Posted to commits@nifi.apache.org by jo...@apache.org on 2024/02/15 00:12:06 UTC
(nifi) branch main updated: NIFI-12765 Removed Apache Ranger modules This closes #8389
This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 4d5f33804b NIFI-12765 Removed Apache Ranger modules This closes #8389
4d5f33804b is described below
commit 4d5f33804b4a0cc22e35cab8de5e2678271d7766
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Fri Feb 9 15:56:14 2024 -0600
NIFI-12765 Removed Apache Ranger modules
This closes #8389
- Removed nifi-ranger-bundle modules
- Removed nifi-registry-ranger modules
Signed-off-by: Joseph Witt <jo...@apache.org>
---
nifi-assembly/pom.xml | 51 --
nifi-assembly/src/main/assembly/ranger.xml | 69 ---
nifi-code-coverage/pom.xml | 10 -
nifi-dependency-check-maven/suppressions.xml | 5 -
.../src/main/asciidoc/administration-guide.adoc | 2 +-
nifi-docs/src/main/asciidoc/developer-guide.adoc | 1 -
.../nifi-ranger-bundle/nifi-ranger-nar/pom.xml | 35 --
.../src/main/resources/META-INF/LICENSE | 407 -------------
.../src/main/resources/META-INF/NOTICE | 386 ------------
.../nifi-ranger-bundle/nifi-ranger-plugin/pom.xml | 332 ----------
.../authorization/ManagedRangerAuthorizer.java | 207 -------
.../RangerBasePluginWithPolicies.java | 293 ---------
.../ranger/authorization/RangerNiFiAuthorizer.java | 310 ----------
.../org.apache.nifi.authorization.Authorizer | 16 -
.../authorization/ManagedRangerAuthorizerTest.java | 227 -------
.../TestRangerBasePluginWithPolicies.java | 550 -----------------
.../authorization/TestRangerNiFiAuthorizer.java | 575 ------------------
.../src/test/resources/authorizers.xml | 27 -
.../src/test/resources/krb5.conf | 25 -
.../src/test/resources/ranger/core-site.xml | 22 -
.../test/resources/ranger/ranger-nifi-audit.xml | 101 ----
.../test/resources/ranger/ranger-nifi-security.xml | 83 ---
.../test/resources/ranger/ranger-policymgr-ssl.xml | 63 --
.../nifi-ranger-resources/pom.xml | 81 ---
.../resources/scripts/ranger_credential_helper.py | 75 ---
nifi-nar-bundles/nifi-ranger-bundle/pom.xml | 152 -----
nifi-nar-bundles/pom.xml | 1 -
nifi-registry/nifi-registry-assembly/pom.xml | 38 --
.../src/main/assembly/dependencies.xml | 1 -
.../src/main/asciidoc/administration-guide.adoc | 2 -
.../nifi-registry-ranger-assembly/LICENSE | 445 --------------
.../nifi-registry-ranger-assembly/NOTICE | 449 --------------
.../nifi-registry-ranger-assembly/README.md | 131 ----
.../conf/ranger-nifi-registry-audit.xml | 174 ------
.../conf/ranger-nifi-registry-security.xml | 92 ---
.../nifi-registry-ranger-assembly/pom.xml | 100 ---
.../src/main/assembly/extension.xml | 62 --
.../nifi-registry-ranger-jersey-bundle/pom.xml | 71 ---
.../nifi-registry-ranger-plugin/pom.xml | 463 --------------
.../nifi/registry/ranger/RangerAuthorizer.java | 453 --------------
.../ranger/RangerBasePluginWithPolicies.java | 291 ---------
...nifi.registry.security.authorization.Authorizer | 15 -
.../nifi/registry/ranger/TestRangerAuthorizer.java | 672 ---------------------
.../ranger/TestRangerBasePluginWithPolicies.java | 544 -----------------
.../src/test/resources/krb5.conf | 25 -
.../src/test/resources/ranger/core-site.xml | 22 -
.../ranger/ranger-nifi-registry-audit.xml | 101 ----
.../ranger/ranger-nifi-registry-security.xml | 83 ---
.../test/resources/ranger/ranger-policymgr-ssl.xml | 63 --
.../nifi-registry-ranger/pom.xml | 55 --
nifi-registry/nifi-registry-extensions/pom.xml | 1 -
pom.xml | 1 -
52 files changed, 1 insertion(+), 8459 deletions(-)
diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
index 66572d413e..ec602f141b 100644
--- a/nifi-assembly/pom.xml
+++ b/nifi-assembly/pom.xml
@@ -1261,57 +1261,6 @@ language governing permissions and limitations under the License. -->
</plugins>
</build>
</profile>
- <profile>
- <id>include-ranger</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- <property>
- <name>allProfiles</name>
- </property>
- </activation>
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-assembly-plugin</artifactId>
- <executions>
- <execution>
- <id>make shared resource</id>
- <goals>
- <goal>single</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <finalName>nifi-${project.version}</finalName>
- <attach>false</attach>
- <archiverConfig>
- <defaultDirectoryMode>0775</defaultDirectoryMode>
- <directoryMode>0775</directoryMode>
- <fileMode>0664</fileMode>
- </archiverConfig>
- <descriptors>
- <descriptor>src/main/assembly/ranger.xml</descriptor>
- </descriptors>
- <tarLongFileMode>posix</tarLongFileMode>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-nar</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <type>nar</type>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-resources</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
- </dependencies>
- </profile>
<profile>
<id>include-asn1</id>
<activation>
diff --git a/nifi-assembly/src/main/assembly/ranger.xml b/nifi-assembly/src/main/assembly/ranger.xml
deleted file mode 100644
index 134d7811ac..0000000000
--- a/nifi-assembly/src/main/assembly/ranger.xml
+++ /dev/null
@@ -1,69 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<assembly>
- <id>bin</id>
- <formats>
- <format>dir</format>
- <format>zip</format>
- <format>tar.gz</format>
- </formats>
- <includeBaseDirectory>true</includeBaseDirectory>
- <baseDirectory>nifi-${project.version}</baseDirectory>
-
- <componentDescriptors>
- <componentDescriptor>src/main/assembly/core.xml</componentDescriptor>
- <componentDescriptor>src/main/assembly/common.xml</componentDescriptor>
- </componentDescriptors>
-
- <dependencySets>
- <!-- Write out dependencies for Ranger's credentialbuilder to ext/ranger/install/lib -->
- <dependencySet>
- <scope>runtime</scope>
- <useProjectArtifact>false</useProjectArtifact>
- <outputDirectory>ext/ranger/install/lib/</outputDirectory>
- <directoryMode>0770</directoryMode>
- <fileMode>0660</fileMode>
- <useTransitiveFiltering>true</useTransitiveFiltering>
- <includes>
- <include>org.apache.nifi:nifi-ranger-resources:jar</include>
- <include>org.slf4j:slf4j-api</include>
- <include>org.slf4j:jcl-over-slf4j</include>
- <include>org.apache.commons:commons-lang3</include>
- <include>com.google.guava:guava</include>
- </includes>
- </dependencySet>
- <!-- Write out scripts from nifi-ranger-resources to ext/ranger/scripts -->
- <dependencySet>
- <scope>runtime</scope>
- <useProjectArtifact>false</useProjectArtifact>
- <outputDirectory>ext/ranger/</outputDirectory>
- <directoryMode>0770</directoryMode>
- <fileMode>0770</fileMode>
- <useTransitiveFiltering>false</useTransitiveFiltering>
- <includes>
- <include>org.apache.nifi:nifi-ranger-resources:jar</include>
- </includes>
- <unpack>true</unpack>
- <unpackOptions>
- <filtered>true</filtered>
- <includes>
- <include>scripts/</include>
- </includes>
- </unpackOptions>
- </dependencySet>
- </dependencySets>
-
-</assembly>
diff --git a/nifi-code-coverage/pom.xml b/nifi-code-coverage/pom.xml
index ec929c0331..cc0c651168 100644
--- a/nifi-code-coverage/pom.xml
+++ b/nifi-code-coverage/pom.xml
@@ -1364,11 +1364,6 @@
<artifactId>nifi-python-framework-api</artifactId>
<version>2.0.0-SNAPSHOT</version>
</dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-plugin</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-redis-extensions</artifactId>
@@ -1841,11 +1836,6 @@
<version>2.0.0-SNAPSHOT</version>
<type>war</type>
</dependency>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-ranger-plugin</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
<dependency>
<groupId>org.apache.nifi.registry</groupId>
<artifactId>nifi-registry-toolkit-persistence</artifactId>
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index fa25b9355d..08d0a6db69 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -424,11 +424,6 @@
<packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
<cve>CVE-2020-13946</cve>
</suppress>
- <suppress>
- <notes>CVE-2019-10172 applies to Jackson 1 XmlMapper not JSON mapper used in Ranger plugins</notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
- <cve>CVE-2019-10172</cve>
- </suppress>
<suppress>
<notes>Bundled versions of jQuery DataTables are not used</notes>
<packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index dedae7f2e7..db31ffa366 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -93,7 +93,7 @@ There is also a specific profile allowing you to build NiFi with all of the addi
`./mvnw clean install -Pinclude-all`
-This will include bundles such as gRPC, Atlas, Hive, Hive 1_1, Hive 3, Media, Rules, SQL Reporting, Accumulo, Ranger, ASN1, Snowflake, Iceberg, etc.
+This will include all optional bundles.
== Port Configuration
diff --git a/nifi-docs/src/main/asciidoc/developer-guide.adoc b/nifi-docs/src/main/asciidoc/developer-guide.adoc
index db9816bc2b..2001de4a05 100644
--- a/nifi-docs/src/main/asciidoc/developer-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/developer-guide.adoc
@@ -2705,7 +2705,6 @@ deprecationLogger.warn(
| Apache Hive 3 Bundle | include-hive3 | Adds support for Apache Hive 3.X
| Apache IoTDB Bundle | include-iotdb | Adds support for Apache IoTDB
| Apache Kudu Bundle | include-kudu | Adds support for Apache Kudu
-| Apache Ranger Bundle | include-ranger | Adds support for https://ranger.apache.org[Apache Ranger].
| Apache Solr Bundle | include-solr | Adds support for Apache Solr
| ASN.1 Support | include-asn1 | Adds support for ASN.1
| Contribution Check | contrib-check | Runs various quality checks that are required to be accepted before a contribution can be accepted into the core NiFi code base.
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml
deleted file mode 100644
index 87d47d739d..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-bundle</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>nifi-ranger-nar</artifactId>
- <packaging>nar</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-plugin</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
- </dependencies>
-</project>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE
deleted file mode 100644
index 476fe7dc9b..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE
+++ /dev/null
@@ -1,407 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-APACHE NIFI SUBCOMPONENTS:
-
-The Apache NiFi project contains subcomponents with separate copyright
-notices and license terms. Your use of the source code for the these
-subcomponents is subject to the terms and conditions of the following
-licenses.
-
- The binary distribution of this product bundles 'Scala Library' under a BSD
- style license.
-
- Copyright (c) 2002-2015 EPFL
- Copyright (c) 2011-2015 Typesafe, Inc.
-
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without modification,
- are permitted provided that the following conditions are met:
-
- Redistributions of source code must retain the above copyright notice, this list of
- conditions and the following disclaimer.
-
- Redistributions in binary form must reproduce the above copyright notice, this list of
- conditions and the following disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- Neither the name of the EPFL nor the names of its contributors may be used to endorse
- or promote products derived from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS
- OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
- IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- The binary distribution of this product bundles 'JOpt Simple' under an MIT
- style license.
-
- Copyright (c) 2009 Paul R. Holser, Jr.
-
- Permission is hereby granted, free of charge, to any person obtaining
- a copy of this software and associated documentation files (the
- "Software"), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish,
- distribute, sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so, subject to
- the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
- WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
- The binary distribution of this product bundles 'JCraft Jsch' which is available
- under a BSD style license.
-
- Copyright (c) 2002-2015 Atsuhiko Yamanaka, JCraft,Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the distribution.
-
- 3. The names of the authors may not be used to endorse or promote products
- derived from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
- FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
- INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
- OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- The binary distribution of this product bundles 'ParaNamer' and 'Paranamer Core'
- which is available under a BSD style license.
-
- Copyright (c) 2006 Paul Hammant & ThoughtWorks Inc
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the copyright holders nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- THE POSSIBILITY OF SUCH DAMAGE.
-
- The binary distribution of this product bundles 'Protocol Buffers - Google's data interchange format'
- which is available under a BSD style license.
-
- Copyright 2008 Google Inc. All rights reserved.
- http://code.google.com/p/protobuf/
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following disclaimer
- in the documentation and/or other materials provided with the
- distribution.
- * Neither the name of Google Inc. nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- The binary distribution of this product bundles 'Woodstox StAX 2 API' which is
- "licensed under standard BSD license"
-
- The binary distribution of this product bundles 'XMLENC' which is available
- under a BSD license. More details found here: http://xmlenc.sourceforge.net.
-
- Copyright 2003-2005, Ernst de Haan <wf...@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
- 3. Neither the name of the copyright holder nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- The binary distribution of this product bundles 'Azure SDK for Java' which is available under an MIT license.
-
- Copyright (c) 2015 Microsoft Azure
-
- Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
- associated documentation files (the Software), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
- sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject
- to the following conditions:
-
- The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
- LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
- NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE
deleted file mode 100644
index 97c6efd448..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE
+++ /dev/null
@@ -1,386 +0,0 @@
-nifi-ranger-nar
-Copyright 2014-2024 The Apache Software Foundation
-
-This product includes software developed at
-The Apache Software Foundation (http://www.apache.org/).
-
-******************
-Apache Software License v2
-******************
-
- (ASLv2) Apache Avro
- The following NOTICE information applies:
- Apache Avro
- Copyright 2009-2017 The Apache Software Foundation
-
- (ASLv2) Apache Commons Collections
- The following NOTICE information applies:
- Apache Commons Collections
- Copyright 2001-2013 The Apache Software Foundation
-
- (ASLv2) Apache Commons Compress
- The following NOTICE information applies:
- Apache Commons Compress
- Copyright 2002-2017 The Apache Software Foundation
-
- The files in the package org.apache.commons.compress.archivers.sevenz
- were derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),
- which has been placed in the public domain:
-
- "LZMA SDK is placed in the public domain." (http://www.7-zip.org/sdk.html)
-
- (ASLv2) Apache Commons Codec
- The following NOTICE information applies:
- Apache Commons Codec
- Copyright 2002-2014 The Apache Software Foundation
-
- src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
- contains test data from http://aspell.net/test/orig/batch0.tab.
- Copyright (C) 2002 Kevin Atkinson (kevina@gnu.org)
-
- ===============================================================================
-
- The content of package org.apache.commons.codec.language.bm has been translated
- from the original php source code available at http://stevemorse.org/phoneticinfo.htm
- with permission from the original authors.
- Original source copyright:
- Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
-
- (ASLv2) Apache Commons CLI
- The following NOTICE information applies:
- Apache Commons CLI
- Copyright 2001-2009 The Apache Software Foundation
-
- (ASLv2) Apache Commons Configuration
- The following NOTICE information applies:
- Apache Commons Configuration
- Copyright 2001-2008 The Apache Software Foundation
-
- (ASLv2) Apache Commons EL
- The following NOTICE information applies:
- Apache Commons EL
- Copyright 1999-2007 The Apache Software Foundation
-
- EL-8 patch - Copyright 2004-2007 Jamie Taylor
- http://issues.apache.org/jira/browse/EL-8
-
- (ASLv2) Apache Directory Server
- The following NOTICE information applies:
- ApacheDS Protocol Kerberos Codec
- Copyright 2003-2013 The Apache Software Foundation
-
- ApacheDS I18n
- Copyright 2003-2013 The Apache Software Foundation
-
- Apache Directory API ASN.1 API
- Copyright 2003-2013 The Apache Software Foundation
-
- Apache Directory LDAP API Utilities
- Copyright 2003-2013 The Apache Software Foundation
-
- (ASLv2) Apache Jakarta HttpClient
- The following NOTICE information applies:
- Apache Jakarta HttpClient
- Copyright 1999-2007 The Apache Software Foundation
-
- (ASLv2) Apache Commons IO
- The following NOTICE information applies:
- Apache Commons IO
- Copyright 2002-2016 The Apache Software Foundation
-
- (ASLv2) Apache Commons Lang
- The following NOTICE information applies:
- Apache Commons Lang
- Copyright 2001-2015 The Apache Software Foundation
-
- This product includes software from the Spring Framework,
- under the Apache License 2.0 (see: StringUtils.containsWhitespace())
-
- (ASLv2) Apache Commons Math
- The following NOTICE information applies:
- Apache Commons Math
- Copyright 2001-2012 The Apache Software Foundation
-
- This product includes software developed by
- The Apache Software Foundation (http://www.apache.org/).
-
- ===============================================================================
-
- The BracketFinder (package org.apache.commons.math3.optimization.univariate)
- and PowellOptimizer (package org.apache.commons.math3.optimization.general)
- classes are based on the Python code in module "optimize.py" (version 0.5)
- developed by Travis E. Oliphant for the SciPy library (http://www.scipy.org/)
- Copyright © 2003-2009 SciPy Developers.
- ===============================================================================
-
- The LinearConstraint, LinearObjectiveFunction, LinearOptimizer,
- RelationShip, SimplexSolver and SimplexTableau classes in package
- org.apache.commons.math3.optimization.linear include software developed by
- Benjamin McCann (http://www.benmccann.com) and distributed with
- the following copyright: Copyright 2009 Google Inc.
- ===============================================================================
-
- This product includes software developed by the
- University of Chicago, as Operator of Argonne National
- Laboratory.
- The LevenbergMarquardtOptimizer class in package
- org.apache.commons.math3.optimization.general includes software
- translated from the lmder, lmpar and qrsolv Fortran routines
- from the Minpack package
- Minpack Copyright Notice (1999) University of Chicago. All rights reserved
- ===============================================================================
-
- The GraggBulirschStoerIntegrator class in package
- org.apache.commons.math3.ode.nonstiff includes software translated
- from the odex Fortran routine developed by E. Hairer and G. Wanner.
- Original source copyright:
- Copyright (c) 2004, Ernst Hairer
- ===============================================================================
-
- The EigenDecompositionImpl class in package
- org.apache.commons.math3.linear includes software translated
- from some LAPACK Fortran routines. Original source copyright:
- Copyright (c) 1992-2008 The University of Tennessee. All rights reserved.
- ===============================================================================
-
- The MersenneTwister class in package org.apache.commons.math3.random
- includes software translated from the 2002-01-26 version of
- the Mersenne-Twister generator written in C by Makoto Matsumoto and Takuji
- Nishimura. Original source copyright:
- Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura,
- All rights reserved
- ===============================================================================
-
- The LocalizedFormatsTest class in the unit tests is an adapted version of
- the OrekitMessagesTest class from the orekit library distributed under the
- terms of the Apache 2 licence. Original source copyright:
- Copyright 2010 CS Systèmes d'Information
- ===============================================================================
-
- The HermiteInterpolator class and its corresponding test have been imported from
- the orekit library distributed under the terms of the Apache 2 licence. Original
- source copyright:
- Copyright 2010-2012 CS Systèmes d'Information
- ===============================================================================
-
- The creation of the package "o.a.c.m.analysis.integration.gauss" was inspired
- by an original code donated by Sébastien Brisard.
- ===============================================================================
-
- (ASLv2) Apache Commons Net
- The following NOTICE information applies:
- Apache Commons Net
- Copyright 2001-2013 The Apache Software Foundation
-
- (ASLv2) Apache Curator
- The following NOTICE information applies:
- Curator Framework
- Copyright 2011-2014 The Apache Software Foundation
-
- Curator Client
- Copyright 2011-2014 The Apache Software Foundation
-
- Curator Recipes
- Copyright 2011-2014 The Apache Software Foundation
-
- (ASLv2) Apache HttpComponents
- The following NOTICE information applies:
- Apache HttpClient
- Copyright 1999-2015 The Apache Software Foundation
-
- Apache HttpCore
- Copyright 2005-2015 The Apache Software Foundation
-
- Apache HttpMime
- Copyright 1999-2013 The Apache Software Foundation
-
- This project contains annotations derived from JCIP-ANNOTATIONS
- Copyright (c) 2005 Brian Goetz and Tim Peierls. See http://www.jcip.net
-
- (ASLv2) Apache Ranger
- The following NOTICE information applies:
- Apache Ranger Credential Builder
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Audit
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Common
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Cred
- Copyright 2014-2016 The Apache Software Foundation
-
- (ASLv2) Google GSON
- The following NOTICE information applies:
- Copyright 2008 Google Inc.
-
- (ASLv2) HTrace Core
- The following NOTICE information applies:
- In addition, this product includes software dependencies. See
- the accompanying LICENSE.txt for a listing of dependencies
- that are NOT Apache licensed (with pointers to their licensing)
-
- Apache HTrace includes an Apache Thrift connector to Zipkin. Zipkin
- is a distributed tracing system that is Apache 2.0 Licensed.
- Copyright 2012 Twitter, Inc.
-
- (ASLv2) Jackson JSON processor
- The following NOTICE information applies:
- # Jackson JSON processor
-
- Jackson is a high-performance, Free/Open Source JSON processing library.
- It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
- been in development since 2007.
- It is currently developed by a community of developers, as well as supported
- commercially by FasterXML.com.
-
- ## Licensing
-
- Jackson core and extension components may licensed under different licenses.
- To find the details that apply to this artifact see the accompanying LICENSE file.
- For more information, including possible other licensing options, contact
- FasterXML.com (http://fasterxml.com).
-
- ## Credits
-
- A list of contributors may be found from CREDITS file, which is included
- in some artifacts (usually source distributions); but is always available
- from the source code management (SCM) system project uses.
-
- (ASLv2) Jettison
- The following NOTICE information applies:
- Copyright 2006 Envoi Solutions LLC
-
- (ASLv2) Jets3t
- The following NOTICE information applies:
-
- This product includes software developed by:
-
- The Apache Software Foundation (http://www.apache.org/).
-
- The ExoLab Project (http://www.exolab.org/)
-
- Sun Microsystems (http://www.sun.com/)
-
- Codehaus (http://castor.codehaus.org)
-
- Tatu Saloranta (http://wiki.fasterxml.com/TatuSaloranta)
-
- (ASLv2) Jetty
- The following NOTICE information applies:
- Jetty Web Container
- Copyright 1995-2019 Mort Bay Consulting Pty Ltd.
-
- (ASLv2) Apache Kafka
- The following NOTICE information applies:
- Apache Kafka
- Copyright 2012 The Apache Software Foundation.
-
- (ASLv2) Apache log4j
- The following NOTICE information applies:
- Apache log4j
- Copyright 2007 The Apache Software Foundation
-
- (ASLv2) Apache Solr
- The following NOTICE information applies:
- Apache Solrj
- Copyright 2006-2014 The Apache Software Foundation
-
- (ASLv2) Apache ZooKeeper
- The following NOTICE information applies:
- Apache ZooKeeper
- Copyright 2009-2012 The Apache Software Foundation
-
- (ASLv2) The Netty Project
- The following NOTICE information applies:
- The Netty Project
- Copyright 2011 The Netty Project
-
- (ASLv2) Snappy Java
- The following NOTICE information applies:
- This product includes software developed by Google
- Snappy: http://code.google.com/p/snappy/ (New BSD License)
-
- This product includes software developed by Apache
- PureJavaCrc32C from apache-hadoop-common http://hadoop.apache.org/
- (Apache 2.0 license)
-
- This library containd statically linked libstdc++. This inclusion is allowed by
- "GCC RUntime Library Exception"
- http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
-
- (ASLv2) Woodstox Core ASL
- The following NOTICE information applies:
- This product currently only contains code developed by authors
- of specific components, as identified by the source code files.
-
- Since product implements StAX API, it has dependencies to StAX API
- classes.
-
- (ASLv2) Yammer Metrics
- The following NOTICE information applies:
- Metrics
- Copyright 2010-2012 Coda Hale and Yammer, Inc.
-
- This product includes software developed by Coda Hale and Yammer, Inc.
-
- This product includes code derived from the JSR-166 project (ThreadLocalRandom), which was released
- with the following comments:
-
- Written by Doug Lea with assistance from members of JCP JSR-166
- Expert Group and released to the public domain, as explained at
- http://creativecommons.org/publicdomain/zero/1.0/
-
- (ASLv2) ZkClient
- The following NOTICE information applies:
- ZkClient
- Copyright 2009 Stefan Groschupf
-
- (ASLv2) Amazon Web Services SDK
- The following NOTICE information applies:
- Copyright 2010-2014 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
- This product includes software developed by
- Amazon Technologies, Inc (http://www.amazon.com/).
-
- **********************
- THIRD PARTY COMPONENTS
- **********************
- This software includes third party software subject to the following copyrights:
- - XML parsing and utility functions from JetS3t - Copyright 2006-2009 James Murty.
- - PKCS#1 PEM encoded private key parsing and utility functions from oauth.googlecode.com - Copyright 1998-2010 AOL Inc.
-
-************************
-Common Development and Distribution License 1.0
-************************
-
-The following binary components are provided under the Common Development and Distribution License 1.0. See project link for details.
-
- (CDDL 1.0) JavaBeans Activation Framework (JAF) (javax.activation:activation:jar:1.1 - http://java.sun.com/products/javabeans/jaf/index.jsp)
- (CDDL 1.0) (GPL3) Streaming API For XML (javax.xml.stream:stax-api:jar:1.0-2 - no url provided)
-
-************************
-Common Development and Distribution License 1.1
-************************
-
-The following binary components are provided under the Common Development and Distribution License 1.1. See project link for details.
-
- (CDDL 1.1) (GPL2 w/ CPE) Old JAXB Runtime (com.sun.xml.bind:jaxb-impl:jar:2.2.3-1 - http://jaxb.java.net/)
- (CDDL 1.1) (GPL2 w/ CPE) Java Architecture For XML Binding (javax.xml.bind:jaxb-api:jar:2.2.2 - https://jaxb.dev.java.net/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-bundle (com.sun.jersey:jersey-bundle:jar:1.17 - https://jersey.java.net/jersey-bundle/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-core (com.sun.jersey:jersey-core:jar:1.19 - https://jersey.java.net/jersey-core/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-server (com.sun.jersey:jersey-server:jar:1.19 - https://jersey.java.net/jersey-server/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-json (com.sun.jersey:jersey-json:jar:1.19 - https://jersey.java.net/jersey-json/)
- (CDDL 1.1) (GPL2 w/ CPE) JavaServer Pages(TM) API (javax.servlet.jsp:javax.servlet.jsp-api:jar:2.1 - http://jsp.java.net)
- (CDDL 1.1) (GPL2 w/ CPE) Java Servlet API (javax.servlet:javax.servlet-api:jar:2.5 - http://servlet-spec.java.net)
-
-************************
-Eclipse Public License 1.0
-************************
-
-The following binary components are provided under the Eclipse Public License 1.0. See project link for details.
-
- (EPL 1.0) Eclipse Link (org.eclipse.persistence:eclipselink:2.5.2 - http://www.eclipse.org/eclipselink/)
- (EPL 1.0) Common Service Data Objects (org.eclipse.persistence:commonj.sdo:2.1.1 - http://www.eclipse.org/eclipselink/)
- (EPL 1.0) Java Persistence API (org.eclipse.persistence:javax.persistence:2.1.0 - http://www.eclipse.org/eclipselink/)
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
deleted file mode 100644
index 33547d67a1..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
+++ /dev/null
@@ -1,332 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-bundle</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>nifi-ranger-plugin</artifactId>
- <packaging>jar</packaging>
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-properties</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>log4j-over-slf4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>ranger-plugins-common</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.code.findbugs</groupId>
- <artifactId>jsr305</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>ranger-plugins-audit</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <!-- Exclude Log4j 2 since Ranger does not include direct references to Log4j Loggers -->
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-api</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>credentialbuilder</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.github.stephenc.findbugs</groupId>
- <artifactId>findbugs-annotations</artifactId>
- <version>1.3.9-1</version>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-client</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <!-- Exclude Jetty 9.4 -->
- <exclusion>
- <groupId>org.eclipse.jetty.websocket</groupId>
- <artifactId>websocket-client</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <!-- hadoop-common and hadoop-auth are transitive dependencies of ranger client, but we need to make sure they
- are the same version as hadoop-client above -->
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <version>${ranger.hadoop.version}</version>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-auth</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-xml-processing</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-mock</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <profiles>
- <!-- Disable tests on AArch64 which does not have necessary platform-specific libraries -->
- <profile>
- <id>disable-ranger-tests</id>
- <activation>
- <os>
- <arch>aarch64</arch>
- </os>
- </activation>
- <properties>
- <skipTests>true</skipTests>
- </properties>
- </profile>
- <!-- Includes hadoop-aws for accessing HDFS with an s3a:// filesystem -->
- <profile>
- <id>include-hadoop-aws</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-aws</artifactId>
- <version>${ranger.hadoop.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-azure and hadoop-azure-datalake for accessing HDFS with wasb://, abfs://, and adl:// filesystems -->
- <profile>
- <id>include-hadoop-azure</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-azure</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-azure-datalake</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-cloud-storage -->
- <profile>
- <id>include-hadoop-cloud-storage</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-cloud-storage</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-ozone for o3fs:// file system -->
- <profile>
- <id>include-hadoop-ozone</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.ozone</groupId>
- <artifactId>ozone-client</artifactId>
- <version>${ozone.version}</version>
- <exclusions>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.ozone</groupId>
- <artifactId>ozone-filesystem</artifactId>
- <version>${ozone.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-gcp for accessing HDFS with an gcs:// filesystem -->
- <profile>
- <id>include-hadoop-gcp</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>gcs-connector</artifactId>
- <version>hadoop3-${gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>util</artifactId>
- <version>${gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>util-hadoop</artifactId>
- <version>hadoop3-${gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>gcsio</artifactId>
- <version>${gcs.version}</version>
- </dependency>
- </dependencies>
- </profile>
- </profiles>
-</project>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizer.java
deleted file mode 100644
index 376f1e55ca..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizer.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.StringWriter;
-import java.nio.charset.StandardCharsets;
-import java.util.Set;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-import org.apache.commons.lang.StringUtils;
-import org.apache.nifi.authorization.AccessPolicy;
-import org.apache.nifi.authorization.AccessPolicyProvider;
-import org.apache.nifi.authorization.AccessPolicyProviderInitializationContext;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.authorization.ConfigurableUserGroupProvider;
-import org.apache.nifi.authorization.ManagedAuthorizer;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.UserGroupProvider;
-import org.apache.nifi.authorization.UserGroupProviderLookup;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
-import org.apache.nifi.authorization.exception.UninheritableAuthorizationsException;
-import org.apache.nifi.xml.processing.ProcessingException;
-import org.apache.nifi.xml.processing.parsers.StandardDocumentProvider;
-import org.apache.nifi.xml.processing.transform.StandardTransformProvider;
-import org.apache.nifi.xml.processing.transform.TransformProvider;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-public class ManagedRangerAuthorizer extends RangerNiFiAuthorizer implements ManagedAuthorizer {
- private static final String USER_GROUP_PROVIDER_ELEMENT = "userGroupProvider";
-
- private UserGroupProviderLookup userGroupProviderLookup;
- private UserGroupProvider userGroupProvider;
- private RangerBasePluginWithPolicies nifiPlugin;
-
- @Override
- public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
- userGroupProviderLookup = initializationContext.getUserGroupProviderLookup();
-
- super.initialize(initializationContext);
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- final String userGroupProviderKey = configurationContext.getProperty("User Group Provider").getValue();
- userGroupProvider = userGroupProviderLookup.getUserGroupProvider(userGroupProviderKey);
-
- // ensure the desired access policy provider has a user group provider
- if (userGroupProvider == null) {
- throw new AuthorizerCreationException(String.format("Unable to locate configured User Group Provider: %s", userGroupProviderKey));
- }
-
- super.onConfigured(configurationContext);
- }
-
- @Override
- protected RangerBasePluginWithPolicies createRangerBasePlugin(final String serviceType, final String appId) {
- // override the method for creating the ranger base plugin so a user group provider can be specified
- nifiPlugin = new RangerBasePluginWithPolicies(serviceType, appId, userGroupProvider);
- return nifiPlugin;
- }
-
- @Override
- public AccessPolicyProvider getAccessPolicyProvider() {
- return new AccessPolicyProvider() {
- @Override
- public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return nifiPlugin.getAccessPolicies();
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- return nifiPlugin.getAccessPolicy(identifier);
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- return nifiPlugin.getAccessPolicy(resourceIdentifier, action);
- }
-
- @Override
- public UserGroupProvider getUserGroupProvider() {
- return userGroupProvider;
- }
-
- @Override
- public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void preDestruction() throws AuthorizerDestructionException {
- }
- };
- }
-
- @Override
- public String getFingerprint() throws AuthorizationAccessException {
- final StringWriter out = new StringWriter();
- try {
- // create the document
- final StandardDocumentProvider documentProvider = new StandardDocumentProvider();
- final Document document = documentProvider.newDocument();
-
- // create the root element
- final Element managedRangerAuthorizationsElement = document.createElement("managedRangerAuthorizations");
- document.appendChild(managedRangerAuthorizationsElement);
-
- // create the user group provider element
- final Element userGroupProviderElement = document.createElement(USER_GROUP_PROVIDER_ELEMENT);
- managedRangerAuthorizationsElement.appendChild(userGroupProviderElement);
-
- // append fingerprint if the provider is configurable
- if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
- userGroupProviderElement.appendChild(document.createTextNode(((ConfigurableUserGroupProvider) userGroupProvider).getFingerprint()));
- }
-
- final TransformProvider transformProvider = new StandardTransformProvider();
- transformProvider.transform(new DOMSource(document), new StreamResult(out));
- } catch (final ProcessingException e) {
- throw new AuthorizationAccessException("Unable to generate fingerprint", e);
- }
-
- return out.toString();
- }
-
- @Override
- public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
- if (StringUtils.isBlank(fingerprint)) {
- return;
- }
-
- final String userGroupFingerprint = parseFingerprint(fingerprint);
-
- if (StringUtils.isNotBlank(userGroupFingerprint) && userGroupProvider instanceof ConfigurableUserGroupProvider) {
- ((ConfigurableUserGroupProvider) userGroupProvider).inheritFingerprint(userGroupFingerprint);
- }
- }
-
- @Override
- public void forciblyInheritFingerprint(final String fingerprint) throws AuthorizationAccessException {
- final String userGroupFingerprint = parseFingerprint(fingerprint);
-
- if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
- ((ConfigurableUserGroupProvider) userGroupProvider).forciblyInheritFingerprint(userGroupFingerprint);
- }
- }
-
- @Override
- public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
- final String userGroupFingerprint = parseFingerprint(proposedFingerprint);
-
- if (StringUtils.isNotBlank(userGroupFingerprint)) {
- if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
- ((ConfigurableUserGroupProvider) userGroupProvider).checkInheritability(userGroupFingerprint);
- } else {
- throw new UninheritableAuthorizationsException("User/Group fingerprint is not blank and the configured UserGroupProvider does not support fingerprinting.");
- }
- }
- }
-
- private String parseFingerprint(final String fingerprint) throws AuthorizationAccessException {
- final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);
-
- try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
- final StandardDocumentProvider documentProvider = new StandardDocumentProvider();
- final Document document = documentProvider.parse(in);
- final Element rootElement = document.getDocumentElement();
-
- final NodeList userGroupProviderList = rootElement.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
- if (userGroupProviderList.getLength() != 1) {
- throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
- }
-
- final Node userGroupProvider = userGroupProviderList.item(0);
- return userGroupProvider.getTextContent();
- } catch (final ProcessingException | IOException e) {
- throw new AuthorizationAccessException("Unable to parse fingerprint", e);
- }
- }
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
deleted file mode 100644
index e06c0ebdf3..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import org.apache.nifi.authorization.AccessPolicy;
-import org.apache.nifi.authorization.Group;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.User;
-import org.apache.nifi.authorization.UserGroupProvider;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.util.StringUtils;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
-import org.apache.ranger.plugin.util.ServicePolicies;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-import java.util.concurrent.atomic.AtomicReference;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-
-/**
- * Extends the base plugin to convert service policies into NiFi policy domain model.
- */
-public class RangerBasePluginWithPolicies extends RangerBasePlugin {
-
- private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class);
-
- private final static String WILDCARD_ASTERISK = "*";
-
- private UserGroupProvider userGroupProvider;
- private AtomicReference<PolicyLookup> policies = new AtomicReference<>(new PolicyLookup());
-
- public RangerBasePluginWithPolicies(final String serviceType, final String appId) {
- this(serviceType, appId, null);
- }
-
- public RangerBasePluginWithPolicies(final String serviceType, final String appId, final UserGroupProvider userGroupProvider) {
- super(serviceType, appId);
- this.userGroupProvider = userGroupProvider; // will be null if used outside of the ManagedRangerAuthorizer
- }
-
- @Override
- public void setPolicies(final ServicePolicies policies) {
- super.setPolicies(policies);
-
- if (policies == null || policies.getPolicies() == null) {
- this.policies.set(new PolicyLookup());
- } else {
- this.policies.set(createPolicyLookup(policies));
- }
- }
-
- /**
- * Determines if a policy exists for the given resource.
- *
- * @param resourceIdentifier the id of the resource
- *
- * @return true if a policy exists for the given resource, false otherwise
- */
- public boolean doesPolicyExist(final String resourceIdentifier, final RequestAction requestAction) {
- if (resourceIdentifier == null) {
- return false;
- }
-
- final PolicyLookup policyLookup = policies.get();
- return policyLookup.getAccessPolicy(resourceIdentifier, requestAction) != null;
- }
-
- public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return policies.get().getAccessPolicies();
- }
-
- public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- return policies.get().getAccessPolicy(identifier);
- }
-
- public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- return policies.get().getAccessPolicy(resourceIdentifier, action);
- }
-
- private PolicyLookup createPolicyLookup(final ServicePolicies servicePolicies) {
- final Map<String, AccessPolicy> policiesByIdentifier = new HashMap<>();
- final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource = new HashMap<>();
-
- logger.info("Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI.");
-
- servicePolicies.getPolicies().stream().forEach(policy -> {
- // only consider policies that are enabled
- if (Boolean.TRUE.equals(policy.getIsEnabled())) {
- // get all the resources for this policy - excludes/recursive support disabled
- final Set<String> resources = policy.getResources().values().stream()
- .filter(resource -> {
- final boolean isMissingResource;
- final boolean isWildcard;
- if (resource.getValues() == null) {
- isMissingResource = true;
- isWildcard = false;
- } else {
- isMissingResource = false;
- isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK));
- }
-
- final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes());
- final boolean isRecursive = Boolean.TRUE.equals(resource.getIsRecursive());
-
- if (isMissingResource) {
- logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
- }
- if (isWildcard) {
- logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
- if (isExclude) {
- logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
- if (isRecursive) {
- logger.warn(String.format("Resources [%s] marked as a recursive policy. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
-
- return !isMissingResource && !isWildcard && !isExclude && !isRecursive;
- })
- .flatMap(resource -> resource.getValues().stream())
- .collect(Collectors.toSet());
-
- policy.getPolicyItems().forEach(policyItem -> {
- // get all the users for this policy item, excluding unknown users
- final Set<String> userIds = policyItem.getUsers().stream()
- .map(userIdentity -> getUser(userIdentity))
- .filter(Objects::nonNull)
- .map(user -> user.getIdentifier())
- .collect(Collectors.toSet());
-
- // get all groups for this policy item, excluding unknown groups
- final Set<String> groupIds = policyItem.getGroups().stream()
- .map(groupName -> getGroup(groupName))
- .filter(Objects::nonNull)
- .map(group -> group.getIdentifier())
- .collect(Collectors.toSet());
-
- // check if this policy item is a delegate admin
- final boolean isDelegateAdmin = Boolean.TRUE.equals(policyItem.getDelegateAdmin());
-
- policyItem.getAccesses().forEach(access -> {
- try {
- // interpret the request action
- final RequestAction action = RequestAction.valueOf(access.getType());
-
- // function for creating an access policy
- final Function<String, AccessPolicy> createPolicy = resource -> new AccessPolicy.Builder()
- .identifierGenerateFromSeed(resource + access.getType())
- .resource(resource)
- .action(action)
- .addUsers(userIds)
- .addGroups(groupIds)
- .build();
-
- resources.forEach(resource -> {
- // create the access policy for the specified resource
- final AccessPolicy accessPolicy = createPolicy.apply(resource);
- policiesByIdentifier.put(accessPolicy.getIdentifier(), accessPolicy);
- policiesByResource.computeIfAbsent(resource, r -> new HashMap<>()).put(action, accessPolicy);
-
- // if this is a delegate admin, also create the admin policy for the specified resource
- if (isDelegateAdmin) {
- // build the admin resource identifier
- final String adminResource;
- if (resource.startsWith("/")) {
- adminResource = "/policies" + resource;
- } else {
- adminResource = "/policies/" + resource;
- }
-
- final AccessPolicy adminAccessPolicy = createPolicy.apply(adminResource);
- policiesByIdentifier.put(adminAccessPolicy.getIdentifier(), adminAccessPolicy);
- policiesByResource.computeIfAbsent(adminResource, ar -> new HashMap<>()).put(action, adminAccessPolicy);
- }
- });
- } catch (final IllegalArgumentException e) {
- logger.warn(String.format("Unrecognized request action '%s'. Skipping policy for viewing purposes. Will still be used for access decisions.", access.getType()));
- }
- });
- });
- }
- });
-
- return new PolicyLookup(policiesByIdentifier, policiesByResource);
- }
-
- private User getUser(final String identity) {
- if (userGroupProvider == null) {
- // generate the user deterministically when running outside of the ManagedRangerAuthorizer
- return new User.Builder().identifierGenerateFromSeed(identity).identity(identity).build();
- } else {
- // find the user in question
- final User user = userGroupProvider.getUserByIdentity(identity);
-
- if (user == null) {
- logger.warn(String.format("Cannot find user '%s' in the configured User Group Provider. Skipping user for viewing purposes. Will still be used for access decisions.", identity));
- }
-
- return user;
- }
- }
-
- private Group getGroup(final String name) {
- if (userGroupProvider == null) {
- // generate the group deterministically when running outside of the ManagedRangerAuthorizer
- return new Group.Builder().identifierGenerateFromSeed(name).name(name).build();
- } else {
- // find the group in question
- final Group group = userGroupProvider.getGroups().stream().filter(g -> g.getName().equals(name)).findFirst().orElse(null);
-
- if (group == null) {
- logger.warn(String.format("Cannot find group '%s' in the configured User Group Provider. Skipping group for viewing purposes. Will still be used for access decisions.", name));
- }
-
- return group;
- }
- }
-
- private static class PolicyLookup {
-
- private final Map<String, AccessPolicy> policiesByIdentifier;
- private final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource;
- private final Set<AccessPolicy> allPolicies;
-
- private PolicyLookup() {
- this(null, null);
- }
-
- private PolicyLookup(final Map<String, AccessPolicy> policiesByIdentifier, final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource) {
- if (policiesByIdentifier == null) {
- allPolicies = Collections.EMPTY_SET;
- } else {
- allPolicies = Collections.unmodifiableSet(new HashSet<>(policiesByIdentifier.values()));
- }
-
- this.policiesByIdentifier = policiesByIdentifier;
- this.policiesByResource = policiesByResource;
- }
-
- private Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return allPolicies;
- }
-
- private AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- if (policiesByIdentifier == null) {
- return null;
- }
-
- return policiesByIdentifier.get(identifier);
- }
-
- private AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- if (policiesByResource == null) {
- return null;
- }
-
- final Map<RequestAction, AccessPolicy> policiesForResource = policiesByResource.get(resourceIdentifier);
-
- if (policiesForResource != null) {
- return policiesForResource.get(action);
- }
-
- return null;
- }
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
deleted file mode 100644
index d7513d7d6f..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
+++ /dev/null
@@ -1,310 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.nifi.authorization.AuthorizationAuditor;
-import org.apache.nifi.authorization.AuthorizationRequest;
-import org.apache.nifi.authorization.AuthorizationResult;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.authorization.UserContextKeys;
-import org.apache.nifi.authorization.annotation.AuthorizerContext;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
-import org.apache.nifi.components.PropertyValue;
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.File;
-import java.net.MalformedURLException;
-import java.text.NumberFormat;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.WeakHashMap;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- * Authorizer implementation that uses Apache Ranger to make authorization decisions.
- */
-public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
- private static final Logger logger = LoggerFactory.getLogger(RangerNiFiAuthorizer.class);
-
- static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
- static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
- static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
- static final String RANGER_APP_ID_PROP = "Ranger Application Id";
- static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
- static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
-
- static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
- static final String DEFAULT_SERVICE_TYPE = "nifi";
- static final String DEFAULT_APP_ID = "nifi";
- static final String RESOURCES_RESOURCE = "/resources";
- static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
- static final String KERBEROS_AUTHENTICATION = "kerberos";
-
- private final Map<AuthorizationRequest, RangerAccessResult> resultLookup = new WeakHashMap<>();
-
- private volatile RangerBasePluginWithPolicies nifiPlugin = null;
- private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile Set<String> rangerAdminIdentity = null;
- private volatile boolean rangerKerberosEnabled = false;
- private volatile NiFiProperties nifiProperties;
- private final NumberFormat numberFormat = NumberFormat.getInstance();
-
- @Override
- public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
-
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- try {
- if (nifiPlugin == null) {
- logger.info("RangerNiFiAuthorizer(): initializing base plugin");
-
- final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
- final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
-
- nifiPlugin = createRangerBasePlugin(serviceType, appId);
-
- final RangerPluginConfig pluginConfig = nifiPlugin.getConfig();
-
- final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
- addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue, pluginConfig);
-
- final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
- addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue, pluginConfig);
-
- final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
- rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
-
- if (rangerKerberosEnabled) {
- // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
- final Configuration securityConf = new Configuration();
- securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
- UserGroupInformation.setConfiguration(securityConf);
-
- // login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
- // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
- final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
- final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
-
- if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
- throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
- }
-
- UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
- }
-
- nifiPlugin.init();
-
- defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
-
- } else {
- logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
- }
- } catch (Throwable t) {
- throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
- }
- }
-
- protected RangerBasePluginWithPolicies createRangerBasePlugin(final String serviceType, final String appId) {
- return new RangerBasePluginWithPolicies(serviceType, appId);
- }
-
- @Override
- public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
- final String identity = request.getIdentity();
- final Set<String> userGroups = request.getGroups();
- final String resourceIdentifier = request.getResource().getIdentifier();
-
- // if a ranger admin identity was provided, and it contains the identity making the request,
- // and the request is to retrieve the resources, then allow it through
- if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
- && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
- return AuthorizationResult.approved();
- }
-
- final String clientIp;
- if (request.getUserContext() != null) {
- clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
- } else {
- clientIp = null;
- }
-
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
-
- final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
- rangerRequest.setResource(resource);
- rangerRequest.setAction(request.getAction().name());
- rangerRequest.setAccessType(request.getAction().name());
- rangerRequest.setUser(identity);
- rangerRequest.setUserGroups(userGroups);
- rangerRequest.setAccessTime(new Date());
-
- if (!StringUtils.isBlank(clientIp)) {
- rangerRequest.setClientIPAddress(clientIp);
- }
-
- final long authStart = System.nanoTime();
- final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest);
- final long authNanos = System.nanoTime() - authStart;
- logger.debug("Performed authorization against Ranger for Resource ID {}, Identity {} in {} nanos", resourceIdentifier, identity, numberFormat.format(authNanos));
-
- // store the result for auditing purposes later if appropriate
- if (request.isAccessAttempt()) {
- synchronized (resultLookup) {
- resultLookup.put(request, result);
- }
- }
-
- if (result != null && result.getIsAllowed()) {
- // return approved
- return AuthorizationResult.approved();
- } else {
- // if result.getIsAllowed() is false, then we need to determine if it was because no policy exists for the
- // given resource, or if it was because a policy exists but not for the given user or action
- final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
-
- if (doesPolicyExist) {
- final String reason = result == null ? null : result.getReason();
- if (reason != null) {
- logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
- }
-
- // a policy does exist for the resource so we were really denied access here
- return AuthorizationResult.denied(request.getExplanationSupplier().get());
- } else {
- // a policy doesn't exist so return resource not found so NiFi can work back up the resource hierarchy
- return AuthorizationResult.resourceNotFound();
- }
- }
- }
-
- @Override
- public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
- final RangerAccessResult rangerResult;
- synchronized (resultLookup) {
- rangerResult = resultLookup.remove(request);
- }
-
- if (rangerResult != null && rangerResult.getIsAudited()) {
- AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);
-
- // update the event with the originally requested resource
- event.setResourceType(RANGER_NIFI_RESOURCE_NAME);
- event.setResourcePath(request.getRequestedResource().getIdentifier());
-
- final long start = System.nanoTime();
- defaultAuditHandler.logAuthzAudit(event);
- final long nanos = System.nanoTime() - start;
- logger.debug("Logged authorization audits to Ranger in {} nanos", numberFormat.format(nanos));
- }
- }
-
- @Override
- public void preDestruction() throws AuthorizerDestructionException {
- if (nifiPlugin != null) {
- try {
- nifiPlugin.cleanup();
- nifiPlugin = null;
- } catch (Throwable t) {
- throw new AuthorizerDestructionException("Error cleaning up RangerBasePlugin", t);
- }
- }
- }
-
- @AuthorizerContext
- public void setNiFiProperties(final NiFiProperties properties) {
- this.nifiProperties = properties;
- }
-
- /**
- * Adds a resource to the RangerConfiguration singleton so it is already there by the time RangerBasePlugin.init()
- * is called.
- *
- * @param name the name of the given PropertyValue from the AuthorizationConfigurationContext
- * @param resourceValue the value for the given name, should be a full path to a file
- * @param configuration the RangerConfiguration instance to add the resource to
- */
- private void addRequiredResource(final String name, final PropertyValue resourceValue, final RangerConfiguration configuration) {
- if (resourceValue == null || StringUtils.isBlank(resourceValue.getValue())) {
- throw new AuthorizerCreationException(name + " must be specified.");
- }
-
- final File resourceFile = new File(resourceValue.getValue());
- if (!resourceFile.exists() || !resourceFile.canRead()) {
- throw new AuthorizerCreationException(resourceValue + " does not exist, or can not be read");
- }
-
- try {
- configuration.addResource(resourceFile.toURI().toURL());
- } catch (MalformedURLException e) {
- throw new AuthorizerCreationException("Error creating URI for " + resourceValue, e);
- }
- }
-
- private String getConfigValue(final AuthorizerConfigurationContext context, final String name, final String defaultValue) {
- final PropertyValue configValue = context.getProperty(name);
-
- String retValue = defaultValue;
- if (configValue != null && !StringUtils.isBlank(configValue.getValue())) {
- retValue = configValue.getValue();
- }
-
- return retValue;
- }
-
- private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
- final Set<String> configValues = new HashSet<>();
-
- for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
- Matcher matcher = namePattern.matcher(entry.getKey());
- if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
- configValues.add(entry.getValue());
- }
- }
-
- if (configValues.isEmpty() && (defaultValue != null)) {
- configValues.add(defaultValue);
- }
-
- return configValues;
- }
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
deleted file mode 100755
index 34d87976e8..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
+++ /dev/null
@@ -1,16 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer
-org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizerTest.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizerTest.java
deleted file mode 100644
index 7f8c17ce90..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/ManagedRangerAuthorizerTest.java
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.authorization.ConfigurableUserGroupProvider;
-import org.apache.nifi.authorization.UserGroupProvider;
-import org.apache.nifi.authorization.UserGroupProviderLookup;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.UninheritableAuthorizationsException;
-import org.apache.nifi.util.MockPropertyValue;
-import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.Mockito;
-
-import java.io.File;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class ManagedRangerAuthorizerTest {
-
- private static final String TENANT_FINGERPRINT =
- "<tenants>"
- + "<user identifier=\"user-id-1\" identity=\"user-1\"></user>"
- + "<group identifier=\"group-id-1\" name=\"group-1\">"
- + "<groupUser identifier=\"user-id-1\"></groupUser>"
- + "</group>"
- + "</tenants>";
-
- private static final String EMPTY_FINGERPRINT = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>"
- + "<managedRangerAuthorizations>"
- + "<userGroupProvider/>"
- + "</managedRangerAuthorizations>";
-
- private static final String NON_EMPTY_FINGERPRINT = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>"
- + "<managedRangerAuthorizations>"
- + "<userGroupProvider>"
- + "<tenants>"
- + "<user identifier=\"user-id-1\" identity=\"user-1\"></user>"
- + "<group identifier=\"group-id-1\" name=\"group-1\">"
- + "<groupUser identifier=\"user-id-1\"></groupUser>"
- + "</group>"
- + "</tenants>"
- + "</userGroupProvider>"
- + "</managedRangerAuthorizations>";
-
- private final String serviceType = "nifi";
- private final String appId = "nifiAppId";
-
- @BeforeEach
- public void setup() {
- // have to initialize this system property before anything else
- File krb5conf = new File("src/test/resources/krb5.conf");
- assertTrue(krb5conf.exists());
- System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
-
- // rest the authentication to simple in case any tests set it to kerberos
- final Configuration securityConf = new Configuration();
- securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
- UserGroupInformation.setConfiguration(securityConf);
-
- assertFalse(UserGroupInformation.isSecurityEnabled());
- }
-
- @Test
- public void testNonConfigurableFingerPrint() {
- final UserGroupProvider userGroupProvider = mock(UserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertEquals(EMPTY_FINGERPRINT, managedRangerAuthorizer.getFingerprint());
- }
-
- @Test
- public void testConfigurableEmptyFingerPrint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
- when(userGroupProvider.getFingerprint()).thenReturn("");
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertEquals(EMPTY_FINGERPRINT, managedRangerAuthorizer.getFingerprint());
- }
-
- @Test
- public void testConfigurableFingerPrint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
- when(userGroupProvider.getFingerprint()).thenReturn(TENANT_FINGERPRINT);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertEquals(NON_EMPTY_FINGERPRINT, managedRangerAuthorizer.getFingerprint());
- }
-
- @Test
- public void testInheritEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- managedRangerAuthorizer.inheritFingerprint(EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(0)).inheritFingerprint(anyString());
- }
-
- @Test
- public void testInheritInvalidFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertThrows(AuthorizationAccessException.class, () -> managedRangerAuthorizer.inheritFingerprint("not a valid fingerprint"));
- }
-
- @Test
- public void testInheritNonEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- managedRangerAuthorizer.inheritFingerprint(NON_EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(1)).inheritFingerprint(TENANT_FINGERPRINT);
- }
-
- @Test
- public void testCheckInheritEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- managedRangerAuthorizer.checkInheritability(EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(0)).inheritFingerprint(anyString());
- }
-
- @Test
- public void testCheckInheritInvalidFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertThrows(AuthorizationAccessException.class, () -> managedRangerAuthorizer.checkInheritability("not a valid fingerprint"));
- }
-
- @Test
- public void testCheckInheritNonEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- managedRangerAuthorizer.checkInheritability(NON_EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(1)).checkInheritability(TENANT_FINGERPRINT);
- }
-
- @Test
- public void testCheckInheritNonConfigurableUserGroupProvider() {
- final UserGroupProvider userGroupProvider = mock(UserGroupProvider.class);
-
- final ManagedRangerAuthorizer managedRangerAuthorizer = getStandardManagedAuthorizer(userGroupProvider);
- assertThrows(UninheritableAuthorizationsException.class, () -> managedRangerAuthorizer.checkInheritability(NON_EMPTY_FINGERPRINT));
- }
-
- private ManagedRangerAuthorizer getStandardManagedAuthorizer(final UserGroupProvider userGroupProvider) {
- final RangerBasePluginWithPolicies rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
-
- final RangerPluginConfig pluginConfig = new RangerPluginConfig(serviceType, null, appId, null, null, null);
- when(rangerBasePlugin.getConfig()).thenReturn(pluginConfig);
-
- final ManagedRangerAuthorizer managedAuthorizer = new MockManagedRangerAuthorizer(rangerBasePlugin);
-
- final AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
- when(configurationContext.getProperty(eq("User Group Provider"))).thenReturn(new MockPropertyValue("user-group-provider", null));
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))).thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP))).thenReturn(new MockPropertyValue(appId));
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP))).thenReturn(new MockPropertyValue(serviceType));
-
- final UserGroupProviderLookup userGroupProviderLookup = mock(UserGroupProviderLookup.class);
- when(userGroupProviderLookup.getUserGroupProvider("user-group-provider")).thenReturn(userGroupProvider);
-
- final AuthorizerInitializationContext initializationContext = mock(AuthorizerInitializationContext.class);
- when(initializationContext.getUserGroupProviderLookup()).thenReturn(userGroupProviderLookup);
-
- managedAuthorizer.initialize(initializationContext);
- managedAuthorizer.onConfigured(configurationContext);
-
- return managedAuthorizer;
- }
-
- /**
- * Extend ManagedRangerAuthorizer to inject a mock base plugin for testing.
- */
- private static class MockManagedRangerAuthorizer extends ManagedRangerAuthorizer {
-
- RangerBasePluginWithPolicies mockRangerBasePlugin;
-
- public MockManagedRangerAuthorizer(RangerBasePluginWithPolicies mockRangerBasePlugin) {
- this.mockRangerBasePlugin = mockRangerBasePlugin;
- }
-
- @Override
- protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) {
- when(mockRangerBasePlugin.getAppId()).thenReturn(appId);
- when(mockRangerBasePlugin.getServiceType()).thenReturn(serviceType);
- return mockRangerBasePlugin;
- }
- }
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
deleted file mode 100644
index ba405e4f97..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
+++ /dev/null
@@ -1,550 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import org.apache.nifi.authorization.AccessPolicy;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.Group;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.User;
-import org.apache.nifi.authorization.UserAndGroups;
-import org.apache.nifi.authorization.UserGroupProvider;
-import org.apache.nifi.authorization.UserGroupProviderInitializationContext;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.util.ServicePolicies;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-public class TestRangerBasePluginWithPolicies {
-
- @Test
- public void testPoliciesWithoutUserGroupProvider() {
- final String user1 = "user-1";
- final String group1 = "group-1";
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final String resourceIdentifier2 = "/resource-2";
- RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
-
- final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
- policy2Resources.put(resourceIdentifier2, resource2);
-
- final RangerPolicyItem policy2Item = new RangerPolicyItem();
- policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
-
- final RangerPolicy policy2 = new RangerPolicy();
- policy2.setResources(policy2Resources);
- policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
- policies.add(policy2);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the two ranger policies converted into 3 nifi access policies
- final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
- assertEquals(3, accessPolicies.size());
-
- // resource 1 -> read but no write
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
-
- // read
- final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
- assertNotNull(readResource1);
- assertTrue(accessPolicies.contains(readResource1));
- assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
- assertEquals(1, readResource1.getUsers().size());
- assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
- assertTrue(readResource1.getGroups().isEmpty());
-
- // but no write
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
-
- // resource 2 -> read and write
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
-
- // read
- final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(readResource2);
- assertTrue(accessPolicies.contains(readResource2));
- assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
- assertTrue(readResource2.getUsers().isEmpty());
- assertEquals(1, readResource2.getGroups().size());
- assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
-
- // and write
- final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(writeResource2);
- assertTrue(accessPolicies.contains(writeResource2));
- assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
- assertTrue(writeResource2.getUsers().isEmpty());
- assertEquals(1, writeResource2.getGroups().size());
- assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
-
- // resource 3 -> no read or write
- assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
- assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
-
- // no read or write
- assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
- assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
- }
-
- @Test
- public void testNoPolicies() {
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
-
- assertFalse(pluginWithPolicies.doesPolicyExist("non-existent-resource", RequestAction.READ));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy("non-existent-identifier"));
- assertNull(pluginWithPolicies.getAccessPolicy("non-existent-resource", RequestAction.READ));
- }
-
- @Test
- public void testDisabledPolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setIsEnabled(false);
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
- }
-
- @Test
- public void testMissingResourceValue() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource();
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testWildcardResourceValue() {
- final String resourceIdentifier1 = "*";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testExcludesPolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
- resource1.setIsExcludes(true);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testRecursivePolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
- resource1.setIsRecursive(true);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testDelegateAdmin() {
- final String user1 = "user-1";
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
- policy1Item.setDelegateAdmin(true);
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- assertEquals(4, pluginWithPolicies.getAccessPolicies().size());
- assertNotNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
- assertNotNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- assertNotNull(pluginWithPolicies.getAccessPolicy("/policies" + resourceIdentifier1, RequestAction.READ));
- assertNotNull(pluginWithPolicies.getAccessPolicy("/policies" + resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testPoliciesWithUserGroupProvider() {
- final String user1 = "user-1"; // unknown according to user group provider
- final String user2 = "user-2"; // known according to user group provider
- final String group1 = "group-1"; // unknown according to user group provider
- final String group2 = "group-2"; // known according to user group provider
-
- final UserGroupProvider userGroupProvider = new UserGroupProvider() {
- @Override
- public Set<User> getUsers() throws AuthorizationAccessException {
- return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
- }
-
- @Override
- public User getUser(String identifier) throws AuthorizationAccessException {
- final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- if (u2.getIdentifier().equals(identifier)) {
- return u2;
- } else {
- return null;
- }
- }
-
- @Override
- public User getUserByIdentity(String identity) throws AuthorizationAccessException {
- if (user2.equals(identity)) {
- return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- } else {
- return null;
- }
- }
-
- @Override
- public Set<Group> getGroups() throws AuthorizationAccessException {
- return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
- }
-
- @Override
- public Group getGroup(String identifier) throws AuthorizationAccessException {
- final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
- if (g2.getIdentifier().equals(identifier)) {
- return g2;
- } else {
- return null;
- }
- }
-
- @Override
- public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
- if (user2.equals(identity)) {
- return new UserAndGroups() {
- @Override
- public User getUser() {
- return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- }
-
- @Override
- public Set<Group> getGroups() {
- return Collections.EMPTY_SET;
- }
- };
- } else {
- return null;
- }
- }
-
- @Override
- public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void preDestruction() throws AuthorizerDestructionException {
- }
- };
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicyItem policy1Item = new RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
- policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final String resourceIdentifier2 = "/resource-2";
- RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
-
- final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
- policy2Resources.put(resourceIdentifier2, resource2);
-
- final RangerPolicyItem policy2Item = new RangerPolicyItem();
- policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
- policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
-
- final RangerPolicy policy2 = new RangerPolicy();
- policy2.setResources(policy2Resources);
- policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
- policies.add(policy2);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi", userGroupProvider);
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the two ranger policies converted into 3 nifi access policies
- final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
- assertEquals(3, accessPolicies.size());
-
- // resource 1 -> read but no write
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
-
- // read
- final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
- assertNotNull(readResource1);
- assertTrue(accessPolicies.contains(readResource1));
- assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
- assertTrue(readResource1.getUsers().isEmpty());
- assertEquals(1, readResource1.getGroups().size());
- assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
-
- // but no write
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
-
- // resource 2 -> read and write
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
-
- // read
- final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(readResource2);
- assertTrue(accessPolicies.contains(readResource2));
- assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
- assertEquals(1, readResource2.getUsers().size());
- assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
- assertTrue(readResource2.getGroups().isEmpty());
-
- // and write
- final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(writeResource2);
- assertTrue(accessPolicies.contains(writeResource2));
- assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
- assertEquals(1, writeResource2.getUsers().size());
- assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
- assertTrue(writeResource2.getGroups().isEmpty());
- }
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
deleted file mode 100644
index fc66ae47a6..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
+++ /dev/null
@@ -1,575 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.ranger.authorization;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.nifi.authorization.AuthorizationRequest;
-import org.apache.nifi.authorization.AuthorizationResult;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.authorization.RequestAction;
-import org.apache.nifi.authorization.Resource;
-import org.apache.nifi.authorization.UserContextKeys;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-import org.apache.nifi.util.MockPropertyValue;
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatcher;
-import org.mockito.Mockito;
-
-import java.io.File;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.isNotNull;
-import static org.mockito.Mockito.argThat;
-import static org.mockito.Mockito.eq;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class TestRangerNiFiAuthorizer {
-
- private MockRangerNiFiAuthorizer authorizer;
- private RangerBasePluginWithPolicies rangerBasePlugin;
- private AuthorizerConfigurationContext configurationContext;
- private NiFiProperties nifiProperties;
-
- private final String serviceType = "nifi";
- private final String appId = "nifiAppId";
-
- private RangerAccessResult allowedResult;
- private RangerAccessResult notAllowedResult;
-
- private Map<String, String> authorizersXmlContent = null;
-
- @BeforeEach
- public void setup() {
- // have to initialize this system property before anything else
- File krb5conf = new File("src/test/resources/krb5.conf");
- assertTrue(krb5conf.exists());
- System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
-
- // rest the authentication to simple in case any tests set it to kerberos
- final Configuration securityConf = new Configuration();
- securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
- UserGroupInformation.setConfiguration(securityConf);
-
- // initialize the content of authorizers.xml in case tests added further entries to it
- authorizersXmlContent = Stream.of(new String[][] {
- {RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
- {RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
- {RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
- {RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
- }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
- configurationContext = createMockConfigContext();
- rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
-
- final RangerPluginConfig pluginConfig = new RangerPluginConfig(serviceType, null, appId, null, null, null);
- when(rangerBasePlugin.getConfig()).thenReturn(pluginConfig);
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.onConfigured(configurationContext);
-
- assertFalse(UserGroupInformation.isSecurityEnabled());
-
- allowedResult = Mockito.mock(RangerAccessResult.class);
- when(allowedResult.getIsAllowed()).thenReturn(true);
-
- notAllowedResult = Mockito.mock(RangerAccessResult.class);
- when(notAllowedResult.getIsAllowed()).thenReturn(false);
- }
-
- private AuthorizerConfigurationContext createMockConfigContext() {
- AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
-
- for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
- when(configurationContext.getProperty(eq(entry.getKey())))
- .thenReturn(new MockPropertyValue(entry.getValue()));
- }
-
- when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
-
- return configurationContext;
- }
-
- @Test
- public void testOnConfigured() {
- verify(rangerBasePlugin, times(1)).init();
-
- assertEquals(appId, authorizer.mockRangerBasePlugin.getAppId());
- assertEquals(serviceType, authorizer.mockRangerBasePlugin.getServiceType());
- }
-
- @Test
- public void testKerberosEnabledWithoutKeytab() {
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new MockPropertyValue("true"));
-
- nifiProperties = Mockito.mock(NiFiProperties.class);
- when(nifiProperties.getKerberosServicePrincipal()).thenReturn("");
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.setNiFiProperties(nifiProperties);
-
- assertThrows(AuthorizerCreationException.class, () ->authorizer.onConfigured(configurationContext));
- }
-
- @Test
- public void testKerberosEnabledWithoutPrincipal() {
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new MockPropertyValue("true"));
-
- nifiProperties = Mockito.mock(NiFiProperties.class);
- when(nifiProperties.getKerberosServiceKeytabLocation()).thenReturn("");
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.setNiFiProperties(nifiProperties);
-
- assertThrows(AuthorizerCreationException.class, () -> authorizer.onConfigured(configurationContext));
- }
-
- @Test
- public void testKerberosEnabledWithoutKeytabOrPrincipal() {
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new MockPropertyValue("true"));
-
- nifiProperties = Mockito.mock(NiFiProperties.class);
- when(nifiProperties.getKerberosServiceKeytabLocation()).thenReturn("");
- when(nifiProperties.getKerberosServicePrincipal()).thenReturn("");
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.setNiFiProperties(nifiProperties);
-
- assertThrows(AuthorizerCreationException.class, () -> authorizer.onConfigured(configurationContext));
- }
-
- @Test
- public void testKerberosEnabled() {
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new MockPropertyValue("true"));
-
- nifiProperties = Mockito.mock(NiFiProperties.class);
- when(nifiProperties.getKerberosServiceKeytabLocation()).thenReturn("test");
- when(nifiProperties.getKerberosServicePrincipal()).thenReturn("test");
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.setNiFiProperties(nifiProperties);
-
- assertThrows(AuthorizerCreationException.class, () -> authorizer.onConfigured(configurationContext));
- }
-
- @Test
- public void testApprovedWithDirectAccess() {
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
- final String clientIp = "192.168.1.1";
-
- final Map<String,String> userContext = new HashMap<>();
- userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp);
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .userContext(userContext)
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
- expectedRangerRequest.setClientIPAddress(clientIp);
-
- // a non-null result processor should be used for direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(allowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
- }
-
- @Test
- public void testApprovedWithNonDirectAccess() {
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(false)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(allowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
- }
-
- @Test
- public void testResourceNotFound() {
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
- isNotNull())
- ).thenReturn(notAllowedResult);
-
- // return false when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(false);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
- }
-
- @Test
- public void testDenied() {
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(notAllowedResult);
-
- // return true when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(true);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
- }
-
- @Test
- public void testRangerAdminApproved() {
- final String acceptableIdentity = "ranger-admin";
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
-
- final String requestIdentity = "ranger-admin";
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminApprovedMultipleAcceptableIdentities() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin2";
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin3";
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminDenied() {
- final String acceptableIdentity = "ranger-admin";
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
-
- final String requestIdentity = "ranger-admin";
- runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
- }
-
- @Test
- public void testRangerAdminDeniedMultipleAcceptableIdentities() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin4";
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
- }
-
- private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
- configurationContext = createMockConfigContext();
-
- rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
-
- final RangerPluginConfig pluginConfig = new RangerPluginConfig(serviceType, null, appId, null, null, null);
- when(rangerBasePlugin.getConfig()).thenReturn(pluginConfig);
-
- authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
- authorizer.onConfigured(configurationContext);
-
- final RequestAction action = RequestAction.WRITE;
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(resourceIdentifier, resourceIdentifier))
- .action(action)
- .identity(requestIdentity)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // return true when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, action)).thenReturn(true);
-
- // a non-null result processor should be used for direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(notAllowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(expectedResult, result.getResult());
- }
-
- @Test
- @Disabled
- public void testIntegration() {
- final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class);
- final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
-
- Authorizer authorizer = new RangerNiFiAuthorizer();
- try {
- authorizer.initialize(initializationContext);
- authorizer.onConfigured(configurationContext);
-
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new Resource() {
- @Override
- public String getIdentifier() {
- return "/system";
- }
-
- @Override
- public String getName() {
- return "/system";
- }
-
- @Override
- public String getSafeDescription() {
- return "system";
- }
- })
- .action(RequestAction.WRITE)
- .identity("admin")
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
-
- final AuthorizationResult result = authorizer.authorize(request);
-
- assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
-
- } finally {
- authorizer.preDestruction();
- }
- }
-
- /**
- * Extend RangerNiFiAuthorizer to inject a mock base plugin for testing.
- */
- private static class MockRangerNiFiAuthorizer extends RangerNiFiAuthorizer {
-
- RangerBasePluginWithPolicies mockRangerBasePlugin;
-
- public MockRangerNiFiAuthorizer(RangerBasePluginWithPolicies mockRangerBasePlugin) {
- this.mockRangerBasePlugin = mockRangerBasePlugin;
- }
-
- @Override
- protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) {
- when(mockRangerBasePlugin.getAppId()).thenReturn(appId);
- when(mockRangerBasePlugin.getServiceType()).thenReturn(serviceType);
- return mockRangerBasePlugin;
- }
- }
-
- /**
- * Resource implementation for testing.
- */
- private static class MockResource implements Resource {
-
- private final String identifier;
- private final String name;
-
- public MockResource(String identifier, String name) {
- this.identifier = identifier;
- this.name = name;
- }
-
- @Override
- public String getIdentifier() {
- return identifier;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getSafeDescription() {
- return name;
- }
- }
-
- /**
- * Custom Mockito matcher for RangerAccessRequest objects.
- */
- private static class RangerAccessRequestMatcher implements ArgumentMatcher<RangerAccessRequest> {
-
- private final RangerAccessRequest request;
-
- public RangerAccessRequestMatcher(RangerAccessRequest request) {
- this.request = request;
- }
-
- @Override
- public boolean matches(RangerAccessRequest argument) {
- if (argument == null) {
- return false;
- }
-
- final boolean clientIpsMatch = (argument.getClientIPAddress() == null && request.getClientIPAddress() == null)
- || (argument.getClientIPAddress() != null && request.getClientIPAddress() != null && argument.getClientIPAddress().equals(request.getClientIPAddress()));
-
- return argument.getResource().equals(request.getResource())
- && argument.getAccessType().equals(request.getAccessType())
- && argument.getAction().equals(request.getAction())
- && argument.getUser().equals(request.getUser())
- && clientIpsMatch;
- }
- }
-
-}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml
deleted file mode 100644
index ef87a8c51c..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<authorizers>
- <authorizer>
- <identifier>ranger-provider</identifier>
- <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
- <property name="Ranger Audit Config Path">src/test/resources/ranger/ranger-nifi-audit.xml</property>
- <property name="Ranger Security Config Path">src/test/resources/ranger/ranger-nifi-security.xml</property>
- <property name="Ranger Service Type">nifi</property>
- <property name="Ranger Application Id">nifi</property>
- <property name="Ranger Admin Identity">CN=ranger-admin, OU=Apache Ranger, O=Apache, L=Santa Monica, ST=CA, C=US</property>
- <property name="Ranger Kerberos Enabled">false</property>
- </authorizer>
-</authorizers>
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf
deleted file mode 100644
index 0e3f142a9b..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-[libdefaults]
- default_realm = EXAMPLE.COM
- dns_lookup_kdc = false
- dns_lookup_realm = false
-
-[realms]
- EXAMPLE.COM = {
- kdc = kerberos.example.com
- admin_server = kerberos.example.com
- }
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
deleted file mode 100644
index d590a5039c..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<configuration>
- <property>
- <name>hadoop.security.authentication</name>
- <value>simple</value>
- </property>
-</configuration>
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
deleted file mode 100644
index 3dbd576334..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
+++ /dev/null
@@ -1,101 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <property>
- <name>xasecure.audit.is.enabled</name>
- <value>true</value>
- </property>
-
- <!-- DB audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.db</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.driver</name>
- <value>com.mysql.jdbc.Driver</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.url</name>
- <value>jdbc:mysql://localhost/ranger_audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.password</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.user</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.batch.filespool.dir</name>
- <value>/tmp/audit/db/spool</value>
- </property>
-
-
- <!-- HDFS audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.hdfs</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.dir</name>
- <value>hdfs://localhost:8020/ranger/audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
- <value>/tmp/audit/hdfs/spool</value>
- </property>
-
-
- <!-- Log4j audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.log4j</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.log4j.logger</name>
- <value>ranger_audit_logger</value>
- </property>
-
- <!-- Solr audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.solr</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
- <value>/tmp/audit/solr/spool</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.solr.urls</name>
- <value>http://localhost:6083/solr/ranger_audits</value>
- </property>
-
-</configuration>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
deleted file mode 100644
index b371dcc843..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <property>
- <name>ranger.plugin.nifi.policy.rest.url</name>
- <value>http://localhost:6080</value>
- <description>
- URL to Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.service.name</name>
- <value>nifi</value>
- <description>
- Name of the Ranger service containing policies for this nifi instance
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.source.impl</name>
- <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
- <description>
- Class to retrieve policies from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.rest.ssl.config.file</name>
- <value>ranger-policymgr-ssl.xml</value>
- <description>
- Path to the file containing SSL details to contact Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.pollIntervalMs</name>
- <value>30000</value>
- <description>
- How often to poll for changes in policies?
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.cache.dir</name>
- <value>/tmp</value>
- <description>
- Directory where Ranger policies are cached after successful retrieval from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.rest.client.connection.timeoutMs</name>
- <value>120000</value>
- <description>
- RangerRestClient Connection Timeout in Milli Seconds
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi.policy.rest.client.read.timeoutMs</name>
- <value>30000</value>
- <description>
- RangerRestClient read Timeout in Milli Seconds
- </description>
- </property>
-</configuration>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
deleted file mode 100644
index a6e05747a3..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <!-- The following properties are used for 2-way SSL client server validation -->
- <property>
- <name>xasecure.policymgr.clientssl.keystore</name>
- <value></value>
- <description>
- Java Keystore files
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.keystore.password</name>
- <value>none</value>
- <description>
- password for keystore
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore</name>
- <value></value>
- <description>
- java truststore file
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore.password</name>
- <value>none</value>
- <description>
- java truststore password
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
- <value></value>
- <description>
- java keystore credential file
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
- <value></value>
- <description>
- java truststore credential file
- </description>
- </property>
-</configuration>
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
deleted file mode 100644
index 3b7655c975..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
+++ /dev/null
@@ -1,81 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-ranger-bundle</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>nifi-ranger-resources</artifactId>
- <packaging>jar</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- <version>3.12.0</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>log4j-over-slf4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>credentialbuilder</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>commons-configuration</groupId>
- <artifactId>commons-configuration</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- <version>2.1.1</version>
- <exclusions>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
-</project>
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
deleted file mode 100644
index 940dbf1688..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/python
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import sys
-import os
-from subprocess import Popen,PIPE
-from optparse import OptionParser
-
-if os.getenv('JAVA_HOME') is None:
- print "[W] ---------- JAVA_HOME environment property not defined, using java in path. ----------"
- JAVA_BIN='java'
-else:
- JAVA_BIN=os.path.join(os.getenv('JAVA_HOME'),'bin','java')
-print "Using Java:" + str(JAVA_BIN)
-
-def main():
-
- parser = OptionParser()
-
- parser.add_option("-l", "--libpath", dest="library_path", help="Path to folder where credential libs are present")
- parser.add_option("-f", "--file", dest="jceks_file_path", help="Path to jceks file to use")
- parser.add_option("-k", "--key", dest="key", help="Key to use")
- parser.add_option("-v", "--value", dest="value", help="Value to use")
- parser.add_option("-c", "--create", dest="create", help="Add a new alias")
-
- (options, args) = parser.parse_args()
- library_path = options.library_path
- jceks_file_path = options.jceks_file_path
- key = options.key
- value = options.value
- getorcreate = 'create' if options.create else 'get'
- call_keystore(library_path, jceks_file_path, key, value, getorcreate)
-
-
-def call_keystore(libpath, filepath, aliasKey, aliasValue='', getorcreate='get'):
- finalLibPath = libpath.replace('\\','/').replace('//','/')
- finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/')
- if getorcreate == 'create':
- commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath]
- p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
- output, error = p.communicate()
- statuscode = p.returncode
- if statuscode == 0:
- print "Alias " + aliasKey + " created successfully!"
- else :
- print "Error creating Alias!! Error: " + str(error)
-
- elif getorcreate == 'get':
- commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath]
- p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
- output, error = p.communicate()
- statuscode = p.returncode
- if statuscode == 0:
- print "Alias : " + aliasKey + " Value : " + str(output)
- else :
- print "Error getting value!! Error: " + str(error)
-
- else:
- print 'Invalid Arguments!!'
-
-if __name__ == '__main__':
- main()
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
deleted file mode 100644
index 7693a30260..0000000000
--- a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
+++ /dev/null
@@ -1,152 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-nar-bundles</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>nifi-ranger-bundle</artifactId>
- <packaging>pom</packaging>
-
- <modules>
- <module>nifi-ranger-plugin</module>
- <module>nifi-ranger-nar</module>
- <module>nifi-ranger-resources</module>
- </modules>
-
- <properties>
- <ranger.hadoop.version>3.3.6</ranger.hadoop.version>
- </properties>
-
- <dependencyManagement>
- <dependencies>
- <!-- Override commons-beanutils -->
- <dependency>
- <groupId>commons-beanutils</groupId>
- <artifactId>commons-beanutils</artifactId>
- <version>1.9.4</version>
- </dependency>
- <!-- Override Hadoop -->
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- </exclusion>
- <!-- Exclude Jetty 9.4 -->
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-server</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlet</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-webapp</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-util</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-http</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-rewrite</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <!-- Override SolrJ 8.6.3 from Ranger -->
- <dependency>
- <groupId>org.apache.solr</groupId>
- <artifactId>solr-solrj</artifactId>
- <version>8.11.2</version>
- </dependency>
- <!-- Override nimbus-jose-jwt 9.8.1 from hadoop-auth -->
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>9.33</version>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-auth</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <!-- Override Guava 27 -->
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>32.1.2-jre</version>
- </dependency>
- <!-- Override Jettison from Ranger -->
- <dependency>
- <groupId>org.codehaus.jettison</groupId>
- <artifactId>jettison</artifactId>
- <version>1.5.4</version>
- </dependency>
- </dependencies>
- </dependencyManagement>
-</project>
diff --git a/nifi-nar-bundles/pom.xml b/nifi-nar-bundles/pom.xml
index 28327d78be..0ca64630be 100755
--- a/nifi-nar-bundles/pom.xml
+++ b/nifi-nar-bundles/pom.xml
@@ -82,7 +82,6 @@
<module>nifi-cdc</module>
<module>nifi-parquet-bundle</module>
<module>nifi-extension-utils</module>
- <module>nifi-ranger-bundle</module>
<module>nifi-redis-bundle</module>
<module>nifi-atlas-bundle</module>
<module>nifi-network-bundle</module>
diff --git a/nifi-registry/nifi-registry-assembly/pom.xml b/nifi-registry/nifi-registry-assembly/pom.xml
index 6eadbdcdbd..6a27669c69 100644
--- a/nifi-registry/nifi-registry-assembly/pom.xml
+++ b/nifi-registry/nifi-registry-assembly/pom.xml
@@ -227,44 +227,6 @@
</properties>
<profiles>
- <profile>
- <id>include-ranger</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-ranger-assembly</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <classifier>bin</classifier>
- <scope>runtime</scope>
- <type>${nifi.registry.extension.archive.type}</type>
- </dependency>
- </dependencies>
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-dependency-plugin</artifactId>
- <executions>
- <execution>
- <id>unpack-ranger-extensions</id>
- <goals>
- <goal>unpack-dependencies</goal>
- </goals>
- <phase>generate-resources</phase>
- <configuration>
- <outputDirectory>${project.build.directory}/ext/ranger</outputDirectory>
- <includeGroupIds>org.apache.nifi.registry</includeGroupIds>
- <includeArtifactIds>nifi-registry-ranger-assembly</includeArtifactIds>
- <excludeTransitive>false</excludeTransitive>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
<profile>
<id>include-aws</id>
<activation>
diff --git a/nifi-registry/nifi-registry-assembly/src/main/assembly/dependencies.xml b/nifi-registry/nifi-registry-assembly/src/main/assembly/dependencies.xml
index 05e4c5f838..70fcae0f44 100644
--- a/nifi-registry/nifi-registry-assembly/src/main/assembly/dependencies.xml
+++ b/nifi-registry/nifi-registry-assembly/src/main/assembly/dependencies.xml
@@ -81,7 +81,6 @@
<exclude>*:nifi-registry-bootstrap</exclude>
<exclude>*:nifi-registry-utils</exclude>
<exclude>*:nifi-registry-docs</exclude>
- <exclude>*:nifi-registry-ranger-assembly</exclude>
<exclude>*:nifi-registry-aws-assembly</exclude>
<exclude>*:nifi-registry-properties-loader</exclude>
</excludes>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc b/nifi-registry/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
index fa46a9811d..d4cf51ce8a 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-registry/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
@@ -1762,5 +1762,3 @@ If using the `S3BundlePersistenceProvider`, data will be stored remotely and aut
=== Configuration Files
If using NiFi Registry's policy based authorization, the users, groups, and policies are stored in files on disk named _users.xml_ and _authorizations.xml_. These files should be periodically backed up to an external location. In order to ensure a proper backup, NiFi Registry should be stopped to ensure no authorization data is being written to disk.
-
-If using Ranger, then all authorization information is stored externally and there is nothing to back up.
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/LICENSE b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/LICENSE
deleted file mode 100644
index 3d6c113c3e..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/LICENSE
+++ /dev/null
@@ -1,445 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- https://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
-The binary distribution of this product bundles 'Slf4j' which is available under an MIT license.
-
- Copyright (c) 2004-2017 QOS.ch
- All rights reserved.
-
- Permission is hereby granted, free of charge, to any person obtaining
- a copy of this software and associated documentation files (the
- "Software"), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish,
- distribute, sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so, subject to
- the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
- WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-The binary distribution of this product bundles 'jopt-simple' which is available under an MIT license.
-
- Copyright (c) 2004-2016 Paul R. Holser, Jr.
-
- Permission is hereby granted, free of charge, to any person obtaining
- a copy of this software and associated documentation files (the
- "Software"), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish,
- distribute, sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so, subject to
- the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
- WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-The binary distribution of this product bundles 'ParaNamer' which is available under a BSD license.
-
- Portions copyright (c) 2006-2018 Paul Hammant & ThoughtWorks Inc
- Portions copyright (c) 2000-2007 INRIA, France Telecom
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the copyright holders nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- THE POSSIBILITY OF SUCH DAMAGE.
-
-The binary distribution of this product bundles 'JSch' which is available under a BSD license.
-
- Copyright (c) 2002-2015 Atsuhiko Yamanaka, JCraft,Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the distribution.
-
- 3. The names of the authors may not be used to endorse or promote products
- derived from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
- FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
- INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
- OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-The binary distribution of this product bundles 'JLine Bundle' which is available under a BSD 3-Clause license.
-
- Copyright (c) 2002-2006, Marc Prud'hommeaux <mw...@cornell.edu>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or
- without modification, are permitted provided that the following
- conditions are met:
-
- Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other materials provided with
- the distribution.
-
- Neither the name of JLine nor the names of its contributors
- may be used to endorse or promote products derived from this
- software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
- BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
- EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
- IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-
-The binary distribution of this product bundles 'Protocol Buffers' which is available under a BSD 3-Clause license.
-
- Copyright 2008 Google Inc. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following disclaimer
- in the documentation and/or other materials provided with the
- distribution.
- * Neither the name of Google Inc. nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- Code generated by the Protocol Buffer compiler is owned by the owner
- of the input file used when generating it. This code is not
- standalone and requires a support library to be linked with it. This
- support library is itself covered by the above license.
-
-The binary distribution of this product bundles 'Scala' which is available under a BSD 3-Clause license.
-
- Copyright (c) 2002- EPFL
- Copyright (c) 2011- Lightbend, Inc.
-
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without modification,
- are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
- * Neither the name of the EPFL nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-This product bundles 'RE2/J' which is available under a Go license.
-
- This is a work derived from Russ Cox's RE2 in Go, whose license
- https://golang.org/LICENSE is as follows:
-
- Copyright (c) 2009 The Go Authors. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
-
- * Neither the name of Google Inc. nor the names of its contributors
- may be used to endorse or promote products derived from this
- software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/NOTICE b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/NOTICE
deleted file mode 100644
index 074c9a86ad..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/NOTICE
+++ /dev/null
@@ -1,449 +0,0 @@
-nifi-registry-ranger-extension
-Copyright 2020 The Apache Software Foundation
-
-This product includes software developed at
-The Apache Software Foundation (https://www.apache.org/).
-
-******************
-Apache Software License v2
-******************
-
- (ASLv2) Apache Avro
- The following NOTICE information applies:
- Apache Avro
- Copyright 2009-2017 The Apache Software Foundation
-
- (ASLv2) Apache Commons Collections
- The following NOTICE information applies:
- Apache Commons Collections
- Copyright 2001-2013 The Apache Software Foundation
-
- (ASLv2) Apache Commons Compress
- The following NOTICE information applies:
- Apache Commons Compress
- Copyright 2002-2017 The Apache Software Foundation
-
- The files in the package org.apache.commons.compress.archivers.sevenz
- were derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),
- which has been placed in the public domain:
-
- "LZMA SDK is placed in the public domain." (https://www.7-zip.org/sdk.html)
-
- (ASLv2) Apache Commons Codec
- The following NOTICE information applies:
- Apache Commons Codec
- Copyright 2002-2014 The Apache Software Foundation
-
- src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
- contains test data from http://aspell.net/test/orig/batch0.tab.
- Copyright (C) 2002 Kevin Atkinson (kevina@gnu.org)
-
- ===============================================================================
-
- The content of package org.apache.commons.codec.language.bm has been translated
- from the original php source code available at https://stevemorse.org/phoneticinfo.htm
- with permission from the original authors.
- Original source copyright:
- Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
-
- (ASLv2) Apache Commons CLI
- The following NOTICE information applies:
- Apache Commons CLI
- Copyright 2001-2009 The Apache Software Foundation
-
- (ASLv2) Apache Commons Configuration
- The following NOTICE information applies:
- Apache Commons Configuration
- Copyright 2001-2008 The Apache Software Foundation
-
- (ASLv2) Apache Jakarta HttpClient
- The following NOTICE information applies:
- Apache Jakarta HttpClient
- Copyright 1999-2007 The Apache Software Foundation
-
- (ASLv2) Apache Commons IO
- The following NOTICE information applies:
- Apache Commons IO
- Copyright 2002-2016 The Apache Software Foundation
-
- (ASLv2) Apache Commons Lang
- The following NOTICE information applies:
- Apache Commons Lang
- Copyright 2001-2015 The Apache Software Foundation
-
- This product includes software from the Spring Framework,
- under the Apache License 2.0 (see: StringUtils.containsWhitespace())
-
- (ASLv2) Apache Commons Math
- The following NOTICE information applies:
- Apache Commons Math
- Copyright 2001-2012 The Apache Software Foundation
-
- This product includes software developed by
- The Apache Software Foundation (https://www.apache.org/).
-
- ===============================================================================
-
- The BracketFinder (package org.apache.commons.math3.optimization.univariate)
- and PowellOptimizer (package org.apache.commons.math3.optimization.general)
- classes are based on the Python code in module "optimize.py" (version 0.5)
- developed by Travis E. Oliphant for the SciPy library (https://www.scipy.org/)
- Copyright © 2003-2009 SciPy Developers.
- ===============================================================================
-
- The LinearConstraint, LinearObjectiveFunction, LinearOptimizer,
- RelationShip, SimplexSolver and SimplexTableau classes in package
- org.apache.commons.math3.optimization.linear include software developed by
- Benjamin McCann (https://www.benmccann.com) and distributed with
- the following copyright: Copyright 2009 Google Inc.
- ===============================================================================
-
- This product includes software developed by the
- University of Chicago, as Operator of Argonne National
- Laboratory.
- The LevenbergMarquardtOptimizer class in package
- org.apache.commons.math3.optimization.general includes software
- translated from the lmder, lmpar and qrsolv Fortran routines
- from the Minpack package
- Minpack Copyright Notice (1999) University of Chicago. All rights reserved
- ===============================================================================
-
- The GraggBulirschStoerIntegrator class in package
- org.apache.commons.math3.ode.nonstiff includes software translated
- from the odex Fortran routine developed by E. Hairer and G. Wanner.
- Original source copyright:
- Copyright (c) 2004, Ernst Hairer
- ===============================================================================
-
- The EigenDecompositionImpl class in package
- org.apache.commons.math3.linear includes software translated
- from some LAPACK Fortran routines. Original source copyright:
- Copyright (c) 1992-2008 The University of Tennessee. All rights reserved.
- ===============================================================================
-
- The MersenneTwister class in package org.apache.commons.math3.random
- includes software translated from the 2002-01-26 version of
- the Mersenne-Twister generator written in C by Makoto Matsumoto and Takuji
- Nishimura. Original source copyright:
- Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura,
- All rights reserved
- ===============================================================================
-
- The LocalizedFormatsTest class in the unit tests is an adapted version of
- the OrekitMessagesTest class from the orekit library distributed under the
- terms of the Apache 2 licence. Original source copyright:
- Copyright 2010 CS Systèmes d'Information
- ===============================================================================
-
- The HermiteInterpolator class and its corresponding test have been imported from
- the orekit library distributed under the terms of the Apache 2 licence. Original
- source copyright:
- Copyright 2010-2012 CS Systèmes d'Information
- ===============================================================================
-
- The creation of the package "o.a.c.m.analysis.integration.gauss" was inspired
- by an original code donated by Sébastien Brisard.
- ===============================================================================
-
- (ASLv2) Apache Commons Net
- The following NOTICE information applies:
- Apache Commons Net
- Copyright 2001-2013 The Apache Software Foundation
-
- (ASLv2) Apache Curator
- The following NOTICE information applies:
- Curator Framework
- Copyright 2011-2014 The Apache Software Foundation
-
- Curator Client
- Copyright 2011-2014 The Apache Software Foundation
-
- Curator Recipes
- Copyright 2011-2014 The Apache Software Foundation
-
- (ASLv2) Apache HttpComponents
- The following NOTICE information applies:
- Apache HttpClient
- Copyright 1999-2015 The Apache Software Foundation
-
- Apache HttpCore
- Copyright 2005-2015 The Apache Software Foundation
-
- Apache HttpMime
- Copyright 1999-2013 The Apache Software Foundation
-
- This project contains annotations derived from JCIP-ANNOTATIONS
- Copyright (c) 2005 Brian Goetz and Tim Peierls. See https://www.jcip.net
-
- (ASLv2) Apache Ranger
- The following NOTICE information applies:
- Apache Ranger Credential Builder
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Audit
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Common
- Copyright 2014-2016 The Apache Software Foundation
-
- Apache Ranger Plugins Cred
- Copyright 2014-2016 The Apache Software Foundation
-
- (ASLv2) Google GSON
- The following NOTICE information applies:
- Copyright 2008 Google Inc.
-
- (ASLv2) Guava
- The following NOTICE information applies:
- Guava
- Copyright 2015 The Guava Authors
-
- (ASLv2) Apache Hadoop
- The following NOTICE information applies:
- Apache Hadoop
- Copyright 2014 The Apache Software Foundation.
-
- (ASLv2) HTrace Core
- The following NOTICE information applies:
- In addition, this product includes software dependencies. See
- the accompanying LICENSE.txt for a listing of dependencies
- that are NOT Apache licensed (with pointers to their licensing)
-
- Apache HTrace includes an Apache Thrift connector to Zipkin. Zipkin
- is a distributed tracing system that is Apache 2.0 Licensed.
- Copyright 2012 Twitter, Inc.
-
- (ASLv2) Jackson JSON processor
- The following NOTICE information applies:
- # Jackson JSON processor
-
- Jackson is a high-performance, Free/Open Source JSON processing library.
- It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
- been in development since 2007.
- It is currently developed by a community of developers, as well as supported
- commercially by FasterXML.com.
-
- ## Licensing
-
- Jackson core and extension components may licensed under different licenses.
- To find the details that apply to this artifact see the accompanying LICENSE file.
- For more information, including possible other licensing options, contact
- FasterXML.com (https://fasterxml.com).
-
- ## Credits
-
- A list of contributors may be found from CREDITS file, which is included
- in some artifacts (usually source distributions); but is always available
- from the source code management (SCM) system project uses.
-
- (ASLv2) Jettison
- The following NOTICE information applies:
- Copyright 2006 Envoi Solutions LLC
-
- (ASLv2) Jetty
- The following NOTICE information applies:
- Jetty Web Container
- Copyright 1995-2017 Mort Bay Consulting Pty Ltd.
-
- (ASLv2) Apache Kafka
- The following NOTICE information applies:
- Apache Kafka
- Copyright 2012 The Apache Software Foundation.
-
- scala-library is BSD-like licensed software (https://www.scala-lang.org/license.html)
-
- (ASLv2) Apache log4j
- The following NOTICE information applies:
- Apache log4j
- Copyright 2007 The Apache Software Foundation
-
- (ASLv2) Apache Solr
- The following NOTICE information applies:
- Apache Solrj
- Copyright 2006-2014 The Apache Software Foundation
-
- (ASLv2) Apache ZooKeeper
- The following NOTICE information applies:
- Apache ZooKeeper
- Copyright 2009-2012 The Apache Software Foundation
-
- (ASLv2) The Netty Project
- The following NOTICE information applies:
- The Netty Project
- Copyright 2011 The Netty Project
-
- (ASLv2) Snappy Java
- The following NOTICE information applies:
- This product includes software developed by Google
- Snappy: https://code.google.com/p/snappy/ (New BSD License)
-
- This product includes software developed by Apache
- PureJavaCrc32C from apache-hadoop-common https://hadoop.apache.org/
- (Apache 2.0 license)
-
- This library containd statically linked libstdc++. This inclusion is allowed by
- "GCC RUntime Library Exception"
- https://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
-
- (ASLv2) Woodstox Core ASL
- The following NOTICE information applies:
- This product currently only contains code developed by authors
- of specific components, as identified by the source code files.
-
- Since product implements StAX API, it has dependencies to StAX API
- classes.
-
- (ASLv2) Yammer Metrics
- The following NOTICE information applies:
- Metrics
- Copyright 2010-2012 Coda Hale and Yammer, Inc.
-
- This product includes software developed by Coda Hale and Yammer, Inc.
-
- This product includes code derived from the JSR-166 project (ThreadLocalRandom), which was released
- with the following comments:
-
- Written by Doug Lea with assistance from members of JCP JSR-166
- Expert Group and released to the public domain, as explained at
- https://creativecommons.org/publicdomain/zero/1.0/
-
- (ASLv2) ZkClient
- The following NOTICE information applies:
- ZkClient
- Copyright 2009 Stefan Groschupf
-
- (ASLv2) Swagger Core library
- The following NOTICE information applies:
- Copyright 2016 SmartBear Software
-
- (ASLv2) json-smart
- The following NOTICE information applies:
- Copyright 2011 JSON-SMART authors
-
- (ASLv2) Apache Commons BeanUtils
- The following NOTICE information applies:
- Apache Commons BeanUtils
- Copyright 2000-2008 The Apache Software Foundation
-
- (ASLv2) Apache Kerby
- The following NOTICE information applies:
- Apache Kerby
- Copyright 2003-2018 The Apache Software Foundation
-
- (ASLv2) Nimbus JOSE + JWT
- The following NOTICE information applies:
- Nimbus JOSE + JWT
- Copyright 2012 - 2018, Connect2id Ltd.
-
- (ASLv2) OkHttp
- The following NOTICE information applies:
- OkHttp
- Copyright (C) 2014 Square, Inc.
-
- (ASLv2) Okio
- The following NOTICE information applies:
- Okio
- Copyright (C) 2014 Square, Inc.
-
- (ASLv2) JCIP Annotations Under Apache License
- The following NOTICE information applies:
- JCIP Annotations Under Apache License
- Copyright 2013 Stephen Connolly.
-
-************************
-Common Development and Distribution License 1.0
-************************
-
-The following binary components are provided under the Common Development and Distribution License 1.0. See project link for details.
-
- (CDDL 1.0) JavaBeans Activation Framework (JAF) (javax.activation:activation:jar:1.1 - https://java.sun.com/products/javabeans/jaf/index.jsp)
- (CDDL 1.0) (GPL3) Streaming API For XML (javax.xml.stream:stax-api:jar:1.0-2 - no url provided)
-
-************************
-Common Development and Distribution License 1.1
-************************
-
-The following binary components are provided under the Common Development and Distribution License 1.1. See project link for details.
-
- (CDDL 1.1) (GPL2 w/ CPE) jersey-bundle (com.sun.jersey:jersey-bundle:jar:1.19.3 - https://jersey.java.net/jersey-bundle/)
- (CDDL 1.1) (GPL2 w/ CPE) jersey-server (com.sun.jersey:jersey-server:jar:1.19 - https://jersey.java.net/jersey-server/)
- (CDDL 1.1) (GPL2 w/ CPE) JavaServer Pages(TM) API (javax.servlet.jsp:javax.servlet.jsp-api:jar:2.1 - https://jsp.java.net)
- (CDDL 1.1) (GPL2 w/ CPE) Java Servlet API (javax.servlet:javax.servlet-api:jar:2.5 - https://servlet-spec.java.net)
- (CDDL 1.1) (GPL2 w/ CPE) javax.ws.rs-api (javax.ws.rs:javax.ws.rs-api:jar:2.1 - https://jax-rs-spec.java.net)
- (CDDL 1.1) (GPL2 w/ CPE) JavaMail API (compat) (javax.mail:mail:jar:1.4.7 - https://java.net/projects/javamail/pages/Home)
- (CDDL 1.1) (GPL2 w/ CPE) Java Architecture For XML Binding (javax.xml.bind:jaxb-api:jar:2.2.2 - https://jaxb.dev.java.net/)
- (CDDL 1.1) (GPL2 w/ CPE) Old JAXB Runtime (com.sun.xml.bind:jaxb-impl:jar:2.2.3-1 - https://jaxb.java.net/)
-
-************************
-Eclipse Public License 1.0
-************************
-
-The following binary components are provided under the Eclipse Public License 1.0. See project link for details.
-
- (EPL 1.0) Eclipse Link (org.eclipse.persistence:eclipselink:2.5.2 - https://www.eclipse.org/eclipselink/)
- (EPL 1.0) Common Service Data Objects (org.eclipse.persistence:commonj.sdo:2.1.1 - https://www.eclipse.org/eclipselink/)
- (EPL 1.0) Java Persistence API (org.eclipse.persistence:javax.persistence:2.1.0 - https://www.eclipse.org/eclipselink/)
-
-************************
-The MIT License
-************************
-
-The following binary components are provided under the MIT License. See project link for details.
-
- (MIT License) Simple Logging Facade for Java (SLF4J)
- The following NOTICE information applies:
- Copyright (c) 2004-2017 QOS.ch
- All rights reserved.
- https://www.slf4j.org/
-
- (MIT License) JOpt Simple
- Copyright (c) 2004-2016 Paul R. Holser, Jr.
- https://jopt-simple.github.io/jopt-simple/
-
-************************
-BSD License
-************************
-
-The following binary components are provided under the BSD License. See project link for details.
-
- (BSD) Paranamer
- The following NOTICE information applies:
- Portions copyright (c) 2006-2018 Paul Hammant & ThoughtWorks Inc
- Portions copyright (c) 2000-2007 INRIA, France Telecom
- All rights reserved.
- https://github.com/paul-hammant/paranamer
-
- (BSD) JSch
- The following NOTICE information applies:
- Copyright (c) 2002-2015 Atsuhiko Yamanaka, JCraft,Inc.
- All rights reserved.
- https://www.jcraft.com/jsch/
-
- (BSD 3-Clause) JLine Bundle
- The following NOTICE information applies:
- Copyright (c) 2002-2007, Marc Prud'hommeaux. All rights reserved.
- https://github.com/jline/jline1
-
- (BSD 3-Clause) Protocol Buffers
- The following NOTICE information applies:
- Copyright 2008 Google Inc. All rights reserved.
- https://github.com/google/protobuf/tree/master/java
-
- (BSD 3-Clause) Scala
- The following NOTICE information applies:
- Copyright (c) 2002- EPFL
- Copyright (c) 2011- Lightbend, Inc.
-
- All rights reserved.
- https://www.scala-lang.org/
-
-************************
-Go License
-************************
-
-The following binary components are provided under the Go License. See project link for details.
-
- (Go) RE2/J
- The following NOTICE information applies:
- Copyright (c) 2009 The Go Authors. All rights reserved.
- https://github.com/google/re2j
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/README.md b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/README.md
deleted file mode 100644
index ad6c4aac2e..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/README.md
+++ /dev/null
@@ -1,131 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-# NiFi Registry Ranger extension
-
-This extension provides `org.apache.nifi.registry.ranger.RangerAuthorizer` class for NiFi Registry to authorize user requests by access policies defined at [Apache Ranger](https://ranger.apache.org/).
-
-## Prerequisites
-
-* Apache Ranger 1.2.0 or later is needed.
-
-## How to install
-
-### Enable Ranger extension at NiFi Registry build
-
-In order to enable Ranger extension when you build NiFi Registry, specify `include-ranger` profile with a maven install command:
-
-```
-cd nifi-registry
-mvn clean install -Pinclude-ranger
-```
-
-Then the extension will be installed at `${NIFI_REG_HOME}/ext/ranger` directory.
-
-### Add Ranger extension to existing NiFi Registry
-
-Alternatively, you can add Ranger extension to an existing NiFi Registry.
-To do so, build the extension with the following command:
-
-```
-cd nifi-registry
-mvn clean install -f nifi-registry-extensions/nifi-registry-ranger
-```
-
-The extension zip will be created as `nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip`.
-
-Unzip the file into arbitrary directory so that NiFi Registry can use, such as `${NIFI_REG_HOME}/ext/ranger`.
-For example:
-
-```
-mkdir -p ${NIFI_REG_HOME}/ext/ranger
-unzip -d ${NIFI_REG_HOME}/ext/ranger nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip
-```
-
-## NiFi Registry Configuration
-
-In order to use this extension, following NiFi Registry files need to be configured.
-
-### nifi-registry.properties
-
-```
-# Specify Ranger extension dir
-nifi.registry.extension.dir.ranger=./ext/ranger/lib
-# Specify Ranger authorizer identifier, which is defined at authorizers.xml
-nifi.registry.security.authorizer=ranger-authorizer
-```
-
-### authorizers.xml
-
-Add following `authorizer` element:
-```
- <authorizer>
- <identifier>ranger-authorizer</identifier>
- <class>org.apache.nifi.registry.ranger.RangerAuthorizer</class>
- <property name="Ranger Service Type">nifi-registry</property>
-
- <property name="User Group Provider">file-user-group-provider</property>
-
- <!-- Specify Ranger service name to use -->
- <property name="Ranger Application Id">nifi-registry-service-name</property>
-
- <!--
- Specify configuration file paths for Ranger plugin.
- See the XML files bundled with this extension for further details.
- -->
- <property name="Ranger Security Config Path">./ext/ranger/conf/ranger-nifi-registry-security.xml</property>
- <property name="Ranger Audit Config Path">./ext/ranger/conf/ranger-nifi-registry-audit.xml</property>
-
- <!--
- Specify user identity that is used by Ranger to access NiFi Registry.
- This property is used by NiFi Registry for Ranger to get available NiFi Registry policy resource identifiers.
- The configured user can access NiFi Registry /policies/resources REST endpoint regardless of configured access policies.
- Ranger uses available policies for user input suggestion at Ranger policy editor UI.
- -->
- <property name="Ranger Admin Identity">ranger@NIFI</property>
-
- <!--
- Specify if target Ranger is Kerberized.
- If set to true, NiFi Registry will use the principal and keytab defined at nifi-registry.properties:
- - nifi.registry.kerberos.service.principal
- - nifi.registry.kerberos.service.keytab.location
-
- The specified credential is used to access Ranger API, and to write audit logs into HDFS (if enabled).
-
- At Ranger side, the configured user needs to be added to 'policy.download.auth.users' property, see Ranger configuration section below.
-
- Also, ranger-nifi-registry-security.xml needs additional "xasecure.add-hadoop-authorization = true" configuration.
- -->
- <property name="Ranger Kerberos Enabled">false</property>
-
- </authorizer>
-```
-
-## Ranger Configuration
-
-At Ranger side, add a NiFi Registry service. NiFi Registry service has following configuration properties:
-
-- NiFi Registry URL: Specify corresponding NiFi Registry URL that will be managed by this Ranger service. E.g. `https://nifi-registry.example.com:18443/nifi-registry-api/policies/resources`
-- Authentication Type: Should be `SSL`. Ranger authenticates itself to NiFi Registry by X.509 client certificate in the configured Keystore.
-- Keystore: Specify a Keystore filepath to use for X.509 client certificate.
-- Keystore Type: Specify the type of Keystore. E.g. `JKS`
-- Keystore Password: Specify the password of Keystore.
-- Truststore: Specify a Truststore filepath to verify NiFi Registry server certificate.
-- Truststore Type: Specify the type of Truststore. E.g. `JKS`
-- Truststore Password: Specify the password of Truststore.
-- Add New Configurations:
- - policy.download.auth.users: Required if Ranger is Kerberized.
- Specify the NiFi Registry user to download policies,
- which is configured by 'nifi.registry.kerberos.service.principal' at nifi-registry.properties,
- when NiFi Registry Ranger authorizer is configured as 'Ranger Kerberos Enabled' to true.
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-audit.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-audit.xml
deleted file mode 100644
index e34ef8873d..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-audit.xml
+++ /dev/null
@@ -1,174 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<configuration>
- <property>
- <name>xasecure.audit.is.enabled</name>
- <value>true</value>
- </property>
-
- <!-- DB audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.db</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.driver</name>
- <value>com.mysql.jdbc.Driver</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.url</name>
- <value>jdbc:mysql://localhost/ranger_audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.password</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.user</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.batch.filespool.dir</name>
- <value>/tmp/audit/db/spool</value>
- </property>
-
-
- <!-- HDFS audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.hdfs</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.dir</name>
- <value>hdfs://localhost:8020/ranger/audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
- <value>/tmp/audit/hdfs/spool</value>
- </property>
-
-
- <!--
- NOTE: These HDFS related configurations can be specified from here, or putting core-site.xml and hdfs-site.xml under classpath.
- <property>
- <name>xasecure.audit.destination.hdfs.config.fs.hdfs.impl</name>
- <value>org.apache.hadoop.hdfs.DistributedFileSystem</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.config.hadoop.security.authentication</name>
- <value>kerberos</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.config.dfs.namenode.kerberos.principal</name>
- <value>nn/_HOST@EXAMPLE.COM</value>
- </property>
- -->
-
-
- <!-- Log4j audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.log4j</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.log4j.logger</name>
- <value>ranger_audit_logger</value>
- </property>
-
- <!-- Solr audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.solr</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
- <value>/tmp/audit/solr/spool</value>
- </property>
-
- <!--
- IMPORTANT: Solr destination can be specified by either HTTP URL or Zookeeper address.
- However, when the target Solr is Kerberized, use Zookeeper address.
- Because LBHttpSolrClient can not use following In-memory JAAS config as it overwrites JAAS config internally.
- -->
- <property>
- <name>xasecure.audit.destination.solr.urls</name>
- <!-- by HTTP URL
- <value>http://localhost:6083/solr/ranger_audits</value>
- -->
- <!-- by Zookeeper address, recommended -->
- <value>localhost:2181/solr</value>
- </property>
-
- <!--
- If Solr is Kerberized, following in-memory JAAS properties are also needed to authenticate NiFi Registry as a Solr client.
-
- Also, solr-security.json should be configured to allow this NiFi Registry user (specified by the principal)
- to write audits to 'ranger_audits' Solr collection. See Solr documentation for how to configure solr-security.json.
- https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html
-
- In case Ranger uses infra-solr resides in the same cluster managed by Ambari, you can configure required solr-security.json from:
- Ambari -> Infra Solr -> Config -> Advanced -> Advanced infra-solr-security-json -> Ranger audit service users
- E.g. {default_ranger_audit_users},nifi-registry
- -->
- <!-- Also, solr-security.json Ranger audit service users -->
- <property>
- <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
- <value>true</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.option.useKeyTab</name>
- <value>true</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.option.storeKey</name>
- <value>false</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.option.serviceName</name>
- <value>solr</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.option.principal</name>
- <value>nifi-registry@EXAMPLE.COM</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.option.keyTab</name>
- <value>/etc/security/keytabs/nifi-registry.keytab</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.loginModuleName</name>
- <value>com.sun.security.auth.module.Krb5LoginModule</value>
- </property>
- <property>
- <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
- <value>required</value>
- </property>
-
-</configuration>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-security.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-security.xml
deleted file mode 100644
index f271d6d8df..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/conf/ranger-nifi-registry-security.xml
+++ /dev/null
@@ -1,92 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<configuration>
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.url</name>
- <value>http://localhost:6080</value>
- <description>
- URL to Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.service.name</name>
- <value>nifi-registry-service-name</value>
- <description>
- Name of the Ranger service containing policies for this NiFi Registry instance
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.source.impl</name>
- <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
- <description>
- Class to retrieve policies from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.ssl.config.file</name>
- <value>ranger-policymgr-ssl.xml</value>
- <description>
- Path to the file containing SSL details to contact Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.pollIntervalMs</name>
- <value>30000</value>
- <description>
- How often to poll for changes in policies?
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.cache.dir</name>
- <value>/tmp</value>
- <description>
- Directory where Ranger policies are cached after successful retrieval from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.client.connection.timeoutMs</name>
- <value>120000</value>
- <description>
- RangerRestClient Connection Timeout in Milli Seconds
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.client.read.timeoutMs</name>
- <value>30000</value>
- <description>
- RangerRestClient read Timeout in Milli Seconds
- </description>
- </property>
-
- <property>
- <name>xasecure.add-hadoop-authorization</name>
- <value>true</value>
- <description>
- Enable SPNEGO authentication using principal and keytab to download policies from Ranger
- </description>
- </property>
-
-</configuration>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/pom.xml
deleted file mode 100644
index a474cf4255..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/pom.xml
+++ /dev/null
@@ -1,100 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>nifi-registry-ranger</artifactId>
- <groupId>org.apache.nifi.registry</groupId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>nifi-registry-ranger-assembly</artifactId>
- <packaging>pom</packaging>
- <description>Apache Ranger extension for Apache NiFi Registry</description>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-ranger-plugin</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- <scope>runtime</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-assembly-plugin</artifactId>
- <configuration>
- <attach>true</attach>
- </configuration>
- <executions>
- <execution>
- <id>assembly-ranger-extension</id>
- <goals>
- <goal>single</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <descriptors>
- <descriptor>src/main/assembly/extension.xml</descriptor>
- </descriptors>
- <formats>zip</formats>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <profiles>
- <profile>
- <id>targz</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-assembly-plugin</artifactId>
- <configuration>
- <attach>true</attach>
- </configuration>
- <executions>
- <execution>
- <id>assembly-ranger-extension</id>
- <goals>
- <goal>single</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <descriptors>
- <descriptor>src/main/assembly/extension.xml</descriptor>
- </descriptors>
- <formats>tar.gz</formats>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
- </profiles>
-</project>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/src/main/assembly/extension.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/src/main/assembly/extension.xml
deleted file mode 100644
index 859ca1158d..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-assembly/src/main/assembly/extension.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<assembly>
- <id>bin</id>
- <formats>
- <format>zip</format>
- </formats>
- <includeBaseDirectory>false</includeBaseDirectory>
- <dependencySets>
- <dependencySet>
- <scope>runtime</scope>
- <useProjectArtifact>false</useProjectArtifact>
- <outputDirectory>lib</outputDirectory>
- <directoryMode>0770</directoryMode>
- <fileMode>0664</fileMode>
- </dependencySet>
- </dependencySets>
-
- <files>
- <file>
- <source>./README.md</source>
- <outputDirectory>./</outputDirectory>
- <destName>README.md</destName>
- <fileMode>0644</fileMode>
- <filtered>true</filtered>
- </file>
- <file>
- <source>./LICENSE</source>
- <outputDirectory>./</outputDirectory>
- <destName>LICENSE</destName>
- <fileMode>0644</fileMode>
- <filtered>true</filtered>
- </file>
- <file>
- <source>./NOTICE</source>
- <outputDirectory>./</outputDirectory>
- <destName>NOTICE</destName>
- <fileMode>0644</fileMode>
- <filtered>true</filtered>
- </file>
- </files>
-
- <fileSets>
- <fileSet>
- <directory>conf</directory>
- <outputDirectory>conf</outputDirectory>
- </fileSet>
- </fileSets>
-</assembly>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-jersey-bundle/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-jersey-bundle/pom.xml
deleted file mode 100644
index 7259c61c06..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-jersey-bundle/pom.xml
+++ /dev/null
@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>nifi-registry-ranger</artifactId>
- <groupId>org.apache.nifi.registry</groupId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <description>This module removes javax.ws.rs package from jersey-bundle.jar which is used by ranger-plugins-common.jar in order to address javax.ws.rs version mismatch between jersey-bundle.jar and NiFi Registry. NiFi Registry uses javax.ws.rs version 2.1. Without doing this, NiFi Registry encounters java.lang.LinkageError: ClassCastException: attempting to castjar:file:nifi-registry-xxx/work/jetty/nifi-registry-web-api-xxx.war/webapp/WEB-INF/lib/javax.ws.rs-api.jar!/javax/ws/rs/ext/ [...]
-
- <artifactId>nifi-registry-ranger-jersey-bundle</artifactId>
-
- <dependencies>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-bundle</artifactId>
- <version>1.19.4</version>
-
- <exclusions>
- <exclusion>
- <groupId>javax.ws.rs</groupId>
- <artifactId>jsr311-api</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-shade-plugin</artifactId>
- <version>3.5.0</version>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>shade</goal>
- </goals>
- <configuration>
- <createDependencyReducedPom>false</createDependencyReducedPom>
- <filters>
- <filter>
- <artifact>com.sun.jersey:jersey-bundle</artifact>
- <excludes>
- <exclude>javax/ws/rs/**</exclude>
- </excludes>
- </filter>
- </filters>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml
deleted file mode 100644
index a7e802c836..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml
+++ /dev/null
@@ -1,463 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>nifi-registry-ranger</artifactId>
- <groupId>org.apache.nifi.registry</groupId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>nifi-registry-ranger-plugin</artifactId>
- <packaging>jar</packaging>
-
- <properties>
- <ranger.hadoop.version>3.3.6</ranger.hadoop.version>
- <ranger.ozone.version>1.2.1</ranger.ozone.version>
- <ranger.gcs.version>2.1.5</ranger.gcs.version>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-data-model</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <!--
- Since using the one in the war causes class loading issue between war and ranger/lib,
- this needs to be in ranger/lib.
- -->
- </dependency>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-security-api</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <!-- The one in registry/lib can be used -->
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-properties</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <!-- The one in registry/lib can be used -->
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi</groupId>
- <artifactId>nifi-xml-processing</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- </dependency>
- <dependency>
- <groupId>org.apache.nifi.registry</groupId>
- <artifactId>nifi-registry-ranger-jersey-bundle</artifactId>
- <version>2.0.0-SNAPSHOT</version>
- <exclusions>
- <exclusion>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-bundle</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>log4j-over-slf4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- </dependency>
-
- <!-- Ranger dependencies -->
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>ranger-plugins-common</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.code.findbugs</groupId>
- <artifactId>jsr305</artifactId>
- </exclusion>
- <exclusion>
- <!-- Use nifi-registry-ranger-jersey-bundle instead to avoid
- javax.ws.rs version conflict. -->
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-bundle</artifactId>
- </exclusion>
- <exclusion>
- <!-- The one in hadoop-common conflicts with jersey-bundle. -->
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-json</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>ranger-plugins-audit</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <!-- Exclude Log4j 2 since Ranger does not include direct references to Log4j Loggers -->
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-api</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>credentialbuilder</artifactId>
- <version>${ranger.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
-
- <!-- hadoop-client is needed for auditing to HDFS -->
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-client</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-yarn-api</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-yarn-client</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-mapreduce-client</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-mapreduce-client-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-mapreduce-client-jobclient</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <!-- hadoop-common and hadoop-auth are transitive dependencies of ranger client, but we need to make sure they
- are the same version as hadoop-client above -->
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.google.code.findbugs</groupId>
- <artifactId>jsr305</artifactId>
- </exclusion>
- <exclusion>
- <!-- Avoid using old jsr311 which does not have
- javax.ws.rs.core.Application.getProperties method
- that is used by newer Jetty. -->
- <groupId>javax.ws.rs</groupId>
- <artifactId>jsr311-api</artifactId>
- </exclusion>
- <exclusion>
- <!-- Avoid using old jersey-core which does not have
- javax.ws.rs.core.Application.getProperties method
- that is used by newer Jetty. -->
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- </exclusion>
- <!-- Exclude Jetty Server -->
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-server</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlet</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-webapp</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-util</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-auth</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-reload4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </exclusion>
- <exclusion>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
-
- <!-- Followings are required by com.sun.jersey.core.spi.factory.MessageBodyFactory -->
- <dependency>
- <groupId>javax.mail</groupId>
- <artifactId>mail</artifactId>
- <version>1.4.7</version>
- </dependency>
- <dependency>
- <groupId>org.codehaus.jettison</groupId>
- <artifactId>jettison</artifactId>
- <version>1.5.4</version>
- </dependency>
- </dependencies>
-
- <profiles>
- <!-- Disable tests on AArch64 which does not have necessary platform-specific libraries -->
- <profile>
- <id>disable-ranger-tests</id>
- <activation>
- <os>
- <arch>aarch64</arch>
- </os>
- </activation>
- <properties>
- <skipTests>true</skipTests>
- </properties>
- </profile>
- <!-- Includes hadoop-aws for accessing HDFS with an s3a:// filesystem -->
- <profile>
- <id>include-hadoop-aws</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-aws</artifactId>
- <version>${ranger.hadoop.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-azure and hadoop-azure-datalake for accessing HDFS with wasb://, abfs://, and adl:// filesystems -->
- <profile>
- <id>include-hadoop-azure</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-azure</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-azure-datalake</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-cloud-storage -->
- <profile>
- <id>include-hadoop-cloud-storage</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-cloud-storage</artifactId>
- <version>${ranger.hadoop.version}</version>
- <exclusions>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-ozone for o3fs:// file system -->
- <profile>
- <id>include-hadoop-ozone</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>org.apache.ozone</groupId>
- <artifactId>ozone-client</artifactId>
- <version>${ranger.ozone.version}</version>
- <exclusions>
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk18on</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.ozone</groupId>
- <artifactId>ozone-filesystem</artifactId>
- <version>${ranger.ozone.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <!-- Includes hadoop-gcp for accessing HDFS with an gcs:// filesystem -->
- <profile>
- <id>include-hadoop-gcp</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <dependencies>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>gcs-connector</artifactId>
- <version>hadoop3-${ranger.gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>util</artifactId>
- <version>${ranger.gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>util-hadoop</artifactId>
- <version>hadoop3-${ranger.gcs.version}</version>
- </dependency>
- <dependency>
- <groupId>com.google.cloud.bigdataoss</groupId>
- <artifactId>gcsio</artifactId>
- <version>${ranger.gcs.version}</version>
- </dependency>
- </dependencies>
- </profile>
- </profiles>
-</project>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
deleted file mode 100644
index ee90729b69..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
+++ /dev/null
@@ -1,453 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.ranger;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.nifi.registry.properties.NiFiRegistryProperties;
-import org.apache.nifi.registry.security.authorization.AccessPolicy;
-import org.apache.nifi.registry.security.authorization.AccessPolicyProvider;
-import org.apache.nifi.registry.security.authorization.AccessPolicyProviderInitializationContext;
-import org.apache.nifi.registry.security.authorization.AuthorizationAuditor;
-import org.apache.nifi.registry.security.authorization.AuthorizationRequest;
-import org.apache.nifi.registry.security.authorization.AuthorizationResult;
-import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.registry.security.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.registry.security.authorization.ConfigurableUserGroupProvider;
-import org.apache.nifi.registry.security.authorization.ManagedAuthorizer;
-import org.apache.nifi.registry.security.authorization.RequestAction;
-import org.apache.nifi.registry.security.authorization.UserContextKeys;
-import org.apache.nifi.registry.security.authorization.UserGroupProvider;
-import org.apache.nifi.registry.security.authorization.UserGroupProviderLookup;
-import org.apache.nifi.registry.security.authorization.annotation.AuthorizerContext;
-import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
-import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
-import org.apache.nifi.registry.util.PropertyValue;
-import org.apache.nifi.xml.processing.ProcessingException;
-import org.apache.nifi.xml.processing.parsers.DocumentProvider;
-import org.apache.nifi.xml.processing.parsers.StandardDocumentProvider;
-import org.apache.nifi.xml.processing.transform.StandardTransformProvider;
-import org.apache.nifi.xml.processing.transform.TransformProvider;
-import org.apache.ranger.audit.model.AuthzAuditEvent;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringWriter;
-import java.net.MalformedURLException;
-import java.nio.charset.StandardCharsets;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.WeakHashMap;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- * Authorizer implementation that uses Apache Ranger to make authorization decisions.
- */
-public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor {
-
- private static final Logger logger = LoggerFactory.getLogger(RangerAuthorizer.class);
-
- private static final String USER_GROUP_PROVIDER_ELEMENT = "userGroupProvider";
-
- static final String USER_GROUP_PROVIDER = "User Group Provider";
-
- static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
- static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
- static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
- static final String RANGER_APP_ID_PROP = "Ranger Application Id";
- static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
- static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
-
- static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
- private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
- private static final String DEFAULT_APP_ID = "nifi-registry";
- static final String RESOURCES_RESOURCE = "/policies";
- static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
- private static final String KERBEROS_AUTHENTICATION = "kerberos";
-
- private final Map<AuthorizationRequest, RangerAccessResult> resultLookup = new WeakHashMap<>();
-
- private volatile RangerBasePluginWithPolicies rangerPlugin = null;
- private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile Set<String> rangerAdminIdentity = null;
- private volatile NiFiRegistryProperties registryProperties;
-
- private UserGroupProviderLookup userGroupProviderLookup;
- private UserGroupProvider userGroupProvider;
-
-
- @Override
- public void initialize(AuthorizerInitializationContext initializationContext) throws SecurityProviderCreationException {
- userGroupProviderLookup = initializationContext.getUserGroupProviderLookup();
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
- final String userGroupProviderKey = configurationContext.getProperty(USER_GROUP_PROVIDER).getValue();
- if (StringUtils.isEmpty(userGroupProviderKey)) {
- throw new SecurityProviderCreationException(USER_GROUP_PROVIDER + " must be specified.");
- }
- userGroupProvider = userGroupProviderLookup.getUserGroupProvider(userGroupProviderKey);
-
- // ensure the desired access policy provider has a user group provider
- if (userGroupProvider == null) {
- throw new SecurityProviderCreationException(String.format("Unable to locate configured User Group Provider: %s", userGroupProviderKey));
- }
-
- try {
- if (rangerPlugin == null) {
- logger.info("initializing base plugin");
-
- final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
- final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
-
- rangerPlugin = createRangerBasePlugin(serviceType, appId);
-
- final RangerPluginConfig pluginConfig = rangerPlugin.getConfig();
-
- final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
- addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue, pluginConfig);
-
- final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
- addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue, pluginConfig);
-
- boolean rangerKerberosEnabled = Boolean.valueOf(getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString()));
-
- if (rangerKerberosEnabled) {
- // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
- final Configuration securityConf = new Configuration();
- securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
- UserGroupInformation.setConfiguration(securityConf);
-
- // login with the nifi registry principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
- // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
- final String registryPrincipal = registryProperties.getKerberosServicePrincipal();
- final String registryKeytab = registryProperties.getKerberosServiceKeytabLocation();
-
- if (StringUtils.isBlank(registryPrincipal) || StringUtils.isBlank(registryKeytab)) {
- throw new SecurityProviderCreationException("Principal and Keytab must be provided when Kerberos is enabled");
- }
-
- UserGroupInformation.loginUserFromKeytab(registryPrincipal.trim(), registryKeytab.trim());
- }
-
- rangerPlugin.init();
-
- defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
-
- } else {
- logger.info("base plugin already initialized");
- }
- } catch (Throwable t) {
- throw new SecurityProviderCreationException("Error creating RangerBasePlugin", t);
- }
- }
-
- protected RangerBasePluginWithPolicies createRangerBasePlugin(final String serviceType, final String appId) {
- return new RangerBasePluginWithPolicies(serviceType, appId, userGroupProvider);
- }
-
- @Override
- public AuthorizationResult authorize(final AuthorizationRequest request) throws SecurityProviderCreationException {
- final String identity = request.getIdentity();
- final Set<String> userGroups = request.getGroups();
- final String resourceIdentifier = request.getResource().getIdentifier();
-
- // if a ranger admin identity was provided, and it contains the identity making the request,
- // and the request is to retrieve the resources, then allow it through
- if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
- && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
- return AuthorizationResult.approved();
- }
-
- final String clientIp;
- if (request.getUserContext() != null) {
- clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
- } else {
- clientIp = null;
- }
-
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RANGER_NIFI_REG_RESOURCE_NAME, resourceIdentifier);
-
- final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
- rangerRequest.setResource(resource);
- rangerRequest.setAction(request.getAction().name());
- rangerRequest.setAccessType(request.getAction().name());
- rangerRequest.setUser(identity);
- rangerRequest.setUserGroups(userGroups);
- rangerRequest.setAccessTime(new Date());
-
- if (!StringUtils.isBlank(clientIp)) {
- rangerRequest.setClientIPAddress(clientIp);
- }
-
- final RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
-
- // store the result for auditing purposes later if appropriate
- if (request.isAccessAttempt()) {
- synchronized (resultLookup) {
- resultLookup.put(request, result);
- }
- }
-
- if (result != null && result.getIsAllowed()) {
- // return approved
- return AuthorizationResult.approved();
- } else {
- // if result.getIsAllowed() is false, then we need to determine if it was because no policy exists for the
- // given resource, or if it was because a policy exists but not for the given user or action
- final boolean doesPolicyExist = rangerPlugin.doesPolicyExist(request.getResource().getIdentifier(), request.getAction());
-
- if (doesPolicyExist) {
- final String reason = result == null ? null : result.getReason();
- if (reason != null) {
- logger.debug(String.format("Unable to authorize %s due to %s", identity, reason));
- }
-
- // a policy does exist for the resource so we were really denied access here
- return AuthorizationResult.denied(request.getExplanationSupplier().get());
- } else {
- // a policy doesn't exist so return resource not found so NiFi Registry can work back up the resource hierarchy
- return AuthorizationResult.resourceNotFound();
- }
- }
- }
-
- @Override
- public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
- final RangerAccessResult rangerResult;
- synchronized (resultLookup) {
- rangerResult = resultLookup.remove(request);
- }
-
- if (rangerResult != null && rangerResult.getIsAudited()) {
- AuthzAuditEvent event = defaultAuditHandler.getAuthzEvents(rangerResult);
-
- // update the event with the originally requested resource
- event.setResourceType(RANGER_NIFI_REG_RESOURCE_NAME);
- event.setResourcePath(request.getRequestedResource().getIdentifier());
-
- defaultAuditHandler.logAuthzAudit(event);
- }
- }
-
- @Override
- public void preDestruction() throws SecurityProviderCreationException {
- if (rangerPlugin != null) {
- try {
- rangerPlugin.cleanup();
- rangerPlugin = null;
- } catch (Throwable t) {
- throw new SecurityProviderCreationException("Error cleaning up RangerBasePlugin", t);
- }
- }
- }
-
- @AuthorizerContext
- public void setRegistryProperties(final NiFiRegistryProperties properties) {
- this.registryProperties = properties;
- }
-
- /**
- * Adds a resource to the RangerConfiguration singleton so it is already there by the time RangerBasePlugin.init()
- * is called.
- *
- * @param name the name of the given PropertyValue from the AuthorizationConfigurationContext
- * @param resourceValue the value for the given name, should be a full path to a file
- * @param configuration the RangerConfiguration to add the resource to
- */
- private void addRequiredResource(final String name, final PropertyValue resourceValue, final RangerConfiguration configuration) {
- if (resourceValue == null || StringUtils.isBlank(resourceValue.getValue())) {
- throw new SecurityProviderCreationException(name + " must be specified.");
- }
-
- final File resourceFile = new File(resourceValue.getValue());
- if (!resourceFile.exists() || !resourceFile.canRead()) {
- throw new SecurityProviderCreationException(resourceValue + " does not exist, or can not be read");
- }
-
- try {
- configuration.addResource(resourceFile.toURI().toURL());
- } catch (MalformedURLException e) {
- throw new SecurityProviderCreationException("Error creating URI for " + resourceValue, e);
- }
- }
-
- private String getConfigValue(final AuthorizerConfigurationContext context, final String name, final String defaultValue) {
- final PropertyValue configValue = context.getProperty(name);
-
- String retValue = defaultValue;
- if (configValue != null && !StringUtils.isBlank(configValue.getValue())) {
- retValue = configValue.getValue();
- }
-
- return retValue;
- }
-
- private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
- final Set<String> configValues = new HashSet<>();
-
- for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
- Matcher matcher = namePattern.matcher(entry.getKey());
- if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
- configValues.add(entry.getValue());
- }
- }
-
- if (configValues.isEmpty() && (defaultValue != null)) {
- configValues.add(defaultValue);
- }
-
- return configValues;
- }
-
- @Override
- public String getFingerprint() throws AuthorizationAccessException {
- final StringWriter out = new StringWriter();
- try {
- // create the document
- final DocumentProvider documentProvider = new StandardDocumentProvider();
- final Document document = documentProvider.newDocument();
-
- // create the root element
- final Element managedRangerAuthorizationsElement = document.createElement("managedRangerAuthorizations");
- document.appendChild(managedRangerAuthorizationsElement);
-
- // create the user group provider element
- final Element userGroupProviderElement = document.createElement(USER_GROUP_PROVIDER_ELEMENT);
- managedRangerAuthorizationsElement.appendChild(userGroupProviderElement);
-
- // append fingerprint if the provider is configurable
- if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
- userGroupProviderElement.appendChild(document.createTextNode(((ConfigurableUserGroupProvider) userGroupProvider).getFingerprint()));
- }
-
- final TransformProvider transformProvider = new StandardTransformProvider();
- transformProvider.transform(new DOMSource(document), new StreamResult(out));
- } catch (final ProcessingException e) {
- throw new AuthorizationAccessException("Unable to generate fingerprint", e);
- }
-
- return out.toString();
- }
-
- private String parseFingerprint(final String fingerprint) throws AuthorizationAccessException {
- final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);
-
- try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
- final DocumentProvider documentProvider = new StandardDocumentProvider();
- final Document document = documentProvider.parse(in);
- final Element rootElement = document.getDocumentElement();
-
- final NodeList userGroupProviderList = rootElement.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
- if (userGroupProviderList.getLength() != 1) {
- throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
- }
-
- final Node userGroupProvider = userGroupProviderList.item(0);
- return userGroupProvider.getTextContent();
- } catch (final ProcessingException | IOException e) {
- throw new AuthorizationAccessException("Unable to parse fingerprint", e);
- }
- }
-
- @Override
- public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
- if (StringUtils.isBlank(fingerprint)) {
- return;
- }
-
- final String userGroupFingerprint = parseFingerprint(fingerprint);
-
- if (StringUtils.isNotBlank(userGroupFingerprint) && userGroupProvider instanceof ConfigurableUserGroupProvider) {
- ((ConfigurableUserGroupProvider) userGroupProvider).inheritFingerprint(userGroupFingerprint);
- }
- }
-
- @Override
- public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
- final String userGroupFingerprint = parseFingerprint(proposedFingerprint);
-
- if (StringUtils.isNotBlank(userGroupFingerprint)) {
- if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
- ((ConfigurableUserGroupProvider) userGroupProvider).checkInheritability(userGroupFingerprint);
- } else {
- throw new UninheritableAuthorizationsException("User/Group fingerprint is not blank and the configured UserGroupProvider does not support fingerprinting.");
- }
- }
- }
-
- @Override
- public AccessPolicyProvider getAccessPolicyProvider() {
- return new AccessPolicyProvider() {
- @Override
- public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return rangerPlugin.getAccessPolicies();
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- return rangerPlugin.getAccessPolicy(identifier);
- }
-
- @Override
- public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- return rangerPlugin.getAccessPolicy(resourceIdentifier, action);
- }
-
- @Override
- public UserGroupProvider getUserGroupProvider() {
- return userGroupProvider;
- }
-
- @Override
- public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws SecurityProviderCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
- }
-
- @Override
- public void preDestruction() throws SecurityProviderCreationException {
- }
- };
- }
-}
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerBasePluginWithPolicies.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerBasePluginWithPolicies.java
deleted file mode 100644
index 96994da199..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerBasePluginWithPolicies.java
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.ranger;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.nifi.registry.security.authorization.AccessPolicy;
-import org.apache.nifi.registry.security.authorization.Group;
-import org.apache.nifi.registry.security.authorization.RequestAction;
-import org.apache.nifi.registry.security.authorization.User;
-import org.apache.nifi.registry.security.authorization.UserGroupProvider;
-import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
-import org.apache.ranger.plugin.util.ServicePolicies;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-import java.util.concurrent.atomic.AtomicReference;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-
-/**
- * Extends the base plugin to convert service policies into NiFi Registry policy domain model.
- */
-public class RangerBasePluginWithPolicies extends RangerBasePlugin {
-
- private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class);
-
- private final static String WILDCARD_ASTERISK = "*";
-
- private UserGroupProvider userGroupProvider;
- private AtomicReference<PolicyLookup> policies = new AtomicReference<>(new PolicyLookup());
-
- public RangerBasePluginWithPolicies(final String serviceType, final String appId) {
- this(serviceType, appId, null);
- }
-
- public RangerBasePluginWithPolicies(final String serviceType, final String appId, final UserGroupProvider userGroupProvider) {
- super(serviceType, appId);
- this.userGroupProvider = userGroupProvider; // will be null if used outside of the managed RangerAuthorizer
- }
-
- @Override
- public void setPolicies(final ServicePolicies policies) {
- super.setPolicies(policies);
-
- if (policies == null || policies.getPolicies() == null) {
- this.policies.set(new PolicyLookup());
- } else {
- this.policies.set(createPolicyLookup(policies));
- }
- }
-
- /**
- * Determines if a policy exists for the given resource.
- *
- * @param resourceIdentifier the id of the resource
- *
- * @return true if a policy exists for the given resource, false otherwise
- */
- public boolean doesPolicyExist(final String resourceIdentifier, final RequestAction requestAction) {
- if (resourceIdentifier == null) {
- return false;
- }
-
- final PolicyLookup policyLookup = policies.get();
- return policyLookup.getAccessPolicy(resourceIdentifier, requestAction) != null;
- }
-
- public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return policies.get().getAccessPolicies();
- }
-
- public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- return policies.get().getAccessPolicy(identifier);
- }
-
- public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- return policies.get().getAccessPolicy(resourceIdentifier, action);
- }
-
- private PolicyLookup createPolicyLookup(final ServicePolicies servicePolicies) {
- final Map<String, AccessPolicy> policiesByIdentifier = new HashMap<>();
- final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource = new HashMap<>();
-
- logger.debug("Converting Ranger ServicePolicies model into NiFi Registry policy model for viewing purposes in NiFi Registry UI.");
-
- servicePolicies.getPolicies().stream().forEach(policy -> {
- // only consider policies that are enabled
- if (Boolean.TRUE.equals(policy.getIsEnabled())) {
- // get all the resources for this policy - excludes/recursive support disabled
- final Set<String> resources = policy.getResources().values().stream()
- .filter(resource -> {
- final boolean isMissingResource;
- final boolean isWildcard;
- if (resource.getValues() == null) {
- isMissingResource = true;
- isWildcard = false;
- } else {
- isMissingResource = false;
- isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK));
- }
-
- final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes());
- final boolean isRecursive = Boolean.TRUE.equals(resource.getIsRecursive());
-
- if (isMissingResource) {
- logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
- }
- if (isWildcard) {
- logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
- if (isExclude) {
- logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
- if (isRecursive) {
- logger.warn(String.format("Resources [%s] marked as a recursive policy. Skipping policy for viewing purposes. "
- + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
- }
-
- return !isMissingResource && !isWildcard && !isExclude && !isRecursive;
- })
- .flatMap(resource -> resource.getValues().stream())
- .collect(Collectors.toSet());
-
- policy.getPolicyItems().forEach(policyItem -> {
- // get all the users for this policy item, excluding unknown users
- final Set<String> userIds = policyItem.getUsers().stream()
- .map(userIdentity -> getUser(userIdentity))
- .filter(Objects::nonNull)
- .map(user -> user.getIdentifier())
- .collect(Collectors.toSet());
-
- // get all groups for this policy item, excluding unknown groups
- final Set<String> groupIds = policyItem.getGroups().stream()
- .map(groupName -> getGroup(groupName))
- .filter(Objects::nonNull)
- .map(group -> group.getIdentifier())
- .collect(Collectors.toSet());
-
- // check if this policy item is a delegate admin
- final boolean isDelegateAdmin = Boolean.TRUE.equals(policyItem.getDelegateAdmin());
-
- policyItem.getAccesses().forEach(access -> {
- try {
- // interpret the request action
- final RequestAction action = RequestAction.valueOf(access.getType());
-
- // function for creating an access policy
- final Function<String, AccessPolicy> createPolicy = resource -> new AccessPolicy.Builder()
- .identifierGenerateFromSeed(resource + access.getType())
- .resource(resource)
- .action(action)
- .addUsers(userIds)
- .addGroups(groupIds)
- .build();
-
- resources.forEach(resource -> {
- // create the access policy for the specified resource
- final AccessPolicy accessPolicy = createPolicy.apply(resource);
- policiesByIdentifier.put(accessPolicy.getIdentifier(), accessPolicy);
- policiesByResource.computeIfAbsent(resource, r -> new HashMap<>()).put(action, accessPolicy);
-
- // if this is a delegate admin, also create the admin policy for the specified resource
- if (isDelegateAdmin) {
- // build the admin resource identifier
- final String adminResource;
- if (resource.startsWith("/")) {
- adminResource = "/policies" + resource;
- } else {
- adminResource = "/policies/" + resource;
- }
-
- final AccessPolicy adminAccessPolicy = createPolicy.apply(adminResource);
- policiesByIdentifier.put(adminAccessPolicy.getIdentifier(), adminAccessPolicy);
- policiesByResource.computeIfAbsent(adminResource, ar -> new HashMap<>()).put(action, adminAccessPolicy);
- }
- });
- } catch (final IllegalArgumentException e) {
- logger.warn(String.format("Unrecognized request action '%s'. Skipping policy for viewing purposes. Will still be used for access decisions.", access.getType()));
- }
- });
- });
- }
- });
-
- return new PolicyLookup(policiesByIdentifier, policiesByResource);
- }
-
- private User getUser(final String identity) {
- if (userGroupProvider == null) {
- // generate the user deterministically when running outside of the ManagedRangerAuthorizer
- return new User.Builder().identifierGenerateFromSeed(identity).identity(identity).build();
- } else {
- // find the user in question
- final User user = userGroupProvider.getUserByIdentity(identity);
-
- if (user == null) {
- logger.warn(String.format("Cannot find user '%s' in the configured User Group Provider. Skipping user for viewing purposes. Will still be used for access decisions.", identity));
- }
-
- return user;
- }
- }
-
- private Group getGroup(final String name) {
- if (userGroupProvider == null) {
- // generate the group deterministically when running outside of the ManagedRangerAuthorizer
- return new Group.Builder().identifierGenerateFromSeed(name).name(name).build();
- } else {
- // find the group in question
- final Group group = userGroupProvider.getGroups().stream().filter(g -> g.getName().equals(name)).findFirst().orElse(null);
-
- if (group == null) {
- logger.warn(String.format("Cannot find group '%s' in the configured User Group Provider. Skipping group for viewing purposes. Will still be used for access decisions.", name));
- }
-
- return group;
- }
- }
-
- private static class PolicyLookup {
-
- private final Map<String, AccessPolicy> policiesByIdentifier;
- private final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource;
- private final Set<AccessPolicy> allPolicies;
-
- private PolicyLookup() {
- this(null, null);
- }
-
- private PolicyLookup(final Map<String, AccessPolicy> policiesByIdentifier, final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource) {
- if (policiesByIdentifier == null) {
- allPolicies = Collections.EMPTY_SET;
- } else {
- allPolicies = Collections.unmodifiableSet(new HashSet<>(policiesByIdentifier.values()));
- }
-
- this.policiesByIdentifier = policiesByIdentifier;
- this.policiesByResource = policiesByResource;
- }
-
- private Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
- return allPolicies;
- }
-
- private AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException {
- if (policiesByIdentifier == null) {
- return null;
- }
-
- return policiesByIdentifier.get(identifier);
- }
-
- private AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException {
- if (policiesByResource == null) {
- return null;
- }
-
- final Map<RequestAction, AccessPolicy> policiesForResource = policiesByResource.get(resourceIdentifier);
-
- if (policiesForResource != null) {
- return policiesForResource.get(action);
- }
-
- return null;
- }
- }
-
-}
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.registry.security.authorization.Authorizer b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.registry.security.authorization.Authorizer
deleted file mode 100644
index f8c1bc3bf0..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.registry.security.authorization.Authorizer
+++ /dev/null
@@ -1,15 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-org.apache.nifi.registry.ranger.RangerAuthorizer
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
deleted file mode 100644
index d3e346f453..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
+++ /dev/null
@@ -1,672 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.nifi.registry.ranger;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.nifi.registry.properties.NiFiRegistryProperties;
-import org.apache.nifi.registry.security.authorization.AuthorizationRequest;
-import org.apache.nifi.registry.security.authorization.AuthorizationResult;
-import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.registry.security.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.registry.security.authorization.ConfigurableUserGroupProvider;
-import org.apache.nifi.registry.security.authorization.RequestAction;
-import org.apache.nifi.registry.security.authorization.Resource;
-import org.apache.nifi.registry.security.authorization.UserContextKeys;
-import org.apache.nifi.registry.security.authorization.UserGroupProvider;
-import org.apache.nifi.registry.security.authorization.UserGroupProviderLookup;
-import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
-import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
-import org.apache.nifi.registry.util.StandardPropertyValue;
-import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatcher;
-
-import java.io.File;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.argThat;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class TestRangerAuthorizer {
-
- private static final String TENANT_FINGERPRINT =
- "<tenants>"
- + "<user identifier=\"user-id-1\" identity=\"user-1\"></user>"
- + "<group identifier=\"group-id-1\" name=\"group-1\">"
- + "<groupUser identifier=\"user-id-1\"></groupUser>"
- + "</group>"
- + "</tenants>";
-
- private static final String EMPTY_FINGERPRINT = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>"
- + "<managedRangerAuthorizations>"
- + "<userGroupProvider/>"
- + "</managedRangerAuthorizations>";
-
- private static final String NON_EMPTY_FINGERPRINT = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>"
- + "<managedRangerAuthorizations>"
- + "<userGroupProvider>"
- + "<tenants>"
- + "<user identifier=\"user-id-1\" identity=\"user-1\"></user>"
- + "<group identifier=\"group-id-1\" name=\"group-1\">"
- + "<groupUser identifier=\"user-id-1\"></groupUser>"
- + "</group>"
- + "</tenants>"
- + "</userGroupProvider>"
- + "</managedRangerAuthorizations>";
-
- private MockRangerAuthorizer authorizer;
- private RangerBasePluginWithPolicies rangerBasePlugin;
-
- private final String serviceType = "nifiRegistryService";
- private final String appId = "nifiRegistryAppId";
-
- private RangerAccessResult allowedResult;
- private RangerAccessResult notAllowedResult;
- private Map<String, String> authorizersXmlContent = null;
-
- @BeforeEach
- public void initialization() {
- authorizersXmlContent = Stream.of(new String[][] {
- {RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
- {RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
- {RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
- {RangerAuthorizer.RANGER_APP_ID_PROP, appId},
- {RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
- }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
- }
-
- private void setup(final NiFiRegistryProperties registryProperties,
- final UserGroupProvider userGroupProvider,
- final AuthorizerConfigurationContext configurationContext) {
- // have to initialize this system property before anything else
- File krb5conf = new File("src/test/resources/krb5.conf");
- assertTrue(krb5conf.exists());
- System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
-
- // rest the authentication to simple in case any tests set it to kerberos
- final Configuration securityConf = new Configuration();
- securityConf.set(RangerAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
- UserGroupInformation.setConfiguration(securityConf);
-
- rangerBasePlugin = mock(RangerBasePluginWithPolicies.class);
-
- final RangerPluginConfig pluginConfig = new RangerPluginConfig(serviceType, null, appId, null, null, null);
- when(rangerBasePlugin.getConfig()).thenReturn(pluginConfig);
-
- authorizer = new MockRangerAuthorizer(rangerBasePlugin);
-
- final UserGroupProviderLookup userGroupProviderLookup = mock(UserGroupProviderLookup.class);
- when(userGroupProviderLookup.getUserGroupProvider(eq("user-group-provider"))).thenReturn(userGroupProvider);
-
- final AuthorizerInitializationContext initializationContext = mock(AuthorizerInitializationContext.class);
- when(initializationContext.getUserGroupProviderLookup()).thenReturn(userGroupProviderLookup);
-
- authorizer.setRegistryProperties(registryProperties);
- authorizer.initialize(initializationContext);
- authorizer.onConfigured(configurationContext);
-
- assertFalse(UserGroupInformation.isSecurityEnabled());
-
- allowedResult = mock(RangerAccessResult.class);
- when(allowedResult.getIsAllowed()).thenReturn(true);
-
- notAllowedResult = mock(RangerAccessResult.class);
- when(notAllowedResult.getIsAllowed()).thenReturn(false);
- }
-
- private AuthorizerConfigurationContext createMockConfigContext() {
- AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
-
- for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
- when(configurationContext.getProperty(eq(entry.getKey())))
- .thenReturn(new StandardPropertyValue(entry.getValue()));
- }
-
- when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
-
- return configurationContext;
- }
-
- @Test
- public void testOnConfigured() {
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), createMockConfigContext());
-
- verify(rangerBasePlugin, times(1)).init();
-
- assertEquals(appId, authorizer.mockRangerBasePlugin.getAppId());
- assertEquals(serviceType, authorizer.mockRangerBasePlugin.getServiceType());
- }
-
- @Test
- public void testKerberosEnabledWithoutKeytab() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new StandardPropertyValue("true"));
-
- NiFiRegistryProperties registryProperties = mock(NiFiRegistryProperties.class);
- when(registryProperties.getKerberosServicePrincipal()).thenReturn("");
-
- assertThrows(SecurityProviderCreationException.class, () -> setup(registryProperties, mock(UserGroupProvider.class), configurationContext));
- }
-
- @Test
- public void testKerberosEnabledWithoutPrincipal() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new StandardPropertyValue("true"));
-
- NiFiRegistryProperties registryProperties = mock(NiFiRegistryProperties.class);
- when(registryProperties.getKerberosServiceKeytabLocation()).thenReturn("");
-
- assertThrows(SecurityProviderCreationException.class, () -> setup(registryProperties, mock(UserGroupProvider.class), configurationContext));
- }
-
- @Test
- public void testKerberosEnabledWithoutKeytabOrPrincipal() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new StandardPropertyValue("true"));
-
- NiFiRegistryProperties registryProperties = mock(NiFiRegistryProperties.class);
- when(registryProperties.getKerberosServiceKeytabLocation()).thenReturn("");
- when(registryProperties.getKerberosServicePrincipal()).thenReturn("");
-
- assertThrows(SecurityProviderCreationException.class, () -> setup(registryProperties, mock(UserGroupProvider.class), configurationContext));
- }
-
- @Test
- public void testKerberosEnabled() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
- .thenReturn(new StandardPropertyValue("true"));
-
- NiFiRegistryProperties registryProperties = mock(NiFiRegistryProperties.class);
- when(registryProperties.getKerberosServiceKeytabLocation()).thenReturn("test");
- when(registryProperties.getKerberosServicePrincipal()).thenReturn("test");
-
- assertThrows(SecurityProviderCreationException.class, () -> setup(registryProperties, mock(UserGroupProvider.class), configurationContext));
- }
-
- @Test
- public void testApprovedWithDirectAccess() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
- final String clientIp = "192.168.1.1";
-
- final Map<String,String> userContext = new HashMap<>();
- userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp);
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .userContext(userContext)
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerAuthorizer.RANGER_NIFI_REG_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
- expectedRangerRequest.setClientIPAddress(clientIp);
-
- // a non-null result processor should be used for direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(allowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
- }
-
- @Test
- public void testApprovedWithNonDirectAccess() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(false)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerAuthorizer.RANGER_NIFI_REG_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(allowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
- }
-
- @Test
- public void testResourceNotFound() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerAuthorizer.RANGER_NIFI_REG_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
- any(RangerAccessResultProcessor.class))
- ).thenReturn(notAllowedResult);
-
- // return false when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(false);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
- }
-
- @Test
- public void testDenied() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- final String systemResource = "/system";
- final RequestAction action = RequestAction.WRITE;
- final String user = "admin";
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(systemResource, systemResource))
- .action(action)
- .identity(user)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerAuthorizer.RANGER_NIFI_REG_RESOURCE_NAME, systemResource);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // no result processor should be provided used non-direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(notAllowedResult);
-
- // return true when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(systemResource, action)).thenReturn(true);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
- }
-
- @Test
- public void testRangerAdminApproved() {
- final String acceptableIdentity = "ranger-admin";
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
-
- final String requestIdentity = "ranger-admin";
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminApprovedMultipleAcceptableIdentities() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin2";
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin3";
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
- }
-
- @Test
- public void testRangerAdminDenied() {
- final String acceptableIdentity = "ranger-admin";
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
-
- final String requestIdentity = "ranger-admin";
- runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
- }
-
- @Test
- public void testRangerAdminDeniedMultipleAcceptableIdentities() {
- final String acceptableIdentity1 = "ranger-admin1";
- final String acceptableIdentity2 = "ranger-admin2";
- final String acceptableIdentity3 = "ranger-admin3";
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
- authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
-
- final String requestIdentity = "ranger-admin4";
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
- }
-
- private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
-
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- final RequestAction action = RequestAction.WRITE;
-
- // the incoming NiFi request to test
- final AuthorizationRequest request = new AuthorizationRequest.Builder()
- .resource(new MockResource(resourceIdentifier, resourceIdentifier))
- .action(action)
- .identity(requestIdentity)
- .resourceContext(new HashMap<>())
- .accessAttempt(true)
- .anonymous(false)
- .build();
-
- // the expected Ranger resource and request that are created
- final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
- resource.setValue(RangerAuthorizer.RANGER_NIFI_REG_RESOURCE_NAME, resourceIdentifier);
-
- final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
- expectedRangerRequest.setResource(resource);
- expectedRangerRequest.setAction(request.getAction().name());
- expectedRangerRequest.setAccessType(request.getAction().name());
- expectedRangerRequest.setUser(request.getIdentity());
-
- // return true when checking if a policy exists for the resource
- when(rangerBasePlugin.doesPolicyExist(resourceIdentifier, action)).thenReturn(true);
-
- // a non-null result processor should be used for direct access
- when(rangerBasePlugin.isAccessAllowed(
- argThat(new RangerAccessRequestMatcher(expectedRangerRequest)))
- ).thenReturn(notAllowedResult);
-
- final AuthorizationResult result = authorizer.authorize(request);
- assertEquals(expectedResult, result.getResult());
- }
-
- /**
- * Extend RangerAuthorizer to inject a mock base plugin for testing.
- */
- private static class MockRangerAuthorizer extends RangerAuthorizer {
-
- RangerBasePluginWithPolicies mockRangerBasePlugin;
-
- MockRangerAuthorizer(RangerBasePluginWithPolicies mockRangerBasePlugin) {
- this.mockRangerBasePlugin = mockRangerBasePlugin;
- }
-
- @Override
- protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) {
- when(mockRangerBasePlugin.getAppId()).thenReturn(appId);
- when(mockRangerBasePlugin.getServiceType()).thenReturn(serviceType);
- return mockRangerBasePlugin;
- }
- }
-
- /**
- * Resource implementation for testing.
- */
- private static class MockResource implements Resource {
-
- private final String identifier;
- private final String name;
-
- MockResource(String identifier, String name) {
- this.identifier = identifier;
- this.name = name;
- }
-
- @Override
- public String getIdentifier() {
- return identifier;
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String getSafeDescription() {
- return name;
- }
- }
-
- /**
- * Custom Mockito matcher for RangerAccessRequest objects.
- */
- private static class RangerAccessRequestMatcher implements ArgumentMatcher<RangerAccessRequest> {
-
- private final RangerAccessRequest request;
-
- RangerAccessRequestMatcher(RangerAccessRequest request) {
- this.request = request;
- }
-
- @Override
- public boolean matches(RangerAccessRequest other) {
- final boolean clientIpsMatch = (other.getClientIPAddress() == null && request.getClientIPAddress() == null)
- || (other.getClientIPAddress() != null && request.getClientIPAddress() != null && other.getClientIPAddress().equals(request.getClientIPAddress()));
-
- return other.getResource().equals(request.getResource())
- && other.getAccessType().equals(request.getAccessType())
- && other.getAction().equals(request.getAction())
- && other.getUser().equals(request.getUser())
- && clientIpsMatch;
- }
- }
-
- @Test
- public void testNonConfigurableFingerPrint() {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
-
- assertEquals(EMPTY_FINGERPRINT, authorizer.getFingerprint());
- }
-
- @Test
- public void testConfigurableEmptyFingerPrint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
- when(userGroupProvider.getFingerprint()).thenReturn("");
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- assertEquals(EMPTY_FINGERPRINT, authorizer.getFingerprint());
- }
-
- @Test
- public void testConfigurableFingerPrint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
- when(userGroupProvider.getFingerprint()).thenReturn(TENANT_FINGERPRINT);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- assertEquals(NON_EMPTY_FINGERPRINT, authorizer.getFingerprint());
- }
-
- @Test
- public void testInheritEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- authorizer.inheritFingerprint(EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(0)).inheritFingerprint(anyString());
- }
-
- @Test
- public void testInheritInvalidFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- assertThrows(AuthorizationAccessException.class, () -> authorizer.inheritFingerprint("not a valid fingerprint"));
- }
-
- @Test
- public void testInheritNonEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- authorizer.inheritFingerprint(NON_EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(1)).inheritFingerprint(TENANT_FINGERPRINT);
- }
-
- @Test
- public void testCheckInheritEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- authorizer.checkInheritability(EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(0)).inheritFingerprint(anyString());
- }
-
- @Test
- public void testCheckInheritInvalidFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- assertThrows(AuthorizationAccessException.class, () -> authorizer.checkInheritability("not a valid fingerprint"));
- }
-
- @Test
- public void testCheckInheritNonEmptyFingerprint() {
- final ConfigurableUserGroupProvider userGroupProvider = mock(ConfigurableUserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- authorizer.checkInheritability(NON_EMPTY_FINGERPRINT);
-
- verify(userGroupProvider, times(1)).checkInheritability(TENANT_FINGERPRINT);
- }
-
- @Test
- public void testCheckInheritNonConfigurableUserGroupProvider() {
- final UserGroupProvider userGroupProvider = mock(UserGroupProvider.class);
-
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
- setup(mock(NiFiRegistryProperties.class), userGroupProvider, configurationContext);
-
- assertThrows(UninheritableAuthorizationsException.class, () -> authorizer.checkInheritability(NON_EMPTY_FINGERPRINT));
- }
-
-}
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerBasePluginWithPolicies.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerBasePluginWithPolicies.java
deleted file mode 100644
index 586906ad91..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerBasePluginWithPolicies.java
+++ /dev/null
@@ -1,544 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.registry.ranger;
-
-import org.apache.nifi.registry.security.authorization.AccessPolicy;
-import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.registry.security.authorization.Group;
-import org.apache.nifi.registry.security.authorization.RequestAction;
-import org.apache.nifi.registry.security.authorization.User;
-import org.apache.nifi.registry.security.authorization.UserAndGroups;
-import org.apache.nifi.registry.security.authorization.UserGroupProvider;
-import org.apache.nifi.registry.security.authorization.UserGroupProviderInitializationContext;
-import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.util.ServicePolicies;
-import org.junit.jupiter.api.Test;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-public class TestRangerBasePluginWithPolicies {
-
- @Test
- public void testPoliciesWithoutUserGroupProvider() {
- final String user1 = "user-1";
- final String group1 = "group-1";
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final String resourceIdentifier2 = "/resource-2";
- RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>();
- policy2Resources.put(resourceIdentifier2, resource2);
-
- final RangerPolicy.RangerPolicyItem policy2Item = new RangerPolicy.RangerPolicyItem();
- policy2Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
-
- final RangerPolicy policy2 = new RangerPolicy();
- policy2.setResources(policy2Resources);
- policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
- policies.add(policy2);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the two ranger policies converted into 3 nifi-registry access policies
- final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
- assertEquals(3, accessPolicies.size());
-
- // resource 1 -> read but no write
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
-
- // read
- final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
- assertNotNull(readResource1);
- assertTrue(accessPolicies.contains(readResource1));
- assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
- assertEquals(1, readResource1.getUsers().size());
- assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
- assertTrue(readResource1.getGroups().isEmpty());
-
- // but no write
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
-
- // resource 2 -> read and write
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
-
- // read
- final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(readResource2);
- assertTrue(accessPolicies.contains(readResource2));
- assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
- assertTrue(readResource2.getUsers().isEmpty());
- assertEquals(1, readResource2.getGroups().size());
- assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
-
- // and write
- final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(writeResource2);
- assertTrue(accessPolicies.contains(writeResource2));
- assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
- assertTrue(writeResource2.getUsers().isEmpty());
- assertEquals(1, writeResource2.getGroups().size());
- assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
-
- // resource 3 -> no read or write
- assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
- assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
-
- // no read or write
- assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
- assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
- }
-
- @Test
- public void testNoPolicies() {
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
-
- assertFalse(pluginWithPolicies.doesPolicyExist("non-existent-resource", RequestAction.READ));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy("non-existent-identifier"));
- assertNull(pluginWithPolicies.getAccessPolicy("non-existent-resource", RequestAction.READ));
- }
-
- @Test
- public void testDisabledPolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setIsEnabled(false);
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
- }
-
- @Test
- public void testMissingResourceValue() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource();
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testWildcardResourceValue() {
- final String resourceIdentifier1 = "*";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testExcludesPolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
- resource1.setIsExcludes(true);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testRecursivePolicy() {
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
- resource1.setIsRecursive(true);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the policy was skipped
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testDelegateAdmin() {
- final String user1 = "user-1";
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
- policy1Item.setDelegateAdmin(true);
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
- pluginWithPolicies.setPolicies(servicePolicies);
-
- assertEquals(4, pluginWithPolicies.getAccessPolicies().size());
- assertNotNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
- assertNotNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
- assertNotNull(pluginWithPolicies.getAccessPolicy("/policies" + resourceIdentifier1, RequestAction.READ));
- assertNotNull(pluginWithPolicies.getAccessPolicy("/policies" + resourceIdentifier1, RequestAction.WRITE));
- }
-
- @Test
- public void testPoliciesWithUserGroupProvider() {
- final String user1 = "user-1"; // unknown according to user group provider
- final String user2 = "user-2"; // known according to user group provider
- final String group1 = "group-1"; // unknown according to user group provider
- final String group2 = "group-2"; // known according to user group provider
-
- final UserGroupProvider userGroupProvider = new UserGroupProvider() {
- @Override
- public Set<User> getUsers() throws AuthorizationAccessException {
- return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
- }
-
- @Override
- public User getUser(String identifier) throws AuthorizationAccessException {
- final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- if (u2.getIdentifier().equals(identifier)) {
- return u2;
- } else {
- return null;
- }
- }
-
- @Override
- public User getUserByIdentity(String identity) throws AuthorizationAccessException {
- if (user2.equals(identity)) {
- return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- } else {
- return null;
- }
- }
-
- @Override
- public Set<Group> getGroups() throws AuthorizationAccessException {
- return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
- }
-
- @Override
- public Group getGroup(String identifier) throws AuthorizationAccessException {
- final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
- if (g2.getIdentifier().equals(identifier)) {
- return g2;
- } else {
- return null;
- }
- }
-
- @Override
- public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
- if (user2.equals(identity)) {
- return new UserAndGroups() {
- @Override
- public User getUser() {
- return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
- }
-
- @Override
- public Set<Group> getGroups() {
- return Collections.EMPTY_SET;
- }
- };
- } else {
- return null;
- }
- }
-
- @Override
- public void initialize(UserGroupProviderInitializationContext initializationContext) throws SecurityProviderCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
- }
-
- @Override
- public void preDestruction() throws SecurityProviderCreationException {
- }
- };
-
- final String resourceIdentifier1 = "/resource-1";
- RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
- policy1Resources.put(resourceIdentifier1, resource1);
-
- final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
- policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
- policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
- policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
-
- final RangerPolicy policy1 = new RangerPolicy();
- policy1.setResources(policy1Resources);
- policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
-
- final String resourceIdentifier2 = "/resource-2";
- RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);
-
- final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>();
- policy2Resources.put(resourceIdentifier2, resource2);
-
- final RangerPolicy.RangerPolicyItem policy2Item = new RangerPolicy.RangerPolicyItem();
- policy2Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
- policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
- policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
-
- final RangerPolicy policy2 = new RangerPolicy();
- policy2.setResources(policy2Resources);
- policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
-
- final List<RangerPolicy> policies = new ArrayList<>();
- policies.add(policy1);
- policies.add(policy2);
-
- final RangerServiceDef serviceDef = new RangerServiceDef();
- serviceDef.setName("nifi-registry");
-
- final ServicePolicies servicePolicies = new ServicePolicies();
- servicePolicies.setPolicies(policies);
- servicePolicies.setServiceDef(serviceDef);
-
- // set all the policies in the plugin
- final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry", userGroupProvider);
- pluginWithPolicies.setPolicies(servicePolicies);
-
- // ensure the two ranger policies converted into 3 nifi-registry access policies
- final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
- assertEquals(3, accessPolicies.size());
-
- // resource 1 -> read but no write
- assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
-
- // read
- final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
- assertNotNull(readResource1);
- assertTrue(accessPolicies.contains(readResource1));
- assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
- assertTrue(readResource1.getUsers().isEmpty());
- assertEquals(1, readResource1.getGroups().size());
- assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
-
- // but no write
- assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
-
- // resource 2 -> read and write
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
- assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
-
- // read
- final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(readResource2);
- assertTrue(accessPolicies.contains(readResource2));
- assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
- assertEquals(1, readResource2.getUsers().size());
- assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
- assertTrue(readResource2.getGroups().isEmpty());
-
- // and write
- final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
- assertNotNull(writeResource2);
- assertTrue(accessPolicies.contains(writeResource2));
- assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
- assertEquals(1, writeResource2.getUsers().size());
- assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
- assertTrue(writeResource2.getGroups().isEmpty());
- }
-}
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/krb5.conf b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/krb5.conf
deleted file mode 100644
index 0e3f142a9b..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/krb5.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-[libdefaults]
- default_realm = EXAMPLE.COM
- dns_lookup_kdc = false
- dns_lookup_realm = false
-
-[realms]
- EXAMPLE.COM = {
- kdc = kerberos.example.com
- admin_server = kerberos.example.com
- }
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/core-site.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/core-site.xml
deleted file mode 100644
index d590a5039c..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/core-site.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<configuration>
- <property>
- <name>hadoop.security.authentication</name>
- <value>simple</value>
- </property>
-</configuration>
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-audit.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-audit.xml
deleted file mode 100644
index 3dbd576334..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-audit.xml
+++ /dev/null
@@ -1,101 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <property>
- <name>xasecure.audit.is.enabled</name>
- <value>true</value>
- </property>
-
- <!-- DB audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.db</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.driver</name>
- <value>com.mysql.jdbc.Driver</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.jdbc.url</name>
- <value>jdbc:mysql://localhost/ranger_audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.password</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.user</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.db.batch.filespool.dir</name>
- <value>/tmp/audit/db/spool</value>
- </property>
-
-
- <!-- HDFS audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.hdfs</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.dir</name>
- <value>hdfs://localhost:8020/ranger/audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
- <value>/tmp/audit/hdfs/spool</value>
- </property>
-
-
- <!-- Log4j audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.log4j</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.log4j.logger</name>
- <value>ranger_audit_logger</value>
- </property>
-
- <!-- Solr audit provider configuration -->
- <property>
- <name>xasecure.audit.destination.solr</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
- <value>/tmp/audit/solr/spool</value>
- </property>
-
- <property>
- <name>xasecure.audit.destination.solr.urls</name>
- <value>http://localhost:6083/solr/ranger_audits</value>
- </property>
-
-</configuration>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-security.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-security.xml
deleted file mode 100644
index ab55fba707..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-nifi-registry-security.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<configuration>
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.url</name>
- <value>http://localhost:6080</value>
- <description>
- URL to Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.service.name</name>
- <value>nifi-registry</value>
- <description>
- Name of the Ranger service containing policies for this nifi instance
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.source.impl</name>
- <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
- <description>
- Class to retrieve policies from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.ssl.config.file</name>
- <value>ranger-policymgr-ssl.xml</value>
- <description>
- Path to the file containing SSL details to contact Ranger Admin
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.pollIntervalMs</name>
- <value>30000</value>
- <description>
- How often to poll for changes in policies?
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.cache.dir</name>
- <value>/tmp</value>
- <description>
- Directory where Ranger policies are cached after successful retrieval from the source
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.client.connection.timeoutMs</name>
- <value>120000</value>
- <description>
- RangerRestClient Connection Timeout in Milli Seconds
- </description>
- </property>
-
- <property>
- <name>ranger.plugin.nifi-registry.policy.rest.client.read.timeoutMs</name>
- <value>30000</value>
- <description>
- RangerRestClient read Timeout in Milli Seconds
- </description>
- </property>
-</configuration>
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
deleted file mode 100644
index a6e05747a3..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <!-- The following properties are used for 2-way SSL client server validation -->
- <property>
- <name>xasecure.policymgr.clientssl.keystore</name>
- <value></value>
- <description>
- Java Keystore files
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.keystore.password</name>
- <value>none</value>
- <description>
- password for keystore
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore</name>
- <value></value>
- <description>
- java truststore file
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore.password</name>
- <value>none</value>
- <description>
- java truststore password
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
- <value></value>
- <description>
- java keystore credential file
- </description>
- </property>
- <property>
- <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
- <value></value>
- <description>
- java truststore credential file
- </description>
- </property>
-</configuration>
\ No newline at end of file
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
deleted file mode 100644
index 9073a99c45..0000000000
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <artifactId>nifi-registry-extensions</artifactId>
- <groupId>org.apache.nifi.registry</groupId>
- <version>2.0.0-SNAPSHOT</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>nifi-registry-ranger</artifactId>
- <packaging>pom</packaging>
-
- <modules>
- <module>nifi-registry-ranger-assembly</module>
- <module>nifi-registry-ranger-jersey-bundle</module>
- <module>nifi-registry-ranger-plugin</module>
- </modules>
-
- <dependencyManagement>
- <dependencies>
- <!-- Override SolrJ 8.6.3 from Ranger -->
- <dependency>
- <groupId>org.apache.solr</groupId>
- <artifactId>solr-solrj</artifactId>
- <version>8.11.2</version>
- </dependency>
- <!-- Override nimbus-jose-jwt 9.8.1 from hadoop-auth -->
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>9.33</version>
- </dependency>
- <!-- Override Guava 27 -->
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>32.1.2-jre</version>
- </dependency>
- </dependencies>
- </dependencyManagement>
-</project>
diff --git a/nifi-registry/nifi-registry-extensions/pom.xml b/nifi-registry/nifi-registry-extensions/pom.xml
index 797845318c..74f0102184 100644
--- a/nifi-registry/nifi-registry-extensions/pom.xml
+++ b/nifi-registry/nifi-registry-extensions/pom.xml
@@ -26,6 +26,5 @@
<modules>
<module>nifi-registry-aws</module>
- <module>nifi-registry-ranger</module>
</modules>
</project>
diff --git a/pom.xml b/pom.xml
index f74dbc5698..ced7a8e70e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,7 +129,6 @@
<org.slf4j.version>2.0.11</org.slf4j.version>
<com.jayway.jsonpath.version>2.9.0</com.jayway.jsonpath.version>
<derby.version>10.17.1.0</derby.version>
- <ranger.version>2.4.0</ranger.version>
<jetty.version>12.0.6</jetty.version>
<jackson.bom.version>2.16.1</jackson.bom.version>
<avro.version>1.11.3</avro.version>