Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NIFI-4032: Managed Ranger Authorizer #2019

Closed
wants to merge 2 commits into from

Conversation

mcgilman
Copy link
Contributor

NIFI-4032: Managed Ranger Authorizer

  • Introducing the ManagedRangerAuthorizer.
  • Introducing the AuthorizationAuditor.
  • Updating authorization requests to utilize Authorizable where ever possible so allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
  • Updating unit tests as appropriate.

@YolandaMDavis
Copy link
Contributor

@mcgilman will take a look soon

- Introducing the ManagedRangerAuthorizer.
- Introducing the AuthorizationAuditor.
- Updating authorization requests to utilize Authorizable where ever possible so allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
- Updating unit tests as appropriate.
- Addressing issues with broken web-api integration tests.
@YolandaMDavis
Copy link
Contributor

YolandaMDavis commented Jul 21, 2017

I've worked through 3 Ranger configuration scenarios that leveraged the ldap user group provider, or the composite configurable user group provider (pairing the ldap provider with the file provider):

  1. Using group authorizations for LDAP users (with no mapping for identities) alongside user authorizations for nodes . This is to cover cases where node identities may not be present in LDAP

  2. Using mapped identities to ensure that user-group associations would still be properly resolved

  3. Using the Composite Configurable User Group Provider to allow maintenance of node identities and groups in NiFi while allowing policies to be enforced via Ranger

All three scenarios worked well with an established cluster. I was able to go from one scenario to the next through changing configurations, updating policies and restarting without issue. However a bug was encountered on the third test case when I wanted to add a new node to the cluster.

The process of adding a new node requires that no information that would seed the users.xml file be provided in configurations (e.g. Initial Admin, Node Identifiers, etc). Therefore the expectation is once the node attempts to join the cluster it would receive the necessary user information from the cluster to create it's own local version of the file. When using the ManagedRangerAuthorizer along with the Configurable provider it doesn't appear to have that functionality, since the users.xml generated was empty. This led to the node starting up fine however when attempting to access the UI from any node a proxy error occurred. Given the users.xml file was empty this error made sense because NiFi was unable to determine the users (node identities) or groups they should be mapped to, hence unable to apply the Ranger policy that allowed the nodes group to perform proxying.

In speaking with @mcgilman offline this error was due to the ManagedRangerAuthorizer not extracting user group information for cases when it's paired with configurable user group providers.

@mcgilman
Copy link
Contributor Author

Great find @YolandaMDavis! Will address this and update. Thanks!

- Generating the appropriate fingerprint for the ManagedRangerAuthorizer based on whether the UserGroupProvider is configurable.
- Adding unit tests.
@YolandaMDavis
Copy link
Contributor

@mcgilman with the latest commit I was able to add a new node and see the users.xml file populated. The node started successfully and I was able to access the cluster without issue.

+1

Will merge into master shortly.

@asfgit asfgit closed this in 743c6b9 Jul 24, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants