NIFI-1551: - Removing the AuthorityProvider. - Refactoring REST API in preparation for introduction of the Authorizer. - Updating UI accordingly. - Removing unneeded properties from nifi.properties. - Addressing comments from PR. - This closes #359.
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/153f63ef Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/153f63ef Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/153f63ef Branch: refs/heads/master Commit: 153f63ef43fd4511026653122fbde27e68221a57 Parents: 7db78e8 Author: Matt Gilman <matt.c.gil...@gmail.com> Authored: Fri Apr 15 15:53:47 2016 -0400 Committer: Mark Payne <marka...@hotmail.com> Committed: Fri Apr 15 16:03:00 2016 -0400 ---------------------------------------------------------------------- .../authentication/LoginIdentityProvider.java | 4 +- .../exception/ProviderCreationException.java | 39 + .../exception/ProviderDestructionException.java | 39 + .../apache/nifi/authorization/Authority.java | 93 - .../nifi/authorization/AuthorityProvider.java | 182 -- .../AuthorityProviderConfigurationContext.java | 48 - .../AuthorityProviderInitializationContext.java | 27 - .../authorization/AuthorityProviderLookup.java | 25 - .../authorization/AuthorizationRequest.java | 39 +- .../apache/nifi/authorization/Authorizer.java | 3 +- .../authorization/DownloadAuthorization.java | 83 - .../annotation/AuthorityProviderContext.java | 35 - .../exception/AuthorityAccessException.java | 33 - .../IdentityAlreadyExistsException.java | 32 - .../exception/ProviderCreationException.java | 39 - .../exception/ProviderDestructionException.java | 39 - .../exception/UnknownIdentityException.java | 32 - nifi-assembly/pom.xml | 8 +- .../org/apache/nifi/util/NiFiProperties.java | 53 +- .../NiFiProperties/conf/nifi.blank.properties | 6 +- .../NiFiProperties/conf/nifi.missing.properties | 6 +- .../NiFiProperties/conf/nifi.properties | 6 +- .../src/main/asciidoc/administration-guide.adoc | 139 +- .../cassandra/AbstractCassandraProcessor.java | 2 +- .../AbstractCassandraProcessorTest.java | 2 +- .../nifi-framework-nar/pom.xml | 8 - .../nifi/admin/KeyDataSourceFactoryBean.java | 147 ++ 
.../nifi/admin/UserDataSourceFactoryBean.java | 244 -- .../org/apache/nifi/admin/dao/AuthorityDAO.java | 59 - .../org/apache/nifi/admin/dao/DAOFactory.java | 4 - .../java/org/apache/nifi/admin/dao/UserDAO.java | 128 - .../nifi/admin/dao/impl/DAOFactoryImpl.java | 12 - .../admin/dao/impl/StandardAuthorityDAO.java | 172 -- .../nifi/admin/dao/impl/StandardUserDAO.java | 641 ----- .../admin/service/AccountDisabledException.java | 40 - .../admin/service/AccountNotFoundException.java | 40 - .../admin/service/AccountPendingException.java | 41 - .../apache/nifi/admin/service/KeyService.java | 49 + .../apache/nifi/admin/service/UserService.java | 180 -- .../service/action/AbstractUserAction.java | 97 - .../admin/service/action/AddActionsAction.java | 3 +- .../service/action/AdministrationAction.java | 4 +- .../service/action/AuthorizeDownloadAction.java | 54 - .../service/action/AuthorizeUserAction.java | 173 -- .../admin/service/action/CreateUserAction.java | 53 - .../admin/service/action/DeleteKeysAction.java | 3 +- .../admin/service/action/DeleteUserAction.java | 73 - .../admin/service/action/DisableUserAction.java | 81 - .../service/action/DisableUserGroupAction.java | 78 - .../service/action/FindUserByDnAction.java | 49 - .../service/action/FindUserByIdAction.java | 46 - .../admin/service/action/GetActionAction.java | 3 +- .../admin/service/action/GetActionsAction.java | 6 +- .../admin/service/action/GetKeyByIdAction.java | 4 +- .../service/action/GetKeyByIdentityAction.java | 4 +- .../service/action/GetOrCreateKeyAction.java | 4 +- .../admin/service/action/GetPreviousValues.java | 8 +- .../service/action/GetUserGroupAction.java | 50 - .../admin/service/action/GetUsersAction.java | 39 - .../service/action/HasPendingUserAccounts.java | 34 - .../action/InvalidateUserAccountAction.java | 58 - .../InvalidateUserGroupAccountsAction.java | 45 - .../service/action/PurgeActionsAction.java | 3 +- .../action/RequestUserAccountAction.java | 67 - 
.../service/action/SeedUserAccountsAction.java | 164 -- .../admin/service/action/UngroupUserAction.java | 69 - .../service/action/UngroupUserGroupAction.java | 57 - .../admin/service/action/UpdateUserAction.java | 124 - .../UpdateUserAuthoritiesCacheAction.java | 73 - .../service/action/UpdateUserCacheAction.java | 47 - .../service/action/UpdateUserGroupAction.java | 171 -- .../admin/service/impl/StandardKeyService.java | 161 ++ .../admin/service/impl/StandardUserService.java | 731 ------ .../transaction/impl/StandardTransaction.java | 16 +- .../impl/StandardTransactionBuilder.java | 8 +- .../AuthorityProviderFactoryBean.java | 491 ---- .../authorization/AuthorizerFactoryBean.java | 11 +- ...rdAuthorityProviderConfigurationContext.java | 51 - ...dAuthorityProviderInitializationContext.java | 42 - .../org/apache/nifi/user/AccountStatus.java | 47 - .../java/org/apache/nifi/user/NiFiUser.java | 101 +- .../resources/nifi-administration-context.xml | 33 +- .../src/main/xsd/authority-providers.xsd | 49 - .../service/action/AuthorizeUserActionTest.java | 433 ---- .../service/action/CreateUserActionTest.java | 144 -- .../service/action/DisableUserActionTest.java | 176 -- .../action/InvalidateUserAccountActionTest.java | 126 - .../action/RequestUserAccountActionTest.java | 127 - .../action/SeedUserAccountsActionTest.java | 262 --- .../action/SetUserAuthoritiesActionTest.java | 223 -- .../apache/nifi/web/api/dto/RevisionDTO.java | 4 + .../web/api/dto/status/ControllerStatusDTO.java | 15 - .../org/apache/nifi/web/api/entity/Entity.java | 6 +- ...ControllerServiceReferenceRequestEntity.java | 54 + .../.gitignore | 1 - .../nifi-cluster-authorization-provider/pom.xml | 46 - .../ClusterManagerAuthorizationProvider.java | 225 -- .../NodeAuthorizationProvider.java | 389 ---- .../protocol/message/DoesDnExistMessage.java | 55 - .../protocol/message/GetAuthoritiesMessage.java | 57 - .../message/GetGroupForUserMessage.java | 54 - .../protocol/message/ProtocolMessage.java | 56 - 
.../message/jaxb/JaxbProtocolUtils.java | 41 - .../protocol/message/jaxb/ObjectFactory.java | 44 - ....apache.nifi.authorization.AuthorityProvider | 16 - .../src/test/resources/conf/nifi.properties | 6 +- .../nifi-file-authorization-provider/pom.xml | 85 - .../FileAuthorizationProvider.java | 496 ---- ....apache.nifi.authorization.AuthorityProvider | 15 - .../src/main/xsd/users.xsd | 64 - .../FileAuthorizationProviderTest.java | 128 - .../nifi/authorization/FileAuthorizer.java | 18 +- .../nifi/authorization/FileAuthorizerTest.java | 20 +- .../org/apache/nifi/groups/ProcessGroup.java | 24 + .../apache/nifi/controller/FlowController.java | 20 +- .../nifi/groups/StandardProcessGroup.java | 63 + .../nifi/spring/FlowControllerFactoryBean.java | 12 +- .../src/main/resources/nifi-context.xml | 2 +- .../controller/StandardFlowServiceTest.java | 8 +- .../scheduling/TestProcessorLifecycle.java | 4 +- .../src/test/resources/conf/nifi.properties | 6 +- .../test/resources/nifi-with-remote.properties | 6 +- .../src/test/resources/nifi.properties | 6 +- .../org/apache/nifi/nar/ExtensionManager.java | 19 +- .../nifi/nar/NarThreadContextClassLoader.java | 20 +- .../resources/NarUnpacker/conf/nifi.properties | 6 +- .../main/resources/conf/authority-providers.xml | 43 - .../main/resources/conf/authorized-users.xml | 57 - .../src/main/resources/conf/authorizers.xml | 28 + .../src/main/resources/conf/nifi.properties | 8 +- .../nifi/remote/StandardRootGroupPort.java | 113 +- .../src/test/resources/nifi.properties | 6 +- .../org/apache/nifi/audit/FunnelAuditor.java | 9 +- .../java/org/apache/nifi/audit/PortAuditor.java | 35 +- .../org/apache/nifi/audit/ProcessorAuditor.java | 20 +- .../apache/nifi/audit/RelationshipAuditor.java | 18 +- .../nifi/audit/RemoteProcessGroupAuditor.java | 31 +- .../org/apache/nifi/audit/SnippetAuditor.java | 45 +- .../org/apache/nifi/web/NiFiServiceFacade.java | 279 +-- .../web/NiFiWebApiSecurityConfiguration.java | 76 +- 
.../nifi/web/StandardNiFiContentAccess.java | 20 +- .../nifi/web/StandardNiFiServiceFacade.java | 624 ++--- .../StandardNiFiWebConfigurationContext.java | 70 +- .../apache/nifi/web/StandardNiFiWebContext.java | 60 +- .../org/apache/nifi/web/api/AccessResource.java | 79 +- .../nifi/web/api/BulletinBoardResource.java | 37 +- .../apache/nifi/web/api/ClusterResource.java | 11 +- .../apache/nifi/web/api/ConnectionResource.java | 659 +----- .../apache/nifi/web/api/ControllerResource.java | 151 +- .../nifi/web/api/ControllerServiceResource.java | 365 +-- .../org/apache/nifi/web/api/FunnelResource.java | 339 +-- .../apache/nifi/web/api/HistoryResource.java | 60 +- .../apache/nifi/web/api/InputPortResource.java | 340 +-- .../org/apache/nifi/web/api/LabelResource.java | 383 +-- .../org/apache/nifi/web/api/NodeResource.java | 9 +- .../apache/nifi/web/api/OutputPortResource.java | 383 +-- .../nifi/web/api/ProcessGroupResource.java | 2186 ++++++++++++------ .../apache/nifi/web/api/ProcessorResource.java | 485 +--- .../apache/nifi/web/api/ProvenanceResource.java | 94 +- .../web/api/RemoteProcessGroupResource.java | 450 +--- .../nifi/web/api/ReportingTaskResource.java | 344 +-- .../apache/nifi/web/api/SnippetResource.java | 200 +- .../nifi/web/api/SystemDiagnosticsResource.java | 3 +- .../apache/nifi/web/api/TemplateResource.java | 49 +- .../apache/nifi/web/api/UserGroupResource.java | 465 ---- .../org/apache/nifi/web/api/UserResource.java | 617 ----- .../config/AccountNotFoundExceptionMapper.java | 47 - .../org/apache/nifi/web/api/dto/DtoFactory.java | 99 +- .../nifi/web/controller/ControllerFacade.java | 91 +- .../org/apache/nifi/web/dao/ConnectionDAO.java | 72 +- .../java/org/apache/nifi/web/dao/FunnelDAO.java | 25 +- .../java/org/apache/nifi/web/dao/LabelDAO.java | 15 +- .../java/org/apache/nifi/web/dao/PortDAO.java | 22 +- .../apache/nifi/web/dao/ProcessGroupDAO.java | 4 +- .../org/apache/nifi/web/dao/ProcessorDAO.java | 33 +- .../nifi/web/dao/RemoteProcessGroupDAO.java | 33 
+- .../web/dao/impl/StandardConnectionDAO.java | 146 +- .../nifi/web/dao/impl/StandardFunnelDAO.java | 60 +- .../nifi/web/dao/impl/StandardInputPortDAO.java | 73 +- .../nifi/web/dao/impl/StandardLabelDAO.java | 55 +- .../web/dao/impl/StandardOutputPortDAO.java | 73 +- .../web/dao/impl/StandardProcessGroupDAO.java | 12 +- .../nifi/web/dao/impl/StandardProcessorDAO.java | 93 +- .../dao/impl/StandardRemoteProcessGroupDAO.java | 92 +- .../src/main/resources/nifi-web-api-context.xml | 49 +- .../accesscontrol/AccessTokenEndpointTest.java | 2 + .../accesscontrol/AdminAccessControlTest.java | 2 + .../accesscontrol/DfmAccessControlTest.java | 1 + .../ReadOnlyAccessControlTest.java | 2 + .../util/NiFiTestAuthorizationProvider.java | 180 -- .../integration/util/NiFiTestAuthorizer.java | 56 + .../util/NiFiTestLoginIdentityProvider.java | 9 +- .../nifi/integration/util/NiFiTestServer.java | 2 +- ....apache.nifi.authorization.AuthorityProvider | 15 - .../org.apache.nifi.authorization.Authorizer | 15 + .../access-control/authority-providers.xml | 2 +- .../resources/access-control/nifi.properties | 6 +- .../web/security/NiFiAuthenticationFilter.java | 105 +- .../security/NiFiAuthenticationProvider.java | 73 - .../anonymous/NiFiAnonymousUserFilter.java | 47 +- .../authorization/NiFiAuthorizationService.java | 171 -- .../security/jwt/JwtAuthenticationFilter.java | 34 +- .../security/jwt/JwtAuthenticationProvider.java | 56 + .../jwt/JwtAuthenticationRequestToken.java | 58 + .../nifi/web/security/jwt/JwtService.java | 12 +- .../kerberos/KerberosServiceFactoryBean.java | 74 - .../security/node/NodeAuthorizedUserFilter.java | 4 +- .../security/otp/OtpAuthenticationFilter.java | 41 +- .../security/otp/OtpAuthenticationProvider.java | 60 + .../otp/OtpAuthenticationRequestToken.java | 64 + .../spring/KerberosServiceFactoryBean.java | 76 + .../LoginIdentityProviderFactoryBean.java | 35 +- .../NewAccountAuthorizationRequestToken.java | 40 - .../token/NewAccountAuthorizationToken.java | 46 - 
.../security/token/NiFiAuthenticationToken.java | 50 + .../token/NiFiAuthorizationRequestToken.java | 54 - .../security/token/NiFiAuthorizationToken.java | 50 - .../web/security/user/NewAccountRequest.java | 47 - .../nifi/web/security/user/NiFiUserDetails.java | 17 +- .../nifi/web/security/user/NiFiUserUtils.java | 21 - .../security/x509/X509AuthenticationFilter.java | 36 +- .../x509/X509AuthenticationProvider.java | 78 + .../x509/X509AuthenticationRequestToken.java | 75 + .../x509/ocsp/OcspCertificateValidator.java | 5 +- .../resources/nifi-web-security-context.xml | 21 +- .../NiFiAuthorizationServiceTest.java | 249 -- .../nifi/web/security/jwt/JwtServiceTest.java | 14 +- .../otp/OtpAuthenticationFilterTest.java | 91 +- .../otp/OtpAuthenticationProviderTest.java | 102 + .../nifi-framework/nifi-web/nifi-web-ui/pom.xml | 42 - .../main/resources/filters/canvas.properties | 2 - .../main/resources/filters/users-min.properties | 18 - .../src/main/resources/filters/users.properties | 29 - .../src/main/webapp/WEB-INF/pages/canvas.jsp | 2 - .../src/main/webapp/WEB-INF/pages/users.jsp | 72 - .../WEB-INF/partials/canvas/canvas-header.jsp | 1 - .../canvas/secure-port-configuration.jsp | 82 - .../partials/canvas/secure-port-details.jsp | 67 - .../partials/users/group-revoke-dialog.jsp | 22 - .../partials/users/group-roles-dialog.jsp | 52 - .../partials/users/user-delete-dialog.jsp | 23 - .../partials/users/user-details-dialog.jsp | 56 - .../partials/users/user-group-dialog.jsp | 27 - .../partials/users/user-revoke-dialog.jsp | 23 - .../partials/users/user-roles-dialog.jsp | 60 - .../WEB-INF/partials/users/users-content.jsp | 46 - .../nifi-web-ui/src/main/webapp/css/header.css | 13 - .../src/main/webapp/css/port-configuration.css | 133 -- .../src/main/webapp/css/port-details.css | 27 - .../nifi-web-ui/src/main/webapp/css/users.css | 254 -- .../src/main/webapp/images/iconAdminUser.png | Bin 1960 -> 0 bytes .../propertytable/jquery.propertytable.js | 2 +- 
.../js/nf/bulletin-board/nf-bulletin-board.js | 2 +- .../src/main/webapp/js/nf/canvas/nf-actions.js | 140 +- .../webapp/js/nf/canvas/nf-canvas-header.js | 31 +- .../webapp/js/nf/canvas/nf-canvas-toolbox.js | 175 +- .../src/main/webapp/js/nf/canvas/nf-canvas.js | 9 +- .../webapp/js/nf/canvas/nf-component-state.js | 10 +- .../js/nf/canvas/nf-connection-configuration.js | 108 +- .../main/webapp/js/nf/canvas/nf-connection.js | 35 +- .../js/nf/canvas/nf-controller-service.js | 62 +- .../main/webapp/js/nf/canvas/nf-draggable.js | 26 +- .../src/main/webapp/js/nf/canvas/nf-funnel.js | 9 +- .../src/main/webapp/js/nf/canvas/nf-go-to.js | 24 +- .../js/nf/canvas/nf-label-configuration.js | 33 +- .../src/main/webapp/js/nf/canvas/nf-label.js | 7 + .../js/nf/canvas/nf-port-configuration.js | 31 +- .../src/main/webapp/js/nf/canvas/nf-port.js | 9 +- .../nf/canvas/nf-process-group-configuration.js | 20 +- .../webapp/js/nf/canvas/nf-process-group.js | 7 + .../js/nf/canvas/nf-processor-configuration.js | 2 +- .../main/webapp/js/nf/canvas/nf-processor.js | 7 + .../webapp/js/nf/canvas/nf-queue-listing.js | 3 +- .../nf-remote-process-group-configuration.js | 1 - .../nf/canvas/nf-remote-process-group-ports.js | 2 - .../js/nf/canvas/nf-remote-process-group.js | 7 + .../webapp/js/nf/canvas/nf-reporting-task.js | 23 +- .../nf/canvas/nf-secure-port-configuration.js | 384 --- .../js/nf/canvas/nf-secure-port-details.js | 121 - .../src/main/webapp/js/nf/canvas/nf-settings.js | 42 +- .../src/main/webapp/js/nf/canvas/nf-snippet.js | 2 +- .../webapp/js/nf/history/nf-history-model.js | 2 +- .../webapp/js/nf/history/nf-history-table.js | 2 +- .../main/webapp/js/nf/nf-connection-details.js | 16 +- .../main/webapp/js/nf/nf-processor-details.js | 4 +- .../src/main/webapp/js/nf/nf-status-history.js | 9 +- .../webapp/js/nf/summary/nf-cluster-search.js | 2 +- .../webapp/js/nf/summary/nf-summary-table.js | 15 +- .../main/webapp/js/nf/users/nf-users-table.js | 1075 --------- 
.../src/main/webapp/js/nf/users/nf-users.js | 151 -- .../nifi-framework/pom.xml | 2 - nifi-nar-bundles/nifi-framework-bundle/pom.xml | 10 - .../apache/nifi/kerberos/KerberosProvider.java | 4 +- .../java/org/apache/nifi/ldap/LdapProvider.java | 4 +- 294 files changed, 5156 insertions(+), 20914 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java index 54becb3..145bdb4 100644 --- a/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java +++ b/nifi-api/src/main/java/org/apache/nifi/authentication/LoginIdentityProvider.java @@ -18,8 +18,8 @@ package org.apache.nifi.authentication; import org.apache.nifi.authentication.exception.IdentityAccessException; import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException; -import org.apache.nifi.authorization.exception.ProviderCreationException; -import org.apache.nifi.authorization.exception.ProviderDestructionException; +import org.apache.nifi.authentication.exception.ProviderCreationException; +import org.apache.nifi.authentication.exception.ProviderDestructionException; /** * Identity provider that is able to authentication a user with username/password credentials. http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java ---------------------------------------------------------------------- 
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java
new file mode 100644
index 0000000..b352787
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderCreationException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails instantiated.
+ *
+ */
+public class ProviderCreationException extends RuntimeException {
+
+ public ProviderCreationException() {
+ }
+
+ public ProviderCreationException(String msg) {
+ super(msg);
+ }
+
+ public ProviderCreationException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderCreationException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
----------------------------------------------------------------------
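Review bot: The class Javadoc of the new ProviderCreationException.java still reads `Represents the exceptional case when an AuthorityProvider fails instantiated.`, although this commit deletes AuthorityProvider and places the exception in `org.apache.nifi.authentication.exception`, which the LoginIdentityProvider hunk now imports. The comment should name a type that still exists and be grammatical, for example `Represents the exceptional case when a LoginIdentityProvider fails to be instantiated.` The new ProviderDestructionException.java carries the same stale wording (`when an AuthorityProvider fails destruction`) and wants the matching edit, e.g. `Represents the exceptional case when a LoginIdentityProvider fails during destruction.` Whether other provider types also throw these exceptions is not visible in this part of the diff, so a neutral `a provider` would be the safer wording if they do.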
diff --git a/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
new file mode 100644
index 0000000..1e12146
--- /dev/null
+++ b/nifi-api/src/main/java/org/apache/nifi/authentication/exception/ProviderDestructionException.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.authentication.exception;
+
+/**
+ * Represents the exceptional case when an AuthorityProvider fails destruction.
+ *
+ */
+public class ProviderDestructionException extends RuntimeException {
+
+ public ProviderDestructionException() {
+ }
+
+ public ProviderDestructionException(String msg) {
+ super(msg);
+ }
+
+ public ProviderDestructionException(Throwable cause) {
+ super(cause);
+ }
+
+ public ProviderDestructionException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java b/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
deleted file mode 100644
index 4502c11..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/Authority.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import java.util.EnumSet;
-import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-/**
- * Authorities that can be assigned to NiFi users.
- */
-public enum Authority {
-
- ROLE_MONITOR,
- ROLE_DFM,
- ROLE_ADMIN,
- ROLE_PROVENANCE,
- ROLE_PROXY,
- ROLE_NIFI;
-
- /**
- * @param rawAuthority string form of authority
- * @return the matching role or null if the specified role does not match
- * any roles
- */
- public static Authority valueOfAuthority(String rawAuthority) {
- Authority desiredAuthority = null;
-
- for (Authority authority : values()) {
- if (authority.toString().equals(rawAuthority)) {
- desiredAuthority = authority;
- break;
- }
- }
-
- return desiredAuthority;
- }
-
- /**
- * @return the string value of each authority
- */
- public static Set<String> getRawAuthorities() {
- Set<String> authorities = new LinkedHashSet<>();
- for (Authority authority : values()) {
- authorities.add(authority.toString());
- }
- return authorities;
- }
-
- public static Set<String> convertAuthorities(Set<Authority> authorities) {
- if (authorities == null) {
- throw new IllegalArgumentException("No authorities have been specified.");
- }
-
- // convert the set
- Set<String> rawAuthorities = new HashSet<>(authorities.size());
- for (Authority authority : authorities) {
- rawAuthorities.add(authority.toString());
- }
- return rawAuthorities;
- }
-
- public static EnumSet<Authority> convertRawAuthorities(Set<String> rawAuthorities) {
- if (rawAuthorities == null) {
- throw new IllegalArgumentException("No authorities have been specified.");
- }
-
- // convert the set
- EnumSet<Authority> authorities = EnumSet.noneOf(Authority.class);
- for (String rawAuthority : rawAuthorities) {
- Authority authority = Authority.valueOfAuthority(rawAuthority);
- if (authority != null) {
- authorities.add(authority);
- }
- }
- return authorities;
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
deleted file mode 100644
index 716216d..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProvider.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.authorization;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import org.apache.nifi.authorization.exception.AuthorityAccessException;
-import org.apache.nifi.authorization.exception.IdentityAlreadyExistsException;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
-import org.apache.nifi.authorization.exception.ProviderDestructionException;
-import org.apache.nifi.authorization.exception.UnknownIdentityException;
-
-/**
- * This class allows clients to retrieve the authorities for a given DN.
- */
-public interface AuthorityProvider {
-
- /**
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return whether the user with the specified identity is known to this authority
- * provider. It is not necessary for the user to have any authorities
- */
- boolean doesDnExist(String identity) throws AuthorityAccessException;
-
- /**
- * Get the authorities for the specified user. If the specified user exists
- * but does not have any authorities, an empty set should be returned.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return the authorities for the specified user. If the specified user
- * exists but does not have any authorities, an empty set should be returned
- * @throws UnknownIdentityException if identity is not known
- * @throws AuthorityAccessException if unable to access authorities
- */
- Set<Authority> getAuthorities(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Sets the specified authorities for the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param authorities the new authorities for the user
- * @throws UnknownIdentityException if identity is not known
- * @throws AuthorityAccessException if unable to access authorities
- */
- void setAuthorities(String identity, Set<Authority> authorities) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Gets the users for the specified authority.
- *
- * @param authority for which to determine membership of
- * @return all users with the specified authority
- * @throws AuthorityAccessException if unable to access authorities
- */
- Set<String> getUsers(Authority authority) throws AuthorityAccessException;
-
- /**
- * Revokes the specified user. Its up to the implementor to determine the
- * semantics of revocation.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void revokeUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Add the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param group Optional
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void addUser(String identity, String group) throws IdentityAlreadyExistsException, AuthorityAccessException;
-
- /**
- * Gets the group for the specified user. Return null if the user does not
- * belong to a group.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @return the group of the given user
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- String getGroupForUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Revokes all users for a specified group. Its up to the implementor to
- * determine the semantics of revocation.
- *
- * @param group to revoke the users of
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void revokeGroup(String group) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Adds the specified users to the specified group.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @param group to add users to
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void setUsersGroup(Set<String> identity, String group) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Ungroups the specified user.
- *
- * @param identity of the user. The identity may be a dn, an email, a username, or any string that identities the user.
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void ungroupUser(String identity) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Ungroups the specified group. Since the semantics of revocation is up to
- * the implementor, this method should do nothing if the specified group
- * does not exist. If an admin revoked this group before calling ungroup, it
- * may or may not exist.
- *
- * @param group to ungroup
- * @throws AuthorityAccessException if unable to access the authorities
- */
- void ungroup(String group) throws AuthorityAccessException;
-
- /**
- * Determines whether the user in the specified dnChain should be able to
- * download the content for the flowfile with the specified attributes.
- *
- * The first identity in the chain is the end user that the request was issued on
- * behalf of. The subsequent identities in the chain represent entities proxying
- * the user's request with the last being the proxy that sent the current
- * request.
- *
- * @param proxyChain proxy chain of user identities that for the download request
- * @param attributes of the flowfile being requested
- * @return the authorization result
- * @throws UnknownIdentityException if the user is not known
- * @throws AuthorityAccessException if unable to access the authorities
- */
- DownloadAuthorization authorizeDownload(List<String> proxyChain, Map<String, String> attributes) throws UnknownIdentityException, AuthorityAccessException;
-
- /**
- * Called immediately after instance creation for implementers to perform
- * additional setup
- *
- * @param initializationContext in which to initialize
- */
- void initialize(AuthorityProviderInitializationContext initializationContext) throws ProviderCreationException;
-
- /**
- * Called to configure the AuthorityProvider.
- *
- * @param configurationContext at the time of configuration
- * @throws ProviderCreationException for any issues configuring the provider
- */
- void onConfigured(AuthorityProviderConfigurationContext configurationContext) throws ProviderCreationException;
-
- /**
- * Called immediately before instance destruction for implementers to
- * release resources.
- *
- * @throws ProviderDestructionException If pre-destruction fails.
- */
- void preDestruction() throws ProviderDestructionException;
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
----------------------------------------------------------------------
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
deleted file mode 100644
index c1ba5df..0000000
--- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderConfigurationContext.java
+++ /dev/null
@@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization; - -import java.util.Map; - -/** - * - */ -public interface AuthorityProviderConfigurationContext { - - /** - * @return identifier for the authority provider - */ - String getIdentifier(); - - /** - * Retrieves all properties the component currently understands regardless - * of whether a value has been set for them or not. If no value is present - * then its value is null and thus any registered default for the property - * descriptor applies. - * - * @return Map of all properties - */ - Map<String, String> getProperties(); - - /** - * @param property to lookup the descriptor and value of - * @return the value the component currently understands for the given - * PropertyDescriptor. This method does not substitute default - * PropertyDescriptor values, so the value returned will be null if not set - */ - String getProperty(String property); -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java ---------------------------------------------------------------------- 
diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java deleted file mode 100644 index 7b2f89f..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderInitializationContext.java +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization; - -/** - * - */ -public interface AuthorityProviderInitializationContext { - - public String getIdentifier(); - - public AuthorityProviderLookup getAuthorityProviderLookup(); -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java deleted file mode 100644 index dc30967..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorityProviderLookup.java +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization; - -/** - * - */ -public interface AuthorityProviderLookup { - - AuthorityProvider getAuthorityProvider(String identifier); -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java index 9e50e62..7e6999c 100644 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java +++ b/nifi-api/src/main/java/org/apache/nifi/authorization/AuthorizationRequest.java 
@@ -29,17 +29,22 @@ public class AuthorizationRequest { private final Resource resource; private final String identity; private final RequestAction action; + private final boolean isAccessAttempt; + private final boolean isAnonymous; private final Map<String, String> context; private final Map<String, String> eventAttributes; private AuthorizationRequest(final Builder builder) { Objects.requireNonNull(builder.resource, "The resource is required when creating an authorization request"); - Objects.requireNonNull(builder.identity, "The identity of the user is required when creating an authorization request"); Objects.requireNonNull(builder.action, "The action is required when creating an authorization request"); + Objects.requireNonNull(builder.isAccessAttempt, "Whether this request is an access attempt is request"); + Objects.requireNonNull(builder.isAnonymous, "Whether this request is being performed by an anonymous user is required"); this.resource = builder.resource; this.identity = builder.identity; this.action = builder.action; + this.isAccessAttempt = builder.isAccessAttempt; + this.isAnonymous = builder.isAnonymous; this.context = builder.context == null ? null : Collections.unmodifiableMap(builder.context); this.eventAttributes = builder.context == null ? null : Collections.unmodifiableMap(builder.eventAttributes); } @@ -54,7 +59,7 @@ public class AuthorizationRequest { } /** - * The identity accessing the Resource. Not null. + * The identity accessing the Resource. May be null if the user could not authenticate. * * @return The identity */ 
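Review bot: The constructor now accepts a null `identity` for every request, because the `Objects.requireNonNull(builder.identity, …)` check is dropped and nothing ties a null identity to `isAnonymous`. Any `Authorizer` that looks up or compares `getIdentity()` then has to guard against null itself, and a request with `isAnonymous == false` and no identity is built without complaint. If null is meant only for callers that did not authenticate, a guard placed after the null checks would keep that invariant in one place: `if (!builder.isAnonymous && builder.identity == null) { throw new IllegalArgumentException("An identity is required for a non-anonymous request"); }`. The message on the `isAccessAttempt` check also reads "is request" where "is required" looks intended. Separately, the unchanged `eventAttributes` assignment tests `builder.context == null`, which looks like it should test `builder.eventAttributes`.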
@@ -63,6 +68,24 @@ public class AuthorizationRequest { } /** + * Whether this is a direct access attempt of the Resource if if it's being checked as part of another response. + * + * @return if this is a direct access attempt + */ + public boolean isAccessAttempt() { + return isAccessAttempt; + } + + /** + * Whether the entity accessing is anonymous. + * + * @return whether the entity is anonymous + */ + public boolean isAnonymous() { + return isAnonymous; + } + + /** * The action being taken against the Resource. Not null. * * @return The action @@ -96,6 +119,8 @@ public class AuthorizationRequest { private Resource resource; private String identity; + private Boolean isAnonymous; + private Boolean isAccessAttempt; private RequestAction action; private Map<String, String> context; private Map<String, String> eventAttributes; @@ -110,6 +135,16 @@ public class AuthorizationRequest { return this; } + public Builder anonymous(final Boolean isAnonymous) { + this.isAnonymous = isAnonymous; + return this; + } + + public Builder accessAttempt(final Boolean isAccessAttempt) { + this.isAccessAttempt = isAccessAttempt; + return this; + } + public Builder action(final RequestAction action) { this.action = action; return this; http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java b/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java index 01a76e4..5aec6f0 100644 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java +++ b/nifi-api/src/main/java/org/apache/nifi/authorization/Authorizer.java 
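Review bot: The Javadoc added for `isAccessAttempt()` is garbled ("if if it's being checked as part of another response") and does not say which value means what. I would reword the first sentence to `Whether this is a direct access attempt of the Resource, as opposed to a check made as part of another response.` and state on `@return` that `true` means a direct access attempt. Authorizer implementers presumably key audit behaviour on this flag, though that use is not visible in this hunk, so the contract is worth spelling out.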
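Review bot: The new `anonymous(...)` and `accessAttempt(...)` setters in the `@@ -110,6 +135,16 @@` hunk take a boxed `Boolean`, so an explicit null is accepted here and only rejected later by the `requireNonNull` checks in the constructor. Keeping the fields boxed so that an unset flag fails the build is a reasonable choice for an authorization request, but the setters themselves can take primitives: `public Builder anonymous(final boolean isAnonymous) {` and `public Builder accessAttempt(final boolean isAccessAttempt) {`. A one-line Javadoc on each saying the flag is mandatory would also help, since a caller that omits either call gets a NullPointerException rather than a default. The Builder class starts and ends outside these hunks.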
@@ -16,7 +16,6 @@ */ package org.apache.nifi.authorization; -import org.apache.nifi.authorization.exception.AuthorityAccessException; import org.apache.nifi.authorization.exception.AuthorizationAccessException; import org.apache.nifi.authorization.exception.AuthorizerCreationException; import org.apache.nifi.authorization.exception.AuthorizerDestructionException; @@ -31,7 +30,7 @@ public interface Authorizer { * * @param request The authorization request * @return the authorization result - * @throws AuthorityAccessException if unable to access the authorities + * @throws AuthorizationAccessException if unable to access the authorities */ AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException; http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java b/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java deleted file mode 100644 index 416f3cf..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/DownloadAuthorization.java +++ /dev/null 
@@ -1,83 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization; - -/** - * Represents a decision whether authorization is granted to download content. - */ -public class DownloadAuthorization { - - private static enum Result { - - Approved, - Denied; - } - - private static final DownloadAuthorization APPROVED = new DownloadAuthorization(Result.Approved, null); - - private final Result result; - private final String explanation; - - /** - * Creates a new DownloadAuthorization with the specified result and - * explanation. - * - * @param result of the authorization - * @param explanation for the authorization attempt - */ - private DownloadAuthorization(Result result, String explanation) { - if (Result.Denied.equals(result) && explanation == null) { - throw new IllegalArgumentException("An explanation is required when the download request is denied."); - } - - this.result = result; - this.explanation = explanation; - } - - /** - * @return Whether or not the download request is approved - */ - public boolean isApproved() { - return Result.Approved.equals(result); - } - - /** - * @return If the download request is denied, the reason why. 
Null otherwise - */ - public String getExplanation() { - return explanation; - } - - /** - * @return a new approved DownloadAuthorization - */ - public static DownloadAuthorization approved() { - return APPROVED; - } - - /** - * Creates a new denied DownloadAuthorization with the specified - * explanation. - * - * @param explanation for why it was denied - * @return a new denied DownloadAuthorization with the specified explanation - * @throws IllegalArgumentException if explanation is null - */ - public static DownloadAuthorization denied(String explanation) { - return new DownloadAuthorization(Result.Denied, explanation); - } -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java b/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java deleted file mode 100644 index 5ac2af7..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/annotation/AuthorityProviderContext.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.annotation; - -import java.lang.annotation.Documented; -import java.lang.annotation.ElementType; -import java.lang.annotation.Inherited; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.lang.annotation.Target; - -/** - * - * - */ -@Documented -@Target({ElementType.FIELD, ElementType.METHOD}) -@Retention(RetentionPolicy.RUNTIME) -@Inherited -public @interface AuthorityProviderContext { -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java deleted file mode 100644 index be64767..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/AuthorityAccessException.java +++ /dev/null 
@@ -1,33 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.exception; - -/** - * Represents the case when the DN could not be confirmed because it was unable - * to access the data store. - */ -public class AuthorityAccessException extends RuntimeException { - - public AuthorityAccessException(String message, Throwable cause) { - super(message, cause); - } - - public AuthorityAccessException(String message) { - super(message); - } - -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java deleted file mode 100644 index ba80b6e..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/IdentityAlreadyExistsException.java +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.exception; - -/** - * Represents the case when the user identity already exists. - */ -public class IdentityAlreadyExistsException extends RuntimeException { - - public IdentityAlreadyExistsException(String message, Throwable cause) { - super(message, cause); - } - - public IdentityAlreadyExistsException(String message) { - super(message); - } - -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java deleted file mode 100644 index 24ac793..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderCreationException.java +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.exception; - -/** - * Represents the exceptional case when an AuthorityProvider fails instantiated. - * - */ -public class ProviderCreationException extends RuntimeException { - - public ProviderCreationException() { - } - - public ProviderCreationException(String msg) { - super(msg); - } - - public ProviderCreationException(Throwable cause) { - super(cause); - } - - public ProviderCreationException(String msg, Throwable cause) { - super(msg, cause); - } -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java deleted file mode 100644 index 985d3fb..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/ProviderDestructionException.java +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.exception; - -/** - * Represents the exceptional case when an AuthorityProvider fails destruction. - * - */ -public class ProviderDestructionException extends RuntimeException { - - public ProviderDestructionException() { - } - - public ProviderDestructionException(String msg) { - super(msg); - } - - public ProviderDestructionException(Throwable cause) { - super(cause); - } - - public ProviderDestructionException(String msg, Throwable cause) { - super(msg, cause); - } -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java ---------------------------------------------------------------------- diff --git a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java b/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java deleted file mode 100644 index 2ada1c7..0000000 --- a/nifi-api/src/main/java/org/apache/nifi/authorization/exception/UnknownIdentityException.java +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.nifi.authorization.exception; - -/** - * Represents the case when an identity cannot be confirmed. - */ -public class UnknownIdentityException extends RuntimeException { - - public UnknownIdentityException(String message, Throwable cause) { - super(message, cause); - } - - public UnknownIdentityException(String message) { - super(message); - } - -} http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-assembly/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml index 09a8d50..e85c83f 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml 
@@ -325,7 +325,7 @@ language governing permissions and limitations under the License. --> <nifi.flow.configuration.file>./conf/flow.xml.gz</nifi.flow.configuration.file> <nifi.flow.configuration.archive.dir>./conf/archive/</nifi.flow.configuration.archive.dir> <nifi.login.identity.provider.configuration.file>./conf/login-identity-providers.xml</nifi.login.identity.provider.configuration.file> - <nifi.authority.provider.configuration.file>./conf/authority-providers.xml</nifi.authority.provider.configuration.file> + <nifi.authorizer.configuration.file>./conf/authorizers.xml</nifi.authorizer.configuration.file> <nifi.templates.directory>./conf/templates</nifi.templates.directory> <nifi.database.directory>./database_repository</nifi.database.directory> @@ -413,13 +413,9 @@ language governing permissions and limitations under the License. --> <nifi.security.truststoreType /> <nifi.security.truststorePasswd /> <nifi.security.needClientAuth /> - <nifi.security.authorizedUsers.file>./conf/authorized-users.xml</nifi.security.authorizedUsers.file> - <nifi.security.user.credential.cache.duration>24 hours</nifi.security.user.credential.cache.duration> - <nifi.security.user.authority.provider>file-provider</nifi.security.user.authority.provider> + <nifi.security.user.authorizer>file-provider</nifi.security.user.authorizer> <nifi.security.user.login.identity.provider /> <nifi.security.x509.principal.extractor /> - <nifi.security.support.new.account.requests /> - <nifi.security.anonymous.authorities /> <nifi.security.ocsp.responder.url /> <nifi.security.ocsp.responder.certificate /> http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java ---------------------------------------------------------------------- 
diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java index 517b19a..63693bf 100644 --- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java +++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java @@ -28,14 +28,10 @@ import java.nio.file.InvalidPathException; import java.nio.file.Path; import java.nio.file.Paths; import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; -import java.util.Set; public class NiFiProperties extends Properties { @@ -48,7 +44,7 @@ public class NiFiProperties extends Properties { public static final String PROPERTIES_FILE_PATH = "nifi.properties.file.path"; public static final String FLOW_CONFIGURATION_FILE = "nifi.flow.configuration.file"; public static final String FLOW_CONFIGURATION_ARCHIVE_FILE = "nifi.flow.configuration.archive.file"; - public static final String AUTHORITY_PROVIDER_CONFIGURATION_FILE = "nifi.authority.provider.configuration.file"; + public static final String AUTHORIZER_CONFIGURATION_FILE = "nifi.authorizer.configuration.file"; public static final String LOGIN_IDENTITY_PROVIDER_CONFIGURATION_FILE = "nifi.login.identity.provider.configuration.file"; public static final String REPOSITORY_DATABASE_DIRECTORY = "nifi.database.directory"; public static final String RESTORE_DIRECTORY = "nifi.restore.directory"; 
@@ -131,13 +127,10 @@ public class NiFiProperties extends Properties { public static final String SECURITY_TRUSTSTORE_TYPE = "nifi.security.truststoreType"; public static final String SECURITY_TRUSTSTORE_PASSWD = "nifi.security.truststorePasswd"; public static final String SECURITY_NEED_CLIENT_AUTH = "nifi.security.needClientAuth"; - public static final String SECURITY_USER_AUTHORITY_PROVIDER = "nifi.security.user.authority.provider"; + public static final String SECURITY_USER_AUTHORIZER = "nifi.security.user.authorizer"; public static final String SECURITY_USER_LOGIN_IDENTITY_PROVIDER = "nifi.security.user.login.identity.provider"; public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_PORT = "nifi.security.cluster.authority.provider.port"; public static final String SECURITY_CLUSTER_AUTHORITY_PROVIDER_THREADS = "nifi.security.cluster.authority.provider.threads"; - public static final String SECURITY_USER_CREDENTIAL_CACHE_DURATION = "nifi.security.user.credential.cache.duration"; - public static final String SECURITY_SUPPORT_NEW_ACCOUNT_REQUESTS = "nifi.security.support.new.account.requests"; - public static final String SECURITY_ANONYMOUS_AUTHORITIES = "nifi.security.anonymous.authorities"; public static final String SECURITY_OCSP_RESPONDER_URL = "nifi.security.ocsp.responder.url"; public static final String SECURITY_OCSP_RESPONDER_CERTIFICATE = "nifi.security.ocsp.responder.certificate"; @@ -504,10 +497,10 @@ public class NiFiProperties extends Properties { } /** - * @return the user authorities file + * @return the user authorizers file */ - public File getAuthorityProviderConfiguraitonFile() { - final String value = getProperty(AUTHORITY_PROVIDER_CONFIGURATION_FILE); + public File getAuthorizerConfiguraitonFile() { + final String value = getProperty(AUTHORIZER_CONFIGURATION_FILE); if (StringUtils.isBlank(value)) { return new File(DEFAULT_AUTHORITY_PROVIDER_CONFIGURATION_FILE); } else { 
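Review bot: `getAuthorizerConfiguraitonFile()` still falls back to `DEFAULT_AUTHORITY_PROVIDER_CONFIGURATION_FILE` when the property is blank, and no visible hunk updates that constant, so the default may still point at the old authority-providers file rather than the `./conf/authorizers.xml` the assembly pom now sets. An existing nifi.properties that sets only the old `nifi.authority.provider.configuration.file` key would also reach this fallback silently, so the authorization configuration actually loaded could differ from what the operator configured. Logging a warning when the old key is present and the new one is absent would make that visible. Since the method is renamed in this commit anyway, the spelling could be fixed at the same time: `public File getAuthorizerConfigurationFile() {`. The method body continues past the end of the hunk.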
@@ -541,40 +534,6 @@ public class NiFiProperties extends Properties { return needClientAuth; } - public String getUserCredentialCacheDuration() { - return getProperty(SECURITY_USER_CREDENTIAL_CACHE_DURATION, - DEFAULT_USER_CREDENTIAL_CACHE_DURATION); - } - - public boolean getSupportNewAccountRequests() { - boolean shouldSupport = true; - String rawShouldSupport = getProperty(SECURITY_SUPPORT_NEW_ACCOUNT_REQUESTS); - if ("false".equalsIgnoreCase(rawShouldSupport)) { - shouldSupport = false; - } - return shouldSupport; - } - - @SuppressWarnings("unchecked") - public Set<String> getAnonymousAuthorities() { - final Set<String> authorities; - - final String rawAnonymousAuthorities = getProperty(SECURITY_ANONYMOUS_AUTHORITIES); - if (!StringUtils.isEmpty(rawAnonymousAuthorities)) { - authorities = new HashSet<>(); - - // parse the raw authorities and trim them - final List<String> authoritiesList = Arrays.asList(rawAnonymousAuthorities.split(",")); - for (final String authority : authoritiesList) { - authorities.add(authority.trim()); - } - } else { - authorities = Collections.EMPTY_SET; - } - - return authorities; - } - // getters for web properties // public Integer getPort() { Integer port = null; @@ -922,7 +881,7 @@ public class NiFiProperties extends Properties { * @return true if client certificates are required for access to the REST API */ public boolean isClientAuthRequiredForRestApi() { - return StringUtils.isBlank(getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER)) && getAnonymousAuthorities().isEmpty() && !isKerberosServiceSupportEnabled(); + return StringUtils.isBlank(getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER)) && !isKerberosServiceSupportEnabled(); } public InetSocketAddress getNodeApiAddress() { http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties ---------------------------------------------------------------------- 
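Review bot: The Javadoc on `isClientAuthRequiredForRestApi()` in the `@@ -922,7 +881,7 @@` hunk should state the rule the method now implements, because dropping the `getAnonymousAuthorities().isEmpty()` term changes when TLS client certificates are demanded. I would add a sentence such as `Client certificates are required unless a login identity provider is configured or Kerberos service support is enabled.` A deployment that relied on `nifi.security.anonymous.authorities` for certificate-less HTTPS access will see the requirement tighten after upgrade. That is the fail-closed direction, but the property is now ignored without any message, so a note for upgraders would help. The Javadoc block starts above the hunk.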
diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties index 720c050..898cebf 100644 --- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties +++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.blank.properties @@ -83,11 +83,7 @@ nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd= nifi.security.needClientAuth= -nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml -nifi.security.user.credential.cache.duration=24 hours -nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider -nifi.security.support.new.account.requests= -nifi.security.default.user.roles= +nifi.security.user.authorizer= # cluster common properties (cluster manager and nodes must have same values) # nifi.cluster.protocol.heartbeat.interval=5 sec http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties ---------------------------------------------------------------------- diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties index 85300ae..786b05f 100644 --- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties +++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.missing.properties 
@@ -81,11 +81,7 @@ nifi.security.truststore=
 nifi.security.truststoreType=
 nifi.security.truststorePasswd=
 nifi.security.needClientAuth=
-nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml
-nifi.security.user.credential.cache.duration=24 hours
-nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider
-nifi.security.support.new.account.requests=
-nifi.security.default.user.roles=
+nifi.security.user.authorizer=
 # cluster common properties (cluster manager and nodes must have same values) #
 nifi.cluster.protocol.heartbeat.interval=5 sec
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
----------------------------------------------------------------------
diff --git a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
index 0ace99e..f9d9b78 100644
--- a/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
+++ b/nifi-commons/nifi-properties/src/test/resources/NiFiProperties/conf/nifi.properties
@@ -83,11 +83,7 @@ nifi.security.truststore=
 nifi.security.truststoreType=
 nifi.security.truststorePasswd=
 nifi.security.needClientAuth=
-nifi.security.authorizedUsers.file=./target/conf/authorized-users.xml
-nifi.security.user.credential.cache.duration=24 hours
-nifi.security.user.authority.provider=nifi.authorization.FileAuthorizationProvider
-nifi.security.support.new.account.requests=
-nifi.security.default.user.roles=
+nifi.security.user.authorizer=
 # cluster common properties (cluster manager and nodes must have same values) #
 nifi.cluster.protocol.heartbeat.interval=5 sec
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 86c340a..8d784c6 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -154,9 +154,6 @@ NiFi provides several different configuration options for security purposes. The by the NiFi cluster protocol. If the Truststore properties are not set, this must be `false`. Otherwise, a value of `true` indicates that nodes in the cluster will be authenticated and must have certificates that are trusted by the Truststores. -|`nifi.security.anonymous.authorities` | Specifies the roles that should be granted to users that connect over HTTPS anonymously. All users can make - use of anonymous access, however if they have been granted a particular level of access by an administrator - it will take precedence if they access NiFi using a client certificate or once they have logged in. |================================================================================================================================================== Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished 
@@ -167,10 +164,10 @@ be accessible from all network interfaces, a value of `0.0.0.0` should be used. NOTE: It is important when enabling HTTPS that the `nifi.web.http.port` property be unset. Similar to `nifi.security.needClientAuth`, the web server can be configured to require certificate based client authentication for users accessing -the User Interface. In order to do this it must be configured to not support username/password authentication (see below) and not grant access to -anonymous users (see `nifi.security.anonymous.authorities` above). Either of these options will configure the web server to WANT certificate based client -authentication. This will allow it to support users with certificates and those without that may be logging in with their credentials or those accessing -anonymously. If username/password authentication and anonymous access are not configured, the web server will REQUIRE certificate based client authentication. +the User Interface. In order to do this it must be configured to not support username/password authentication (see below). Either of these options +will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without +that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured, +the web server will REQUIRE certificate based client authentication. Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is accomplished by setting the `nifi.remote.input.secure` and `nifi.cluster.protocol.is.secure` properties, respectively, to `true`. 
@@ -289,127 +286,6 @@ nifi.security.user.login.identity.provider=kerberos-provider See also <<kerberos_service>> to allow single sign-on access via client Kerberos tickets. -Controlling Levels of Access ----------------------------- - -Once NiFi is configured to run securely and an authentication mechanism is configured, it is necessary -to configure who will have access to the system and what types of access those people will have. -NiFi controls this through the user of an 'Authority Provider.' The Authority Provider is a pluggable -mechanism for providing authorizations to different users. Which Authority Provider to use is configured -using two properties in the _nifi.properties_ file. - -The `nifi.authority.provider.configuration.file` property specifies the configuration file for Authority Providers. -The `nifi.security.user.authority.provider` property indicates which of the configured Authority Providers should be -used. - -By default, the `file-provider` Authority Provider is selected and is configured to use the permissions granted in -the _authorized-users.xml_ file. This is typically sufficient for instances of NiFi that are run in "standalone" mode. -If the NiFi instance is configured to run in a cluster, the node will typically use the `cluster-node-provider` -Provider and the Cluster Manager will typically use the `cluster-ncm-provider` Provider. Both of these Providers -have a default configuration in the _authority-providers.xml_ file but are commented out. - -When using the `cluster-node-provider` Provider, all of the authorization is provided by the Cluster Manager. In this -way, the configuration only has to be maintained in one place and will be consistent across the entire cluster. - -When configuring the Cluster Manager or a standalone node, it is necessary to manually designate an ADMIN user -in the _authorized-users.xml_ file, which is located in the root installation's conf directory. 
-After this ADMIN user has been added, s/he may grant access -to other users, systems, and other instances of NiFi, through the User Interface (UI) without having to manually edit the _authorized-users.xml_ -file. If you are the administrator, you would add yourself as the ADMIN user in this file. - -Open the _authorized-users.xml_ file in a text editor. You will notice that it includes a template -to guide you, with example entries that are commented out. - -It is only necessary to manually add one user, the ADMIN user, to this file. -So, at a minimum, the following example entry should be included and contain the user Distinguished Name (DN) -in place of "user dn - read only and admin": - ----- -<users> - <user dn="[user dn - read only and admin]"> - <role name="ROLE_ADMIN"/> - </user> -</users> ----- - -Here is an LDAP example entry using the name John Smith: - ----- -<users> - <user dn="cn=John Smith,ou=people,dc=example,dc=com"> - <role name="ROLE_ADMIN"/> - </user> -</users> ----- - -Here is a Kerberos example entry using the name John Smith and realm `NIFI.APACHE.ORG`: - ----- -<users> - <user dn="johnsm...@nifi.apache.org"> - <role name="ROLE_ADMIN"/> - </user> -</users> ----- - -After the _authorized-users.xml_ file has been edited and saved, restart NiFi. -Once the application starts, the ADMIN user is -able to access the UI at the HTTPS URL that is configured in the _nifi.properties_ file. - -From the UI, click on the Users icon ( image:iconUsers.png["Users", width=32] ) in the -Management Toolbar (upper-right corner of the UI), and the User Management Page opens. - -The ADMIN user should be listed. Click on the pencil icon to see this user's role(s). You may edit the -roles by selecting the appropriate checkboxes. 
- -The following roles are available in NiFi: - -[options="header,footer"] -|======================================================================================================== -| Role Name | Description -| Administrator | Administrator is able to configure thread pool sizes and user accounts as well as - purge the dataflow change history. -| Data Flow Manager | Data Flow Manager is given the ability to manipulate the dataflow. S/he is able to - add, remove, and manipulate components on the graph; add, remove, and manipulate - Controller Services and Reporting Tasks; create and manage templates; - view statistics; and view the bulletin board. -| Read Only | Users with Read Only access are able to view the dataflow but are unable to change anything. -| Provenance | Users with Provenance access are able to query the Data Provenance repository and view - the lineage of data. Additionally, this role provides the ability to view or download - the content of a FlowFile from a Provenance event (assuming that the content is still - available in the Content Repository and that the Authority Provider also grants access). - This access is not provided to users with Read Only - (unless the user has both Read Only and Provenance roles) because the information provided - to users with this role can potentially be very sensitive in nature, as all FlowFile attributes - and data are exposed. In order to Replay a Provenance event, a user is required to have both - the Provenance role as well as the Data Flow Manager role. -| NiFi | The NiFi Role is intended to be assigned to machines that will interact with an instance of NiFi - via Site-to-Site. This role provides the ability to send data to or retrieve data from Root - Group Ports (but only those that they are given permissions to interact with - see the User Guide - for more information on providing access to specific Ports) as well as obtain information about - which Ports exist. 
Note that this role allows the client to know only about the Ports that it - has permissions to interact with. -| Proxy | The Proxy Role is assigned to a system in order to grant that system permission to make requests - on behalf of a user. For instance, if an HTTP proxy service is used to gain access to the system, - the certificate being used by that service can be given the Proxy Role. -|======================================================================================================== - - -When users want access to the NiFi UI, they navigate to the configured URL and are -prompted to request access. When someone has requested access, the ADMIN user sees a star -on the Users icon in the Management Toolbar, alerting the ADMIN to the fact that a request is -pending. Upon opening the User Management Page, the pending request is visible, and the ADMIN -can grant access and click on the pencil icon to set the user's roles appropriately. - -The ADMIN may also select multiple users and add them to a "Group". Hold down the Shift key and select -multiple users, then click the `Group` button in the upper-right corner of the User Management Page. -Then, provide a name for the group. - -The group feature is especially useful when a remote NiFi cluster is connecting to this NiFi using -a Remote Process Group. In that scenario, all the nodes -in the remote cluster can be included in the same group. When the ADMIN wants to grant port access to the remote -cluster, s/he can grant it to the group and avoid having to grant it individually to each node in the cluster. - [[encryption]] Encryption Configuration ------------------------ 
@@ -1454,15 +1330,8 @@ Security Configuration section of this Administrator's Guide. |nifi.security.truststoreType|The truststore type. It is blank by default. |nifi.security.truststorePasswd|The truststore password. It is blank by default. |nifi.security.needClientAuth|This indicates whether client authentication in the cluster protocol. It is blank by default. -|nifi.security.user.credential.cache.duration|The length of time to cache user credentials. The default value is 24 hours. -|nifi.security.user.authority.provider|This indicates what type of authority provider to use. The default value is file-provider, which refers to the file -configured in the core property `nifi.authority.provider.configuration.file`. Another authority provider may be used, such as when the NiFi instance is part of a cluster. But the default value of file-provider is fine for a standalone instance of NiFi. |nifi.security.user.login.identity.provider|This indicates what type of login identity provider to use. The default value is blank, can be set to the identifier from a provider in the file specified in `nifi.login.identity.provider.configuration.file`. Setting this property will trigger NiFi to support username/password authentication. -|nifi.security.support.new.account.requests|This indicates whether a secure NiFi is configured to allow users to request access. It is blank by default. -|nifi.security.anonymous.authorities|This indicates what roles to grant to anonymous users accessing NiFi over HTTPS. It is blank by default, but could be -set to any combination of ROLE_MONITOR, ROLE_DFM, ROLE_ADMIN, ROLE_PROVENANCE, ROLE_NIFI. Leaving this property blank will require that users accessing NiFi -over HTTPS be authenticated either using a client certificate or their credentials against the configured log identity provider. |nifi.security.ocsp.responder.url|This is the URL for the Online Certificate Status Protocol (OCSP) responder if one is being used. It is blank by default. 
|nifi.security.ocsp.responder.certificate|This is the location of the OCSP responder certificate if one is being used. It is blank by default.
 |====
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
index 672a3ee..478ffaf 100644
--- a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
+++ b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java
@@ -26,7 +26,7 @@ import com.datastax.driver.core.Session;
 import org.apache.avro.Schema;
 import org.apache.avro.SchemaBuilder;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authentication.exception.ProviderCreationException;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
 import org.apache.nifi.components.ValidationContext;
http://git-wip-us.apache.org/repos/asf/nifi/blob/153f63ef/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
index 1f62997..19e2320 100644
--- a/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
+++ b/nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java
@@ -22,7 +22,7 @@ import com.datastax.driver.core.DataType;
 import com.datastax.driver.core.Metadata;
 import com.datastax.driver.core.Row;
 import com.google.common.collect.Sets;
-import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authentication.exception.ProviderCreationException;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.processor.ProcessContext;
 import org.apache.nifi.processor.ProcessSession;