[
https://issues.apache.org/jira/browse/NIFI-1733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15389970#comment-15389970
]
ASF GitHub Bot commented on NIFI-1733:
--------------------------------------
Github user YolandaMDavis commented on a diff in the pull request:
https://github.com/apache/nifi/pull/574#discussion_r71921933
--- Diff:
nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
---
@@ -0,0 +1,236 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.nifi.ranger.authorization;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.nifi.authorization.AuthorizationRequest;
+import org.apache.nifi.authorization.AuthorizationResult;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.AuthorizerConfigurationContext;
+import org.apache.nifi.authorization.AuthorizerInitializationContext;
+import org.apache.nifi.authorization.UserContextKeys;
+import
org.apache.nifi.authorization.exception.AuthorizationAccessException;
+import org.apache.nifi.authorization.exception.AuthorizerCreationException;
+import
org.apache.nifi.authorization.exception.AuthorizerDestructionException;
+import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.MalformedURLException;
+import java.util.Date;
+
+/**
+ * Authorizer implementation that uses Apache Ranger to make authorization
decisions.
+ */
+public class RangerNiFiAuthorizer implements Authorizer {
+
+ private static final Logger logger =
LoggerFactory.getLogger(RangerNiFiAuthorizer.class);
+
+ static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config
Path";
+ static final String RANGER_SECURITY_PATH_PROP = "Ranger Security
Config Path";
+ static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos
Enabled";
+ static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin
Identity";
+ static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
+ static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+
+ static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
+ static final String DEFAULT_SERVICE_TYPE = "nifi";
+ static final String DEFAULT_APP_ID = "nifi";
+ static final String RESOURCES_RESOURCE = "/resources";
+ static final String HADOOP_SECURITY_AUTHENTICATION =
"hadoop.security.authentication";
+ static final String KERBEROS_AUTHENTICATION = "kerberos";
+
+ private volatile RangerBasePluginWithPolicies nifiPlugin = null;
+ private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
+ private volatile String rangerAdminIdentity = null;
+ private volatile boolean rangerKerberosEnabled = false;
+
+ @Override
+ public void initialize(AuthorizerInitializationContext
initializationContext) throws AuthorizerCreationException {
+
+ }
+
+ @Override
+ public void onConfigured(AuthorizerConfigurationContext
configurationContext) throws AuthorizerCreationException {
+ try {
+ if (nifiPlugin == null) {
+ logger.info("RangerNiFiAuthorizer(): initializing base
plugin");
+
+ final PropertyValue securityConfigValue =
configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
+ addRequiredResource(RANGER_SECURITY_PATH_PROP,
securityConfigValue);
+
+ final PropertyValue auditConfigValue =
configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
+ addRequiredResource(RANGER_AUDIT_PATH_PROP,
auditConfigValue);
+
+ final String rangerKerberosEnabledValue =
getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP,
Boolean.FALSE.toString());
+ rangerKerberosEnabled =
rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
+
+ if (rangerKerberosEnabled) {
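Review bot: The Kerberos flag in onConfigured is parsed with a case-sensitive exact match, `rangerKerberosEnabledValue.equals(Boolean.TRUE.toString())`, so a configured value such as `True`, or one with stray whitespace, silently leaves rangerKerberosEnabled false and the Kerberos branch is skipped (unless getConfigValue, which is not visible in this hunk, already normalizes the value). For a security setting it is safer to parse leniently, `rangerKerberosEnabled = Boolean.parseBoolean(rangerKerberosEnabledValue.trim());`, or to throw AuthorizerCreationException for anything other than true/false so a typo cannot quietly downgrade authentication. The `? true : false` is redundant either way. The body of onConfigured continues past the end of the quoted hunk.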
--- End diff --
I could not see test coverage for this area, especially for the case where
Kerberos is enabled but no Kerberos properties (keytab/principal) exist.
> Create Authorizer implementation that uses Apache Ranger
> --------------------------------------------------------
>
> Key: NIFI-1733
> URL: https://issues.apache.org/jira/browse/NIFI-1733
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Bryan Bende
> Assignee: Bryan Bende
> Priority: Minor
> Fix For: 1.0.0
>
>
> In NIFI-1552 we defined a new Authorizer API for 1.0.0.
> In addition to the standard file-based Authorizer, we should provide an
> Authorizer implementation that uses Apache Ranger.