Package org.apache.nifi.authorization
Class AbstractPolicyBasedAuthorizer
java.lang.Object
org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer
- All Implemented Interfaces: Authorizer, ManagedAuthorizer
An Authorizer that provides management of users, groups, and policies.
Nested Class Summary
- private static class PoliciesUsersAndGroups

Field Summary
- (package private) static final String ACTIONS_ATTR
- private static final String ALLOW_EXTERNAL_DTD
- private static final String ALLOW_EXTERNAL_GENERAL_ENTITIES
- private static final String ALLOW_EXTERNAL_PARAM_ENTITIES
- private static final String DISALLOW_DOCTYPES
- (package private) static final String GROUP_ELEMENT
- (package private) static final String GROUP_USER_ELEMENT
- (package private) static final String IDENTIFIER_ATTR
- (package private) static final String IDENTITY_ATTR
- private static final org.slf4j.Logger logger
- (package private) static final String NAME_ATTR
- (package private) static final String POLICY_ELEMENT
- (package private) static final String POLICY_GROUP_ELEMENT
- (package private) static final String POLICY_USER_ELEMENT
- (package private) static final String RESOURCE_ATTR
- (package private) static final String USER_ELEMENT
- (package private) static final XMLOutputFactory XML_OUTPUT_FACTORY

Constructor Summary
- AbstractPolicyBasedAuthorizer()

Method Summary
- final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy): Adds the given policy, ensuring that multiple policies cannot be added for the same resource and action.
- final Group addGroup(Group group): Adds a new group.
- private void addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
- final User addUser(User user): Adds the given user.
- final AuthorizationResult authorize(AuthorizationRequest request): Determines if the specified user/entity is authorized to access the specified resource within the given context.
- protected abstract void backupPoliciesUsersAndGroups()
- final void checkInheritability(String proposedFingerprint): Returns whether the proposed fingerprint is inheritable.
- private boolean containsGroup(Set<Group> userGroups, AccessPolicy policy): Determines if the policy contains one of the user's groups.
- abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy): Deletes the given policy.
- abstract Group deleteGroup(Group group): Deletes the given group.
- abstract User deleteUser(User user): Deletes the given user.
- protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy): Adds the given policy.
- abstract Group doAddGroup(Group group): Adds a new group.
- abstract User doAddUser(User user): Adds the given user.
- protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext): Allows sub-classes to take action when onConfigured is called.
- abstract Group doUpdateGroup(Group group): Updates the group represented by the provided instance to match it.
- abstract User doUpdateUser(User user): Updates the user represented by the provided instance to match it.
- void forciblyInheritFingerprint(String fingerprint): Parses the fingerprint and determines whether or not it can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String).
- abstract Set<AccessPolicy> getAccessPolicies(): Retrieves all access policies.
- abstract AccessPolicy getAccessPolicy(String identifier): Retrieves the policy with the given identifier.
- final AccessPolicyProvider getAccessPolicyProvider(): Returns the AccessPolicy provider for this managed Authorizer.
- final String getFingerprint(): Returns a fingerprint representing the authorizations managed by this authorizer.
- abstract Group getGroup(String identifier): Retrieves a Group by id.
- abstract Group getGroupByName(String name): Retrieves a group by name.
- getGroups(): Retrieves all groups.
- private List<AccessPolicy> getSortedAccessPolicies()
- getSortedGroups()
- getSortedUsers()
- abstract User getUser(String identifier): Retrieves the user with the given identifier.
- abstract User getUserByIdentity(String identity): Retrieves the user with the given identity.
- getUsers(): Retrieves all users.
- abstract UsersAndAccessPolicies getUsersAndAccessPolicies(): Returns the UserAccessPolicies instance.
- final void inheritFingerprint(String fingerprint): Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
- private void inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
- private boolean isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
- final void onConfigured(AuthorizerConfigurationContext configurationContext): Called to configure the Authorizer.
- private Document parseFingerprint(InputStream inputStream)
- private Group parseGroup(Element element)
- private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups parsePoliciesUsersAndGroups(String fingerprint)
- private AccessPolicy parsePolicy(Element element)
- private User parseUser
- protected abstract void purgePoliciesUsersAndGroups()
- abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy): Updates the policy represented by the provided instance to match it.
- final Group updateGroup(Group group): Updates the group represented by the provided instance to match it.
- final User updateUser(User user): Updates the user represented by the provided instance to match it.
- private void writeGroup(XMLStreamWriter writer, Group group)
- private void writePolicy(XMLStreamWriter writer, AccessPolicy policy)
- private void writeUser(XMLStreamWriter writer, User user)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.nifi.authorization.Authorizer
initialize, preDestruction
Field Details
- logger: private static final org.slf4j.Logger logger
- DISALLOW_DOCTYPES, ALLOW_EXTERNAL_GENERAL_ENTITIES, ALLOW_EXTERNAL_PARAM_ENTITIES, ALLOW_EXTERNAL_DTD: private static final String; named for the XML parser features that govern DOCTYPE declarations, external general and parameter entities, and external DTDs when a fingerprint is parsed
- XML_OUTPUT_FACTORY: (package private) static final XMLOutputFactory
- USER_ELEMENT, GROUP_USER_ELEMENT, GROUP_ELEMENT, POLICY_ELEMENT, POLICY_USER_ELEMENT, POLICY_GROUP_ELEMENT: (package private) static final String; XML element names of the fingerprint
- IDENTIFIER_ATTR, IDENTITY_ATTR, NAME_ATTR, RESOURCE_ATTR, ACTIONS_ATTR: (package private) static final String; XML attribute names of the fingerprint
Constructor Details
- AbstractPolicyBasedAuthorizer: public AbstractPolicyBasedAuthorizer()
Method Details

onConfigured
public final void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException
Description copied from interface: Authorizer. Called to configure the Authorizer.
- Specified by: onConfigured in interface Authorizer
- Parameters: configurationContext - the context at the time of configuration
- Throws: AuthorizerCreationException - for any issues configuring the provider

doOnConfigured
protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException
Allows sub-classes to take action when onConfigured is called.
- Parameters: configurationContext - the configuration context
- Throws: AuthorizerCreationException - if an error occurs during the onConfigured process

authorize
public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException
Description copied from interface: Authorizer. Determines if the specified user/entity is authorized to access the specified resource within the given context. These details are all contained in the AuthorizationRequest. NOTE: this method will be called very frequently. Because of this, if the underlying implementation needs to make remote calls or perform expensive calculations, those should probably be done asynchronously and/or their results cached.
- Specified by: authorize in interface Authorizer
- Parameters: request - the authorization request
- Returns: the authorization result
- Throws: AuthorizationAccessException - if unable to access the policies
containsGroup
private boolean containsGroup(Set<Group> userGroups, AccessPolicy policy)
Determines if the policy contains one of the user's groups.
- Parameters: userGroups - the set of the user's groups; policy - the policy
- Returns: true if one of the Groups in userGroups is contained in the policy

addGroup
Adds a new group.
- Parameters: group - the Group to add
- Returns: the added Group
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation; IllegalStateException - if a group with the same name already exists

doAddGroup
abstract Group doAddGroup(Group group)
Adds a new group.
- Parameters: group - the Group to add
- Returns: the added Group
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getGroup
Retrieves a Group by id.
- Parameters: identifier - the identifier of the Group to retrieve
- Returns: the Group with the given identifier, or null if no matching group was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getGroupByName
abstract Group getGroupByName(String name)
Retrieves a group by name.
- Parameters: name - the name of the group to retrieve
- Returns: the group with the given name, or null if no matching group was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation
purgePoliciesUsersAndGroups
protected abstract void purgePoliciesUsersAndGroups()

backupPoliciesUsersAndGroups
protected abstract void backupPoliciesUsersAndGroups()

updateGroup
final Group updateGroup(Group group)
Updates the group represented by the provided instance to match it.
- Parameters: group - an updated group instance
- Returns: the updated group instance, or null if no matching group was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation; IllegalStateException - if there is already a group with the same name

doUpdateGroup
abstract Group doUpdateGroup(Group group)
Updates the group represented by the provided instance to match it.
- Parameters: group - an updated group instance
- Returns: the updated group instance, or null if no matching group was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

deleteGroup
abstract Group deleteGroup(Group group)
Deletes the given group.
- Parameters: group - the group to delete
- Returns: the deleted group, or null if no matching group was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getGroups
Retrieves all groups.
- Returns: a list of groups
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation
addUser
Adds the given user.
- Parameters: user - the user to add
- Returns: the user that was added
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation; IllegalStateException - if there is already a user with the same identity

doAddUser
Adds the given user.
- Parameters: user - the user to add
- Returns: the user that was added
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getUser
Retrieves the user with the given identifier.
- Parameters: identifier - the id of the user to retrieve
- Returns: the user with the given id, or null if no matching user was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getUserByIdentity
abstract User getUserByIdentity(String identity)
Retrieves the user with the given identity.
- Parameters: identity - the identity of the user to retrieve
- Returns: the user with the given identity, or null if no matching user was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

updateUser
final User updateUser(User user)
Updates the user represented by the provided instance to match it.
- Parameters: user - an updated user instance
- Returns: the updated user instance, or null if no matching user was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation; IllegalStateException - if there is already a user with the same identity

doUpdateUser
abstract User doUpdateUser(User user)
Updates the user represented by the provided instance to match it.
- Parameters: user - an updated user instance
- Returns: the updated user instance, or null if no matching user was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

deleteUser
abstract User deleteUser(User user)
Deletes the given user.
- Parameters: user - the user to delete
- Returns: the user that was deleted, or null if no matching user was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getUsers
getUsers()
Retrieves all users.
- Returns: a list of users
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation
addAccessPolicy
public final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Adds the given policy, ensuring that multiple policies cannot be added for the same resource and action.
- Parameters: accessPolicy - the policy to add
- Returns: the policy that was added
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

doAddAccessPolicy
protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Adds the given policy.
- Parameters: accessPolicy - the policy to add
- Returns: the policy that was added
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicy
abstract AccessPolicy getAccessPolicy(String identifier)
Retrieves the policy with the given identifier.
- Parameters: identifier - the id of the policy to retrieve
- Returns: the policy with the given id, or null if no matching policy exists
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

updateAccessPolicy
public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Updates the policy represented by the provided instance to match it.
- Parameters: accessPolicy - an updated policy
- Returns: the updated policy, or null if no matching policy was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

deleteAccessPolicy
public abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy) throws AuthorizationAccessException
Deletes the given policy.
- Parameters: policy - the policy to delete
- Returns: the deleted policy, or null if no matching policy was found
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicies
Retrieves all access policies.
- Returns: a list of policies
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation
getUsersAndAccessPolicies
public abstract UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException
Returns the UserAccessPolicies instance.
- Returns: the UserAccessPolicies instance
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

checkInheritability
public final void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException
Checks whether the proposed fingerprint is inheritable, throwing if it is not.
- Specified by: checkInheritability in interface ManagedAuthorizer
- Parameters: proposedFingerprint - the proposed fingerprint
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation; UninheritableAuthorizationsException - if the proposed fingerprint was uninheritable

isInheritable
private boolean isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

inheritFingerprint
final void inheritFingerprint(String fingerprint)
Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
- Specified by: inheritFingerprint in interface ManagedAuthorizer
- Parameters: fingerprint - the fingerprint that was obtained by calling getFingerprint() on another Authorizer
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation

inheritPoliciesUsersAndGroups
private void inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

addPoliciesUsersAndGroups
private void addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

forciblyInheritFingerprint
void forciblyInheritFingerprint(String fingerprint)
Description copied from interface: ManagedAuthorizer. Parses the fingerprint and determines whether or not it can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String). If so, it is inherited that way. Otherwise, a backup of the existing policy provider is made, if possible, and the policies are replaced with those in the given fingerprint.
- Specified by: forciblyInheritFingerprint in interface ManagedAuthorizer
- Parameters: fingerprint - the fingerprint to replace the existing policies with
- Throws: AuthorizationAccessException - if unable to perform the operation
parsePoliciesUsersAndGroups
private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups parsePoliciesUsersAndGroups(String fingerprint)

parseFingerprint
private Document parseFingerprint(InputStream inputStream)
- Throws: IOException

parseUser
private User parseUser

parseGroup
private Group parseGroup(Element element)

parsePolicy
private AccessPolicy parsePolicy(Element element)

getAccessPolicyProvider
final AccessPolicyProvider getAccessPolicyProvider()
Description copied from interface: ManagedAuthorizer. Returns the AccessPolicy provider for this managed Authorizer. Must be non-null.
- Specified by: getAccessPolicyProvider in interface ManagedAuthorizer
- Returns: the AccessPolicy provider

getFingerprint
final String getFingerprint()
Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint is used for comparison to determine whether two policy-based authorizers represent a compatible set of users, groups, and policies.
- Specified by: getFingerprint in interface ManagedAuthorizer
- Returns: the fingerprint for this Authorizer
- Throws: AuthorizationAccessException - if there was an unexpected error performing the operation
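The following is an added Python model of the behaviours documented above (the one-policy-per-resource-and-action rule of addAccessPolicy, the DOCTYPE rejection implied by DISALLOW_DOCTYPES when a fingerprint is parsed, checkInheritability, and the back-up-then-replace path of forciblyInheritFingerprint); it is not NiFi's code. The element and attribute names, the sample fingerprint, and the rule that a fingerprint is inheritable only into an authorizer that holds nothing yet are assumptions, not taken from this page.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat
# Constructed sample; element/attribute names are assumed, the page gives only the constant names.
SAMPLE_FINGERPRINT = """<authorizations>
  <user identifier="u1" identity="CN=alice"/>
  <group identifier="g1" name="ops"><groupUser identifier="u1"/></group>
  <policy identifier="p1" resource="/flow" actions="READ"><policyGroup identifier="g1"/></policy>
</authorizations>"""

class UninheritableAuthorizationsError(Exception):
    """Stands in for UninheritableAuthorizationsException."""

def parse_fingerprint(text):
    """parsePoliciesUsersAndGroups(): users, groups and policies from a fingerprint. Mirrors
    DISALLOW_DOCTYPES: a DOCTYPE (the only place entities can be declared) aborts the parse."""
    def reject_doctype(*_):
        raise ValueError("DOCTYPE not permitted in an authorizations fingerprint")
    probe = expat.ParserCreate()
    probe.StartDoctypeDeclHandler = reject_doctype
    probe.Parse(text, True)  # the handler raises on the first DOCTYPE declaration
    root = ET.fromstring(text)
    return {
        "users": {u.get("identifier"): u.get("identity") for u in root.iter("user")},
        "groups": {g.get("identifier"): {m.get("identifier") for m in g.iter("groupUser")}
                   for g in root.iter("group")},
        "policies": [{"identifier": p.get("identifier"), "resource": p.get("resource"),
                      "action": p.get("actions")} for p in root.iter("policy")],
    }

def add_access_policy(state, policy):
    """addAccessPolicy(): at most one policy per (resource, action) pair."""
    if any((p["resource"], p["action"]) == (policy["resource"], policy["action"])
           for p in state["policies"]):
        raise ValueError(f"a policy for {policy['resource']} {policy['action']} already exists")
    state["policies"].append(policy)
    return policy

def check_inheritability(state, proposed_fingerprint):
    """checkInheritability(): must parse; by assumption (not on the page) the receiver must be empty."""
    proposed = parse_fingerprint(proposed_fingerprint)
    if state["users"] or state["groups"] or state["policies"]:
        raise UninheritableAuthorizationsError("authorizer already holds authorizations")
    return proposed

def forcibly_inherit_fingerprint(state, fingerprint, backup):
    """forciblyInheritFingerprint(): inherit when possible, otherwise back up, then replace."""
    try:
        proposed = check_inheritability(state, fingerprint)
    except UninheritableAuthorizationsError:
        backup(dict(state))  # backupPoliciesUsersAndGroups(), then purge and replace
        proposed = parse_fingerprint(fingerprint)
    state.clear()
    state.update(proposed)
    return state
```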
writeUser
private void writeUser(XMLStreamWriter writer, User user)
- Throws: XMLStreamException

writeGroup
private void writeGroup(XMLStreamWriter writer, Group group)
- Throws: XMLStreamException

writePolicy
private void writePolicy(XMLStreamWriter writer, AccessPolicy policy)
- Throws: XMLStreamException

getSortedAccessPolicies
private List<AccessPolicy> getSortedAccessPolicies()

getSortedGroups

getSortedUsers