
+ /**
+ * @return identifier for the authority provider
+ */
+ String getIdentifier();
+
+ /**
+ * Retrieves all properties the component currently understands regardless
+ * of whether a value has been set for them or not. If no value is present
+ * then its value is null and thus any registered default for the property
+ * descriptor applies.
+ *
+ * @return Map of all properties
+ */
+ Map<String, String> getProperties();
+
+ /**
+ * @param property to lookup the descriptor and value of
+ * @return the value the component currently understands for the given
+ * PropertyDescriptor. This method does not substitute default
+ * PropertyDescriptor values, so the value returned will be null if not set
+ */
+ String getProperty(String property);
+}
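Review bot: The javadoc on `getProperties` and `getProperty` refers to "PropertyDescriptor" and "registered defaults" that do not exist in this interface, which exposes only a plain `Map<String, String>`; that is misleading for anyone implementing a new provider. Rewrite the two comments to describe what is actually exposed, e.g. `@return all configured properties for this provider, keyed by property name; a property with no configured value maps to null` and `@return the configured value for the named property, or null if it is not set`. Because these properties are presumably where credentials such as an LDAP bind password will land, a sentence noting that values may be secrets and must not be logged would help implementers.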
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderInitializationContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderInitializationContext.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderInitializationContext.java
new file mode 100644
index 0000000..755c2e8
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderInitializationContext.java
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+/**
+ *
+ */
+public interface LoginIdentityProviderInitializationContext {
+
+ public String getIdentifier();
+
+ public LoginIdentityProviderLookup getAuthorityProviderLookup();
+}
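Review bot: `getAuthorityProviderLookup()` in the new LoginIdentityProviderInitializationContext returns a `LoginIdentityProviderLookup`, so the method name is a leftover from older "AuthorityProvider" naming and is inconsistent with the deleted `UserGroupProviderInitializationContext.getUserGroupProviderLookup()`; rename it to `LoginIdentityProviderLookup getLoginIdentityProviderLookup();`. The `public` modifiers on both methods are redundant in an interface. The class javadoc is empty; a one-liner such as `Initialization context for LoginIdentityProviders.`, mirroring the deleted UserGroupProvider variant, would do.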
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderLookup.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderLookup.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderLookup.java
new file mode 100644
index 0000000..8720bba
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/LoginIdentityProviderLookup.java
@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication;
+
+public interface LoginIdentityProviderLookup {
+
+ LoginIdentityProvider getLoginIdentityProvider(String identifier);
+
+}
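Review bot: The new LoginIdentityProviderLookup does not say what `getLoginIdentityProvider` does for an unknown identifier, and a caller that wires providers by name from configuration needs to know whether to null-check or catch. Add a method javadoc, e.g. `@param identifier the identifier of the LoginIdentityProvider` and `@return the provider registered under that identifier, or null if none is registered` (adjust to an exception if that is the implementation's contract; it is not visible here), plus a class-level sentence such as `Lookup for accessing other configured LoginIdentityProviders by identifier.`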
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/annotation/LoginIdentityProviderContext.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/annotation/LoginIdentityProviderContext.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/annotation/LoginIdentityProviderContext.java
new file mode 100644
index 0000000..1c4d17f
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/annotation/LoginIdentityProviderContext.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ *
+ *
+ */
+@Documented
+@Target({ElementType.FIELD, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Inherited
+public @interface LoginIdentityProviderContext {
+}
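Review bot: The class javadoc on the new `@LoginIdentityProviderContext` annotation is empty, so nothing tells an implementer what marking a field or method with it causes. Given RUNTIME retention and FIELD/METHOD targets it presumably marks an injection point the framework fills with the provider's context, but that is an inference from the annotation metadata only; document the actual contract, e.g. `Marks a field or setter of a LoginIdentityProvider that the framework populates with its context object.`, or state plainly which loader reads it.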
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/IdentityAccessException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/IdentityAccessException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/IdentityAccessException.java
new file mode 100644
index 0000000..fae567a
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/IdentityAccessException.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be confirmed because it was unable
+ * to access the backing store.
+ */
+public class IdentityAccessException extends RuntimeException {
+
+ public IdentityAccessException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public IdentityAccessException(String message) {
+ super(message);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/InvalidLoginCredentialsException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/InvalidLoginCredentialsException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/InvalidLoginCredentialsException.java
new file mode 100644
index 0000000..c432857
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/InvalidLoginCredentialsException.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication.exception;
+
+/**
+ * Represents the case when the identity could not be confirmed because the
+ * login credentials were invalid.
+ */
+public class InvalidLoginCredentialsException extends RuntimeException {
+
+ public InvalidLoginCredentialsException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public InvalidLoginCredentialsException(String message) {
+ super(message);
+ }
+
+}
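Review bot: The `message` passed to the new InvalidLoginCredentialsException is the one thing a login caller is likely to surface to the client, and nothing in the javadoc warns implementers that it must not distinguish "no such user" from "wrong password". Add that caveat to the class javadoc, e.g. `Implementations should use a generic message (for example "The supplied username and password are not valid") rather than revealing whether the username exists.` Whether the message is actually echoed into HTTP responses is not visible in this hunk, so this is a contract note rather than a confirmed leak.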
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderCreationException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderCreationException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderCreationException.java
new file mode 100644
index 0000000..12844ce
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderCreationException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails instantiated.
+ *
+ */
+public class ProviderCreationException extends RuntimeException {
+
+ public ProviderCreationException() {
+ }
+
+ public ProviderCreationException(String msg) {
+ super(msg);
+ }
+
+ public ProviderCreationException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderCreationException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
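Review bot: The class Javadoc at the top of this hunk reads "fails instantiated", which is not a sentence, and it refers to an `AuthorityProvider`, a type that does not appear anywhere in the `security.authentication` package introduced by this commit. Suggested wording: `Represents the exceptional case when an authentication provider fails to be instantiated.` The exact provider type name should be confirmed against whichever interface declares this exception on its `initialize`/`onConfigured` methods, since that is what implementers will look for.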
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderDestructionException.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderDestructionException.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderDestructionException.java
new file mode 100644
index 0000000..8a0157b
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authentication/exception/ProviderDestructionException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails destruction.
+ *
+ */
+public class ProviderDestructionException extends RuntimeException {
+
+ public ProviderDestructionException() {
+ }
+
+ public ProviderDestructionException(String msg) {
+ super(msg);
+ }
+
+ public ProviderDestructionException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderDestructionException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
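Review bot: The class Javadoc at the top of this hunk says "fails destruction" and names `AuthorityProvider`, a type not visible in this `security.authentication` package; the description should name the provider that actually throws it. Suggested wording: `Represents the exceptional case when an authentication provider fails to release its resources during destruction.` Confirm the type name against the interface whose `preDestruction` method declares this exception.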
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicy.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicy.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicy.java
new file mode 100644
index 0000000..aa8260b
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicy.java
@@ -0,0 +1,367 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authorization;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Objects;
+import java.util.Set;
+import java.util.UUID;
+
+/**
+ * Defines a policy for a set of userIdentifiers to perform a set of actions on a given resource.
+ */
+public class AccessPolicy {
+
+ private final String identifier;
+
+ private final String resource;
+
+ private final Set<String> users;
+
+ private final Set<String> groups;
+
+ private final RequestAction action;
+
+ private AccessPolicy(final Builder builder) {
+ this.identifier = builder.identifier;
+ this.resource = builder.resource;
+ this.action = builder.action;
+ this.users = Collections.unmodifiableSet(new HashSet<>(builder.users));
+ this.groups = Collections.unmodifiableSet(new HashSet<>(builder.groups));
+
+ if (this.identifier == null || this.identifier.trim().isEmpty()) {
+ throw new IllegalArgumentException("Identifier can not be null or empty");
+ }
+
+ if (this.resource == null) {
+ throw new IllegalArgumentException("Resource can not be null");
+ }
+
+ if (this.action == null) {
+ throw new IllegalArgumentException("Action can not be null");
+ }
+ }
+
+ /**
+ * @return the identifier for this policy
+ */
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ /**
+ * @return the resource for this policy
+ */
+ public String getResource() {
+ return resource;
+ }
+
+ /**
+ * @return an unmodifiable set of user ids for this policy
+ */
+ public Set<String> getUsers() {
+ return users;
+ }
+
+ /**
+ * @return an unmodifiable set of group ids for this policy
+ */
+ public Set<String> getGroups() {
+ return groups;
+ }
+
+ /**
+ * @return the action for this policy
+ */
+ public RequestAction getAction() {
+ return action;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+
+ final AccessPolicy other = (AccessPolicy) obj;
+ return Objects.equals(this.identifier, other.identifier);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hashCode(this.identifier);
+ }
+
+ @Override
+ public String toString() {
+ return String.format("identifier[%s], resource[%s], users[%s], groups[%s], action[%s]",
+ getIdentifier(), getResource(), getUsers(), getGroups(), getAction());
+ }
+
+ /**
+ * Builder for Access Policies.
+ */
+ public static class Builder {
+
+ private String identifier;
+ private String resource;
+ private RequestAction action;
+ private Set<String> users = new HashSet<>();
+ private Set<String> groups = new HashSet<>();
+ private final boolean fromPolicy;
+
+ /**
+ * Default constructor for building a new AccessPolicy.
+ */
+ public Builder() {
+ this.fromPolicy = false;
+ }
+
+ /**
+ * Initializes the builder with the state of the provided policy. When using this constructor
+ * the identifier field of the builder can not be changed and will result in an IllegalStateException
+ * if attempting to do so.
+ *
+ * @param other the existing access policy to initialize from
+ */
+ public Builder(final AccessPolicy other) {
+ if (other == null) {
+ throw new IllegalArgumentException("Can not initialize builder with a null access policy");
+ }
+
+ this.identifier = other.getIdentifier();
+ this.resource = other.getResource();
+ this.action = other.getAction();
+ this.users.clear();
+ this.users.addAll(other.getUsers());
+ this.groups.clear();
+ this.groups.addAll(other.getGroups());
+ this.fromPolicy = true;
+ }
+
+ /**
+ * Sets the identifier of the builder.
+ *
+ * @param identifier the identifier to set
+ * @return the builder
+ * @throws IllegalStateException if this method is called when this builder was constructed from an existing Policy
+ */
+ public Builder identifier(final String identifier) {
+ if (fromPolicy) {
+ throw new IllegalStateException(
+ "Identifier can not be changed when initialized from an existing policy");
+ }
+
+ this.identifier = identifier;
+ return this;
+ }
+
+ /**
+ * Sets the identifier of the builder to a random UUID.
+ *
+ * @return the builder
+ * @throws IllegalStateException if this method is called when this builder was constructed from an existing Policy
+ */
+ public Builder identifierGenerateRandom() {
+ if (fromPolicy) {
+ throw new IllegalStateException(
+ "Identifier can not be changed when initialized from an existing policy");
+ }
+
+ this.identifier = UUID.randomUUID().toString();
+ return this;
+ }
+
+ /**
+ * Sets the identifier of the builder with a UUID generated from the specified seed string.
+ *
+ * @return the builder
+ * @throws IllegalStateException if this method is called when this builder was constructed from an existing Policy
+ */
+ public Builder identifierGenerateFromSeed(final String seed) {
+ if (fromPolicy) {
+ throw new IllegalStateException(
+ "Identifier can not be changed when initialized from an existing policy");
+ }
+ if (seed == null) {
+ throw new IllegalArgumentException("Cannot seed the policy identifier with a null value.");
+ }
+
+ this.identifier = UUID.nameUUIDFromBytes(seed.getBytes(StandardCharsets.UTF_8)).toString();
+ return this;
+ }
+
+ /**
+ * Sets the resource of the builder.
+ *
+ * @param resource the resource to set
+ * @return the builder
+ */
+ public Builder resource(final String resource) {
+ this.resource = resource;
+ return this;
+ }
+
+ /**
+ * Adds all the users from the provided set to the builder's set of users.
+ *
+ * @param users the users to add
+ * @return the builder
+ */
+ public Builder addUsers(final Set<String> users) {
+ if (users != null) {
+ this.users.addAll(users);
+ }
+ return this;
+ }
+
+ /**
+ * Adds the given user to the builder's set of users.
+ *
+ * @param user the user to add
+ * @return the builder
+ */
+ public Builder addUser(final String user) {
+ if (user != null) {
+ this.users.add(user);
+ }
+ return this;
+ }
+
+ /**
+ * Removes all users in the provided set from the builder's set of users.
+ *
+ * @param users the users to remove
+ * @return the builder
+ */
+ public Builder removeUsers(final Set<String> users) {
+ if (users != null) {
+ this.users.removeAll(users);
+ }
+ return this;
+ }
+
+ /**
+ * Removes the provided user from the builder's set of users.
+ *
+ * @param user the user to remove
+ * @return the builder
+ */
+ public Builder removeUser(final String user) {
+ if (user != null) {
+ this.users.remove(user);
+ }
+ return this;
+ }
+
+ /**
+ * Clears the builder's set of users so that it is non-null and size == 0.
+ *
+ * @return the builder
+ */
+ public Builder clearUsers() {
+ this.users.clear();
+ return this;
+ }
+
+ /**
+ * Adds all the groups from the provided set to the builder's set of groups.
+ *
+ * @param groups the groups to add
+ * @return the builder
+ */
+ public Builder addGroups(final Set<String> groups) {
+ if (groups != null) {
+ this.groups.addAll(groups);
+ }
+ return this;
+ }
+
+ /**
+ * Adds the given group to the builder's set of groups.
+ *
+ * @param group the group to add
+ * @return the builder
+ */
+ public Builder addGroup(final String group) {
+ if (group != null) {
+ this.groups.add(group);
+ }
+ return this;
+ }
+
+ /**
+ * Removes all groups in the provided set from the builder's set of groups.
+ *
+ * @param groups the groups to remove
+ * @return the builder
+ */
+ public Builder removeGroups(final Set<String> groups) {
+ if (groups != null) {
+ this.groups.removeAll(groups);
+ }
+ return this;
+ }
+
+ /**
+ * Removes the provided groups from the builder's set of groups.
+ *
+ * @param group the group to remove
+ * @return the builder
+ */
+ public Builder removeGroup(final String group) {
+ if (group != null) {
+ this.groups.remove(group);
+ }
+ return this;
+ }
+
+ /**
+ * Clears the builder's set of groups so that it is non-null and size == 0.
+ *
+ * @return the builder
+ */
+ public Builder clearGroups() {
+ this.groups.clear();
+ return this;
+ }
+
+ /**
+ * Sets the action for this builder.
+ *
+ * @param action the action to set
+ * @return the builder
+ */
+ public Builder action(final RequestAction action) {
+ this.action = action;
+ return this;
+ }
+
+ /**
+ * @return a new AccessPolicy constructed from the state of the builder
+ */
+ public AccessPolicy build() {
+ return new AccessPolicy(this);
+ }
+ }
+
+}
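Review bot: The constructor validation near the top of the hunk rejects a null `resource` but, unlike the `identifier` check beside it, accepts an empty or whitespace-only resource string, so a policy can be built that is bound to no real resource and will never match a lookup by resource identifier; the check should mirror the identifier one, `if (this.resource == null || this.resource.trim().isEmpty()) { throw new IllegalArgumentException("Resource can not be null or empty"); }`. The `this.users.clear()` and `this.groups.clear()` calls in `Builder(AccessPolicy)` operate on freshly initialized empty sets and can be dropped. Separately, `equals`/`hashCode` compare only `identifier`, so two policies with the same id but different resource, action or membership are treated as equal; that is a deliberate-looking choice but worth stating in the class Javadoc, e.g. `Two policies are equal when their identifiers are equal, regardless of resource, action or membership.`, since callers placing policies in a `Set` may not expect it.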
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/90f36dd2/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicyProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicyProvider.java b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicyProvider.java
new file mode 100644
index 0000000..b942ec2
--- /dev/null
+++ b/nifi-registry-security-api/src/main/java/org/apache/nifi/registry/security/authorization/AccessPolicyProvider.java
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.security.authorization;
+
+import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
+import org.apache.nifi.registry.security.authorization.exception.AuthorizerCreationException;
+import org.apache.nifi.registry.security.authorization.exception.AuthorizerDestructionException;
+
+import java.util.Set;
+
+/**
+ * Provides access to AccessPolicies and the configured UserGroupProvider.
+ *
+ * NOTE: Extensions will be called often and frequently. Because of this, if the underlying implementation needs to
+ * make remote calls or expensive calculations those should probably be done asynchronously and/or cache the results.
+ *
+ * Additionally, extensions need to be thread safe.
+ */
+public interface AccessPolicyProvider {
+
+ /**
+ * Retrieves all access policies. Must be non null
+ *
+ * @return a list of policies
+ * @throws AuthorizationAccessException if there was an unexpected error performing the operation
+ */
+ Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException;
+
+ /**
+ * Retrieves the policy with the given identifier.
+ *
+ * @param identifier the id of the policy to retrieve
+ * @return the policy with the given id, or null if no matching policy exists
+ * @throws AuthorizationAccessException if there was an unexpected error performing the operation
+ */
+ AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException;
+
+ /**
+ * Gets the access policies for the specified resource identifier and request action.
+ *
+ * @param resourceIdentifier the resource identifier
+ * @param action the request action
+ * @return the policy matching the resouce and action, or null if no matching policy exists
+ * @throws AuthorizationAccessException if there was any unexpected error performing the operation
+ */
+ AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException;
+
+ /**
+ * Returns the UserGroupProvider for this managed Authorizer. Must be non null
+ *
+ * @return the UserGroupProvider
+ */
+ UserGroupProvider getUserGroupProvider();
+
+ /**
+ * Called immediately after instance creation for implementers to perform additional setup
+ *
+ * @param initializationContext in which to initialize
+ */
+ void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException;
+
+ /**
+ * Called to configure the Authorizer.
+ *
+ * @param configurationContext at the time of configuration
+ * @throws AuthorizerCreationException for any issues configuring the provider
+ */
+ void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException;
+
+ /**
+ * Called immediately before instance destruction for implementers to release resources.
+ *
+ * @throws AuthorizerDestructionException If pre-destruction fails.
+ */
+ void preDestruction() throws AuthorizerDestructionException;
+}
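Review bot: The Javadoc for `getAccessPolicy(String resourceIdentifier, RequestAction action)` says "Gets the access policies" while the method returns a single `AccessPolicy`, and it leaves unspecified what an implementation must do when more than one stored policy carries the same resource and action; since this is the lookup an authorizer will use to decide access, the contract should say whether that state is invalid or which policy wins. Suggested first line: `Gets the single access policy for the specified resource identifier and request action.`, followed by a sentence such as `Implementations must not hold more than one policy for a given resource and action.` — hedged, since the intended rule is not visible in this diff. The `@return` tag also has a typo, "resouce", and `initialize` is missing the `@throws AuthorizerCreationException` tag that `onConfigured` carries.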