Repository: nifi Updated Branches: refs/heads/master 2ec43076f -> c27763a12
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
new file mode 100755
index 0000000..607d979
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
@@ -0,0 +1,15 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
new file mode 100644
index 0000000..6a12ba7
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
@@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.nifi.ranger.authorization; + +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.util.ServicePolicies; +import org.junit.Assert; +import org.junit.Test; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.HashMap; + +public class TestRangerBasePluginWithPolicies { + + @Test + public void testDoesPolicyExist() { + final String resourceIdentifier1 = "resource1"; + RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1); + + final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>(); + policy1Resources.put(resourceIdentifier1, resource1); + + final RangerPolicy policy1 = new RangerPolicy(); + policy1.setResources(policy1Resources); + + final String resourceIdentifier2 = "resource2"; + RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2); + + final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>(); + policy2Resources.put(resourceIdentifier2, resource2); + + final RangerPolicy policy2 = new 
RangerPolicy(); + policy2.setResources(policy2Resources); + + final List<RangerPolicy> policies = new ArrayList<>(); + policies.add(policy1); + policies.add(policy2); + + final ServicePolicies servicePolicies = new ServicePolicies(); + servicePolicies.setPolicies(policies); + + // set all the policies in the plugin + final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi"); + pluginWithPolicies.setPolicies(servicePolicies); + + Assert.assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1)); + Assert.assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2)); + Assert.assertFalse(pluginWithPolicies.doesPolicyExist("resource3")); + } + +} http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java new file mode 100644 index 0000000..876b3f3 --- /dev/null +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java 
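Review bot: `testDoesPolicyExist` uses the same string as both the resources-map key and the `RangerPolicyResource` value (`policy1Resources.put(resourceIdentifier1, resource1)` with `new RangerPolicy.RangerPolicyResource(resourceIdentifier1)`), so the assertions pass whether `doesPolicyExist` matches on map keys or on resource values. Ranger policies key that map by the resource-definition name rather than by the resource path, and `TestRangerNiFiAuthorizer` in this commit shows `doesPolicyExist` deciding between `resourceNotFound` and `denied`, so a key/value mix-up would change authorization outcomes without failing this test. Keying the map by a distinct name, e.g. `policy1Resources.put(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resource1);`, would pin the lookup to the resource values. The implementation of `doesPolicyExist` is not in this hunk, so confirm which side it reads.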
@@ -0,0 +1,561 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.nifi.ranger.authorization; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.nifi.authorization.AuthorizationRequest; +import org.apache.nifi.authorization.AuthorizationResult; +import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.AuthorizerConfigurationContext; +import org.apache.nifi.authorization.AuthorizerInitializationContext; +import org.apache.nifi.authorization.RequestAction; +import org.apache.nifi.authorization.Resource; +import org.apache.nifi.authorization.UserContextKeys; +import org.apache.nifi.authorization.exception.AuthorizerCreationException; +import org.apache.nifi.util.MockPropertyValue; +import org.apache.nifi.util.NiFiProperties; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; +import 
org.junit.Assert; +import org.junit.Before; +import org.junit.Ignore; +import org.junit.Test; +import org.mockito.ArgumentMatcher; +import org.mockito.Mockito; + +import javax.security.auth.login.LoginException; +import java.io.File; +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.notNull; +import static org.mockito.Mockito.argThat; +import static org.mockito.Mockito.eq; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +public class TestRangerNiFiAuthorizer { + + private MockRangerNiFiAuthorizer authorizer; + private RangerBasePluginWithPolicies rangerBasePlugin; + private AuthorizerConfigurationContext configurationContext; + private NiFiProperties nifiProperties; + + private String serviceType = "nifiService"; + private String appId = "nifiAppId"; + + private RangerAccessResult allowedResult; + private RangerAccessResult notAllowedResult; + + @Before + public void setup() { + // have to initialize this system property before anything else + File krb5conf = new File("src/test/resources/krb5.conf"); + assertTrue(krb5conf.exists()); + System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath()); + + // rest the authentication to simple in case any tests set it to kerberos + final Configuration securityConf = new Configuration(); + securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple"); + UserGroupInformation.setConfiguration(securityConf); + + configurationContext = createMockConfigContext(); + rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class); + authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.onConfigured(configurationContext); + + assertFalse(UserGroupInformation.isSecurityEnabled()); + + allowedResult = 
Mockito.mock(RangerAccessResult.class); + when(allowedResult.getIsAllowed()).thenReturn(true); + + notAllowedResult = Mockito.mock(RangerAccessResult.class); + when(notAllowedResult.getIsAllowed()).thenReturn(false); + } + + private AuthorizerConfigurationContext createMockConfigContext() { + AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))) + .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml", null)); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))) + .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml", null)); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP))) + .thenReturn(new MockPropertyValue(appId, null)); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP))) + .thenReturn(new MockPropertyValue(serviceType, null)); + + return configurationContext; + } + + @Test + public void testOnConfigured() { + verify(rangerBasePlugin, times(1)).init(); + + assertEquals(appId, authorizer.mockRangerBasePlugin.getAppId()); + assertEquals(serviceType, authorizer.mockRangerBasePlugin.getServiceType()); + } + + @Test + public void testKerberosEnabledWithoutKeytab() { + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP))) + .thenReturn(new MockPropertyValue("true", null)); + + nifiProperties = Mockito.mock(NiFiProperties.class); + when(nifiProperties.getKerberosServicePrincipal()).thenReturn(""); + + authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.setNiFiProperties(nifiProperties); + + try { + authorizer.onConfigured(configurationContext); + Assert.fail("Should have thrown exception"); + } catch (AuthorizerCreationException e) { + // want to make sure this exception is from our 
authorizer code + veryifyOnlyAuthorizerCreationExceptions(e); + } + } + + @Test + public void testKerberosEnabledWithoutPrincipal() { + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP))) + .thenReturn(new MockPropertyValue("true", null)); + + nifiProperties = Mockito.mock(NiFiProperties.class); + when(nifiProperties.getKerberosKeytabLocation()).thenReturn(""); + + authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.setNiFiProperties(nifiProperties); + + try { + authorizer.onConfigured(configurationContext); + Assert.fail("Should have thrown exception"); + } catch (AuthorizerCreationException e) { + // want to make sure this exception is from our authorizer code + veryifyOnlyAuthorizerCreationExceptions(e); + } + } + + @Test + public void testKerberosEnabledWithoutKeytabOrPrincipal() { + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP))) + .thenReturn(new MockPropertyValue("true", null)); + + nifiProperties = Mockito.mock(NiFiProperties.class); + when(nifiProperties.getKerberosKeytabLocation()).thenReturn(""); + when(nifiProperties.getKerberosServicePrincipal()).thenReturn(""); + + authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.setNiFiProperties(nifiProperties); + + try { + authorizer.onConfigured(configurationContext); + Assert.fail("Should have thrown exception"); + } catch (AuthorizerCreationException e) { + // want to make sure this exception is from our authorizer code + veryifyOnlyAuthorizerCreationExceptions(e); + } + } + + private void veryifyOnlyAuthorizerCreationExceptions(AuthorizerCreationException e) { + boolean foundOtherException = false; + Throwable cause = e.getCause(); + while (cause != null) { + if (!(cause instanceof AuthorizerCreationException)) { + foundOtherException = true; + break; + } + cause = cause.getCause(); + } + assertFalse(foundOtherException); + } + + @Test + public void testKerberosEnabled() { + 
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP))) + .thenReturn(new MockPropertyValue("true", null)); + + nifiProperties = Mockito.mock(NiFiProperties.class); + when(nifiProperties.getKerberosKeytabLocation()).thenReturn("test"); + when(nifiProperties.getKerberosServicePrincipal()).thenReturn("test"); + + authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.setNiFiProperties(nifiProperties); + + try { + authorizer.onConfigured(configurationContext); + Assert.fail("Should have thrown exception"); + } catch (AuthorizerCreationException e) { + // getting a LoginException here means we attempted to login which is what we want + boolean foundLoginException = false; + Throwable cause = e.getCause(); + while (cause != null) { + if (cause instanceof LoginException) { + foundLoginException = true; + break; + } + cause = cause.getCause(); + } + assertTrue(foundLoginException); + } + } + + @Test + public void testApprovedWithDirectAccess() { + final String systemResource = "/system"; + final RequestAction action = RequestAction.WRITE; + final String user = "admin"; + final String clientIp = "192.168.1.1"; + + final Map<String,String> userContext = new HashMap<>(); + userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp); + + // the incoming NiFi request to test + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new MockResource(systemResource, systemResource)) + .action(action) + .identity(user) + .resourceContext(new HashMap<>()) + .userContext(userContext) + .accessAttempt(true) + .anonymous(false) + .build(); + + // the expected Ranger resource and request that are created + final RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource); + + final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl(); + expectedRangerRequest.setResource(resource); 
+ expectedRangerRequest.setAction(request.getAction().name()); + expectedRangerRequest.setAccessType(request.getAction().name()); + expectedRangerRequest.setUser(request.getIdentity()); + expectedRangerRequest.setClientIPAddress(clientIp); + + // a non-null result processor should be used for direct access + when(rangerBasePlugin.isAccessAllowed( + argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), + notNull(RangerAccessResultProcessor.class)) + ).thenReturn(allowedResult); + + final AuthorizationResult result = authorizer.authorize(request); + assertEquals(AuthorizationResult.approved().getResult(), result.getResult()); + } + + @Test + public void testApprovedWithNonDirectAccess() { + final String systemResource = "/system"; + final RequestAction action = RequestAction.WRITE; + final String user = "admin"; + + // the incoming NiFi request to test + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new MockResource(systemResource, systemResource)) + .action(action) + .identity(user) + .resourceContext(new HashMap<>()) + .accessAttempt(false) + .anonymous(false) + .build(); + + // the expected Ranger resource and request that are created + final RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource); + + final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl(); + expectedRangerRequest.setResource(resource); + expectedRangerRequest.setAction(request.getAction().name()); + expectedRangerRequest.setAccessType(request.getAction().name()); + expectedRangerRequest.setUser(request.getIdentity()); + + // no result processor should be provided used non-direct access + when(rangerBasePlugin.isAccessAllowed( + argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), + eq(null)) + ).thenReturn(allowedResult); + + final AuthorizationResult result = authorizer.authorize(request); + 
assertEquals(AuthorizationResult.approved().getResult(), result.getResult()); + } + + @Test + public void testResourceNotFound() { + final String systemResource = "/system"; + final RequestAction action = RequestAction.WRITE; + final String user = "admin"; + + // the incoming NiFi request to test + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new MockResource(systemResource, systemResource)) + .action(action) + .identity(user) + .resourceContext(new HashMap<>()) + .accessAttempt(true) + .anonymous(false) + .build(); + + // the expected Ranger resource and request that are created + final RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource); + + final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl(); + expectedRangerRequest.setResource(resource); + expectedRangerRequest.setAction(request.getAction().name()); + expectedRangerRequest.setAccessType(request.getAction().name()); + expectedRangerRequest.setUser(request.getIdentity()); + + // no result processor should be provided used non-direct access + when(rangerBasePlugin.isAccessAllowed( + argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), + notNull(RangerAccessResultProcessor.class)) + ).thenReturn(notAllowedResult); + + // return false when checking if a policy exists for the resource + when(rangerBasePlugin.doesPolicyExist(systemResource)).thenReturn(false); + + final AuthorizationResult result = authorizer.authorize(request); + assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult()); + } + + @Test + public void testDenied() { + final String systemResource = "/system"; + final RequestAction action = RequestAction.WRITE; + final String user = "admin"; + + // the incoming NiFi request to test + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new MockResource(systemResource, 
systemResource)) + .action(action) + .identity(user) + .resourceContext(new HashMap<>()) + .accessAttempt(true) + .anonymous(false) + .build(); + + // the expected Ranger resource and request that are created + final RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource); + + final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl(); + expectedRangerRequest.setResource(resource); + expectedRangerRequest.setAction(request.getAction().name()); + expectedRangerRequest.setAccessType(request.getAction().name()); + expectedRangerRequest.setUser(request.getIdentity()); + + // no result processor should be provided used non-direct access + when(rangerBasePlugin.isAccessAllowed( + argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), + notNull(RangerAccessResultProcessor.class)) + ).thenReturn(notAllowedResult); + + // return true when checking if a policy exists for the resource + when(rangerBasePlugin.doesPolicyExist(systemResource)).thenReturn(true); + + final AuthorizationResult result = authorizer.authorize(request); + assertEquals(AuthorizationResult.denied().getResult(), result.getResult()); + } + + @Test + public void testRangerAdminApproved() { + runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult()); + } + + @Test + public void testRangerAdminDenied() { + runRangerAdminTest("/flow", AuthorizationResult.denied().getResult()); + } + + private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) { + configurationContext = createMockConfigContext(); + + final String rangerAdminIdentity = "ranger-admin"; + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP))) + .thenReturn(new MockPropertyValue(rangerAdminIdentity, null)); + + rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class); + 
authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin); + authorizer.onConfigured(configurationContext); + + final RequestAction action = RequestAction.WRITE; + + // the incoming NiFi request to test + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new MockResource(resourceIdentifier, resourceIdentifier)) + .action(action) + .identity(rangerAdminIdentity) + .resourceContext(new HashMap<>()) + .accessAttempt(true) + .anonymous(false) + .build(); + + // the expected Ranger resource and request that are created + final RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier); + + final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl(); + expectedRangerRequest.setResource(resource); + expectedRangerRequest.setAction(request.getAction().name()); + expectedRangerRequest.setAccessType(request.getAction().name()); + expectedRangerRequest.setUser(request.getIdentity()); + + // return true when checking if a policy exists for the resource + when(rangerBasePlugin.doesPolicyExist(resourceIdentifier)).thenReturn(true); + + // a non-null result processor should be used for direct access + when(rangerBasePlugin.isAccessAllowed( + argThat(new RangerAccessRequestMatcher(expectedRangerRequest)), + notNull(RangerAccessResultProcessor.class)) + ).thenReturn(notAllowedResult); + + final AuthorizationResult result = authorizer.authorize(request); + assertEquals(expectedResult, result.getResult()); + } + + @Test + @Ignore + public void testIntegration() { + final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class); + final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))) + .thenReturn(new 
MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml", null)); + + when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))) + .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml", null)); + + Authorizer authorizer = new RangerNiFiAuthorizer(); + try { + authorizer.initialize(initializationContext); + authorizer.onConfigured(configurationContext); + + final AuthorizationRequest request = new AuthorizationRequest.Builder() + .resource(new Resource() { + @Override + public String getIdentifier() { + return "/system"; + } + + @Override + public String getName() { + return "/system"; + } + }) + .action(RequestAction.WRITE) + .identity("admin") + .resourceContext(new HashMap<>()) + .accessAttempt(true) + .anonymous(false) + .build(); + + + final AuthorizationResult result = authorizer.authorize(request); + + Assert.assertEquals(AuthorizationResult.denied().getResult(), result.getResult()); + + } finally { + authorizer.preDestruction(); + } + } + + /** + * Extend RangerNiFiAuthorizer to inject a mock base plugin for testing. + */ + private static class MockRangerNiFiAuthorizer extends RangerNiFiAuthorizer { + + RangerBasePluginWithPolicies mockRangerBasePlugin; + + public MockRangerNiFiAuthorizer(RangerBasePluginWithPolicies mockRangerBasePlugin) { + this.mockRangerBasePlugin = mockRangerBasePlugin; + } + + @Override + protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) { + when(mockRangerBasePlugin.getAppId()).thenReturn(appId); + when(mockRangerBasePlugin.getServiceType()).thenReturn(serviceType); + return mockRangerBasePlugin; + } + } + + /** + * Resource implementation for testing. 
+ */ + private static class MockResource implements Resource { + + private String identifier; + private String name; + + public MockResource(String identifier, String name) { + this.identifier = identifier; + this.name = name; + } + + @Override + public String getIdentifier() { + return identifier; + } + + @Override + public String getName() { + return name; + } + } + + /** + * Custom Mockito matcher for RangerAccessRequest objects. + */ + private static class RangerAccessRequestMatcher extends ArgumentMatcher<RangerAccessRequest> { + + private final RangerAccessRequest request; + + public RangerAccessRequestMatcher(RangerAccessRequest request) { + this.request = request; + } + + @Override + public boolean matches(Object o) { + if (!(o instanceof RangerAccessRequest)) { + return false; + } + + final RangerAccessRequest other = (RangerAccessRequest) o; + + final boolean clientIpsMatch = (other.getClientIPAddress() == null && request.getClientIPAddress() == null) + || (other.getClientIPAddress() != null && request.getClientIPAddress() != null && other.getClientIPAddress().equals(request.getClientIPAddress())); + + return other.getResource().equals(request.getResource()) + && other.getAccessType().equals(request.getAccessType()) + && other.getAction().equals(request.getAction()) + && other.getUser().equals(request.getUser()) + && clientIpsMatch; + } + } + +} http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml new file mode 100644 index 0000000..ef87a8c --- /dev/null +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml 
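Review bot: `testKerberosEnabledWithoutKeytab` and `testKerberosEnabledWithoutPrincipal` do not isolate the missing value: the first stubs only `getKerberosServicePrincipal()` to `""` and the second only `getKerberosKeytabLocation()` to `""`, and the getter left unstubbed on the Mockito mock returns null, so in both tests neither value is present (and the stubbed getter is the opposite of what each test name says). All three negative Kerberos tests therefore exercise the both-missing case, and a validation that accepted a principal without a keytab, or the reverse, would presumably still pass. Stub the other value as present, e.g. `when(nifiProperties.getKerberosServicePrincipal()).thenReturn("test");` in the WithoutKeytab test and `when(nifiProperties.getKerberosKeytabLocation()).thenReturn("test");` in the WithoutPrincipal test. Separately, `runRangerAdminTest` covers the admin identity on `RESOURCES_RESOURCE` and on `/flow`, but no test shows a non-admin identity being denied on `RESOURCES_RESOURCE` when Ranger returns not-allowed; adding that case would pin the bypass to the configured `Ranger Admin Identity`.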
@@ -0,0 +1,27 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<authorizers> + <authorizer> + <identifier>ranger-provider</identifier> + <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class> + <property name="Ranger Audit Config Path">src/test/resources/ranger/ranger-nifi-audit.xml</property> + <property name="Ranger Security Config Path">src/test/resources/ranger/ranger-nifi-security.xml</property> + <property name="Ranger Service Type">nifi</property> + <property name="Ranger Application Id">nifi</property> + <property name="Ranger Admin Identity">CN=ranger-admin, OU=Apache Ranger, O=Apache, L=Santa Monica, ST=CA, C=US</property> + <property name="Ranger Kerberos Enabled">false</property> + </authorizer> +</authorizers> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf new file mode 100644 index 0000000..0e3f142 --- /dev/null +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf @@ -0,0 +1,25 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +[libdefaults] + default_realm = EXAMPLE.COM + dns_lookup_kdc = false + dns_lookup_realm = false + +[realms] + EXAMPLE.COM = { + kdc = kerberos.example.com + admin_server = kerberos.example.com + } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml new file mode 100644 index 0000000..8d3fa67 --- /dev/null +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml 
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">
+ <appender name="console_appender" class="org.apache.log4j.ConsoleAppender">
+ <param name="target" value="System.out" />
+ <layout class="org.apache.log4j.PatternLayout">
+ <param name="ConversionPattern" value="[%p]: %m%n" />
+ </layout>
+ </appender>
+
+ <category name="org.apache.ranger" additivity="false">
+ <priority value="info" />
+ <appender-ref ref="console_appender" />
+ </category>
+
+ <category name="ranger_audit_logger">
+ <level value="info" />
+ <appender-ref ref="console_appender" />
+ </category>
+
+ <root>
+ <priority value="info" />
+ <appender-ref ref="console_appender" />
+ </root>
+</log4j:configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
new file mode 100644
index 0000000..d590a50
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>hadoop.security.authentication</name>
+ <value>simple</value>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
new file mode 100644
index 0000000..3dbd576
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml 
@@ -0,0 +1,101 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+ <!-- DB audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.db</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.jdbc.driver</name>
+ <value>com.mysql.jdbc.Driver</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.jdbc.url</name>
+ <value>jdbc:mysql://localhost/ranger_audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.password</name>
+ <value>rangerlogger</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.user</name>
+ <value>rangerlogger</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.batch.filespool.dir</name>
+ <value>/tmp/audit/db/spool</value>
+ </property>
+
+
+ <!-- HDFS audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>hdfs://localhost:8020/ranger/audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
+ <value>/tmp/audit/hdfs/spool</value>
+ </property>
+
+
+ <!-- Log4j audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.log4j</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.log4j.logger</name>
+ <value>ranger_audit_logger</value>
+ </property>
+
+ <!-- Solr audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+ <value>/tmp/audit/solr/spool</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value>http://localhost:6083/solr/ranger_audits</value>
+ </property>
+
+</configuration>
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
new file mode 100644
index 0000000..b371dcc
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
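Review bot: The three `*.batch.filespool.dir` values in this fixture (`/tmp/audit/db/spool`, `/tmp/audit/hdfs/spool`, `/tmp/audit/solr/spool`) are fixed paths under the shared `/tmp`, and `ranger.plugin.nifi.policy.cache.dir` in ranger-nifi-security.xml is `/tmp` itself. If a test run actually writes there, audit spool files and the cached policy file land in a directory that other local users on the build host can read and pre-create; whether the tests reach that code is not visible in this hunk. Pointing them at a build-local directory, for example `<value>target/ranger/audit/solr/spool</value>` (constructed path), keeps the fixture self-contained. A one-line comment above the DB block such as `<!-- test-only placeholder credentials; never reuse outside tests -->` would also keep `rangerlogger` from being copied into a deployment template.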
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.nifi.policy.rest.url</name>
+ <value>http://localhost:6080</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.service.name</name>
+ <value>nifi</value>
+ <description>
+ Name of the Ranger service containing policies for this nifi instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>
+ Class to retrieve policies from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.rest.ssl.config.file</name>
+ <value>ranger-policymgr-ssl.xml</value>
+ <description>
+ Path to the file containing SSL details to contact Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.cache.dir</name>
+ <value>/tmp</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.nifi.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000..a6e0574
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <!-- The following properties are used for 2-way SSL client server validation -->
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value></value>
+ <description>
+ Java Keystore files
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.password</name>
+ <value>none</value>
+ <description>
+ password for keystore
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value></value>
+ <description>
+ java truststore file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.password</name>
+ <value>none</value>
+ <description>
+ java truststore password
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value></value>
+ <description>
+ java keystore credential file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value></value>
+ <description>
+ java truststore credential file
+ </description>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
new file mode 100644
index 0000000..8949a48
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-ranger-bundle</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>nifi-ranger-resources</artifactId>
+ <packaging>jar</packaging>
+
+</project>
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
new file mode 100644
index 0000000..940dbf1
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import os
+from subprocess import Popen,PIPE
+from optparse import OptionParser
+
+if os.getenv('JAVA_HOME') is None:
+ print "[W] ---------- JAVA_HOME environment property not defined, using java in path. ----------"
+ JAVA_BIN='java'
+else:
+ JAVA_BIN=os.path.join(os.getenv('JAVA_HOME'),'bin','java')
+print "Using Java:" + str(JAVA_BIN)
+
+def main():
+
+ parser = OptionParser()
+
+ parser.add_option("-l", "--libpath", dest="library_path", help="Path to folder where credential libs are present")
+ parser.add_option("-f", "--file", dest="jceks_file_path", help="Path to jceks file to use")
+ parser.add_option("-k", "--key", dest="key", help="Key to use")
+ parser.add_option("-v", "--value", dest="value", help="Value to use")
+ parser.add_option("-c", "--create", dest="create", help="Add a new alias")
+
+ (options, args) = parser.parse_args()
+ library_path = options.library_path
+ jceks_file_path = options.jceks_file_path
+ key = options.key
+ value = options.value
+ getorcreate = 'create' if options.create else 'get'
+ call_keystore(library_path, jceks_file_path, key, value, getorcreate)
+
+
+def call_keystore(libpath, filepath, aliasKey, aliasValue='', getorcreate='get'):
+ finalLibPath = libpath.replace('\\','/').replace('//','/')
+ finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/')
+ if getorcreate == 'create':
+ commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath]
+ p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ output, error = p.communicate()
+ statuscode = p.returncode
+ if statuscode == 0:
+ print "Alias " + aliasKey + " created successfully!"
+ else :
+ print "Error creating Alias!! Error: " + str(error)
+
+ elif getorcreate == 'get':
+ commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath]
+ p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ output, error = p.communicate()
+ statuscode = p.returncode
+ if statuscode == 0:
+ print "Alias : " + aliasKey + " Value : " + str(output)
+ else :
+ print "Error getting value!! Error: " + str(error)
+
+ else:
+ print 'Invalid Arguments!!'
+
+if __name__ == '__main__':
+ main()
http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
new file mode 100644
index 0000000..be915ec
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
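Review bot: The alias value is a secret that crosses two command lines: `-v/--value` in main() and the `'-value', aliasValue` element of the Popen argument list in call_keystore's create branch, so it is readable in the process listing and shell history while the helper runs. Whether `buildks` can take the value another way is not visible here, so at minimum say so in the option help, e.g. `help="Value to use (visible in the process list; run only on a trusted host)"`. Separately, main() passes `options.library_path`, `options.jceks_file_path` and `options.key` on unchecked, so a missing `-l` or `-f` fails in call_keystore with an AttributeError from calling `.replace` on `None`; `if not (library_path and jceks_file_path and key): parser.error("-l, -f and -k are required")` before the call gives a usable message. `-c/--create` is declared without `action="store_true"`, so it consumes the next argument as its value.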
@@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.apache.nifi</groupId> + <artifactId>nifi-nar-bundles</artifactId> + <version>1.0.0-SNAPSHOT</version> + </parent> + + <groupId>org.apache.nifi</groupId> + <artifactId>nifi-ranger-bundle</artifactId> + <version>1.0.0-SNAPSHOT</version> + <packaging>pom</packaging> + + <properties> + <httpcomponents.httpclient.version>4.4.1</httpcomponents.httpclient.version> + <httpcomponents.httpcore.version>4.4.1</httpcomponents.httpcore.version> + <httpcomponents.httpmime.version>4.4.1</httpcomponents.httpmime.version> + </properties> + + <modules> + <module>nifi-ranger-plugin</module> + <module>nifi-ranger-nar</module> + <module>nifi-ranger-resources</module> + </modules> + + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.apache.httpcomponents</groupId> + <artifactId>httpclient</artifactId> + <version>${httpcomponents.httpclient.version}</version> + </dependency> + 
<dependency> + <groupId>org.apache.httpcomponents</groupId> + <artifactId>httpcore</artifactId> + <version>${httpcomponents.httpcore.version}</version> + </dependency> + <dependency> + <groupId>org.apache.httpcomponents</groupId> + <artifactId>httpmime</artifactId> + <version>${httpcomponents.httpmime.version}</version> + </dependency> + </dependencies> + </dependencyManagement> +</project> http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml b/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml index 2248ad8..7d4c488 100644 --- a/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml +++ b/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml @@ -38,6 +38,17 @@ <groupId>com.twitter</groupId> <artifactId>hbc-twitter4j</artifactId> <version>2.2.0</version> + <exclusions> + <exclusion> + <groupId>com.google.code.findbugs</groupId> + <artifactId>jsr305</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>com.github.stephenc.findbugs</groupId> + <artifactId>findbugs-annotations</artifactId> + <version>1.3.9-1</version> </dependency> <dependency> <groupId>org.apache.nifi</groupId> http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml index 0196b1d..156d4e5 100644 
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml @@ -44,6 +44,12 @@ <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-hadoop-utils</artifactId> + <exclusions> + <exclusion> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> <groupId>org.apache.hbase</groupId> @@ -53,9 +59,18 @@ <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> </exclusion> + <exclusion> + <groupId>com.google.code.findbugs</groupId> + <artifactId>jsr305</artifactId> + </exclusion> </exclusions> </dependency> <dependency> + <groupId>com.github.stephenc.findbugs</groupId> + <artifactId>findbugs-annotations</artifactId> + <version>1.3.9-1</version> + </dependency> + <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> <version>3.4</version> http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/nifi-nar-bundles/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/pom.xml b/nifi-nar-bundles/pom.xml index 63ed50e..291feb2 100644 --- a/nifi-nar-bundles/pom.xml +++ b/nifi-nar-bundles/pom.xml @@ -55,13 +55,13 @@ <module>nifi-scripting-bundle</module> <module>nifi-elasticsearch-bundle</module> <module>nifi-amqp-bundle</module> - <module>nifi-splunk-bundle</module> + <module>nifi-splunk-bundle</module> <module>nifi-jms-bundle</module> <module>nifi-lumberjack-bundle</module> <module>nifi-cassandra-bundle</module> <module>nifi-spring-bundle</module> <module>nifi-hive-bundle</module> - <module>nifi-site-to-site-reporting-bundle</module> + <module>nifi-site-to-site-reporting-bundle</module> <module>nifi-mqtt-bundle</module> <module>nifi-evtx-bundle</module> <module>nifi-slack-bundle</module> 
@@ -69,9 +69,10 @@ <module>nifi-windows-event-log-bundle</module> <module>nifi-ignite-bundle</module> <module>nifi-email-bundle</module> - </modules> - - <dependencyManagement> + <module>nifi-ranger-bundle</module> + </modules> + + <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.nifi</groupId> http://git-wip-us.apache.org/repos/asf/nifi/blob/c27763a1/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 24ef0a4..602ac22 100644 --- a/pom.xml +++ b/pom.xml @@ -98,6 +98,7 @@ language governing permissions and limitations under the License. --> <hadoop.guava.version>12.0.1</hadoop.guava.version> <hadoop.http.client.version>4.2.5</hadoop.http.client.version> <yammer.metrics.version>2.2.0</yammer.metrics.version> + <ranger.version>0.6.0</ranger.version> </properties> @@ -1150,8 +1151,8 @@ language governing permissions and limitations under the License. --> <groupId>org.apache.nifi</groupId> <artifactId>nifi-elasticsearch-nar</artifactId> <version>1.0.0-SNAPSHOT</version> - <type>nar</type> - </dependency> + <type>nar</type> + </dependency> <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-lumberjack-nar</artifactId> @@ -1182,13 +1183,13 @@ language governing permissions and limitations under the License. --> <version>1.0.0-SNAPSHOT</version> <type>nar</type> </dependency> - <dependency> + <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-site-to-site-reporting-nar</artifactId> <version>1.0.0-SNAPSHOT</version> <type>nar</type> </dependency> - <dependency> + <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-evtx-nar</artifactId> <version>1.0.0-SNAPSHOT</version> 
@@ -1271,6 +1272,33 @@ language governing permissions and limitations under the License. --> <artifactId>aws-java-sdk</artifactId> <version>1.11.8</version> </dependency> + <!-- Ranger dependencies, only included when using -Pinclude-ranger --> + <dependency> + <groupId>org.apache.nifi</groupId> + <artifactId>nifi-ranger-nar</artifactId> + <version>1.0.0-SNAPSHOT</version> + <type>nar</type> + </dependency> + <dependency> + <groupId>org.apache.nifi</groupId> + <artifactId>nifi-ranger-resources</artifactId> + <version>1.0.0-SNAPSHOT</version> + </dependency> + <dependency> + <groupId>org.apache.ranger</groupId> + <artifactId>ranger-plugins-common</artifactId> + <version>${ranger.version}</version> + </dependency> + <dependency> + <groupId>org.apache.ranger</groupId> + <artifactId>ranger-plugins-audit</artifactId> + <version>${ranger.version}</version> + </dependency> + <dependency> + <groupId>org.apache.ranger</groupId> + <artifactId>credentialbuilder</artifactId> + <version>${ranger.version}</version> + </dependency> <!-- Groovy support is primarily as a test dependency --> <dependency> <groupId>org.codehaus.groovy</groupId>
