I'm trying to harden my NiFi instance's authorizations and auditing using
Ranger (which is backed by an LDAP instance).
In Ranger I have defined a couple of resources defined to be authorized for
the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
Turns out that if I add `{USER}` to the resource containing "/flow" I can
read the flow as anonymous user, which is exactly the opposite of what I
want.
Some digging last week lead me to believe that this is due to the way
RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the
completely wrong track here.
Is there any way to prevent `anonymous` from doing anything in NiFi,
through Ranger?
Best regards
Johannes Meixner
[1]
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
