You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by bb...@apache.org on 2022/11/14 13:28:30 UTC
[nifi] branch main updated: NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)
This is an automated email from the ASF dual-hosted git repository.
bbende pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 412c1f2e43 NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)
412c1f2e43 is described below
commit 412c1f2e43652a7fe7494ea4f302926dc5585655
Author: Peter Gyori <63...@users.noreply.github.com>
AuthorDate: Mon Nov 14 14:28:24 2022 +0100
NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)
---
.../ranger/authorization/RangerNiFiAuthorizer.java | 30 +++++--
.../authorization/TestRangerNiFiAuthorizer.java | 85 ++++++++++++++-----
.../nifi/registry/ranger/RangerAuthorizer.java | 31 +++++--
.../nifi/registry/ranger/TestRangerAuthorizer.java | 94 +++++++++++++++++-----
4 files changed, 190 insertions(+), 50 deletions(-)
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
index 93c956dad9..d7513d7d6f 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
@@ -48,9 +48,12 @@ import java.io.File;
import java.net.MalformedURLException;
import java.text.NumberFormat;
import java.util.Date;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
/**
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
@@ -61,9 +64,10 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+ static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
+ static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
static final String DEFAULT_SERVICE_TYPE = "nifi";
@@ -76,7 +80,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
private volatile RangerBasePluginWithPolicies nifiPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile String rangerAdminIdentity = null;
+ private volatile Set<String> rangerAdminIdentity = null;
private volatile boolean rangerKerberosEnabled = false;
private volatile NiFiProperties nifiProperties;
private final NumberFormat numberFormat = NumberFormat.getInstance();
@@ -129,7 +133,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
+ rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
@@ -149,9 +153,9 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier();
- // if a ranger admin identity was provided, and it equals the identity making the request,
+ // if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through
- if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
+ if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved();
}
@@ -287,4 +291,20 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
return retValue;
}
+ private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
+ final Set<String> configValues = new HashSet<>();
+
+ for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
+ Matcher matcher = namePattern.matcher(entry.getKey());
+ if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
+ configValues.add(entry.getValue());
+ }
+ }
+
+ if (configValues.isEmpty() && (defaultValue != null)) {
+ configValues.add(defaultValue);
+ }
+
+ return configValues;
+ }
}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
index 9fd39329ce..fc66ae47a6 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
@@ -45,6 +45,8 @@ import org.mockito.Mockito;
import java.io.File;
import java.util.HashMap;
import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -70,6 +72,8 @@ public class TestRangerNiFiAuthorizer {
private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult;
+ private Map<String, String> authorizersXmlContent = null;
+
@BeforeEach
public void setup() {
// have to initialize this system property before anything else
@@ -82,6 +86,13 @@ public class TestRangerNiFiAuthorizer {
securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
UserGroupInformation.setConfiguration(securityConf);
+ // initialize the content of authorizers.xml in case tests added further entries to it
+ authorizersXmlContent = Stream.of(new String[][] {
+ {RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
+ {RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
+ {RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
+ {RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
+ }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@@ -103,17 +114,12 @@ public class TestRangerNiFiAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
- .thenReturn(new MockPropertyValue(appId));
+ for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
+ when(configurationContext.getProperty(eq(entry.getKey())))
+ .thenReturn(new MockPropertyValue(entry.getValue()));
+ }
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
- .thenReturn(new MockPropertyValue(serviceType));
+ when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
return configurationContext;
}
@@ -339,20 +345,63 @@ public class TestRangerNiFiAuthorizer {
@Test
public void testRangerAdminApproved() {
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin2";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin3";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminDenied() {
- runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
}
- private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
- configurationContext = createMockConfigContext();
+ @Test
+ public void testRangerAdminDeniedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin4";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
+ }
- final String rangerAdminIdentity = "ranger-admin";
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
- .thenReturn(new MockPropertyValue(rangerAdminIdentity));
+ private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
+ configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@@ -368,7 +417,7 @@ public class TestRangerNiFiAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action)
- .identity(rangerAdminIdentity)
+ .identity(requestIdentity)
.resourceContext(new HashMap<>())
.accessAttempt(true)
.anonymous(false)
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
index 987148f0d9..ee90729b69 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
@@ -67,9 +67,12 @@ import java.io.StringWriter;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
/**
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
@@ -85,9 +88,10 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+ static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
+ static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
@@ -100,7 +104,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
private volatile RangerBasePluginWithPolicies rangerPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile String rangerAdminIdentity = null;
+ private volatile Set<String> rangerAdminIdentity = null;
private volatile NiFiRegistryProperties registryProperties;
private UserGroupProviderLookup userGroupProviderLookup;
@@ -165,7 +169,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
rangerPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
+ rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else {
logger.info("base plugin already initialized");
@@ -185,9 +189,9 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier();
- // if a ranger admin identity was provided, and it equals the identity making the request,
+ // if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through
- if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
+ if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved();
}
@@ -317,6 +321,23 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
return retValue;
}
+ private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
+ final Set<String> configValues = new HashSet<>();
+
+ for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
+ Matcher matcher = namePattern.matcher(entry.getKey());
+ if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
+ configValues.add(entry.getValue());
+ }
+ }
+
+ if (configValues.isEmpty() && (defaultValue != null)) {
+ configValues.add(defaultValue);
+ }
+
+ return configValues;
+ }
+
@Override
public String getFingerprint() throws AuthorizationAccessException {
final StringWriter out = new StringWriter();
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
index 3d2c6ba64c..d3e346f453 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
@@ -41,21 +41,24 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatcher;
import java.io.File;
import java.util.HashMap;
import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.argThat;
import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
@@ -96,6 +99,18 @@ public class TestRangerAuthorizer {
private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult;
+ private Map<String, String> authorizersXmlContent = null;
+
+ @BeforeEach
+ public void initialization() {
+ authorizersXmlContent = Stream.of(new String[][] {
+ {RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
+ {RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
+ {RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
+ {RangerAuthorizer.RANGER_APP_ID_PROP, appId},
+ {RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
+ }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
+ }
private void setup(final NiFiRegistryProperties registryProperties,
final UserGroupProvider userGroupProvider,
@@ -139,20 +154,12 @@ public class TestRangerAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
- when(configurationContext.getProperty(eq(RangerAuthorizer.USER_GROUP_PROVIDER)))
- .thenReturn(new StandardPropertyValue("user-group-provider"));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SECURITY_PATH_PROP)))
- .thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-security.xml"));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_AUDIT_PATH_PROP)))
- .thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-audit.xml"));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_APP_ID_PROP)))
- .thenReturn(new StandardPropertyValue(appId));
+ for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
+ when(configurationContext.getProperty(eq(entry.getKey())))
+ .thenReturn(new StandardPropertyValue(entry.getValue()));
+ }
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SERVICE_TYPE_PROP)))
- .thenReturn(new StandardPropertyValue(serviceType));
+ when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
return configurationContext;
}
@@ -388,20 +395,63 @@ public class TestRangerAuthorizer {
@Test
public void testRangerAdminApproved() {
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin2";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin3";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminDenied() {
- runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
}
- private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
+ @Test
+ public void testRangerAdminDeniedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin4";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
+ }
- final String rangerAdminIdentity = "ranger-admin";
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
- .thenReturn(new StandardPropertyValue(rangerAdminIdentity));
+ private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
+ final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
@@ -411,7 +461,7 @@ public class TestRangerAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action)
- .identity(rangerAdminIdentity)
+ .identity(requestIdentity)
.resourceContext(new HashMap<>())
.accessAttempt(true)
.anonymous(false)