org.apache.nifi.authorization

Class AbstractPolicyBasedAuthorizer

java.lang.Object

org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer

All Implemented Interfaces:

Authorizer, ManagedAuthorizer

public abstract class AbstractPolicyBasedAuthorizer
extends Object
implements ManagedAuthorizer

An Authorizer that provides management of users, groups, and policies.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private static class	AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups

Field Summary

Fields

Modifier and Type	Field and Description
(package private) static String	ACTIONS_ATTR
private static String	ALLOW_EXTERNAL_DTD
private static String	ALLOW_EXTERNAL_GENERAL_ENTITIES
private static String	ALLOW_EXTERNAL_PARAM_ENTITIES
private static String	DISALLOW_DOCTYPES
(package private) static String	GROUP_ELEMENT
(package private) static String	GROUP_USER_ELEMENT
(package private) static String	IDENTIFIER_ATTR
(package private) static String	IDENTITY_ATTR
private static org.slf4j.Logger	logger
(package private) static String	NAME_ATTR
(package private) static String	POLICY_ELEMENT
(package private) static String	POLICY_GROUP_ELEMENT
(package private) static String	POLICY_USER_ELEMENT
(package private) static String	RESOURCE_ATTR
(package private) static String	USER_ELEMENT
(package private) static XMLOutputFactory	XML_OUTPUT_FACTORY

Constructor Summary

Constructors

Constructor and Description
AbstractPolicyBasedAuthorizer()

Method Summary

Modifier and Type	Method and Description
AccessPolicy	addAccessPolicy(AccessPolicy accessPolicy) Adds the given policy ensuring that multiple policies can not be added for the same resource and action.
Group	addGroup(Group group) Adds a new group.
private void	addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
User	addUser(User user) Adds the given user.
AuthorizationResult	authorize(AuthorizationRequest request) Determines if the specified user/entity is authorized to access the specified resource within the given context.
protected abstract void	backupPoliciesUsersAndGroups()
void	checkInheritability(String proposedFingerprint) Returns whether the proposed fingerprint is inheritable.
private boolean	containsGroup(Set<Group> userGroups, AccessPolicy policy) Determines if the policy contains one of the user's groups.
abstract AccessPolicy	deleteAccessPolicy(AccessPolicy policy) Deletes the given policy.
abstract Group	deleteGroup(Group group) Deletes the given group.
abstract User	deleteUser(User user) Deletes the given user.
protected abstract AccessPolicy	doAddAccessPolicy(AccessPolicy accessPolicy) Adds the given policy.
abstract Group	doAddGroup(Group group) Adds a new group.
abstract User	doAddUser(User user) Adds the given user.
protected abstract void	doOnConfigured(AuthorizerConfigurationContext configurationContext) Allows sub-classes to take action when onConfigured is called.
abstract Group	doUpdateGroup(Group group) The group represented by the provided instance will be updated based on the provided instance.
abstract User	doUpdateUser(User user) The user represented by the provided instance will be updated based on the provided instance.
void	forciblyInheritFingerprint(String fingerprint) Parses the fingerprint and determines whether or not the fingerprint can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String).
abstract Set<AccessPolicy>	getAccessPolicies() Retrieves all access policies.
abstract AccessPolicy	getAccessPolicy(String identifier) Retrieves the policy with the given identifier.
AccessPolicyProvider	getAccessPolicyProvider() Returns the AccessPolicy provider for this managed Authorizer.
String	getFingerprint() Returns a fingerprint representing the authorizations managed by this authorizer.
abstract Group	getGroup(String identifier) Retrieves a Group by id.
abstract Group	getGroupByName(String name) Retrieves a group by name.
abstract Set<Group>	getGroups() Retrieves all groups.
private List<AccessPolicy>	getSortedAccessPolicies()
private List<Group>	getSortedGroups()
private List<User>	getSortedUsers()
abstract User	getUser(String identifier) Retrieves the user with the given identifier.
abstract User	getUserByIdentity(String identity) Retrieves the user with the given identity.
abstract Set<User>	getUsers() Retrieves all users.
abstract UsersAndAccessPolicies	getUsersAndAccessPolicies() Returns the UserAccessPolicies instance.
void	inheritFingerprint(String fingerprint) Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
private void	inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
private boolean	isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)
void	onConfigured(AuthorizerConfigurationContext configurationContext) Called to configure the Authorizer.
private Document	parseFingerprint(InputStream inputStream)
private Group	parseGroup(Element element)
private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups	parsePoliciesUsersAndGroups(String fingerprint)
private AccessPolicy	parsePolicy(Element element)
private User	parseUser(Element element)
protected abstract void	purgePoliciesUsersAndGroups()
abstract AccessPolicy	updateAccessPolicy(AccessPolicy accessPolicy) The policy represented by the provided instance will be updated based on the provided instance.
Group	updateGroup(Group group) The group represented by the provided instance will be updated based on the provided instance.
User	updateUser(User user) The user represented by the provided instance will be updated based on the provided instance.
private void	writeGroup(XMLStreamWriter writer, Group group)
private void	writePolicy(XMLStreamWriter writer, AccessPolicy policy)
private void	writeUser(XMLStreamWriter writer, User user)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.nifi.authorization.Authorizer

initialize, preDestruction

Field Detail

logger

private static final org.slf4j.Logger logger

DISALLOW_DOCTYPES

private static final String DISALLOW_DOCTYPES

See Also:

Constant Field Values

ALLOW_EXTERNAL_GENERAL_ENTITIES

private static final String ALLOW_EXTERNAL_GENERAL_ENTITIES

See Also:

Constant Field Values

ALLOW_EXTERNAL_PARAM_ENTITIES

private static final String ALLOW_EXTERNAL_PARAM_ENTITIES

See Also:

Constant Field Values

ALLOW_EXTERNAL_DTD

private static final String ALLOW_EXTERNAL_DTD

See Also:

Constant Field Values

XML_OUTPUT_FACTORY

static final XMLOutputFactory XML_OUTPUT_FACTORY

USER_ELEMENT

static final String USER_ELEMENT

See Also:

Constant Field Values

GROUP_USER_ELEMENT

static final String GROUP_USER_ELEMENT

See Also:

Constant Field Values

GROUP_ELEMENT

static final String GROUP_ELEMENT

See Also:

Constant Field Values

POLICY_ELEMENT

static final String POLICY_ELEMENT

See Also:

Constant Field Values

POLICY_USER_ELEMENT

static final String POLICY_USER_ELEMENT

See Also:

Constant Field Values

POLICY_GROUP_ELEMENT

static final String POLICY_GROUP_ELEMENT

See Also:

Constant Field Values

IDENTIFIER_ATTR

static final String IDENTIFIER_ATTR

See Also:

Constant Field Values

IDENTITY_ATTR

static final String IDENTITY_ATTR

See Also:

Constant Field Values

NAME_ATTR

static final String NAME_ATTR

See Also:

Constant Field Values

RESOURCE_ATTR

static final String RESOURCE_ATTR

See Also:

Constant Field Values

ACTIONS_ATTR

static final String ACTIONS_ATTR

See Also:

Constant Field Values

Constructor Detail

AbstractPolicyBasedAuthorizer

public AbstractPolicyBasedAuthorizer()

Method Detail

onConfigured

public final void onConfigured(AuthorizerConfigurationContext configurationContext)
                        throws AuthorizerCreationException

Description copied from interface: Authorizer

Called to configure the Authorizer.

Specified by:

onConfigured in interface Authorizer

Parameters:

configurationContext - at the time of configuration

Throws:

AuthorizerCreationException - for any issues configuring the provider

doOnConfigured

protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext)
                                throws AuthorizerCreationException

Allows sub-classes to take action when onConfigured is called.

Parameters:

configurationContext - the configuration context

Throws:

AuthorizerCreationException - if an error occurs during onConfigured process

authorize

public final AuthorizationResult authorize(AuthorizationRequest request)
                                    throws AuthorizationAccessException

Description copied from interface: Authorizer

Determines if the specified user/entity is authorized to access the specified resource within the given context. These details are all contained in the AuthorizationRequest. NOTE: This method will be called often and frequently. Because of this, if the underlying implementation needs to make remote calls or expensive calculations those should probably be done asynchronously and/or cache the results.

Specified by:

authorize in interface Authorizer

Parameters:

request - The authorization request

Returns:

the authorization result

Throws:

AuthorizationAccessException - if unable to access the policies

containsGroup

private boolean containsGroup(Set<Group> userGroups,
                              AccessPolicy policy)

Determines if the policy contains one of the user's groups.

Parameters:

userGroups - the set of the user's groups

policy - the policy

Returns:

true if one of the Groups in userGroups is contained in the policy

addGroup

public final Group addGroup(Group group)
                     throws AuthorizationAccessException

Adds a new group.

Parameters:

group - the Group to add

Returns:

the added Group

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if a group with the same name already exists

doAddGroup

public abstract Group doAddGroup(Group group)
                          throws AuthorizationAccessException

Adds a new group.

Parameters:

group - the Group to add

Returns:

the added Group

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getGroup

public abstract Group getGroup(String identifier)
                        throws AuthorizationAccessException

Retrieves a Group by id.

Parameters:

identifier - the identifier of the Group to retrieve

Returns:

the Group with the given identifier, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getGroupByName

public abstract Group getGroupByName(String name)
                              throws AuthorizationAccessException

Retrieves a group by name.

Parameters:

name - the name of the group to retrieve

Returns:

the group with the given name, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

purgePoliciesUsersAndGroups

protected abstract void purgePoliciesUsersAndGroups()

backupPoliciesUsersAndGroups

protected abstract void backupPoliciesUsersAndGroups()

updateGroup

public final Group updateGroup(Group group)
                        throws AuthorizationAccessException

The group represented by the provided instance will be updated based on the provided instance.

Parameters:

group - an updated group instance

Returns:

the updated group instance, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a group with the same name

doUpdateGroup

public abstract Group doUpdateGroup(Group group)
                             throws AuthorizationAccessException

The group represented by the provided instance will be updated based on the provided instance.

Parameters:

group - an updated group instance

Returns:

the updated group instance, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteGroup

public abstract Group deleteGroup(Group group)
                           throws AuthorizationAccessException

Deletes the given group.

Parameters:

group - the group to delete

Returns:

the deleted group, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getGroups

public abstract Set<Group> getGroups()
                              throws AuthorizationAccessException

Retrieves all groups.

Returns:

a list of groups

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

addUser

public final User addUser(User user)
                   throws AuthorizationAccessException

Adds the given user.

Parameters:

user - the user to add

Returns:

the user that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a user with the same identity

doAddUser

public abstract User doAddUser(User user)
                        throws AuthorizationAccessException

Adds the given user.

Parameters:

user - the user to add

Returns:

the user that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUser

public abstract User getUser(String identifier)
                      throws AuthorizationAccessException

Retrieves the user with the given identifier.

Parameters:

identifier - the id of the user to retrieve

Returns:

the user with the given id, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUserByIdentity

public abstract User getUserByIdentity(String identity)
                                throws AuthorizationAccessException

Retrieves the user with the given identity.

Parameters:

identity - the identity of the user to retrieve

Returns:

the user with the given identity, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

updateUser

public final User updateUser(User user)
                      throws AuthorizationAccessException

The user represented by the provided instance will be updated based on the provided instance.

Parameters:

user - an updated user instance

Returns:

the updated user instance, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a user with the same identity

doUpdateUser

public abstract User doUpdateUser(User user)
                           throws AuthorizationAccessException

The user represented by the provided instance will be updated based on the provided instance.

Parameters:

user - an updated user instance

Returns:

the updated user instance, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteUser

public abstract User deleteUser(User user)
                         throws AuthorizationAccessException

Deletes the given user.

Parameters:

user - the user to delete

Returns:

the user that was deleted, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUsers

public abstract Set<User> getUsers()
                            throws AuthorizationAccessException

Retrieves all users.

Returns:

a list of users

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

addAccessPolicy

public final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy)
                                   throws AuthorizationAccessException

Adds the given policy ensuring that multiple policies can not be added for the same resource and action.

Parameters:

accessPolicy - the policy to add

Returns:

the policy that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

doAddAccessPolicy

protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy)
                                           throws AuthorizationAccessException

Adds the given policy.

Parameters:

accessPolicy - the policy to add

Returns:

the policy that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicy

public abstract AccessPolicy getAccessPolicy(String identifier)
                                      throws AuthorizationAccessException

Retrieves the policy with the given identifier.

Parameters:

identifier - the id of the policy to retrieve

Returns:

the policy with the given id, or null if no matching policy exists

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

updateAccessPolicy

public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy)
                                         throws AuthorizationAccessException

The policy represented by the provided instance will be updated based on the provided instance.

Parameters:

accessPolicy - an updated policy

Returns:

the updated policy, or null if no matching policy was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteAccessPolicy

public abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy)
                                         throws AuthorizationAccessException

Deletes the given policy.

Parameters:

policy - the policy to delete

Returns:

the deleted policy, or null if no matching policy was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicies

public abstract Set<AccessPolicy> getAccessPolicies()
                                             throws AuthorizationAccessException

Retrieves all access policies.

Returns:

a list of policies

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUsersAndAccessPolicies

public abstract UsersAndAccessPolicies getUsersAndAccessPolicies()
                                                          throws AuthorizationAccessException

Returns the UserAccessPolicies instance.

Returns:

the UserAccessPolicies instance

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

checkInheritability

public final void checkInheritability(String proposedFingerprint)
                               throws AuthorizationAccessException,
                                      UninheritableAuthorizationsException

Returns whether the proposed fingerprint is inheritable.

Specified by:

checkInheritability in interface ManagedAuthorizer

Parameters:

proposedFingerprint - the proposed fingerprint

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

UninheritableAuthorizationsException - if the proposed fingerprint was uninheritable

isInheritable

private boolean isInheritable(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

inheritFingerprint

public final void inheritFingerprint(String fingerprint)
                              throws AuthorizationAccessException

Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.

Specified by:

inheritFingerprint in interface ManagedAuthorizer

Parameters:

fingerprint - the fingerprint that was obtained from calling getFingerprint() on another Authorizer.

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

inheritPoliciesUsersAndGroups

private void inheritPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

addPoliciesUsersAndGroups

private void addPoliciesUsersAndGroups(AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups policiesUsersAndGroups)

forciblyInheritFingerprint

public void forciblyInheritFingerprint(String fingerprint)
                                throws AuthorizationAccessException

Description copied from interface: ManagedAuthorizer

Parses the fingerprint and determines whether or not the fingerprint can be inherited in the same manner as ManagedAuthorizer.inheritFingerprint(String). If so, will inherit as such. Otherwise, a backup of the existing policy provider will be made, if possible, and the policies will be replaced with those in the given fingerprint.

Specified by:

forciblyInheritFingerprint in interface ManagedAuthorizer

Parameters:

fingerprint - the fingerprint to replace the existing policies with

Throws:

AuthorizationAccessException - if unable to perform the operation

parsePoliciesUsersAndGroups

private AbstractPolicyBasedAuthorizer.PoliciesUsersAndGroups parsePoliciesUsersAndGroups(String fingerprint)

parseFingerprint

private Document parseFingerprint(InputStream inputStream)
                           throws IOException

Throws:

IOException

parseUser

private User parseUser(Element element)

parseGroup

private Group parseGroup(Element element)

parsePolicy

private AccessPolicy parsePolicy(Element element)

getAccessPolicyProvider

public final AccessPolicyProvider getAccessPolicyProvider()

Description copied from interface: ManagedAuthorizer

Returns the AccessPolicy provider for this managed Authorizer. Must be non null

Specified by:

getAccessPolicyProvider in interface ManagedAuthorizer

Returns:

the AccessPolicy provider

getFingerprint

public final String getFingerprint()
                            throws AuthorizationAccessException

Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint will be used for comparison to determine if two policy-based authorizers represent a compatible set of users, groups, and policies.

Specified by:

getFingerprint in interface ManagedAuthorizer

Returns:

the fingerprint for this Authorizer

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

writeUser

private void writeUser(XMLStreamWriter writer,
                       User user)
                throws XMLStreamException

Throws:

XMLStreamException

writeGroup

private void writeGroup(XMLStreamWriter writer,
                        Group group)
                 throws XMLStreamException

Throws:

XMLStreamException

writePolicy

private void writePolicy(XMLStreamWriter writer,
                         AccessPolicy policy)
                  throws XMLStreamException

Throws:

XMLStreamException

getSortedAccessPolicies

private List<AccessPolicy> getSortedAccessPolicies()

getSortedGroups

private List<Group> getSortedGroups()

getSortedUsers

private List<User> getSortedUsers()