Hi Bryan,

It's a placeholder in Ranger for usernames, see
https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable

which is used by certain matcher classes.

On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:

> Hello,
>
> I don't see any issue with the code you linked to. It's saying "if the
> ranger policies say the operation is allowed, then return approved".
>
> Is '{USER}' a special syntax in Ranger? Or are you using that as a
> placeholder in email so you don't have to provide the real user
> identity?
>
> I haven't seen that syntax before so just trying to understand what
> {USER} and {OWNER} mean here.
>
> -Bryan
>
>
> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
> <johan...@perceivon.net> wrote:
> > I'm trying to harden my NiFi instance's authorizations and auditing using
> > Ranger (which is backed by an LDAP instance).
> >
> > In Ranger I have defined a couple of resources defined to be authorized for
> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
> >
> > Turns out that if I add `{USER}` to the resource containing "/flow" I can
> > read the flow as anonymous user, which is exactly the opposite of what I
> > want.
> >
> > Some digging last week led me to believe that this is due to the way
> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the
> > completely wrong track here.
> >
> > Is there any way to prevent `anonymous` from doing anything in NiFi,
> > through Ranger?
> >
> > Best regards
> > Johannes Meixner
> >
> >
> > [1]
> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
>
