I don't have a Ranger instance at the moment to test, but the "deny"
policy may work.
Regarding the "Allow Anonymous" approach... since it is a function of
the Authorizer, I think it needs to be in the config in
authorizers.xml. Maybe there is a way to make it applicable to all
authorizers by
Good catch, Bryan. It does sound like that could explain what is going on in
these cases.
Regarding this:
> I think one way to support this might be to bring back the "Allow
> Anonymous" flag in the Ranger Authorizer config.
>
> This way if this value is set to false, then before
It should also be possible to add a deny policy for anonymous user, no?
Not sure if that would the issue though.
Pierre
2018-04-09 17:32 GMT+02:00 Bryan Bende:
> Actually, thinking about this more, I think the issue is that you
> currently can't use Ranger's {USER} concept
Actually, thinking about this more, I think the issue is that you
currently can't use Ranger's {USER} concept because NiFi always has an
"anonymous" user, and there is no way in Ranger to exclude "anonymous"
from {USER}.
What is happening is something like this...
- You enter the NiFi URL in
Ok, so you end up in the NiFi UI with the identity in the top right
saying "Anonymous user"? (as shown in the screenshots of that hwx
forum)
I think we need to dig into what is happening during authentication...
Can you do a fresh login to NiFi using your LDAP credentials, and then
capture the
> If so, then how are you authenticating to NiFi as an "anonymous" user?
Good question. NiFi uses its LdapProvider (with Authentication Strategy =
SIMPLE, Identity Strategy = USE_USERNAME) to identify and the
RangerNifiAuthorizer to authorise users.
I'm not quite sure yet what authenticates the
Ah thanks for the info, didn't know that.
So you have a policy in Ranger where the resource is "/flow", the
action is READ, and the users/groups is "{USER}", and then you are
saying an "anonymous" user can retrieve the flow?
I'm assuming that since your Ranger is backed by an LDAP, that you
also
Hi Bryan,
It's a placeholder in Ranger for usernames, see
https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
which is used by certain matcher classes.
On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende wrote:
> Hello,
>
> I don't see any issue with
Hello,
I don't see any issue with the code you linked to. It's saying "if the
ranger policies say the operation is allowed, then return approved".
Is '{USER}' a special syntax in Ranger? or are you using that as a
placeholder in email so you don't have to provide the real user
identity?
I
I'm trying to harden my NiFi instance's authorizations and auditing using
Ranger (which is backed by an LDAP instance).
In Ranger I have defined a couple of resources to be authorized for
the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
Turns out that if I add `{USER}` to