Ah thanks for the info, didn't know that.

So you have a policy in Ranger where the resource is "/flow", the
action is READ, and the users/groups is "{USER}", and then you are
saying an "anonymous" user can retrieve the flow?

I'm assuming that since your Ranger is backed by an LDAP, that you
also have configured NiFi's LDAP Login Identity Provider?

If so, then how are you authenticating to NiFi as an "anonymous" user?

In a secure NiFi you should always have to authenticate as some
identity; the anonymous user is only used in an unsecured NiFi when
there is no authentication/authorization taking place.


On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes
<johan...@perceivon.net> wrote:
> Hi Bryan,
>
> It's a placeholder in Ranger for usernames, see
> https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
>
> which is used by certain matcher classes.
>
> On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:
>>
>> Hello,
>>
>> I don't see any issue with the code you linked to. It's saying "if the
>> ranger policies say the operation is allowed, then return approved".
>>
>> Is '{USER}' a special syntax in Ranger? or are you using that as a
>> placeholder in email so you don't have to provide the real user
>> identity?
>>
>> I haven't seen that syntax before so just trying to understand what
>> {USER} and {OWNER} mean here.
>>
>> -Bryan
>>
>>
>> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
>> <johan...@perceivon.net> wrote:
>> > I'm trying to harden my NiFi instance's authorizations and auditing
>> > using
>> > Ranger (which is backed by an LDAP instance).
>> >
>> > In Ranger I have defined a couple of resources to be authorized for
>> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
>> >
>> > Turns out that if I add `{USER}` to the resource containing "/flow" I
>> > can
>> > read the flow as anonymous user, which is exactly the opposite of what I
>> > want.
>> >
>> > Some digging last week led me to believe that this is due to the way
>> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on
>> > the completely wrong track here.
>> >
>> > Is there any way to prevent `anonymous` from doing anything in NiFi,
>> > through Ranger?
>> >
>> > Best regards
>> > Johannes Meixner
>> >
>> >
>> > [1]
>> >
>> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
>
>
