Hi Bryan,

It's a placeholder in Ranger for usernames, see
https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
which is used by certain matcher classes.

On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:

> Hello,
>
> I don't see any issue with the code you linked to. It's saying "if the
> ranger policies say the operation is allowed, then return approved".
>
> Is '{USER}' a special syntax in Ranger? Or are you using that as a
> placeholder in email so you don't have to provide the real user
> identity?
>
> I haven't seen that syntax before so just trying to understand what
> {USER} and {OWNER} mean here.
>
> -Bryan
>
>
> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
> <johan...@perceivon.net> wrote:
> > I'm trying to harden my NiFi instance's authorizations and auditing using
> > Ranger (which is backed by an LDAP instance).
> >
> > In Ranger I have defined a couple of resources defined to be authorized for
> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
> >
> > Turns out that if I add `{USER}` to the resource containing "/flow" I can
> > read the flow as anonymous user, which is exactly the opposite of what I
> > want.
> >
> > Some digging last week led me to believe that this is due to the way
> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the
> > completely wrong track here.
> >
> > Is there any way to prevent `anonymous` from doing anything in NiFi,
> > through Ranger?
> >
> > Best regards
> > Johannes Meixner
> >
> >
> > [1]
> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
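
One way to audit for the situation described in this thread, as an added example that is not part of the original messages or of the NiFi or Ranger code: it flags policy items that list `{USER}` on a resource path that does not itself contain `{USER}`, on the assumption that the macro is replaced by whichever identity makes the request, `anonymous` included. The JSON layout (`policies`, `resources`, `policyItems`, `nifi-resource`), the policy names and all sample values are assumptions constructed for illustration.

```python
import json

USER_MACRO = "{USER}"

# Constructed sample in the assumed shape of a Ranger policy export.
SAMPLE_EXPORT = json.loads("""
{"policies": [
  {"name": "flow-read", "isEnabled": true,
   "resources": {"nifi-resource": {"values": ["/flow"]}},
   "policyItems": [{"users": ["{USER}", "CN=nifi-node-1"],
                    "accesses": [{"type": "READ", "isAllowed": true}]}]},
  {"name": "per-user-area", "isEnabled": true,
   "resources": {"nifi-resource": {"values": ["/users/{USER}/*"]}},
   "policyItems": [{"users": ["{USER}"],
                    "accesses": [{"type": "READ", "isAllowed": true}]}]},
  {"name": "controller", "isEnabled": true,
   "resources": {"nifi-resource": {"values": ["/controller"]}},
   "policyItems": [{"users": ["CN=nifi-node-1"],
                    "accesses": [{"type": "WRITE", "isAllowed": true}]}]}
]}
""")


def resource_values(policy):
    """Collect every resource path a policy covers, across resource keys."""
    values = []
    for resource in policy.get("resources", {}).values():
        values.extend(resource.get("values", []))
    return values


def open_macro_grants(export):
    """Return (policy name, unscoped paths, allowed access types) for each
    enabled policy item that lists {USER} on a path lacking the macro."""
    findings = []
    for policy in export.get("policies", []):
        if not policy.get("isEnabled", True):
            continue
        # A path without the macro is not tied to the requester's own name,
        # so {USER} in the user list admits every requester on that path.
        unscoped = [v for v in resource_values(policy) if USER_MACRO not in v]
        if not unscoped:
            continue
        for item in policy.get("policyItems", []):
            if USER_MACRO not in item.get("users", []):
                continue
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed"))
            if allowed:
                findings.append((policy["name"], unscoped, allowed))
    return findings
```

Running `open_macro_grants` over an export flags the `/flow` policy from the thread while leaving a policy whose path embeds `{USER}` and one with only explicit node CNs unflagged.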