> If so, then how are you authenticating to NiFi as an "anonymous" user?

Good question. NiFi uses its LdapProvider (with Authentication Strategy = SIMPLE, Identity Strategy = USE_USERNAME) to identify and the RangerNifiAuthorizer to authorise users. I'm not quite sure yet what authenticates the anonymous user, but I've found similar reports in a Hortonworks thread [1] without an obvious solution.

[1] https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html

On Mon, Apr 9, 2018 at 4:09 PM, Bryan Bende <[email protected]> wrote:
> Ah thanks for the info, didn't know that.
>
> So you have a policy in Ranger where the resource is "/flow", the action is READ, and the users/groups is "{USER}", and then you are saying an "anonymous" user can retrieve the flow?
>
> I'm assuming that since your Ranger is backed by an LDAP, that you also have configured NiFi's LDAP Login Identity Provider?
>
> If so, then how are you authenticating to NiFi as an "anonymous" user?
>
> In a secure NiFi you should always have to authenticate as some identity; the anonymous user is only used in an unsecured NiFi when there is no authentication/authorization taking place.
>
>
> On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes <[email protected]> wrote:
> > Hi Bryan,
> >
> > It's a placeholder in Ranger for usernames, see
> > https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
> >
> > which is used by certain matcher classes.
> >
> > On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <[email protected]> wrote:
> >> Hello,
> >>
> >> I don't see any issue with the code you linked to. It's saying "if the ranger policies say the operation is allowed, then return approved".
> >>
> >> Is '{USER}' a special syntax in Ranger? Or are you using that as a placeholder in email so you don't have to provide the real user identity?
> >>
> >> I haven't seen that syntax before so just trying to understand what {USER} and {OWNER} mean here.
> >>
> >> -Bryan
> >>
> >>
> >> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes <[email protected]> wrote:
> >> > I'm trying to harden my NiFi instance's authorizations and auditing using Ranger (which is backed by an LDAP instance).
> >> >
> >> > In Ranger I have defined a couple of resources to be authorized for the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
> >> >
> >> > Turns out that if I add `{USER}` to the resource containing "/flow" I can read the flow as anonymous user, which is exactly the opposite of what I want.
> >> >
> >> > Some digging last week led me to believe that this is due to the way RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the completely wrong track here.
> >> >
> >> > Is there any way to prevent `anonymous` from doing anything in NiFi, through Ranger?
> >> >
> >> > Best regards
> >> > Johannes Meixner
> >> >
> >> >
> >> > [1]
> >> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
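The thread turns on two points: a policy whose user list contains the `{USER}` placeholder, and an authorizer that returns "Approved" whenever the policy engine says the operation is allowed. The following toy model is an added illustration, not Apache Ranger's or NiFi's own code; the expansion rule for `{USER}` (substitute the requesting identity), the `Policy` shape, the `"anonymous"` identity string and the sample policies are all assumptions constructed for the example. It contrasts a naive authorizer that trusts the policy result with a hardened one that refuses the anonymous identity before any policy is consulted, which is the guard a defender would want regardless of how the placeholder is resolved:

```python
# Toy model of placeholder-based policy matching and an anonymous-identity guard.
# Added example; not Ranger's or NiFi's code. Expansion rule, policy shape and
# sample data are constructed assumptions.
from dataclasses import dataclass, field

ANONYMOUS_IDENTITY = "anonymous"   # assumed identity for unauthenticated requests
USER_PLACEHOLDER = "{USER}"        # assumed to mean "whoever is making the request"


@dataclass(frozen=True)
class Policy:
    resource: str
    actions: frozenset
    users: frozenset = field(default_factory=frozenset)


# Constructed sample policies mirroring the thread: "/flow" READ is granted to the
# node certificate CNs and to the {USER} placeholder; "/controller" only to an admin.
SAMPLE_POLICIES = (
    Policy("/flow", frozenset({"READ"}),
           frozenset({"CN=nifi-node-1", "CN=nifi-node-2", USER_PLACEHOLDER})),
    Policy("/controller", frozenset({"READ", "WRITE"}), frozenset({"CN=admin"})),
)


def expand_users(policy: Policy, identity: str) -> frozenset:
    """Replace the {USER} placeholder with the requesting identity.

    Because the placeholder becomes whatever identity the request carries, a
    policy listing it matches every identity, "anonymous" included.
    """
    return frozenset(identity if u == USER_PLACEHOLDER else u for u in policy.users)


def policy_allows(policies, resource: str, action: str, identity: str) -> bool:
    """True if any policy grants `action` on `resource` to `identity`."""
    return any(
        p.resource == resource
        and action in p.actions
        and identity in expand_users(p, identity)
        for p in policies
    )


def authorize_naive(policies, resource: str, action: str, identity: str) -> str:
    """Approve whenever the policy engine allows (the pattern the thread quotes:
    'if the ranger policies say the operation is allowed, then return approved')."""
    return "Approved" if policy_allows(policies, resource, action, identity) else "Denied"


def authorize_hardened(policies, resource: str, action: str, identity: str) -> str:
    """Never let the anonymous identity reach the policy engine, so no placeholder
    or wildcard in a policy can match it."""
    if identity == ANONYMOUS_IDENTITY:
        return "Denied"
    return authorize_naive(policies, resource, action, identity)


def audit_line(policies, resource: str, action: str, identity: str, decide) -> str:
    """One constructed audit record per decision; filtering these for
    identity=anonymous result=Approved is the quickest way to spot the problem."""
    result = decide(policies, resource, action, identity)
    return f"identity={identity} resource={resource} action={action} result={result}"


if __name__ == "__main__":
    for who in ("johannes", "CN=nifi-node-1", ANONYMOUS_IDENTITY):
        print(audit_line(SAMPLE_POLICIES, "/flow", "READ", who, authorize_naive))
        print(audit_line(SAMPLE_POLICIES, "/flow", "READ", who, authorize_hardened))
```

Run as a script, the audit lines show the naive path approving `/flow READ` for `anonymous` while the hardened path denies it, and both paths still approving the LDAP user and the node CN. The point of the guard is that it does not depend on understanding every placeholder Ranger may expand: an unauthenticated identity is rejected before policy matching starts.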
