nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Bende <bbe...@gmail.com>
Subject Re: Ranger-plugin authorises "anonymous" for /flow
Date Mon, 09 Apr 2018 13:28:09 GMT
Hello,

I don't see any issue with the code you linked to. It's saying "if the
ranger policies say the operation is allowed, then return approved".

Is '{USER}' a special syntax in Ranger? or are you using that as a
placeholder in email so you don't have to provide the real user
identity?

I haven't seen that syntax before so just trying to understand what
{USER} and {OWNER} mean here.

-Bryan


On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
<johannes@perceivon.net> wrote:
> I'm trying to harden my NiFi instance's authorizations and auditing using
> Ranger (which is backed by an LDAP instance).
>
> In Ranger I have defined a couple of resources defined to be authorized for
> the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
>
> Turns out that if I add `{USER}` to the resource containing "/flow" I can
> read the flow as anonymous user, which is exactly the opposite of what I
> want.
>
> Some digging last week lead me to believe that this is due to the way
> RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the
> completely wrong track here.
>
> Is there any way to prevent `anonymous` from doing anything in NiFi,
> through Ranger?
>
> Best regards
> Johannes Meixner
>
>
> [1]
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188

Mime
View raw message