Ok, so you end up in the NiFi UI with the identity in the top right saying "Anonymous user"? (as shown in the screenshots of that hwx forum)

I think we need to dig into what is happening during authentication... Can you do a fresh login to NiFi using your LDAP credentials, and then capture the content from nifi-user.log that occurred during this login?

On Mon, Apr 9, 2018 at 10:37 AM, Meixner, Johannes <[email protected]> wrote:
>> If so, then how are you authenticating to NiFi as an "anonymous" user?
>
> Good question. NiFi uses its LdapProvider (with Authentication Strategy = SIMPLE, Identity Strategy = USE_USERNAME) to identify and the RangerNifiAuthorizer to authorise users.
>
> I'm not quite sure yet what authenticates the anonymous user, but I've found similar reports in a Hortonworks thread [1] without an obvious solution.
>
> [1] https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html
>
> On Mon, Apr 9, 2018 at 4:09 PM, Bryan Bende <[email protected]> wrote:
>>
>> Ah thanks for the info, didn't know that.
>>
>> So you have a policy in Ranger where the resource is "/flow", the action is READ, and the users/groups is "{USER}", and then you are saying an "anonymous" user can retrieve the flow?
>>
>> I'm assuming that since your Ranger is backed by an LDAP, that you also have configured NiFi's LDAP Login Identity Provider?
>>
>> If so, then how are you authenticating to NiFi as an "anonymous" user?
>>
>> In a secure NiFi you should always have to authenticate as some identity; the anonymous user is only used in an unsecured NiFi when there is no authentication/authorization taking place.
>>
>>
>> On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes <[email protected]> wrote:
>> > Hi Bryan,
>> >
>> > It's a placeholder in Ranger for usernames, see
>> >
>> > https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
>> >
>> > which is used by certain matcher classes.
>> >
>> > On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <[email protected]> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I don't see any issue with the code you linked to. It's saying "if the ranger policies say the operation is allowed, then return approved".
>> >>
>> >> Is '{USER}' a special syntax in Ranger? Or are you using that as a placeholder in email so you don't have to provide the real user identity?
>> >>
>> >> I haven't seen that syntax before so just trying to understand what {USER} and {OWNER} mean here.
>> >>
>> >> -Bryan
>> >>
>> >>
>> >> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes <[email protected]> wrote:
>> >> > I'm trying to harden my NiFi instance's authorizations and auditing using Ranger (which is backed by an LDAP instance).
>> >> >
>> >> > In Ranger I have defined a couple of resources to be authorized for the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
>> >> >
>> >> > Turns out that if I add `{USER}` to the resource containing "/flow" I can read the flow as anonymous user, which is exactly the opposite of what I want.
>> >> >
>> >> > Some digging last week led me to believe that this is due to the way RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be on the completely wrong track here.
>> >> >
>> >> > Is there any way to prevent `anonymous` from doing anything in NiFi, through Ranger?
>> >> >
>> >> > Best regards
>> >> > Johannes Meixner
>> >> >
>> >> >
>> >> > [1]
>> >> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
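Added illustration of the behaviour Johannes reports above (this is example code written for this thread, not Apache Ranger's matcher code and not NiFi's RangerNiFiAuthorizer). It models the one mechanism the thread and the linked Ranger wiki page describe: the `{USER}` macro in a policy item's user list is substituted with the identity of the user making the request before the list is compared against that identity, so a `/flow` READ item granted to `{USER}` matches every identity the authorizer is handed, including the string "anonymous" that an unauthenticated NiFi session carries. The policy data, the identity names, the `audit_anonymous_reachable` check and the `is_allowed_hardened` gate are all constructed for the example.

```python
"""Model of a Ranger-style policy lookup with the {USER} macro, and why a
{USER} item on /flow lets NiFi's "anonymous" identity read the flow.

Constructed for this thread; not Ranger or NiFi code. Assumption encoded:
{USER} in an item's user list is replaced with the requesting identity
before matching (the behaviour the Ranger wiki page linked above describes).
"""
from dataclasses import dataclass, field

USER_MACRO = "{USER}"
ANONYMOUS = "anonymous"  # identity NiFi reports when nobody is authenticated


@dataclass
class PolicyItem:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)


@dataclass
class Policy:
    resource: str
    items: list


def expand_macros(users: set, requesting_user: str) -> set:
    """Substitute {USER} with the requester, as the thread says Ranger does.

    After this step the item's user list always contains the requester, so
    {USER} means "whoever is asking", not "a known LDAP user".
    """
    return {requesting_user if u == USER_MACRO else u for u in users}


def is_allowed(policies, resource, user, groups, access):
    """Ranger-style evaluation: first matching item with the access wins."""
    for policy in policies:
        if policy.resource != resource:
            continue
        for item in policy.items:
            if access not in item.accesses:
                continue
            if user in expand_macros(item.users, user) or groups & item.groups:
                return True
    return False


def audit_anonymous_reachable(policies):
    """Constructed check: (resource, item index) pairs that admit "anonymous".

    Flags both literal "anonymous" entries and {USER} items, since the macro
    expands to "anonymous" for an unauthenticated request.
    """
    findings = []
    for policy in policies:
        for i, item in enumerate(policy.items):
            if ANONYMOUS in expand_macros(item.users, ANONYMOUS):
                findings.append((policy.resource, i))
    return findings


def is_allowed_hardened(policies, resource, user, groups, access):
    """Constructed gate: never consult policies for the anonymous identity.

    This mirrors Bryan's point that in a secured NiFi every request should
    carry a real authenticated identity; anything else is denied outright.
    """
    if not user or user == ANONYMOUS:
        return False
    return is_allowed(policies, resource, user, groups, access)


# Constructed policy set mirroring the thread: /flow READ granted to the node
# certificate CNs and to {USER}; an unrelated /controller policy for contrast.
POLICIES = [
    Policy("/flow", [
        PolicyItem(users={"CN=nifi-node1", "CN=nifi-node2"}, accesses={"READ"}),
        PolicyItem(users={USER_MACRO}, accesses={"READ"}),
    ]),
    Policy("/controller", [
        PolicyItem(groups={"nifi-admins"}, accesses={"READ", "WRITE"}),
    ]),
]


def main():
    for user, groups in [("jmeixner", {"nifi-users"}), (ANONYMOUS, set())]:
        plain = is_allowed(POLICIES, "/flow", user, groups, "READ")
        gated = is_allowed_hardened(POLICIES, "/flow", user, groups, "READ")
        print(f"{user:>10} /flow READ: ranger-style={plain} hardened={gated}")
    print("items reachable by anonymous:", audit_anonymous_reachable(POLICIES))


if __name__ == "__main__":
    main()
```

Running it shows jmeixner and anonymous both allowed by the plain lookup and only jmeixner allowed once the anonymous identity is refused up front; the audit reports the `{USER}` item on `/flow` as the entry that lets anonymous through. The hardened gate is where a fix belongs regardless of Ranger policy content: if "anonymous" can reach the authorizer at all, the question from the thread ("what authenticates the anonymous user?") is the thing to answer first, and the nifi-user.log capture Bryan asks for is what shows it.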
