diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
index 93c956dad9..d7513d7d6f 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
@@ -48,9 +48,12 @@ import java.io.File;
 import java.net.MalformedURLException;
 import java.text.NumberFormat;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.WeakHashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 /**
 * Authorizer implementation that uses Apache Ranger to make authorization decisions.
@@ -61,9 +64,10 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
 static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
 static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
 static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
 static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
 static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+ static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
+ static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
 static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
 static final String DEFAULT_SERVICE_TYPE = "nifi";
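Review bot: RANGER_ADMIN_IDENTITY_PATTERN in the -61,9 hunk is looser than the numbered-suffix convention the tests exercise: with `matches()`, `\s?\S*` accepts any property key that starts with the prefix and continues with non-whitespace (`Ranger Admin IdentityX`, `Ranger Admin Identity Other`), and the value of every such key becomes an identity that skips Ranger policy evaluation for the resources check. Since this set is effectively a policy-bypass allowlist, a pattern that admits only the documented forms is safer, e.g. `static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(Pattern.quote(RANGER_ADMIN_IDENTITY_PROP_PREFIX) + "(\\s\\S+)?");` — `Pattern.quote` also keeps the constant correct should the prefix ever contain a regex metacharacter. A Javadoc line on the constant stating the accepted key forms (the bare name, or the name followed by a space and a suffix) would help administrators writing authorizers.xml. The identical definition is added to RangerAuthorizer in the -85,9 hunk and needs the same treatment.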
@@ -76,7 +80,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
 private volatile RangerBasePluginWithPolicies nifiPlugin = null;
 private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile String rangerAdminIdentity = null;
+ private volatile Set rangerAdminIdentity = null;
 private volatile boolean rangerKerberosEnabled = false;
 private volatile NiFiProperties nifiProperties;
 private final NumberFormat numberFormat = NumberFormat.getInstance();
@@ -129,7 +133,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
 nifiPlugin.init();
 defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
+ rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
 } else {
 logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
@@ -149,9 +153,9 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
 final Set userGroups = request.getGroups();
 final String resourceIdentifier = request.getResource().getIdentifier();
- // if a ranger admin identity was provided, and it equals the identity making the request,
+ // if a ranger admin identity was provided, and it contains the identity making the request,
 // and the request is to retrieve the resources, then allow it through
- if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
+ if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
 && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
 return AuthorizationResult.approved();
 }
@@ -287,4 +291,20 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
 return retValue;
 }
+ private Set getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
+ final Set configValues = new HashSet<>();
+
+ for (Map.Entry entry : context.getProperties().entrySet()) {
+ Matcher matcher = namePattern.matcher(entry.getKey());
+ if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
+ configValues.add(entry.getValue());
+ }
+ }
+
+ if (configValues.isEmpty() && (defaultValue != null)) {
+ configValues.add(defaultValue);
+ }
+
+ return configValues;
+ }
 }
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
index 9fd39329ce..fc66ae47a6 100644
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
@@ -45,6 +45,8 @@ import org.mockito.Mockito;
 import java.io.File;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -70,6 +72,8 @@ public class TestRangerNiFiAuthorizer {
 private RangerAccessResult allowedResult;
 private RangerAccessResult notAllowedResult;
+ private Map authorizersXmlContent = null;
+
 @BeforeEach
 public void setup() {
 // have to initialize this system property before anything else
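Review bot: getConfigValues in the -287,4 hunk carries no Javadoc even though its result is the admin-identity allowlist consulted in authorize(); its contract deserves stating — the key must match `namePattern` in full (`Matcher.matches()`), blank values are skipped, `defaultValue` is used only when no key matched, and values are kept as-is, so a stray leading or trailing space in an authorizers.xml value will later fail the exact `Set.contains` comparison. Because the caller stores the result in a `volatile` field that is only ever read, returning `Collections.unmodifiableSet(configValues)` (adding the `java.util.Collections` import) would make accidental later mutation of the allowlist impossible. The type arguments look stripped in this rendering (`Set`, `Map.Entry`, `Map` appear raw); if the source really declares them raw, `Set<String>` and `Map.Entry<String, String>` should be spelled out to avoid unchecked warnings. The identical method is added to RangerAuthorizer in the -317,6 hunk.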
@@ -82,6 +86,13 @@ public class TestRangerNiFiAuthorizer {
 securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
 UserGroupInformation.setConfiguration(securityConf);
+ // initialize the content of authorizers.xml in case tests added further entries to it
+ authorizersXmlContent = Stream.of(new String[][] {
+ {RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
+ {RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
+ {RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
+ {RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
+ }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
 configurationContext = createMockConfigContext();
 rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@@ -103,17 +114,12 @@ public class TestRangerNiFiAuthorizer {
 private AuthorizerConfigurationContext createMockConfigContext() {
 AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
+ for (Map.Entry entry : authorizersXmlContent.entrySet()) {
+ when(configurationContext.getProperty(eq(entry.getKey())))
+ .thenReturn(new MockPropertyValue(entry.getValue()));
+ }
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
- .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
- .thenReturn(new MockPropertyValue(appId));
-
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
- .thenReturn(new MockPropertyValue(serviceType));
+ when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
 return configurationContext;
 }
@@ -339,20 +345,63 @@ public class TestRangerNiFiAuthorizer {
 @Test
 public void testRangerAdminApproved() {
- runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin2";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin3";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, 
requestIdentity, AuthorizationResult.approved().getResult());
 }
 @Test
 public void testRangerAdminDenied() {
- runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
 }
- private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
- configurationContext = createMockConfigContext();
+ @Test
+ public void testRangerAdminDeniedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
- final String rangerAdminIdentity = "ranger-admin";
- when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
- .thenReturn(new MockPropertyValue(rangerAdminIdentity));
+ final String requestIdentity = "ranger-admin4";
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
+ }
+
+ private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
+ configurationContext = createMockConfigContext();
 rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
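Review bot: testRangerAdminApprovedMultipleAcceptableIdentities and its "2" variant in the -339,20 hunk differ only in the request identity, and the three `authorizersXmlContent.put(...)` fixture lines are copied a third time into testRangerAdminDeniedMultipleAcceptableIdentities; a small private helper that puts the prefixed keys for a list of identities, or a `@ParameterizedTest` with `@ValueSource(strings = {"ranger-admin1", "ranger-admin2", "ranger-admin3"})` if junit-jupiter-params is on the test classpath, would remove the duplication. The denied case with several configured identities uses only `"ranger-admin4"`, a plain non-member; a request identity that is a prefix of a configured one (for example `"ranger-admin"` against `"ranger-admin1"`) would pin down that the new `Set.contains` check is an exact match and never a substring one, which is the property the allowlist relies on. The same two points apply to the -388,20 hunk in TestRangerAuthorizer. runRangerAdminTest's body continues past the end of this hunk.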
@@ -368,7 +417,7 @@ public class TestRangerNiFiAuthorizer {
 final AuthorizationRequest request = new AuthorizationRequest.Builder()
 .resource(new MockResource(resourceIdentifier, resourceIdentifier))
 .action(action)
- .identity(rangerAdminIdentity)
+ .identity(requestIdentity)
 .resourceContext(new HashMap<>())
 .accessAttempt(true)
 .anonymous(false)
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
index 987148f0d9..ee90729b69 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
@@ -67,9 +67,12 @@ import java.io.StringWriter;
 import java.net.MalformedURLException;
 import java.nio.charset.StandardCharsets;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.WeakHashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 /**
 * Authorizer implementation that uses Apache Ranger to make authorization decisions.
@@ -85,9 +88,10 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
 static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
 static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
 static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
- static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
 static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
 static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+ static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
+ static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
 static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
 private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
@@ -100,7 +104,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
 private volatile RangerBasePluginWithPolicies rangerPlugin = null;
 private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
- private volatile String rangerAdminIdentity = null;
+ private volatile Set rangerAdminIdentity = null;
 private volatile NiFiRegistryProperties registryProperties;
 private UserGroupProviderLookup userGroupProviderLookup;
@@ -165,7 +169,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
 rangerPlugin.init();
 defaultAuditHandler = new RangerDefaultAuditHandler();
- rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
+ rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
 } else {
 logger.info("base plugin already initialized");
@@ -185,9 +189,9 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
 final Set userGroups = request.getGroups();
 final String resourceIdentifier = request.getResource().getIdentifier();
- // if a ranger admin identity was provided, and it equals the identity making the request,
+ // if a ranger admin identity was provided, and it contains the identity making the request,
 // and the request is to retrieve the resources, then allow it through
- if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
+ if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
 && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
 return AuthorizationResult.approved();
 }
@@ -317,6 +321,23 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
 return retValue;
 }
+ private Set getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
+ final Set configValues = new HashSet<>();
+
+ for (Map.Entry entry : context.getProperties().entrySet()) {
+ Matcher matcher = namePattern.matcher(entry.getKey());
+ if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
+ configValues.add(entry.getValue());
+ }
+ }
+
+ if (configValues.isEmpty() && (defaultValue != null)) {
+ configValues.add(defaultValue);
+ }
+
+ return configValues;
+ }
+
 @Override
 public String getFingerprint() throws AuthorizationAccessException {
 final StringWriter out = new StringWriter();
diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
index 3d2c6ba64c..d3e346f453 100644
--- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
+++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
@@ -41,21 +41,24 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentMatcher;
 import java.io.File;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -96,6 +99,18 @@ public class TestRangerAuthorizer {
 private RangerAccessResult allowedResult;
 private RangerAccessResult notAllowedResult;
+ private Map authorizersXmlContent = null;
+
+ @BeforeEach
+ public void initialization() {
+ authorizersXmlContent = Stream.of(new String[][] {
+ {RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
+ {RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
+ {RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
+ {RangerAuthorizer.RANGER_APP_ID_PROP, appId},
+ {RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
+ }).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
+ }
 private void setup(final NiFiRegistryProperties registryProperties,
 final UserGroupProvider userGroupProvider,
@@ -139,20 +154,12 @@ public class TestRangerAuthorizer {
 private AuthorizerConfigurationContext createMockConfigContext() {
 AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
- when(configurationContext.getProperty(eq(RangerAuthorizer.USER_GROUP_PROVIDER)))
- .thenReturn(new StandardPropertyValue("user-group-provider"));
+ for (Map.Entry entry : authorizersXmlContent.entrySet()) {
+ when(configurationContext.getProperty(eq(entry.getKey())))
+ .thenReturn(new StandardPropertyValue(entry.getValue()));
+ }
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SECURITY_PATH_PROP)))
- .thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-security.xml"));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_AUDIT_PATH_PROP)))
- .thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-audit.xml"));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_APP_ID_PROP)))
- .thenReturn(new StandardPropertyValue(appId));
-
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SERVICE_TYPE_PROP)))
- .thenReturn(new StandardPropertyValue(serviceType));
+ when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
 return configurationContext;
 }
@@ -388,20 +395,63 @@ public class TestRangerAuthorizer {
 @Test
 public void testRangerAdminApproved() {
- runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin2";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
+
+ final String requestIdentity = "ranger-admin3";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, 
AuthorizationResult.approved().getResult());
 }
 @Test
 public void testRangerAdminDenied() {
- runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
+ final String acceptableIdentity = "ranger-admin";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
+
+ final String requestIdentity = "ranger-admin";
+ runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
 }
- private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
- final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
+ @Test
+ public void testRangerAdminDeniedMultipleAcceptableIdentities() {
+ final String acceptableIdentity1 = "ranger-admin1";
+ final String acceptableIdentity2 = "ranger-admin2";
+ final String acceptableIdentity3 = "ranger-admin3";
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
+ authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
- final String rangerAdminIdentity = "ranger-admin";
- when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
- .thenReturn(new StandardPropertyValue(rangerAdminIdentity));
+ final String requestIdentity = "ranger-admin4";
+ runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
+ }
+
+ private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
+ final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
 setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
@@ -411,7 +461,7 @@ public class TestRangerAuthorizer {
 final AuthorizationRequest request = new AuthorizationRequest.Builder()
 .resource(new MockResource(resourceIdentifier, resourceIdentifier))
 .action(action)
- .identity(rangerAdminIdentity)
+ .identity(requestIdentity)
 .resourceContext(new HashMap<>())
 .accessAttempt(true)
 .anonymous(false)