Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Bryan Bende
I don't have a Ranger instance at the moment to test, but the "deny" policy may work. Regarding the "Allow Anonymous" approach... since it is a function of the Authorizer, I think it needs to be in the config in authorizers.xml. Maybe there is a way to make it applicable to all authorizers by

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Kevin Doran
Good catch, Bryan. It does sound like that could explain what is going on in these cases. Regarding this:
> I think one way to support this might be to bring back the "Allow Anonymous" flag in the Ranger Authorizer config.
>
> This way if this value is set to false, then before

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Pierre Villard
It should also be possible to add a deny policy for anonymous user, no? Not sure if that would the issue though. Pierre

2018-04-09 17:32 GMT+02:00 Bryan Bende :
> Actually, thinking about this more, I think the issue is that you
> currently can't use Ranger's {USER} concept

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Bryan Bende
Actually, thinking about this more, I think the issue is that you currently can't use Ranger's {USER} concept because NiFi always has an "anonymous" user, and there is no way in Ranger to exclude "anonymous" from {USER}. What is happening is something like this...
- You enter the NiFi URL in

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Bryan Bende
Ok, so you end up in the NiFi UI with the identity in the top right saying "Anonymous user"? (as shown in the screenshots of that hwx forum) I think we need to dig into what is happening during authentication... Can you do a fresh login to NiFi using your LDAP credentials, and then capture the

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Meixner, Johannes
> If so, then how are you authenticating to NiFi as an "anonymous" user?

Good question. NiFi uses its LdapProvider (with Authentication Strategy = SIMPLE, Identity Strategy = USE_USERNAME) to identify and the RangerNifiAuthorizer to authorise users. I'm not quite sure yet what authenticates the

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Bryan Bende
Ah thanks for the info, didn't know that. So you have a policy in Ranger where the resource is "/flow", the action is READ, and the users/groups is "{USER}", and then you are saying an "anonymous" user can retrieve the flow? I'm assuming that since your Ranger is backed by an LDAP, that you also

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Meixner, Johannes
Hi Bryan, It's a placeholder in Ranger for usernames, see https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable which is used by certain matcher classes.

On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende wrote:
> Hello,
>
> I don't see any issue with

Re: Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Bryan Bende
Hello, I don't see any issue with the code you linked to. It's saying "if the ranger policies say the operation is allowed, then return approved". Is '{USER}' a special syntax in Ranger? Or are you using that as a placeholder in email so you don't have to provide the real user identity? I

Ranger-plugin authorises "anonymous" for /flow

2018-04-09 Thread Meixner, Johannes
I'm trying to harden my NiFi instance's authorizations and auditing using Ranger (which is backed by an LDAP instance). In Ranger I have defined a couple of resources to be authorized for the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`. Turns out that if I add `{USER}` to