apache · ijokarumawak · Jun 27, 2018 · Aug 1, 2018 · Aug 7, 2018 · Aug 11, 2018
diff --git a/nifi-registry-extensions/nifi-registry-ranger-extension/README.md b/nifi-registry-extensions/nifi-registry-ranger-extension/README.md
@@ -0,0 +1,116 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+# NiFi Registry Ranger extension
+
+This extension provides `org.apache.nifi.registry.ranger.RangerAuthorizer` class for NiFi Registry to authorize user requests by access policies defined at [Apache Ranger](https://ranger.apache.org/).
+
+## Prerequisites
+
+* Apache Ranger 1.2.0 or later is needed.
+
+## How to install
+
+### Enable Ranger extension at NiFi Registry build
+
+In order to enable Ranger extension when you build NiFi Registry, specify `include-ranger` profile with a maven install command:
+
+```
+cd nifi-registry
+mvn clean install -Pinclude-ranger
+```
+
+Then the extension will be installed at `${NIFI_REG_HOME}/ext/ranger` directory.
+
+### Add Ranger extension to existing NiFi Registry
+
+Alternatively, you can add Ranger extension to an existing NiFi Registry.
+To do so, build the extension with the following command:
+
+```
+cd nifi-registry
+mvn clean install -f nifi-registry-extensions/nifi-registry-ranger-extension
+```
+
+The extension zip will be created as `nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip`.
+
+Unzip the file into arbitrary directory so that NiFi Registry can use, such as `${NIFI_REG_HOME}/ext/ranger`.
+For example:
+
+```
+mkdir -p ${NIFI_REG_HOME}/ext/ranger
+unzip -d ${NIFI_REG_HOME}/ext/ranger nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip
+```
+
+## NiFi Registry Configuration
+
+In order to use this extension, following NiFi Registry files need to be configured.
+
+### nifi-registry.properties
+
+```
+# Specify Ranger extension dir
+nifi.registry.extension.dir.ranger=./ext/ranger/lib
+# Specify Ranger authorizer identifier, which is defined at authorizers.xml
+nifi.registry.security.authorizer=ranger-authorizer
+```
+
+### authorizers.xml
+
+Add following `authorizer` element:
+```
+    <authorizer>
+        <identifier>ranger-authorizer</identifier>
+        <class>org.apache.nifi.registry.ranger.RangerAuthorizer</class>
+        <property name="Ranger Service Type">nifi-registry</property>
+
+        <property name="User Group Provider">file-user-group-provider</property>
+
+        <!-- Specify Ranger service name to use -->
+        <property name="Ranger Application Id">nifi-registry-service-name</property>
+
+        <!-- Specify configuration file paths for Ranger plugin -->
+        <property name="Ranger Security Config Path">./ext/ranger/conf/ranger-nifi-registry-security.xml</property>
+        <property name="Ranger Audit Config Path">./ext/ranger/conf/ranger-nifi-registry-audit.xml</property>
+
+        <!--
+            Specify user identity that is used by Ranger to access NiFi Registry.
+            This property is used by NiFi Registry for Ranger to get available NiFi Registry policy resource identifiers.
+            The configured user can access NiFi Registry /policies/resources REST endpoint regardless of configured access policies.
+            Ranger uses available policies for user input suggestion at Ranger policy editor UI.
+        -->
+        <property name="Ranger Admin Identity">ranger@NIFI</property>
+
+        <!--
+            If set to true, NiFi Registry will use the principal and keytab defined at nifi-registry.properties to access Ranger:
+            - nifi.registry.kerberos.service.principal
+            - nifi.registry.kerberos.service.keytab.location
+        -->
+        <property name="Ranger Kerberos Enabled">false</property>
+
+    </authorizer>
+```
+
+## Ranger Configuration
+
+At Ranger side, add a NiFi Registry service. NiFi Registry service has following configuration properties:
+
+- NiFi Registry URL: Specify corresponding NiFi Registry URL that will be managed by this Ranger service. E.g. `https://nifi-registry.example.com:18443/nifi-registry-api/policies/resources`
+- Authentication Type: Should be `SSL`. Ranger authenticates itself to NiFi Registry by X.509 client certificate in the configured Keystore.
+- Keystore: Specify a Keystore filepath to use for X.509 client certificate.
+- Keystore Type: Specify the type of Keystore. E.g. `JKS`
+- Keystore Password: Specify the password of Keystore.
+- Truststore: Specify a Truststore filepath to verify NiFi Registry server certificate.
+- Truststore Type: Specify the type of Truststore. E.g. `JKS`
+- Truststore Password: Specify the password of Truststore.
diff --git a/nifi-registry-extensions/nifi-registry-ranger-extension/conf/ranger-nifi-registry-audit.xml b/nifi-registry-extensions/nifi-registry-ranger-extension/conf/ranger-nifi-registry-audit.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+	<property>
+		<name>xasecure.audit.is.enabled</name>
+		<value>true</value>
+	</property>
+
+	<!-- DB audit provider configuration -->
+	<property>
+		<name>xasecure.audit.destination.db</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.db.jdbc.driver</name>
+		<value>com.mysql.jdbc.Driver</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.db.jdbc.url</name>
+		<value>jdbc:mysql://localhost/ranger_audit</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.db.password</name>
+		<value>rangerlogger</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.db.user</name>
+		<value>rangerlogger</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.db.batch.filespool.dir</name>
+		<value>/tmp/audit/db/spool</value>
+	</property>
+
+
+	<!-- HDFS audit provider configuration -->
+	<property>
+		<name>xasecure.audit.destination.hdfs</name>
+		<value>false</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.destination.hdfs.dir</name>
+		<value>hdfs://localhost:8020/ranger/audit</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
+		<value>/tmp/audit/hdfs/spool</value>
+	</property>
+
+
+	<!-- Log4j audit provider configuration -->
+	<property>
+		<name>xasecure.audit.destination.log4j</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.destination.log4j.logger</name>
+		<value>ranger_audit_logger</value>
+	</property>
+
+	<!-- Solr audit provider configuration -->
+	<property>
+		<name>xasecure.audit.destination.solr</name>
+		<value>true</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+		<value>/tmp/audit/solr/spool</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.destination.solr.urls</name>
+		<value>http://localhost:6083/solr/ranger_audits</value>
+	</property>
+
+</configuration>
diff --git a/...registry-extensions/nifi-registry-ranger-extension/conf/ranger-nifi-registry-security.xml b/...registry-extensions/nifi-registry-ranger-extension/conf/ranger-nifi-registry-security.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.rest.url</name>
+		<value>http://localhost:6080</value>
+		<description>
+			URL to Ranger Admin
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.service.name</name>
+		<value>nifi-registry-service-name</value>
+		<description>
+			Name of the Ranger service containing policies for this NiFi Registry instance
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.source.impl</name>
+		<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+		<description>
+			Class to retrieve policies from the source
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.rest.ssl.config.file</name>
+		<value>ranger-policymgr-ssl.xml</value>
+		<description>
+			Path to the file containing SSL details to contact Ranger Admin
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.pollIntervalMs</name>
+		<value>30000</value>
+		<description>
+			How often to poll for changes in policies?
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.cache.dir</name>
+		<value>/tmp</value>
+		<description>
+			Directory where Ranger policies are cached after successful retrieval from the source
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.rest.client.connection.timeoutMs</name>
+		<value>120000</value>
+		<description>
+			RangerRestClient Connection Timeout in Milli Seconds
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.nifi-registry.policy.rest.client.read.timeoutMs</name>
+		<value>30000</value>
+		<description>
+			RangerRestClient read Timeout in Milli Seconds
+		</description>
+	</property>
+</configuration>
diff --git a/nifi-registry-extensions/nifi-registry-ranger-extension/src/main/assembly/extension.xml b/nifi-registry-extensions/nifi-registry-ranger-extension/src/main/assembly/extension.xml
@@ -28,4 +28,21 @@
             <fileMode>0660</fileMode>
         </dependencySet>
     </dependencySets>
+
+    <files>
+        <file>
+            <source>./README.md</source>
+            <outputDirectory>./</outputDirectory>
+            <destName>README.md</destName>
+            <fileMode>0644</fileMode>
+            <filtered>true</filtered>
+        </file>
+    </files>
+
+    <fileSets>
+        <fileSet>
+            <directory>conf</directory>
+            <outputDirectory>conf</outputDirectory>
+        </fileSet>
+    </fileSets>
 </assembly>