nifi-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bbe...@apache.org
Subject [nifi-registry] branch master updated: NIFIREG-325: support for node identity group - updated admin guide - adjusting PR / fixing issues found during review
Date Tue, 08 Oct 2019 15:10:55 GMT
This is an automated email from the ASF dual-hosted git repository.

bbende pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-registry.git


The following commit(s) were added to refs/heads/master by this push:
     new a1d7960  NIFIREG-325: support for node identity group - updated admin guide - adjusting
PR / fixing issues found during review
a1d7960 is described below

commit a1d79608745d3a1a47c8c05d15e6d8e30e4d607c
Author: Endre Zoltan Kovacs <andrewsmith87@protonmail.com>
AuthorDate: Thu Oct 3 20:13:03 2019 +0200

    NIFIREG-325: support for node identity group
    - updated admin guide
    - adjusting PR / fixing issues found during review
    
    This closes #235.
    
    Signed-off-by: Bryan Bende <bbende@apache.org>
---
 .../src/main/asciidoc/administration-guide.adoc    |  1 +
 .../file/FileAccessPolicyProvider.java             | 56 ++++++++++++++++++++++
 .../src/main/resources/conf/authorizers.xml        |  4 ++
 3 files changed, 61 insertions(+)

diff --git a/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
index 765e62f..b9bc1df 100644
--- a/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
@@ -348,6 +348,7 @@ The default AccessPolicyProvider is the FileAccessPolicyProvider, however,
you c
 |`Authorizations File`| The file where the FileAccessPolicyProvider will store policies.
By default, _authorizations.xml_ in the `conf` directory is chosen.
 |`Initial Admin Identity`| The identity of an initial admin user that will be granted access
to the UI and given the ability to create additional users, groups, and policies. For example,
a certificate DN, LDAP identity, or Kerberos principal.
 |`NiFi Identity`| The identity of a NiFi instance/node that will be accessing this registry.
Each NiFi Identity will be granted permission to proxy user requests, as well as read any
bucket to perform synchronization status checks.
+|`NiFi Group Name`| The name of the group, whose members are NiFi instance/node identities,
that will be accessing this registry. The members of this group will be granted permission
to proxy user requests, as well as read any bucket to perform synchronization checks.
 |==================================================================================================================================================
 
 NOTE: The identities configured in the Initial Admin Identity and NiFi Identity properties
must be available in the configured User Group Provider. Initial Admin Identity and NiFi Identity
properties are only read by NiFi Registry when the Authorizations File is missing or empty
on startup in order to seed the initial Authorizations File.
diff --git a/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
b/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
index 5eb1874..8c32ab8 100644
--- a/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
+++ b/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/file/FileAccessPolicyProvider.java
@@ -24,6 +24,7 @@ import org.apache.nifi.registry.security.authorization.AccessPolicy;
 import org.apache.nifi.registry.security.authorization.AccessPolicyProviderInitializationContext;
 import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
 import org.apache.nifi.registry.security.authorization.ConfigurableAccessPolicyProvider;
+import org.apache.nifi.registry.security.authorization.Group;
 import org.apache.nifi.registry.security.authorization.RequestAction;
 import org.apache.nifi.registry.security.authorization.User;
 import org.apache.nifi.registry.security.authorization.UserGroupProvider;
@@ -73,6 +74,7 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.regex.Matcher;
@@ -147,6 +149,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
 
     static final String PROP_NIFI_IDENTITY_PREFIX = "NiFi Identity ";
     static final String PROP_USER_GROUP_PROVIDER = "User Group Provider";
+    static final String PROP_NIFI_GROUP_NAME = "NiFi Group Name";
     static final String PROP_AUTHORIZATIONS_FILE = "Authorizations File";
     static final String PROP_INITIAL_ADMIN_IDENTITY = "Initial Admin Identity";
     static final Pattern NIFI_IDENTITY_PATTERN = Pattern.compile(PROP_NIFI_IDENTITY_PREFIX
+ "\\S+");
@@ -156,6 +159,7 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
     private File authorizationsFile;
     private String initialAdminIdentity;
     private Set<String> nifiIdentities;
+    private String nifiIdentityGroupIdentifier;
     private List<IdentityMapping> identityMappings;
 
     private UserGroupProvider userGroupProvider;
@@ -215,6 +219,23 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
                 }
             }
 
+            PropertyValue identityGroupNameProp = configurationContext.getProperty(PROP_NIFI_GROUP_NAME);
+            String identityGroupName = (identityGroupNameProp != null && identityGroupNameProp.isSet())
? identityGroupNameProp.getValue() : null;
+            if (!StringUtils.isBlank(identityGroupName)) {
+                logger.debug("{} is: {}", PROP_NIFI_GROUP_NAME, identityGroupName);
+                Set<Group> groups = userGroupProvider.getGroups();
+                logger.trace("All authorization groups: {}", groups);
+                Optional<Group> identityGroupsOptional =
+                        groups.stream()
+                            .filter(group -> group.getName().equals(identityGroupName))
+                            .findFirst();
+                Group identityGroup = identityGroupsOptional
+                        .orElseThrow(() ->
+                            new SecurityProviderCreationException(String.format("Authorizations
node group '%s' could not be found", identityGroupName))
+                        );
+                logger.debug("Identity Group is: {}", identityGroup);
+                nifiIdentityGroupIdentifier = identityGroup.getIdentifier();
+            }
             // load the authorizations
             load();
 
@@ -508,6 +529,13 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
                 populateNiFiIdentities(authorizations);
             }
 
+            if (!StringUtils.isEmpty(nifiIdentityGroupIdentifier)) {
+                logger.info("Populating proxy authorizations for NiFi identity group: [{}]",
nifiIdentityGroupIdentifier);
+                // grant access to the resources needed for initial nifi-proxy identities
+                for (ResourceActionPair resourceAction : NIFI_ACCESS_POLICIES) {
+                    addGroupToAccessPolicy(authorizations, resourceAction.resource, nifiIdentityGroupIdentifier,
resourceAction.actionCode);
+                }
+            }
             saveAndRefreshHolder(authorizations);
         } else {
             this.authorizationsHolder.set(authorizationsHolder);
@@ -564,6 +592,34 @@ public class FileAccessPolicyProvider implements ConfigurableAccessPolicyProvide
         }
     }
 
+    private void addGroupToAccessPolicy(Authorizations authorizations, String resource, String
nifiIdentityGroupIdentifier, String action) {
+    Optional<Policy> policyOptional = authorizations.getPolicies().getPolicy().stream()
+            .filter(policy -> policy.getResource().equals(resource))
+            .filter(policy -> policy.getAction().equals(action))
+        .findAny();
+    if (policyOptional.isPresent()) {
+        Policy policy = policyOptional.get();
+        Policy.Group group = new Policy.Group();
+        group.setIdentifier(nifiIdentityGroupIdentifier);
+        policy.getGroup().add(group);
+    } else {
+        AccessPolicy.Builder accessPolicyBuilder =
+            new AccessPolicy.Builder()
+              .identifierGenerateFromSeed(resource + action)
+              .resource(resource)
+              .addGroup(nifiIdentityGroupIdentifier);
+      if (action.equals(READ_CODE)) {
+          accessPolicyBuilder.action(RequestAction.READ);
+      } else if (action.equals(WRITE_CODE)) {
+          accessPolicyBuilder.action(RequestAction.WRITE);
+      } else if (action.equals(DELETE_CODE)) {
+          accessPolicyBuilder.action(RequestAction.DELETE);
+      } else {
+          throw new IllegalStateException("Unknown Policy Action: " + action);
+      }
+      authorizations.getPolicies().getPolicy().add(createJAXBPolicy(accessPolicyBuilder.build()));
+    }
+  }
 
     /**
      * Creates and adds an access policy for the given resource, identity, and actions to
the specified authorizations.
diff --git a/nifi-registry-core/nifi-registry-resources/src/main/resources/conf/authorizers.xml
b/nifi-registry-core/nifi-registry-resources/src/main/resources/conf/authorizers.xml
index 26999d4..9f63754 100644
--- a/nifi-registry-core/nifi-registry-resources/src/main/resources/conf/authorizers.xml
+++ b/nifi-registry-core/nifi-registry-resources/src/main/resources/conf/authorizers.xml
@@ -232,6 +232,9 @@
             NOTE: Any identity mapping rules specified in nifi-registry.properties will also
be applied to the nifi identities,
             so the values should be the unmapped identities (i.e. full DN from a certificate).
This identity must be found
             in the configured User Group Provider.
+        - NiFi Group Name: The name of the group, whose members are NiFi instance/node identities,
+            that will have access to this NiFi Registry and will be able to act as a proxy
on behalf of a NiFi Registry end user.
+            The members of this group will be granted permission to proxy user requests,
as well as read any bucket to perform synchronization checks.
     -->
     <accessPolicyProvider>
         <identifier>file-access-policy-provider</identifier>
@@ -239,6 +242,7 @@
         <property name="User Group Provider">file-user-group-provider</property>
         <property name="Authorizations File">./conf/authorizations.xml</property>
         <property name="Initial Admin Identity"><!-- CN=abc, OU=xyz --></property>
+        <property name="NiFi Group Name"></property>
 
         <!--<property name="NiFi Identity 1"></property>-->
     </accessPolicyProvider>


Mime
View raw message