NIFI-4032: Managed Ranger Authorizer #2019

Closed
wants to merge 2 commits into base: master

2 participants
@mcgilman
Contributor

mcgilman commented Jul 18, 2017

NIFI-4032: Managed Ranger Authorizer

  • Introducing the ManagedRangerAuthorizer.
  • Introducing the AuthorizationAuditor.
  • Updating authorization requests to utilize Authorizable wherever possible to allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
  • Updating unit tests as appropriate.

Contributor

YolandaMDavis commented Jul 18, 2017

@mcgilman will take a look soon

NIFI-4032:
- Introducing the ManagedRangerAuthorizer.
- Introducing the AuthorizationAuditor.
- Updating authorization requests to utilize Authorizable wherever possible to allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance).
- Updating unit tests as appropriate.
- Addressing issues with broken web-api integration tests.

Contributor

YolandaMDavis commented Jul 21, 2017

I've worked through 3 Ranger configuration scenarios that leveraged the ldap user group provider, or the composite configurable user group provider (pairing the ldap provider with the file provider):

  1. Using group authorizations for LDAP users (with no mapping for identities) alongside user authorizations for nodes. This is to cover cases where node identities may not be present in LDAP

  2. Using mapped identities to ensure that user-group associations would still be properly resolved

  3. Using the Composite Configurable User Group Provider to allow maintenance of node identities and groups in NiFi while allowing policies to be enforced via Ranger

All three scenarios worked well with an established cluster. I was able to go from one scenario to the next through changing configurations, updating policies and restarting without issue. However, a bug was encountered on the third test case when I wanted to add a new node to the cluster.

The process of adding a new node requires that no information that would seed the users.xml file be provided in configurations (e.g. Initial Admin, Node Identifiers, etc.). Therefore the expectation is that once the node attempts to join the cluster it would receive the necessary user information from the cluster to create its own local version of the file. When using the ManagedRangerAuthorizer along with the Configurable provider it doesn't appear to have that functionality, since the users.xml generated was empty. This led to the node starting up fine; however, when attempting to access the UI from any node, a proxy error occurred. Given the users.xml file was empty, this error made sense because NiFi was unable to determine the users (node identities) or groups they should be mapped to, and hence was unable to apply the Ranger policy that allowed the nodes group to perform proxying.

In speaking with @mcgilman offline this error was due to the ManagedRangerAuthorizer not extracting user group information for cases when it's paired with configurable user group providers.
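As an added illustration of the third scenario in the review above (this is not configuration from the PR or from the NiFi project; it is constructed for this page): an authorizers.xml that pairs the ManagedRangerAuthorizer with a CompositeConfigurableUserGroupProvider, so the cluster node identities live in NiFi's file-backed provider, LDAP supplies the human users and their groups, and Ranger policies decide every access check. Class names and property names follow the authorizers.xml format documented in the NiFi Administration Guide for this release line; every value (hostnames, DNs, file paths, certificate identities) is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example (not from the PR or the NiFi project): scenario 3 of the review.
     Class and property names follow NiFi's documented authorizers.xml format;
     all values below are placeholders. -->
<authorizers>

    <!-- LDAP supplies the human users and their groups. It is read-only here:
         the non-configurable half of the composite provider. -->
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">cn=nifi-sync,ou=service,dc=example,dc=com</property>
        <property name="Manager Password">placeholder-password</property>
        <property name="Url">ldaps://ldap.example.com:636</property>
        <property name="Sync Interval">30 mins</property>
        <property name="User Search Base">ou=people,dc=example,dc=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Identity Attribute">cn</property>
        <property name="Group Search Base">ou=groups,dc=example,dc=com</property>
        <property name="Group Object Class">groupOfNames</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
    </userGroupProvider>

    <!-- The file-backed provider holds the cluster node identities and the
         group that the Ranger proxy policy is written against. It is the
         configurable half, so its users.xml is what a joining node has to
         receive from the cluster when it starts with an empty file. -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <!-- Seed identities belong only on nodes of an already-established
             cluster. On a NEW node leave these properties out and ship no
             users.xml, so the node takes the cluster's copy instead of
             generating an empty one (the failure mode described above). -->
        <property name="Initial User Identity 1">CN=nifi-node-1.example.com, OU=NiFi</property>
        <property name="Initial User Identity 2">CN=nifi-node-2.example.com, OU=NiFi</property>
        <property name="Initial User Identity 3">CN=nifi-node-3.example.com, OU=NiFi</property>
    </userGroupProvider>

    <!-- Composite: writes go to the file provider, lookups consult both. -->
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <!-- Ranger makes every authorization decision; NiFi only resolves who the
         caller is and which groups they belong to, via the composite provider. -->
    <authorizer>
        <identifier>managed-ranger-authorizer</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Ranger Audit Config Path">./conf/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">./conf/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Ranger Admin Identity">CN=ranger-admin.example.com, OU=Ranger</property>
        <property name="Ranger Kerberos Enabled">false</property>
    </authorizer>

</authorizers>
```

Two points a practitioner should check against this layout. First, Initial User Identity entries seed only users: the node group that the Ranger proxy policy names is created through the NiFi UI or REST API after the cluster is up, and the Ranger policy must reference that group name exactly. Second, nifi.properties must point nifi.security.user.authorizer at the managed-ranger-authorizer identifier on every node, and the provider identifiers must be the same across the cluster, since the authorizer's fingerprint is compared when a node joins.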


Contributor

mcgilman commented Jul 24, 2017

Great find @YolandaMDavis! Will address this and update. Thanks!

NIFI-4032:
- Generating the appropriate fingerprint for the ManagedRangerAuthorizer based on whether the UserGroupProvider is configurable.
- Adding unit tests.

Contributor

YolandaMDavis commented Jul 24, 2017

@mcgilman with the latest commit I was able to add a new node and see the users.xml file populated. The node started successfully and I was able to access the cluster without issue.

+1

Will merge into master shortly.

@asfgit asfgit closed this in 743c6b9 Jul 24, 2017

cammachusa added a commit to InspurUSA/nifi that referenced this pull request Jul 28, 2017

NIFI-4032: - Introducing the ManagedRangerAuthorizer. - Introducing the AuthorizationAuditor. - Updating authorization requests to utilize Authorizable wherever possible to allow for a singular place to audit resource not found as denied when the parent authorizable is null (no more inheritance). - Updating unit tests as appropriate. - Addressing issues with broken web-api integration tests.

NIFI-4032: - Generating the appropriate fingerprint for the ManagedRangerAuthorizer based on whether the UserGroupProvider is configurable. - Adding unit tests.

Signed-off-by: Yolanda M. Davis <ymdavis@apache.org>

This closes apache#2019