[ https://issues.apache.org/jira/browse/NIFI-4032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16096964#comment-16096964 ]

ASF GitHub Bot commented on NIFI-4032:
--------------------------------------

Github user YolandaMDavis commented on the issue:

    https://github.com/apache/nifi/pull/2019

    I've worked through 3 Ranger configuration scenarios that leveraged the ldap user group provider, or the composite configurable user group provider (pairing the ldap provider with the file provider):

    1) Using group authorizations for LDAP users (with no mapping for identities) alongside user authorizations for nodes. This is to cover cases where node identities may not be present in LDAP.

    2) Using mapped identities to ensure that user-group associations would still be properly resolved.

    3) Using the Composite Configurable User Group Provider to allow maintenance of node identities and groups in NiFi while allowing policies to be enforced via Ranger.

    All three scenarios worked well with an established cluster. I was able to go from one scenario to the next through changing configurations and updating policies without issue. However, a bug was encountered on the third test case when I wanted to add a new node to the cluster.

    The process of adding a new node requires that no information that would seed the users.xml file be provided in configurations (e.g. Initial Admin, Node Identifiers, etc.). Therefore the expectation is that once the node attempts to join the cluster it would receive the necessary user information from the cluster to create its own local version of the file. When using the ManagedRangerAuthorizer along with the Configurable provider it doesn't appear to have that functionality, since the users.xml generated was empty. This led to the node starting up fine; however, when attempting to access the UI from any node a proxy error occurred. Given the users.xml file was empty this error made sense because NiFi was unable to determine the users (node identities) or groups they should be mapped to, hence unable to apply the Ranger policy that allowed the nodes group to perform proxying.

    In speaking with @mcgilman offline, this error was due to the ManagedRangerAuthorizer not extracting user group information for cases when it's paired with configurable user group providers.
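Scenario 3 as an authorizers.xml sketch (an added illustration, not configuration from the PR or the comment): the file provider holds the node identities, the LDAP provider supplies users and groups, the composite configurable provider joins the two, and the ManagedRangerAuthorizer is pointed at the composite. Hostnames, DNs, the manager password and the Ranger config paths are placeholders, and the LDAP block omits the referral, timeout and page-size settings a real deployment also sets.

```xml
<!-- Added example, not from the PR or the comment. Placeholder values throughout;
     the LDAP block is abbreviated (referral, timeout and page-size settings omitted). -->
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <!-- Seed node identities only on the nodes that form the initial cluster. A node
         joining an existing cluster leaves these out and inherits users.xml from the cluster. -->
    <property name="Initial User Identity 1">CN=nifi-node-1, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=nifi-node-2, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">cn=manager,dc=example,dc=org</property>
    <property name="Manager Password">PLACEHOLDER</property>
    <property name="Url">ldap://ldap.example.org:389</property>
    <property name="User Search Base">ou=users,dc=example,dc=org</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Identity Attribute">cn</property>
    <property name="Group Search Base">ou=groups,dc=example,dc=org</property>
    <property name="Group Object Class">groupOfNames</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
    <property name="Sync Interval">30 mins</property>
    <!-- Referral Strategy, Connect Timeout, Read Timeout and Page Size omitted here. -->
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <!-- The configurable member (file) is where NiFi maintains node identities and groups;
         the LDAP member is read-only and supplies the directory's users and groups. -->
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <authorizer>
    <identifier>managed-ranger-authorizer</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <!-- Ranger decides the policies; the composite provider resolves users to groups
         so that a group-scoped policy (for example, one for the nodes group) can apply. -->
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Ranger Audit Config Path">./conf/ranger-nifi-audit.xml</property>
    <property name="Ranger Security Config Path">./conf/ranger-nifi-security.xml</property>
    <property name="Ranger Service Type">nifi</property>
    <property name="Ranger Application Id">nifi</property>
  </authorizer>
</authorizers>
```

The proxy error described in the comment is the expected failure when the file provider's users.xml on a joining node stays empty: with no node identities and no group membership to resolve, the nodes-group policy in Ranger has nothing to match.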


> Create Managed Ranger Authorizer
> --------------------------------
>
>                 Key: NIFI-4032
>                 URL: https://issues.apache.org/jira/browse/NIFI-4032
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Matt Gilman
>            Assignee: Matt Gilman
>             Fix For: 1.4.0
>
>
> Update the RangerAuthorizer to implement the ManagedAuthorizer interface. 
> This will allow the Ranger policies to be visualized in NiFi UI. May even be 
> able to extend the RangerAuthorizer to maintain compatibility with existing 
> configurations.
> Additionally, update the RangerAuthorizer's authorize(...) method to consider 
> the user's groups.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)