You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by kd...@apache.org on 2018/10/03 15:12:37 UTC

nifi git commit: NIFI-5656 Handly empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case.

Repository: nifi
Updated Branches:
  refs/heads/master b4c8e0179 -> de685a7a7


NIFI-5656 Handly empty "Node Group" property in FileAccessPolicyProvider consistently, add some logs to help with debugging, add test for the invalid group name and for the empty case.

This closes #3043.

Signed-off-by: Kevin Doran <kd...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/de685a7a
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/de685a7a
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/de685a7a

Branch: refs/heads/master
Commit: de685a7a741888c6ffd6468d89b536276975934c
Parents: b4c8e01
Author: pepov <pe...@gmail.com>
Authored: Tue Oct 2 15:21:36 2018 +0200
Committer: Kevin Doran <kd...@apache.org>
Committed: Wed Oct 3 11:12:19 2018 -0400

----------------------------------------------------------------------
 .../authorization/FileAccessPolicyProvider.java | 21 +++++++----
 .../FileAccessPolicyProviderTest.java           | 39 +++++++++++++++++++-
 .../src/main/resources/conf/authorizers.xml     |  2 +
 3 files changed, 53 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
index b1a6f91..3174e34 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java
@@ -232,16 +232,21 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
             nodeGroupIdentifier = null;
 
             if (nodeGroupName != null) {
-                for (Group group : userGroupProvider.getGroups()) {
-                    if (group.getName().equals(nodeGroupName)) {
-                        nodeGroupIdentifier = group.getIdentifier();
-                        break;
+                if (!StringUtils.isBlank(nodeGroupName)) {
+                    logger.debug("Trying to load node group '{}' from the underlying userGroupProvider", nodeGroupName);
+                    for (Group group : userGroupProvider.getGroups()) {
+                        if (group.getName().equals(nodeGroupName)) {
+                            nodeGroupIdentifier = group.getIdentifier();
+                            break;
+                        }
                     }
-                }
 
-                if (nodeGroupIdentifier == null) {
-                    throw new AuthorizerCreationException(String.format(
+                    if (nodeGroupIdentifier == null) {
+                        throw new AuthorizerCreationException(String.format(
                             "Authorizations node group '%s' could not be found", nodeGroupName));
+                    }
+                } else {
+                    logger.debug("Empty node group name provided");
                 }
             }
 
@@ -633,6 +638,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
             if (node == null) {
                 throw new AuthorizerCreationException("Unable to locate node " + nodeIdentity + " to seed policies.");
             }
+            logger.debug("Populating default authorizations for node '{}' ({})", node.getIdentity(), node.getIdentifier());
             // grant access to the proxy resource
             addUserToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), node.getIdentifier(), WRITE_CODE);
 
@@ -645,6 +651,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
 
         // authorize dynamic nodes (node group)
         if (nodeGroupIdentifier != null) {
+            logger.debug("Populating default authorizations for group '{}' ({})", userGroupProvider.getGroup(nodeGroupIdentifier).getName(), nodeGroupIdentifier);
             addGroupToAccessPolicy(authorizations, ResourceType.Proxy.getValue(), nodeGroupIdentifier, WRITE_CODE);
 
             if (rootGroupId != null) {

http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java
index d02ada7..f13f7f1 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAccessPolicyProviderTest.java
@@ -767,8 +767,8 @@ public class FileAccessPolicyProviderTest {
         userGroupProvider.onConfigured(configurationContext);
         accessPolicyProvider.onConfigured(configurationContext);
 
-        User nodeUser1 = userGroupProvider.getUserByIdentity(nodeIdentity1);
-        User nodeUser2 = userGroupProvider.getUserByIdentity(nodeIdentity2);
+        assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity1));
+        assertNotNull(userGroupProvider.getUserByIdentity(nodeIdentity2));
 
         AccessPolicy proxyWritePolicy = accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE);
 
@@ -777,6 +777,41 @@ public class FileAccessPolicyProviderTest {
     }
 
     @Test
+    public void testOnConfiguredWhenNodeGroupEmpty() throws Exception {
+        final String adminIdentity = "admin-user";
+        final String nodeGroupIdentifier = "cluster-nodes";
+
+        when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
+            .thenReturn(new StandardPropertyValue(adminIdentity, null));
+        when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME)))
+            .thenReturn(new StandardPropertyValue("", null));
+
+        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
+        writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP);
+
+        userGroupProvider.onConfigured(configurationContext);
+        accessPolicyProvider.onConfigured(configurationContext);
+
+        assertNull(accessPolicyProvider.getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE));
+    }
+
+    @Test(expected = AuthorizerCreationException.class)
+    public void testOnConfiguredWhenNodeGroupDoesNotExist() throws Exception {
+        final String adminIdentity = "admin-user";
+
+        when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_INITIAL_ADMIN_IDENTITY)))
+            .thenReturn(new StandardPropertyValue(adminIdentity, null));
+        when(configurationContext.getProperty(eq(FileAccessPolicyProvider.PROP_NODE_GROUP_NAME)))
+            .thenReturn(new StandardPropertyValue("nonexistent", null));
+
+        writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE);
+        writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODE_GROUP);
+
+        userGroupProvider.onConfigured(configurationContext);
+        accessPolicyProvider.onConfigured(configurationContext);
+    }
+
+    @Test
     public void testOnConfiguredWhenTenantsAndAuthorizationsFileDoesNotExist() {
         userGroupProvider.onConfigured(configurationContext);
         accessPolicyProvider.onConfigured(configurationContext);

http://git-wip-us.apache.org/repos/asf/nifi/blob/de685a7a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
index b57239a..d6d3c45 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/authorizers.xml
@@ -241,6 +241,8 @@
 
         - Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically
             added/removed from the cluster.
+
+            NOTE: The group must exist before starting NiFi.
     -->
     <accessPolicyProvider>
         <identifier>file-access-policy-provider</identifier>