From 2964ef24c05ceb6a8e84e73d34f6b64f8f85b863 Mon Sep 17 00:00:00 2001 From: Bryan Bende Date: Tue, 2 Aug 2016 10:24:50 -0400 Subject: [PATCH] NIFI-2453 Making FileAuthorizer perform initial seeding when users and groups are already present --- .../nifi/authorization/FileAuthorizer.java | 77 ++++++++++--------- .../authorization/FileAuthorizerTest.java | 53 +++++++++++++ 2 files changed, 93 insertions(+), 37 deletions(-) diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java index a7e41ea1f4e1..69733a8a657c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAuthorizer.java @@ -257,7 +257,7 @@ private synchronized void load() throws JAXBException, IOException, IllegalState } final AuthorizationsHolder authorizationsHolder = new AuthorizationsHolder(authorizations, tenants); - final boolean emptyAuthorizations = authorizationsHolder.getAllUsers().isEmpty() && authorizationsHolder.getAllPolicies().isEmpty(); + final boolean emptyAuthorizations = authorizationsHolder.getAllPolicies().isEmpty(); final boolean hasInitialAdminIdentity = (initialAdminIdentity != null && !StringUtils.isBlank(initialAdminIdentity)); final boolean hasLegacyAuthorizedUsers = (legacyAuthorizedUsersFile != null && !StringUtils.isBlank(legacyAuthorizedUsersFile)); @@ -319,12 +319,7 @@ private void parseFlow() throws SAXException { * Creates the initial admin user and policies for access the flow and managing users and policies. */ private void populateInitialAdmin(final Authorizations authorizations, Tenants tenants) { - // generate an identifier and add a User with the given identifier and identity - final UUID adminIdentifier = UUID.nameUUIDFromBytes(initialAdminIdentity.getBytes(StandardCharsets.UTF_8)); - final User adminUser = new User.Builder().identifier(adminIdentifier.toString()).identity(initialAdminIdentity).build(); - - final org.apache.nifi.authorization.file.tenants.generated.User jaxbAdminUser = createJAXBUser(adminUser); - tenants.getUsers().getUser().add(jaxbAdminUser); + final org.apache.nifi.authorization.file.tenants.generated.User adminUser = getOrCreateUser(tenants, initialAdminIdentity); // grant the user read access to the /flow resource addAccessPolicy(authorizations, ResourceType.Flow.getValue(), adminUser.getIdentifier(), READ_CODE); @@ -358,24 +353,7 @@ private void populateInitialAdmin(final Authorizations authorizations, Tenants t */ private void populateNodes(Authorizations authorizations, Tenants tenants) { for (String nodeIdentity : nodeIdentities) { - // see if we have an existing user for the given node identity - org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = null; - for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) { - if (user.getIdentity().equals(nodeIdentity)) { - jaxbNodeUser = user; - break; - } - } - - // if we didn't find an existing user then create a new one - if (jaxbNodeUser == null) { - // generate an identifier and add a User with the given identifier and identity - final UUID nodeIdentifier = UUID.nameUUIDFromBytes(nodeIdentity.getBytes(StandardCharsets.UTF_8)); - final User nodeUser = new User.Builder().identifier(nodeIdentifier.toString()).identity(nodeIdentity).build(); - - jaxbNodeUser = createJAXBUser(nodeUser); - tenants.getUsers().getUser().add(jaxbNodeUser); - } + final org.apache.nifi.authorization.file.tenants.generated.User jaxbNodeUser = getOrCreateUser(tenants, nodeIdentity); // grant access to the proxy resource addAccessPolicy(authorizations, ResourceType.Proxy.getValue(), jaxbNodeUser.getIdentifier(), READ_CODE); @@ -433,19 +411,13 @@ private void convertLegacyAuthorizedUsers(final Authorizations authorizations, f for (org.apache.nifi.user.generated.User legacyUser : users.getUser()) { // create the identifier of the new user based on the DN final String legacyUserDn = IdentityMappingUtil.mapIdentity(legacyUser.getDn(), identityMappings); - final String userIdentifier = UUID.nameUUIDFromBytes(legacyUserDn.getBytes(StandardCharsets.UTF_8)).toString(); - - // create the new User and add it to the list of users - org.apache.nifi.authorization.file.tenants.generated.User user = new org.apache.nifi.authorization.file.tenants.generated.User(); - user.setIdentifier(userIdentifier); - user.setIdentity(legacyUserDn); - tenants.getUsers().getUser().add(user); + org.apache.nifi.authorization.file.tenants.generated.User user = getOrCreateUser(tenants, legacyUserDn); // if there was a group name find or create the group and add the user to it org.apache.nifi.authorization.file.tenants.generated.Group group = getOrCreateGroup(tenants, legacyUser.getGroup()); if (group != null) { org.apache.nifi.authorization.file.tenants.generated.Group.User groupUser = new org.apache.nifi.authorization.file.tenants.generated.Group.User(); - groupUser.setIdentifier(userIdentifier); + groupUser.setIdentifier(user.getIdentifier()); group.getUser().add(groupUser); } @@ -464,7 +436,7 @@ private void convertLegacyAuthorizedUsers(final Authorizations authorizations, f roleAccessPolicy.getAction()); // add the user to the policy if it doesn't exist - addUserToPolicy(userIdentifier, policy); + addUserToPolicy(user.getIdentifier(), policy); } } @@ -589,11 +561,42 @@ private void addGroupToPolicy(final String groupIdentifier, final Policy policy) } /** - * Finds the Group with the given name, or creates a new one and adds it to Authorizations. + * Finds the User with the given identity, or creates a new one and adds it to the Tenants. + * + * @param tenants the Tenants reference + * @param userIdentity the user identity to find or create + * @return the User from Tenants with the given identity, or a new instance that was added to Tenants + */ + private org.apache.nifi.authorization.file.tenants.generated.User getOrCreateUser(final Tenants tenants, final String userIdentity) { + if (StringUtils.isBlank(userIdentity)) { + return null; + } + + org.apache.nifi.authorization.file.tenants.generated.User foundUser = null; + for (org.apache.nifi.authorization.file.tenants.generated.User user : tenants.getUsers().getUser()) { + if (user.getIdentity().equals(userIdentity)) { + foundUser = user; + break; + } + } + + if (foundUser == null) { + final String userIdentifier = UUID.nameUUIDFromBytes(userIdentity.getBytes(StandardCharsets.UTF_8)).toString(); + foundUser = new org.apache.nifi.authorization.file.tenants.generated.User(); + foundUser.setIdentifier(userIdentifier); + foundUser.setIdentity(userIdentity); + tenants.getUsers().getUser().add(foundUser); + } + + return foundUser; + } + + /** + * Finds the Group with the given name, or creates a new one and adds it to Tenants. * - * @param tenants the Authorizations reference + * @param tenants the Tenants reference * @param groupName the name of the group to look for - * @return the Group from Authorizations with the given name, or a new instance + * @return the Group from Tenants with the given name, or a new instance that was added to Tenants */ private org.apache.nifi.authorization.file.tenants.generated.Group getOrCreateGroup(final Tenants tenants, final String groupName) { if (StringUtils.isBlank(groupName)) { diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java index 5c77e44b215c..565e55a559eb 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/test/java/org/apache/nifi/authorization/FileAuthorizerTest.java @@ -131,6 +131,16 @@ public class FileAuthorizerTest { " " + ""; + private static final String TENANTS_FOR_ADMIN_AND_NODES = + "" + + "" + + " " + + " " + + " " + + " " + + " " + + ""; + // This is the root group id from the flow.xml.gz in src/test/resources private static final String ROOT_GROUP_ID = "e530e14c-adcf-41c2-b5d6-d9a59ba8765c"; @@ -650,6 +660,49 @@ public void testOnConfiguredWhenNodeIdentitiesProvided() throws Exception { assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier())); } + @Test + public void testOnConfiguredWhenNodeIdentitiesProvidedAndUsersAlreadyExist() throws Exception { + final String adminIdentity = "admin-user"; + + when(configurationContext.getProperty(Mockito.eq(FileAuthorizer.PROP_INITIAL_ADMIN_IDENTITY))) + .thenReturn(new StandardPropertyValue(adminIdentity, null)); + + final String nodeIdentity1 = "node1"; + final String nodeIdentity2 = "node2"; + + final Map props = new HashMap<>(); + props.put("Node Identity 1", nodeIdentity1); + props.put("Node Identity 2", nodeIdentity2); + + when(configurationContext.getProperties()).thenReturn(props); + + writeFile(primaryAuthorizations, EMPTY_AUTHORIZATIONS_CONCISE); + writeFile(primaryTenants, TENANTS_FOR_ADMIN_AND_NODES); + authorizer.onConfigured(configurationContext); + + assertEquals(3, authorizer.getUsers().size()); + + User adminUser = authorizer.getUserByIdentity(adminIdentity); + assertNotNull(adminUser); + + User nodeUser1 = authorizer.getUserByIdentity(nodeIdentity1); + assertNotNull(nodeUser1); + + User nodeUser2 = authorizer.getUserByIdentity(nodeIdentity2); + assertNotNull(nodeUser2); + + AccessPolicy proxyReadPolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.READ); + AccessPolicy proxyWritePolicy = authorizer.getUsersAndAccessPolicies().getAccessPolicy(ResourceType.Proxy.getValue(), RequestAction.WRITE); + + assertNotNull(proxyReadPolicy); + assertTrue(proxyReadPolicy.getUsers().contains(nodeUser1.getIdentifier())); + assertTrue(proxyReadPolicy.getUsers().contains(nodeUser2.getIdentifier())); + + assertNotNull(proxyWritePolicy); + assertTrue(proxyWritePolicy.getUsers().contains(nodeUser1.getIdentifier())); + assertTrue(proxyWritePolicy.getUsers().contains(nodeUser2.getIdentifier())); + } + @Test public void testOnConfiguredWhenNodeIdentitiesProvidedWithIdentityMappings() throws Exception { final Properties props = new Properties();