Ok, so you end up in the NiFi UI with the identity in the top right
saying "Anonymous user"? (as shown in the screenshots of that hwx
forum)

I think we need to dig into what is happening during authentication...

Can you do a fresh login to NiFi using your LDAP credentials, and then
capture the content from nifi-user.log that occurred during this
login?


On Mon, Apr 9, 2018 at 10:37 AM, Meixner, Johannes
<johan...@perceivon.net> wrote:
>> If so, then how are you authenticating to NiFi as an "anonymous" user?
>
> Good question. NiFi uses its LdapProvider (with Authentication Strategy =
> SIMPLE, Identity Strategy = USE_USERNAME) to identify and the
> RangerNifiAuthorizer to authorise users.
>
> I'm not quite sure yet what authenticates the anonymous user, but I've found
> similar reports in a Hortonworks thread [1] without obvious solution.
>
> [1]
> https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html
>
> On Mon, Apr 9, 2018 at 4:09 PM, Bryan Bende <bbe...@gmail.com> wrote:
>>
>> Ah thanks for the info, didn't know that.
>>
>> So you have a policy in Ranger where the resource is "/flow", the
>> action is READ, and the users/groups is "{USER}", and then you are
>> saying an "anonymous" user can retrieve the flow?
>>
>> I'm assuming that since your Ranger is backed by an LDAP, that you
>> also have configured NiFi's LDAP Login Identity Provider?
>>
>> If so, then how are you authenticating to NiFi as an "anonymous" user?
>>
>> In a secure NiFi you should always have to authenticate as some
>> identity, the anonymous user is only used in an unsecured NiFi when
>> there is no authentication/authorization taking place.
>>
>>
>> On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes
>> <johan...@perceivon.net> wrote:
>> > Hi Bryan,
>> >
>> > It's a placeholder in Ranger for usernames, see
>> >
>> > https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
>> >
>> > which is used by certain matcher classes.
>> >
>> > On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I don't see any issue with the code you linked to. It's saying "if the
>> >> ranger policies say the operation is allowed, then return approved".
>> >>
>> >> Is '{USER}' a special syntax in Ranger? or are you using that as a
>> >> placeholder in email so you don't have to provide the real user
>> >> identity?
>> >>
>> >> I haven't seen that syntax before so just trying to understand what
>> >> {USER} and {OWNER} mean here.
>> >>
>> >> -Bryan
>> >>
>> >>
>> >> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
>> >> <johan...@perceivon.net> wrote:
>> >> > I'm trying to harden my NiFi instance's authorizations and auditing
>> >> > using Ranger (which is backed by an LDAP instance).
>> >> >
>> >> > In Ranger I have defined a couple of resources to be authorized for
>> >> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
>> >> >
>> >> > Turns out that if I add `{USER}` to the resource containing "/flow" I
>> >> > can read the flow as anonymous user, which is exactly the opposite of
>> >> > what I want.
>> >> >
>> >> > Some digging last week led me to believe that this is due to the way
>> >> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be
>> >> > on the completely wrong track here.
>> >> >
>> >> > Is there any way to prevent `anonymous` from doing anything in NiFi,
>> >> > through Ranger?
>> >> >
>> >> > Best regards
>> >> > Johannes Meixner
>> >> >
>> >> >
>> >> > [1]
>> >> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
>> >
>> >
>
>
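A simplified model of the decision the thread is about, added here as an example and not NiFi's or Ranger's own code: `{USER}` expands to whatever identity makes the request, so a READ grant on "/flow" also reaches the anonymous identity, and the hardened variant refuses that identity before any policy is consulted. The policy export shape, the `nifi-resource` key and the `anonymous` identity string are assumptions; the policies are constructed sample data.

```python
# Constructed sample in the shape of a Ranger policy export (assumption:
# the NiFi service definition's resource key is "nifi-resource").
SAMPLE_POLICIES = [
    {
        "name": "flow-read",
        "resources": {"nifi-resource": {"values": ["/flow"]}},
        "policyItems": [
            {"users": ["{USER}"], "accesses": [{"type": "READ", "isAllowed": True}]},
            {"users": ["CN=nifi-node-1"], "accesses": [{"type": "READ", "isAllowed": True}]},
        ],
    },
    {
        "name": "provenance-read",
        "resources": {"nifi-resource": {"values": ["/provenance"]}},
        "policyItems": [
            {"users": ["alice"], "accesses": [{"type": "READ", "isAllowed": True}]},
        ],
    },
]

ANONYMOUS = "anonymous"  # assumed identity string for an unauthenticated request


def is_allowed(policies, user, resource, action):
    """Model of the placeholder semantics: '{USER}' is replaced by the requesting
    identity, so it matches every identity, the anonymous one included."""
    for policy in policies:
        if resource not in policy["resources"]["nifi-resource"]["values"]:
            continue
        for item in policy["policyItems"]:
            users = [user if u == "{USER}" else u for u in item["users"]]
            granted = any(a["type"] == action and a["isAllowed"] for a in item["accesses"])
            if user in users and granted:
                return True
    return False


def is_allowed_hardened(policies, user, resource, action):
    """Mitigation: an empty or anonymous identity is denied before policies are read."""
    if not user or user == ANONYMOUS:
        return False
    return is_allowed(policies, user, resource, action)


def audit_user_placeholder(policies):
    """List every (policy, resource) pair where '{USER}' grants access, since under
    the model above such a grant also reaches the anonymous identity."""
    return [
        (policy["name"], res)
        for policy in policies
        for item in policy["policyItems"]
        if "{USER}" in item["users"]
        for res in policy["resources"]["nifi-resource"]["values"]
    ]
```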
