> If so, then how are you authenticating to NiFi as an "anonymous" user?

Good question. NiFi uses its LdapProvider (with Authentication Strategy =
SIMPLE, Identity Strategy = USE_USERNAME) to identify and the
RangerNifiAuthorizer to authorise users.

I'm not quite sure yet what authenticates the anonymous user, but I've
found similar reports in a Hortonworks thread [1] without an obvious solution.

[1]
https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html

On Mon, Apr 9, 2018 at 4:09 PM, Bryan Bende <bbe...@gmail.com> wrote:

> Ah thanks for the info, didn't know that.
>
> So you have a policy in Ranger where the resource is "/flow", the
> action is READ, and the users/groups is "{USER}", and then you are
> saying an "anonymous" user can retrieve the flow?
>
> I'm assuming that since your Ranger is backed by an LDAP, that you
> also have configured NiFi's LDAP Login Identity Provider?
>
> If so, then how are you authenticating to NiFi as an "anonymous" user?
>
> In a secure NiFi you should always have to authenticate as some
> identity, the anonymous user is only used in an unsecured NiFi when
> there is no authentication/authorization taking place.
>
>
> On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes
> <johan...@perceivon.net> wrote:
> > Hi Bryan,
> >
> > It's a placeholder in Ranger for usernames, see
> > https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
> >
> > which is used by certain matcher classes.
> >
> > On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I don't see any issue with the code you linked to. It's saying "if the
> >> ranger policies say the operation is allowed, then return approved".
> >>
> >> Is '{USER}' a special syntax in Ranger? or are you using that as a
> >> placeholder in email so you don't have to provide the real user
> >> identity?
> >>
> >> I haven't seen that syntax before so just trying to understand what
> >> {USER} and {OWNER} mean here.
> >>
> >> -Bryan
> >>
> >>
> >> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
> >> <johan...@perceivon.net> wrote:
> >> > I'm trying to harden my NiFi instance's authorizations and auditing
> >> > using
> >> > Ranger (which is backed by an LDAP instance).
> >> >
> >> > In Ranger I have defined a couple of resources to be authorized for
> >> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
> >> >
> >> > Turns out that if I add `{USER}` to the resource containing "/flow" I
> >> > can read the flow as anonymous user, which is exactly the opposite of
> >> > what I want.
> >> >
> >> > Some digging last week led me to believe that this is due to the way
> >> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on
> >> > the completely wrong track here.
> >> >
> >> > Is there any way to prevent `anonymous` from doing anything in NiFi,
> >> > through Ranger?
> >> >
> >> > Best regards
> >> > Johannes Meixner
> >> >
> >> >
> >> > [1]
> >> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
> >
> >
>
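The behaviour Johannes describes (a "/flow" policy whose user list is the `{USER}` variable ends up granting READ to "anonymous") follows directly from how the variable is substituted. The toy evaluator below is an added illustration, not code from the thread, from Ranger or from NiFi. It assumes, per the Ranger wiki page linked above, that `{USER}` in a policy's user list or resource path is replaced by the requesting identity before matching; that NiFi passes the literal identity string "anonymous" to the authorizer when no authenticated identity is present (as Bryan notes, that should only happen on an unsecured instance); and, to keep it short, that resources are compared by exact path rather than Ranger's wildcard matchers. The policy names (WEAK_FLOW, EXPLICIT_FLOW, DENY_ANON_FLOW, HOME_DIRS) and the group-free policy items are assumptions made for the example.

```python
"""Toy model of Ranger-style policy evaluation with the {USER} variable.

Added example; not Ranger's or NiFi's real evaluator. Assumptions:
  * '{USER}' in a user list or resource path is replaced with the
    requesting identity before matching (Ranger's $username variable).
  * NiFi hands the authorizer the identity "anonymous" when no
    authenticated identity exists.
  * Resources are compared by exact path (Ranger really uses wildcard
    path matchers; exact match is enough to show the effect).
"""
from dataclasses import dataclass

USER_VAR = "{USER}"


@dataclass
class PolicyItem:
    users: set       # identities this item applies to, may contain "{USER}"
    actions: set     # e.g. {"READ"}, {"WRITE"}
    deny: bool = False


@dataclass
class Policy:
    resource: str    # e.g. "/flow" or "/data/home/{USER}"
    items: list


def _expand(template: str, user: str) -> str:
    """Substitute the requesting identity for the {USER} variable."""
    return template.replace(USER_VAR, user)


def is_allowed(policies, user: str, resource: str, action: str) -> bool:
    """True if an allow item matches and no deny item matches.

    Mirrors the shape of the check in RangerNiFiAuthorizer: the
    authorizer asks the policy engine and approves iff it says allowed.
    """
    allowed = False
    for policy in policies:
        if _expand(policy.resource, user) != resource:
            continue
        for item in policy.items:
            if action not in item.actions:
                continue
            # {USER} in the user list expands to whoever is asking,
            # so it matches *every* identity, "anonymous" included.
            if user not in {_expand(u, user) for u in item.users}:
                continue
            if item.deny:
                return False          # an explicit deny wins outright
            allowed = True
    return allowed


# The configuration from the thread: "/flow", READ, users = {USER}.
WEAK_FLOW = [Policy("/flow", [PolicyItem({USER_VAR}, {"READ"})])]

# Hardened variant 1: name the identities that may read the flow.
# (constructed identities; the node CN is a stand-in for a real cert DN)
EXPLICIT_FLOW = [Policy("/flow", [
    PolicyItem({"alice", "CN=nifi-node-1"}, {"READ"}),
])]

# Hardened variant 2: keep {USER} but add an explicit deny for anonymous.
DENY_ANON_FLOW = [Policy("/flow", [
    PolicyItem({"anonymous"}, {"READ"}, deny=True),
    PolicyItem({USER_VAR}, {"READ"}),
])]

# The case {USER} is designed for: a per-user resource path, where the
# variable appears in both the resource and the user list.
HOME_DIRS = [Policy("/data/home/" + USER_VAR, [
    PolicyItem({USER_VAR}, {"READ", "WRITE"}),
])]


if __name__ == "__main__":
    for name, pol in [("WEAK_FLOW", WEAK_FLOW), ("EXPLICIT_FLOW", EXPLICIT_FLOW),
                      ("DENY_ANON_FLOW", DENY_ANON_FLOW)]:
        for who in ("anonymous", "alice"):
            print(f"{name:15s} {who:10s} READ /flow ->",
                  is_allowed(pol, who, "/flow", "READ"))
    print("HOME_DIRS alice READ /data/home/alice ->",
          is_allowed(HOME_DIRS, "alice", "/data/home/alice", "READ"))
    print("HOME_DIRS alice READ /data/home/bob   ->",
          is_allowed(HOME_DIRS, "alice", "/data/home/bob", "READ"))
```

With WEAK_FLOW, `is_allowed(..., "anonymous", "/flow", "READ")` is True for the same reason it is True for "alice": the variable matches whoever asks. The per-user HOME_DIRS policy shows the intended use, where the variable in the resource path keeps alice out of /data/home/bob. For "/flow", which is not a per-user resource, the variable buys nothing and an explicit user/group list (or a deny item for "anonymous", if anonymous requests can reach the authorizer at all) is the safer shape.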
