It should also be possible to add a deny policy for the anonymous user, no?
Not sure if that would be the issue though.

Pierre

2018-04-09 17:32 GMT+02:00 Bryan Bende <bbe...@gmail.com>:

> Actually, thinking about this more, I think the issue is that you
> currently can't use Ranger's {USER} concept because NiFi always has an
> "anonymous" user, and there is no way in Ranger to exclude "anonymous"
> from {USER}.
>
> What is happening is something like this...
>
> - You enter the NiFi URL in your browser which loads some of the front-end
> code
> - The front-end code then attempts to access a server side resource
> that requires authorization
> - This request is happening as the anonymous user, and if it fails
> with an unauthorized response, then the front-end knows to present the
> login page
> - In this case, the request is succeeding because of the policy you
> have with {USER}
>
> I think one way to support this might be to bring back the "Allow
> Anonymous" flag in the Ranger Authorizer config.
>
> This way if this value is set to false, then before doing anything
> else the authorizer would check if the incoming identity is
> "anonymous" and reject the request before even checking the actual
> policies from Ranger.
>
> On Mon, Apr 9, 2018 at 11:10 AM, Bryan Bende <bbe...@gmail.com> wrote:
> > Ok, so you end up in the NiFi UI with the identity in the top right
> > saying "Anonymous user"? (as shown in the screenshots of that hwx
> > forum)
> >
> > I think we need to dig into what is happening during authentication...
> >
> > Can you do a fresh login to NiFi using your LDAP credentials, and then
> > capture the content from nifi-user.log that occurred during this
> > login?
> >
> >
> > On Mon, Apr 9, 2018 at 10:37 AM, Meixner, Johannes
> > <johan...@perceivon.net> wrote:
> >>> If so, then how are you authenticating to NiFi as an "anonymous" user?
> >>
> >> Good question. NiFi uses its LdapProvider (with Authentication Strategy =
> >> SIMPLE, Identity Strategy = USE_USERNAME) to identify and the
> >> RangerNifiAuthorizer to authorise users.
> >>
> >> I'm not quite sure yet what authenticates the anonymous user, but I've found
> >> similar reports in a Hortonworks thread [1] without obvious solution.
> >>
> >> [1]
> >> https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html
> >>
> >> On Mon, Apr 9, 2018 at 4:09 PM, Bryan Bende <bbe...@gmail.com> wrote:
> >>>
> >>> Ah thanks for the info, didn't know that.
> >>>
> >>> So you have a policy in Ranger where the resource is "/flow", the
> >>> action is READ, and the users/groups is "{USER}", and then you are
> >>> saying an "anonymous" user can retrieve the flow?
> >>>
> >>> I'm assuming that since your Ranger is backed by an LDAP, that you
> >>> also have configured NiFi's LDAP Login Identity Provider?
> >>>
> >>> If so, then how are you authenticating to NiFi as an "anonymous" user?
> >>>
> >>> In a secure NiFi you should always have to authenticate as some
> >>> identity; the anonymous user is only used in an unsecured NiFi when
> >>> there is no authentication/authorization taking place.
> >>>
> >>>
> >>> On Mon, Apr 9, 2018 at 9:51 AM, Meixner, Johannes
> >>> <johan...@perceivon.net> wrote:
> >>> > Hi Bryan,
> >>> >
> >>> > It's a placeholder in Ranger for usernames, see
> >>> >
> >>> > https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
> >>> >
> >>> > which is used by certain matcher classes.
> >>> >
> >>> > On Mon, Apr 9, 2018 at 3:28 PM, Bryan Bende <bbe...@gmail.com> wrote:
> >>> >>
> >>> >> Hello,
> >>> >>
> >>> >> I don't see any issue with the code you linked to. It's saying "if the
> >>> >> ranger policies say the operation is allowed, then return approved".
> >>> >>
> >>> >> Is '{USER}' a special syntax in Ranger? or are you using that as a
> >>> >> placeholder in email so you don't have to provide the real user
> >>> >> identity?
> >>> >>
> >>> >> I haven't seen that syntax before so just trying to understand what
> >>> >> {USER} and {OWNER} mean here.
> >>> >>
> >>> >> -Bryan
> >>> >>
> >>> >>
> >>> >> On Mon, Apr 9, 2018 at 3:55 AM, Meixner, Johannes
> >>> >> <johan...@perceivon.net> wrote:
> >>> >> > I'm trying to harden my NiFi instance's authorizations and auditing
> >>> >> > using Ranger (which is backed by an LDAP instance).
> >>> >> >
> >>> >> > In Ranger I have defined a couple of resources to be authorized for
> >>> >> > the nifi nodes' CNs (from SSL certs), `{USER}` and `{OWNER}`.
> >>> >> >
> >>> >> > Turns out that if I add `{USER}` to the resource containing "/flow" I
> >>> >> > can read the flow as anonymous user, which is exactly the opposite of
> >>> >> > what I want.
> >>> >> >
> >>> >> > Some digging last week led me to believe that this is due to the way
> >>> >> > RangerNiFiAuthorizer.java [1] does authorizations. Note, I could be
> >>> >> > on the completely wrong track here.
> >>> >> >
> >>> >> > Is there any way to prevent `anonymous` from doing anything in NiFi,
> >>> >> > through Ranger?
> >>> >> >
> >>> >> > Best regards
> >>> >> > Johannes Meixner
> >>> >> >
> >>> >> > [1]
> >>> >> > https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java#L185-L188
> >>> >
> >>> >
> >>
> >>
>
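Added example, not NiFi or Ranger code: a small Python model of the behaviour discussed in this thread, where a Ranger `{USER}` policy entry also matches NiFi's built-in "anonymous" identity, alongside the two mitigations raised (an explicit deny policy for anonymous, and an "Allow Anonymous" pre-check in the authorizer). The policy shape, the function names and the sample identity `jmeixner` are assumptions made for the example.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # identity NiFi uses for unauthenticated requests


@dataclass
class Policy:
    """Assumed minimal shape of a Ranger policy item (constructed for this example)."""
    resource: str
    action: str
    users: set = field(default_factory=set)  # may contain the "{USER}" placeholder
    deny: bool = False                        # True models a Ranger deny-policy item


def _matches(policy, resource, action, identity):
    if policy.resource != resource or policy.action != action:
        return False
    # Ranger expands {USER} to the requesting identity, so it matches anyone,
    # including "anonymous"; the placeholder itself cannot exclude an identity.
    expanded = {identity if u == "{USER}" else u for u in policy.users}
    return identity in expanded


def ranger_allows(policies, resource, action, identity):
    """Model of Ranger evaluation: a matching deny item wins over allow items."""
    hits = [p for p in policies if _matches(p, resource, action, identity)]
    if any(p.deny for p in hits):
        return False
    return any(not p.deny for p in hits)


def authorize(policies, resource, action, identity, allow_anonymous=False):
    """Proposed authorizer behaviour: with allow_anonymous=False the anonymous
    identity is rejected before the Ranger policies are consulted at all."""
    if identity == ANONYMOUS and not allow_anonymous:
        return False
    return ranger_allows(policies, resource, action, identity)


# Constructed policies: the {USER} entry from the thread, plus Pierre's deny idea.
USER_POLICY = [Policy("/flow", "READ", users={"{USER}"})]
WITH_DENY = USER_POLICY + [Policy("/flow", "READ", users={ANONYMOUS}, deny=True)]


if __name__ == "__main__":
    print(ranger_allows(USER_POLICY, "/flow", "READ", ANONYMOUS))  # True: the problem
    print(ranger_allows(WITH_DENY, "/flow", "READ", ANONYMOUS))    # False: deny policy
    print(authorize(USER_POLICY, "/flow", "READ", ANONYMOUS))      # False: pre-check
    print(authorize(USER_POLICY, "/flow", "READ", "jmeixner"))     # True
```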
