Posted to issues@nifi.apache.org by mcgilman <gi...@git.apache.org> on 2017/07/18 19:14:17 UTC

[GitHub] nifi pull request #2019: NIFI-4032: Managed Ranger Authorizer

GitHub user mcgilman opened a pull request:

    https://github.com/apache/nifi/pull/2019

    NIFI-4032: Managed Ranger Authorizer

    NIFI-4032: Managed Ranger Authorizer
    - Introducing the ManagedRangerAuthorizer.
    - Introducing the AuthorizationAuditor.
    - Updating authorization requests to utilize Authorizable wherever possible to allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
    - Updating unit tests as appropriate.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mcgilman/nifi NIFI-4032

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/2019.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2019
    
----
commit c87208d38ac1d46b7304dc737a8f8c332897a4d5
Author: Matt Gilman <ma...@gmail.com>
Date:   2017-06-28T14:17:17Z

    NIFI-4032:
    - Introducing the ManagedRangerAuthorizer.
    - Introducing the AuthorizationAuditor.
    - Updating authorization requests to utilize Authorizable wherever possible to allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
    - Updating unit tests as appropriate.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] nifi issue #2019: NIFI-4032: Managed Ranger Authorizer

Posted by YolandaMDavis <gi...@git.apache.org>.
Github user YolandaMDavis commented on the issue:

    https://github.com/apache/nifi/pull/2019
  
    @mcgilman will take a look soon



[GitHub] nifi issue #2019: NIFI-4032: Managed Ranger Authorizer

Posted by mcgilman <gi...@git.apache.org>.
Github user mcgilman commented on the issue:

    https://github.com/apache/nifi/pull/2019
  
    Great find @YolandaMDavis! Will address this and update. Thanks!



[GitHub] nifi issue #2019: NIFI-4032: Managed Ranger Authorizer

Posted by YolandaMDavis <gi...@git.apache.org>.
Github user YolandaMDavis commented on the issue:

    https://github.com/apache/nifi/pull/2019
  
    @mcgilman with the latest commit I was able to add a new node and see the users.xml file populated.  The node started successfully and I was able to access the cluster without issue.
    
    +1 
    
    Will merge into master shortly.
    




[GitHub] nifi issue #2019: NIFI-4032: Managed Ranger Authorizer

Posted by YolandaMDavis <gi...@git.apache.org>.
Github user YolandaMDavis commented on the issue:

    https://github.com/apache/nifi/pull/2019
  
    I've worked through 3 Ranger configuration scenarios that leveraged the LDAP user group provider, or the composite configurable user group provider (pairing the LDAP provider with the file provider):
    
    1) Using group authorizations for LDAP users (with no mapping for identities) alongside user authorizations for nodes. This is to cover cases where node identities may not be present in LDAP.
    
    2) Using mapped identities to ensure that user-group associations would still be properly resolved.
    
    3) Using the Composite Configurable User Group Provider to allow maintenance of node identities and groups in NiFi while allowing policies to be enforced via Ranger.
    
    All three scenarios worked well with an established cluster. I was able to go from one scenario to the next through changing configurations and updating policies without issue. However, a bug was encountered on the third test case when I wanted to add a new node to the cluster.
    
    The process of adding a new node requires that no information that would seed the users.xml file be provided in configurations (e.g. Initial Admin, Node Identifiers, etc). Therefore the expectation is that once the node attempts to join the cluster it would receive the necessary user information from the cluster to create its own local version of the file. When using the ManagedRangerAuthorizer along with the Configurable provider it doesn't appear to have that functionality, since the users.xml generated was empty. This led to the node starting up fine; however, when attempting to access the UI from any node a proxy error occurred. Given the users.xml file was empty this error made sense because NiFi was unable to determine the users (node identities) or groups they should be mapped to, hence unable to apply the Ranger policy that allowed the nodes group to perform proxying.
    
    In speaking with @mcgilman offline this error was due to the ManagedRangerAuthorizer not extracting user group information for cases when it's paired with configurable user group providers.
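
A check for the failure mode reported in the comment above, added here as an example; it is not part of the thread or of NiFi. It assumes the `<tenants>`/`<groups>`/`<users>` layout of a file-provider `users.xml`, and the node identities and the group name `nodes` are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a populated users.xml (layout is an assumption).
POPULATED = """<tenants>
  <groups>
    <group identifier="g-1" name="nodes">
      <user identifier="u-1"/>
      <user identifier="u-2"/>
    </group>
  </groups>
  <users>
    <user identifier="u-1" identity="CN=node1.example.test, OU=NIFI"/>
    <user identifier="u-2" identity="CN=node2.example.test, OU=NIFI"/>
    <user identifier="u-3" identity="CN=node3.example.test, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample: the empty file described for the newly joined node.
EMPTY = "<tenants><groups/><users/></tenants>"


def group_membership(users_xml):
    """Return {identity: sorted group names} for every user in the file."""
    root = ET.fromstring(users_xml)
    by_id = {u.get("identifier"): u.get("identity")
             for u in root.findall("./users/user")}
    membership = {identity: [] for identity in by_id.values()}
    for group in root.findall("./groups/group"):
        for member in group.findall("user"):
            identity = by_id.get(member.get("identifier"))
            if identity is not None:  # ignore dangling member references
                membership[identity].append(group.get("name"))
    return {k: sorted(v) for k, v in membership.items()}


def check_nodes(users_xml, node_identities, required_group):
    """Return (identity, reason) for each node that cannot be mapped to required_group."""
    membership = group_membership(users_xml)
    findings = []
    for node in node_identities:
        if node not in membership:
            findings.append((node, "identity missing from users.xml"))
        elif required_group not in membership[node]:
            findings.append((node, "not a member of group " + required_group))
    return findings
```

Running `check_nodes` against each node's local file after a join shows whether the identities and group that the proxy policy depends on actually arrived.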



[GitHub] nifi pull request #2019: NIFI-4032: Managed Ranger Authorizer

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/2019

