org.apache.nifi.authorization

Class AbstractPolicyBasedAuthorizer

java.lang.Object

org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer

All Implemented Interfaces:

Authorizer

public abstract class AbstractPolicyBasedAuthorizer
extends Object
implements Authorizer

An Authorizer that provides management of users, groups, and policies.

Field Summary

Fields

Modifier and Type	Field and Description
(package private) static String	ACTIONS_ATTR
(package private) static DocumentBuilderFactory	DOCUMENT_BUILDER_FACTORY
static String	EMPTY_FINGERPRINT
(package private) static String	GROUP_ELEMENT
(package private) static String	GROUP_USER_ELEMENT
(package private) static String	IDENTIFIER_ATTR
(package private) static String	IDENTITY_ATTR
(package private) static String	NAME_ATTR
(package private) static String	POLICY_ELEMENT
(package private) static String	POLICY_GROUP_ELEMENT
(package private) static String	POLICY_USER_ELEMENT
(package private) static String	RESOURCE_ATTR
(package private) static String	USER_ELEMENT
(package private) static XMLOutputFactory	XML_OUTPUT_FACTORY

Constructor Summary

Constructors

Constructor and Description
AbstractPolicyBasedAuthorizer()

Method Summary

Modifier and Type	Method and Description
AccessPolicy	addAccessPolicy(AccessPolicy accessPolicy) Adds the given policy ensuring that multiple policies can not be added for the same resource and action.
Group	addGroup(Group group) Adds a new group.
User	addUser(User user) Adds the given user.
AuthorizationResult	authorize(AuthorizationRequest request) Determines if the specified user/entity is authorized to access the specified resource within the given context.
private boolean	containsGroup(Set<Group> userGroups, AccessPolicy policy) Determines if the policy contains one of the user's groups.
abstract AccessPolicy	deleteAccessPolicy(AccessPolicy policy) Deletes the given policy.
abstract Group	deleteGroup(Group group) Deletes the given group.
abstract User	deleteUser(User user) Deletes the given user.
protected abstract AccessPolicy	doAddAccessPolicy(AccessPolicy accessPolicy) Adds the given policy.
abstract Group	doAddGroup(Group group) Adds a new group.
abstract User	doAddUser(User user) Adds the given user.
protected abstract void	doOnConfigured(AuthorizerConfigurationContext configurationContext) Allows sub-classes to take action when onConfigured is called.
abstract Group	doUpdateGroup(Group group) The group represented by the provided instance will be updated based on the provided instance.
abstract User	doUpdateUser(User user) The user represented by the provided instance will be updated based on the provided instance.
abstract Set<AccessPolicy>	getAccessPolicies() Retrieves all access policies.
abstract AccessPolicy	getAccessPolicy(String identifier) Retrieves the policy with the given identifier.
String	getFingerprint() Returns a fingerprint representing the authorizations managed by this authorizer.
abstract Group	getGroup(String identifier) Retrieves a Group by id.
abstract Set<Group>	getGroups() Retrieves all groups.
private List<AccessPolicy>	getSortedAccessPolicies()
private List<Group>	getSortedGroups()
private List<User>	getSortedUsers()
abstract User	getUser(String identifier) Retrieves the user with the given identifier.
abstract User	getUserByIdentity(String identity) Retrieves the user with the given identity.
abstract Set<User>	getUsers() Retrieves all users.
abstract UsersAndAccessPolicies	getUsersAndAccessPolicies() Returns the UserAccessPolicies instance.
void	inheritFingerprint(String fingerprint) Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.
void	onConfigured(AuthorizerConfigurationContext configurationContext) Called to configure the Authorizer.
private Group	parseGroup(Element element)
private AccessPolicy	parsePolicy(Element element)
private User	parseUser(Element element)
private boolean	policyExists(AccessPolicy checkAccessPolicy) Checks if another policy exists with the same resource and action as the given policy.
private boolean	tenantExists(String identifier, String identity) Checks if another user exists with the same identity.
abstract AccessPolicy	updateAccessPolicy(AccessPolicy accessPolicy) The policy represented by the provided instance will be updated based on the provided instance.
Group	updateGroup(Group group) The group represented by the provided instance will be updated based on the provided instance.
User	updateUser(User user) The user represented by the provided instance will be updated based on the provided instance.
private void	writeGroup(XMLStreamWriter writer, Group group)
private void	writePolicy(XMLStreamWriter writer, AccessPolicy policy)
private void	writeUser(XMLStreamWriter writer, User user)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.nifi.authorization.Authorizer

initialize, preDestruction

Field Detail

DOCUMENT_BUILDER_FACTORY

static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY

XML_OUTPUT_FACTORY

static final XMLOutputFactory XML_OUTPUT_FACTORY

USER_ELEMENT

static final String USER_ELEMENT

See Also:

Constant Field Values

GROUP_USER_ELEMENT

static final String GROUP_USER_ELEMENT

See Also:

Constant Field Values

GROUP_ELEMENT

static final String GROUP_ELEMENT

See Also:

Constant Field Values

POLICY_ELEMENT

static final String POLICY_ELEMENT

See Also:

Constant Field Values

POLICY_USER_ELEMENT

static final String POLICY_USER_ELEMENT

See Also:

Constant Field Values

POLICY_GROUP_ELEMENT

static final String POLICY_GROUP_ELEMENT

See Also:

Constant Field Values

IDENTIFIER_ATTR

static final String IDENTIFIER_ATTR

See Also:

Constant Field Values

IDENTITY_ATTR

static final String IDENTITY_ATTR

See Also:

Constant Field Values

NAME_ATTR

static final String NAME_ATTR

See Also:

Constant Field Values

RESOURCE_ATTR

static final String RESOURCE_ATTR

See Also:

Constant Field Values

ACTIONS_ATTR

static final String ACTIONS_ATTR

See Also:

Constant Field Values

EMPTY_FINGERPRINT

public static final String EMPTY_FINGERPRINT

See Also:

Constant Field Values

Constructor Detail

AbstractPolicyBasedAuthorizer

public AbstractPolicyBasedAuthorizer()

Method Detail

onConfigured

public final void onConfigured(AuthorizerConfigurationContext configurationContext)
                        throws AuthorizerCreationException

Description copied from interface: Authorizer

Called to configure the Authorizer.

Specified by:

onConfigured in interface Authorizer

Parameters:

configurationContext - at the time of configuration

Throws:

AuthorizerCreationException - for any issues configuring the provider

doOnConfigured

protected abstract void doOnConfigured(AuthorizerConfigurationContext configurationContext)
                                throws AuthorizerCreationException

Allows sub-classes to take action when onConfigured is called.

Parameters:

configurationContext - the configuration context

Throws:

AuthorizerCreationException - if an error occurs during onConfigured process

policyExists

private boolean policyExists(AccessPolicy checkAccessPolicy)

Checks if another policy exists with the same resource and action as the given policy.

Parameters:

checkAccessPolicy - an access policy being checked

Returns:

true if another access policy exists with the same resource and action, false otherwise

tenantExists

private boolean tenantExists(String identifier,
                             String identity)

Checks if another user exists with the same identity.

Parameters:

identifier - identity of the user

identity - identity of the user

Returns:

true if another user exists with the same identity, false otherwise

authorize

public final AuthorizationResult authorize(AuthorizationRequest request)
                                    throws AuthorizationAccessException

Description copied from interface: Authorizer

Determines if the specified user/entity is authorized to access the specified resource within the given context.

Specified by:

authorize in interface Authorizer

Parameters:

request - The authorization request

Returns:

the authorization result

Throws:

AuthorizationAccessException - if unable to access the policies

containsGroup

private boolean containsGroup(Set<Group> userGroups,
                              AccessPolicy policy)

Determines if the policy contains one of the user's groups.

Parameters:

userGroups - the set of the user's groups

policy - the policy

Returns:

true if one of the Groups in userGroups is contained in the policy

addGroup

public final Group addGroup(Group group)
                     throws AuthorizationAccessException

Adds a new group.

Parameters:

group - the Group to add

Returns:

the added Group

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if a group with the same name already exists

doAddGroup

public abstract Group doAddGroup(Group group)
                          throws AuthorizationAccessException

Adds a new group.

Parameters:

group - the Group to add

Returns:

the added Group

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getGroup

public abstract Group getGroup(String identifier)
                        throws AuthorizationAccessException

Retrieves a Group by id.

Parameters:

identifier - the identifier of the Group to retrieve

Returns:

the Group with the given identifier, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

updateGroup

public final Group updateGroup(Group group)
                        throws AuthorizationAccessException

The group represented by the provided instance will be updated based on the provided instance.

Parameters:

group - an updated group instance

Returns:

the updated group instance, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a group with the same name

doUpdateGroup

public abstract Group doUpdateGroup(Group group)
                             throws AuthorizationAccessException

The group represented by the provided instance will be updated based on the provided instance.

Parameters:

group - an updated group instance

Returns:

the updated group instance, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteGroup

public abstract Group deleteGroup(Group group)
                           throws AuthorizationAccessException

Deletes the given group.

Parameters:

group - the group to delete

Returns:

the deleted group, or null if no matching group was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getGroups

public abstract Set<Group> getGroups()
                              throws AuthorizationAccessException

Retrieves all groups.

Returns:

a list of groups

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

addUser

public final User addUser(User user)
                   throws AuthorizationAccessException

Adds the given user.

Parameters:

user - the user to add

Returns:

the user that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a user with the same identity

doAddUser

public abstract User doAddUser(User user)
                        throws AuthorizationAccessException

Adds the given user.

Parameters:

user - the user to add

Returns:

the user that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUser

public abstract User getUser(String identifier)
                      throws AuthorizationAccessException

Retrieves the user with the given identifier.

Parameters:

identifier - the id of the user to retrieve

Returns:

the user with the given id, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUserByIdentity

public abstract User getUserByIdentity(String identity)
                                throws AuthorizationAccessException

Retrieves the user with the given identity.

Parameters:

identity - the identity of the user to retrieve

Returns:

the user with the given identity, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

updateUser

public final User updateUser(User user)
                      throws AuthorizationAccessException

The user represented by the provided instance will be updated based on the provided instance.

Parameters:

user - an updated user instance

Returns:

the updated user instance, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

IllegalStateException - if there is already a user with the same identity

doUpdateUser

public abstract User doUpdateUser(User user)
                           throws AuthorizationAccessException

The user represented by the provided instance will be updated based on the provided instance.

Parameters:

user - an updated user instance

Returns:

the updated user instance, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteUser

public abstract User deleteUser(User user)
                         throws AuthorizationAccessException

Deletes the given user.

Parameters:

user - the user to delete

Returns:

the user that was deleted, or null if no matching user was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUsers

public abstract Set<User> getUsers()
                            throws AuthorizationAccessException

Retrieves all users.

Returns:

a list of users

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

addAccessPolicy

public final AccessPolicy addAccessPolicy(AccessPolicy accessPolicy)
                                   throws AuthorizationAccessException

Adds the given policy ensuring that multiple policies can not be added for the same resource and action.

Parameters:

accessPolicy - the policy to add

Returns:

the policy that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

doAddAccessPolicy

protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy)
                                           throws AuthorizationAccessException

Adds the given policy.

Parameters:

accessPolicy - the policy to add

Returns:

the policy that was added

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicy

public abstract AccessPolicy getAccessPolicy(String identifier)
                                      throws AuthorizationAccessException

Retrieves the policy with the given identifier.

Parameters:

identifier - the id of the policy to retrieve

Returns:

the policy with the given id, or null if no matching policy exists

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

updateAccessPolicy

public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy)
                                         throws AuthorizationAccessException

The policy represented by the provided instance will be updated based on the provided instance.

Parameters:

accessPolicy - an updated policy

Returns:

the updated policy, or null if no matching policy was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

deleteAccessPolicy

public abstract AccessPolicy deleteAccessPolicy(AccessPolicy policy)
                                         throws AuthorizationAccessException

Deletes the given policy.

Parameters:

policy - the policy to delete

Returns:

the deleted policy, or null if no matching policy was found

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getAccessPolicies

public abstract Set<AccessPolicy> getAccessPolicies()
                                             throws AuthorizationAccessException

Retrieves all access policies.

Returns:

a list of policies

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

getUsersAndAccessPolicies

public abstract UsersAndAccessPolicies getUsersAndAccessPolicies()
                                                          throws AuthorizationAccessException

Returns the UserAccessPolicies instance.

Returns:

the UserAccessPolicies instance

Throws:

AuthorizationAccessException - if there was an unexpected error performing the operation

inheritFingerprint

public final void inheritFingerprint(String fingerprint)
                              throws AuthorizationAccessException

Parses the fingerprint and adds any users, groups, and policies to the current Authorizer.

Parameters:

fingerprint - the fingerprint that was obtained from calling getFingerprint() on another Authorizer.

Throws:

AuthorizationAccessException

parseUser

private User parseUser(Element element)

parseGroup

private Group parseGroup(Element element)

parsePolicy

private AccessPolicy parsePolicy(Element element)

getFingerprint

public final String getFingerprint()
                            throws AuthorizationAccessException

Returns a fingerprint representing the authorizations managed by this authorizer. The fingerprint will be used for comparison to determine if two policy-based authorizers represent a compatible set of users, groups, and policies.

Returns:

the fingerprint for this Authorizer

Throws:

AuthorizationAccessException

writeUser

private void writeUser(XMLStreamWriter writer,
                       User user)
                throws XMLStreamException

Throws:

XMLStreamException

writeGroup

private void writeGroup(XMLStreamWriter writer,
                        Group group)
                 throws XMLStreamException

Throws:

XMLStreamException

writePolicy

private void writePolicy(XMLStreamWriter writer,
                         AccessPolicy policy)
                  throws XMLStreamException

Throws:

XMLStreamException

getSortedAccessPolicies

private List<AccessPolicy> getSortedAccessPolicies()

getSortedGroups

private List<Group> getSortedGroups()

getSortedUsers

private List<User> getSortedUsers()