Package org.apache.nifi.authorization
Class AbstractPolicyBasedAuthorizer
java.lang.Object
org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer
All Implemented Interfaces: Authorizer, ManagedAuthorizer
An Authorizer that provides management of users, groups, and policies.
Nested Class Summary
private static class AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups
Field Summary
(package private) static final String ACTIONS_ATTR
private static final String ALLOW_EXTERNAL_DTD
private static final String ALLOW_EXTERNAL_GENERAL_ENTITIES
private static final String ALLOW_EXTERNAL_PARAM_ENTITIES
private static final String DISALLOW_DOCTYPES
(package private) static final String GROUP_ELEMENT
(package private) static final String GROUP_USER_ELEMENT
(package private) static final String IDENTIFIER_ATTR
(package private) static final String IDENTITY_ATTR
private static final org.slf4j.Logger logger
(package private) static final String NAME_ATTR
(package private) static final String POLICY_ELEMENT
(package private) static final String POLICY_GROUP_ELEMENT
(package private) static final String POLICY_USER_ELEMENT
(package private) static final String RESOURCE_ATTR
(package private) static final String USER_ELEMENT
(package private) static final XMLOutputFactory XML_OUTPUT_FACTORY
Constructor Summary
AbstractPolicyBasedAuthorizer()
Method Summary
final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy)
    Adds the given policy, ensuring that multiple policies cannot be added for the same resource and action.
final Group addGroup(Group group)
    Adds a new group.
private void addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
final User addUser(User user)
    Adds the given user.
final AuthorizationResult authorize(AuthorizationRequest request)
    Determines if the specified user/entity is authorized to access the specified resource within the given context.
protected abstract void backupPoliciesUsersAndGroups()
final void checkInheritability(String proposedFingerprint)
    Checks whether the proposed fingerprint is inheritable.
private boolean containsGroup(Set<Group> userGroups, AccessPolicy policy)
    Determines if the policy contains one of the user's groups.
abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy)
    Deletes the given policy.
abstract Group deleteGroup(Group group)
    Deletes the given group.
abstract User deleteUser(User user)
    Deletes the given user.
protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy)
    Adds the given policy.
abstract Group doAddGroup(Group group)
    Adds a new group.
abstract User doAddUser(User user)
    Adds the given user.
protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext)
    Allows sub-classes to take action when onConfigured is called.
abstract Group doUpdateGroup(Group group)
    Updates the stored group to match the provided instance.
abstract User doUpdateUser(User user)
    Updates the stored user to match the provided instance.
void forciblyInheritFingerprint(String fingerprint)
    Parses the fingerprint and determines whether or not it can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String).
abstract Set<AccessPolicy> getAccessPolicies()
    Retrieves all access policies.
abstract AccessPolicy getAccessPolicy(String identifier)
    Retrieves the policy with the given identifier.
final AccessPolicyProvider getAccessPolicyProvider()
    Returns the AccessPolicy provider for this managed Authorizer.
final String getFingerprint()
    Returns a fingerprint representing the authorizations managed by this authorizer.
abstract Group getGroup(String identifier)
    Retrieves a Group by id.
abstract Group getGroupByName(String name)
    Retrieves a group by name.
getGroups()
    Retrieves all groups.
private List<AccessPolicy> getSortedAccessPolicies()
getSortedGroups()
getSortedUsers()
abstract User getUser(String identifier)
    Retrieves the user with the given identifier.
abstract User getUserByIdentity(String identity)
    Retrieves the user with the given identity.
getUsers()
    Retrieves all users.
abstract UsersAndAccessPolicies getUsersAndAccessPolicies()
    Returns the UsersAndAccessPolicies instance.
final void inheritFingerprint(String fingerprint)
    Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
private void inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
private boolean isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
final void onConfigured(AuthorizerConfigurationContext configurationContext)
    Called to configure the Authorizer.
private Document parseFingerprint(InputStream inputStream)
private Group parseGroup(Element element)
private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups parsePoliciesUsersAndGroups(String fingerprint)
private AccessPolicy parsePolicy(Element element)
private User parseUser(...)
protected abstract void purgePoliciesUsersAndGroups()
abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy)
    Updates the stored policy to match the provided instance.
final Group updateGroup(Group group)
    Updates the stored group to match the provided instance.
final User updateUser(User user)
    Updates the stored user to match the provided instance.
private void writeGroup(XMLStreamWriter writer, Group group)
private void writePolicy(XMLStreamWriter writer, AccessPolicy policy)
private void writeUser(XMLStreamWriter writer, User user)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.nifi.authorization.Authorizer
initialize, preDestruction
-
Field Details

logger
private static final org.slf4j.Logger logger

DISALLOW_DOCTYPES
ALLOW_EXTERNAL_GENERAL_ENTITIES
ALLOW_EXTERNAL_PARAM_ENTITIES
ALLOW_EXTERNAL_DTD
XML_OUTPUT_FACTORY
USER_ELEMENT
GROUP_USER_ELEMENT
GROUP_ELEMENT
POLICY_ELEMENT
POLICY_USER_ELEMENT
POLICY_GROUP_ELEMENT
IDENTIFIER_ATTR
IDENTITY_ATTR
NAME_ATTR
RESOURCE_ATTR
ACTIONS_ATTR
Constructor Details

AbstractPolicyBasedAuthorizer
public AbstractPolicyBasedAuthorizer()
Method Details

onConfigured
public final void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException
Description copied from interface: Authorizer
Called to configure the Authorizer.
Specified by: onConfigured in interface Authorizer
Parameters:
    configurationContext - at the time of configuration
Throws:
    AuthorizerCreationException - for any issues configuring the provider

doOnConfigured
protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException
Allows sub-classes to take action when onConfigured is called.
Parameters:
    configurationContext - the configuration context
Throws:
    AuthorizerCreationException - if an error occurs during the onConfigured process

authorize
public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException
Description copied from interface: Authorizer
Determines if the specified user/entity is authorized to access the specified resource within the given context. These details are all contained in the AuthorizationRequest. NOTE: This method will be called often. Because of this, if the underlying implementation needs to make remote calls or perform expensive calculations, those should probably be done asynchronously and/or have their results cached.
Specified by: authorize in interface Authorizer
Parameters:
    request - the authorization request
Returns:
    the authorization result
Throws:
    AuthorizationAccessException - if unable to access the policies

containsGroup
Determines if the policy contains one of the user's groups.
Parameters:
    userGroups - the set of the user's groups
    policy - the policy
Returns:
    true if one of the Groups in userGroups is contained in the policy
addGroup
Adds a new group.
Parameters:
    group - the Group to add
Returns:
    the added Group
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
    IllegalStateException - if a group with the same name already exists

doAddGroup
Adds a new group.
Parameters:
    group - the Group to add
Returns:
    the added Group
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getGroup
Retrieves a Group by id.
Parameters:
    identifier - the identifier of the Group to retrieve
Returns:
    the Group with the given identifier, or null if no matching group was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getGroupByName
Retrieves a group by name.
Parameters:
    name - the name of the group to retrieve
Returns:
    the group with the given name, or null if no matching group was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

purgePoliciesUsersAndGroups
protected abstract void purgePoliciesUsersAndGroups()

backupPoliciesUsersAndGroups
protected abstract void backupPoliciesUsersAndGroups()

updateGroup
Updates the stored group to match the provided instance.
Parameters:
    group - an updated group instance
Returns:
    the updated group instance, or null if no matching group was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
    IllegalStateException - if there is already a group with the same name

doUpdateGroup
Updates the stored group to match the provided instance.
Parameters:
    group - an updated group instance
Returns:
    the updated group instance, or null if no matching group was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

deleteGroup
Deletes the given group.
Parameters:
    group - the group to delete
Returns:
    the deleted group, or null if no matching group was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getGroups
Retrieves all groups.
Returns:
    a list of groups
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
addUser
Adds the given user.
Parameters:
    user - the user to add
Returns:
    the user that was added
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
    IllegalStateException - if there is already a user with the same identity

doAddUser
Adds the given user.
Parameters:
    user - the user to add
Returns:
    the user that was added
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getUser
Retrieves the user with the given identifier.
Parameters:
    identifier - the id of the user to retrieve
Returns:
    the user with the given id, or null if no matching user was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getUserByIdentity
Retrieves the user with the given identity.
Parameters:
    identity - the identity of the user to retrieve
Returns:
    the user with the given identity, or null if no matching user was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

updateUser
Updates the stored user to match the provided instance.
Parameters:
    user - an updated user instance
Returns:
    the updated user instance, or null if no matching user was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
    IllegalStateException - if there is already a user with the same identity

doUpdateUser
Updates the stored user to match the provided instance.
Parameters:
    user - an updated user instance
Returns:
    the updated user instance, or null if no matching user was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

deleteUser
Deletes the given user.
Parameters:
    user - the user to delete
Returns:
    the user that was deleted, or null if no matching user was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getUsers
Retrieves all users.
Returns:
    a list of users
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
addAccessPolicy
public final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Adds the given policy, ensuring that multiple policies cannot be added for the same resource and action.
Parameters:
    accessPolicy - the policy to add
Returns:
    the policy that was added
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

doAddAccessPolicy
protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Adds the given policy.
Parameters:
    accessPolicy - the policy to add
Returns:
    the policy that was added
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicy
Retrieves the policy with the given identifier.
Parameters:
    identifier - the id of the policy to retrieve
Returns:
    the policy with the given id, or null if no matching policy exists
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

updateAccessPolicy
public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException
Updates the stored policy to match the provided instance.
Parameters:
    accessPolicy - an updated policy
Returns:
    the updated policy, or null if no matching policy was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

deleteAccessPolicy
public abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy) throws AuthorizationAccessException
Deletes the given policy.
Parameters:
    policy - the policy to delete
Returns:
    the deleted policy, or null if no matching policy was found
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicies
Retrieves all access policies.
Returns:
    a list of policies
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

getUsersAndAccessPolicies
public abstract UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException
Returns the UsersAndAccessPolicies instance.
Returns:
    the UsersAndAccessPolicies instance
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
checkInheritability
public final void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException
Checks whether the proposed fingerprint is inheritable, throwing UninheritableAuthorizationsException if it is not.
Specified by: checkInheritability in interface ManagedAuthorizer
Parameters:
    proposedFingerprint - the proposed fingerprint
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation
    UninheritableAuthorizationsException - if the proposed fingerprint was uninheritable

isInheritable
private boolean isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

inheritFingerprint
Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
Specified by: inheritFingerprint in interface ManagedAuthorizer
Parameters:
    fingerprint - the fingerprint that was obtained from calling getFingerprint() on another Authorizer
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

inheritPoliciesUsersAndGroups
private void inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

addPoliciesUsersAndGroups
private void addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

forciblyInheritFingerprint
Description copied from interface: ManagedAuthorizer
Parses the fingerprint and determines whether or not it can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String). If so, it is inherited that way. Otherwise, a backup of the existing policy provider is made, if possible, and the policies are replaced with those in the given fingerprint.
Specified by: forciblyInheritFingerprint in interface ManagedAuthorizer
Parameters:
    fingerprint - the fingerprint to replace the existing policies with
Throws:
    AuthorizationAccessException - if unable to perform the operation

parsePoliciesUsersAndGroups
private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups parsePoliciesUsersAndGroups(String fingerprint)

parseFingerprint
Throws:
    IOException

parseUser

parseGroup

parsePolicy
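The private parse methods above read a fingerprint produced by another authorizer, which makes the XML parser configuration a security boundary: the DISALLOW_DOCTYPES and ALLOW_EXTERNAL_* fields listed in the Field Details are the parser features that decide whether a DOCTYPE or an external entity in a received fingerprint is honoured. The following is an added example written for this page, not NiFi's own code, showing a hardened DocumentBuilder and a parse of a fingerprint-shaped document. The page gives only the names of the constants, so the feature URIs used here (the standard Xerces/SAX ones), the element names (authorizations, user, group, groupUser, policy, policyUser, policyGroup) and the attribute names are all assumptions, as is the sample document, which is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class FingerprintParserExample {

    // Standard Xerces/SAX feature URIs. ASSUMPTION: these are the features the
    // DISALLOW_DOCTYPES / ALLOW_EXTERNAL_* constants on the page refer to; the
    // page lists the constant names, not their values.
    static final String DISALLOW_DOCTYPES = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String ALLOW_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String ALLOW_EXTERNAL_PARAM_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    static final String ALLOW_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** One parsed policy: its resource, actions and the member identifiers it grants. */
    record Policy(String identifier, String resource, String actions, List<String> users, List<String> groups) {}

    /**
     * Builds a DocumentBuilder that rejects any DOCTYPE and never resolves external
     * entities or DTDs, so a fingerprint received from a peer cannot make the
     * inheriting node fetch remote content or expand entities during parsing.
     */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature(DISALLOW_DOCTYPES, true);
        factory.setFeature(ALLOW_EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(ALLOW_EXTERNAL_PARAM_ENTITIES, false);
        factory.setFeature(ALLOW_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Parses the policy elements of a fingerprint; a DOCTYPE makes parse() throw SAXException. */
    static List<Policy> parsePolicies(InputStream in) throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder().parse(in);
        Element root = doc.getDocumentElement();
        List<Policy> policies = new ArrayList<>();
        NodeList policyNodes = root.getElementsByTagName("policy"); // ASSUMED element name
        for (int i = 0; i < policyNodes.getLength(); i++) {
            Element p = (Element) policyNodes.item(i);
            policies.add(new Policy(
                p.getAttribute("identifier"),            // ASSUMED attribute names
                p.getAttribute("resource"),
                p.getAttribute("actions"),
                childIdentifiers(p, "policyUser"),
                childIdentifiers(p, "policyGroup")));
        }
        return policies;
    }

    /** Collects the identifier attribute of every child element with the given tag. */
    private static List<String> childIdentifiers(Element parent, String tag) {
        List<String> ids = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            ids.add(((Element) nodes.item(i)).getAttribute("identifier"));
        }
        return ids;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample fingerprint in the assumed shape: one user, one group, one policy.
        String sample = "<authorizations>"
            + "<user identifier=\"u1\" identity=\"CN=alice\"/>"
            + "<group identifier=\"g1\" name=\"operators\"><groupUser identifier=\"u1\"/></group>"
            + "<policy identifier=\"p1\" resource=\"/flow\" actions=\"R\"><policyGroup identifier=\"g1\"/></policy>"
            + "</authorizations>";
        List<Policy> policies = parsePolicies(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        System.out.println(policies); // one policy on /flow granted to group g1

        // Constructed sample that carries a DOCTYPE: the hardened builder rejects it
        // before any entity declaration inside it could be processed.
        String withDoctype = "<!DOCTYPE authorizations><authorizations/>";
        try {
            parsePolicies(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the calls matters less than their completeness: disallowing the DOCTYPE alone already blocks entity declarations, but the external-entity and external-DTD features are turned off as well so the parser stays safe even if a future change re-enables DOCTYPEs for some other reason.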
getAccessPolicyProvider
Description copied from interface: ManagedAuthorizer
Returns the AccessPolicy provider for this managed Authorizer. Must be non-null.
Specified by: getAccessPolicyProvider in interface ManagedAuthorizer
Returns:
    the AccessPolicy provider

getFingerprint
Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint is used for comparison to determine whether two policy-based authorizers represent a compatible set of users, groups, and policies.
Specified by: getFingerprint in interface ManagedAuthorizer
Returns:
    the fingerprint for this Authorizer
Throws:
    AuthorizationAccessException - if there was an unexpected error performing the operation

writeUser
Throws:
    XMLStreamException

writeGroup
Throws:
    XMLStreamException

writePolicy
Throws:
    XMLStreamException

getSortedAccessPolicies

getSortedGroups

getSortedUsers