NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)

This commit is contained in:
Peter Gyori 2022-11-14 14:28:24 +01:00 committed by GitHub
parent 08bc44715e
commit 412c1f2e43
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 190 additions and 50 deletions

View File

@ -48,9 +48,12 @@ import java.io.File;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.text.NumberFormat; import java.text.NumberFormat;
import java.util.Date; import java.util.Date;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.WeakHashMap; import java.util.WeakHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/** /**
* Authorizer implementation that uses Apache Ranger to make authorization decisions. * Authorizer implementation that uses Apache Ranger to make authorization decisions.
@ -61,9 +64,10 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path"; static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path"; static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled"; static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type"; static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id"; static final String RANGER_APP_ID_PROP = "Ranger Application Id";
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource"; static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
static final String DEFAULT_SERVICE_TYPE = "nifi"; static final String DEFAULT_SERVICE_TYPE = "nifi";
@ -76,7 +80,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
private volatile RangerBasePluginWithPolicies nifiPlugin = null; private volatile RangerBasePluginWithPolicies nifiPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null; private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
private volatile String rangerAdminIdentity = null; private volatile Set<String> rangerAdminIdentity = null;
private volatile boolean rangerKerberosEnabled = false; private volatile boolean rangerKerberosEnabled = false;
private volatile NiFiProperties nifiProperties; private volatile NiFiProperties nifiProperties;
private final NumberFormat numberFormat = NumberFormat.getInstance(); private final NumberFormat numberFormat = NumberFormat.getInstance();
@ -129,7 +133,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
nifiPlugin.init(); nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler(); defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null); rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else { } else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized"); logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
@ -149,9 +153,9 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
final Set<String> userGroups = request.getGroups(); final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier(); final String resourceIdentifier = request.getResource().getIdentifier();
// if a ranger admin identity was provided, and it equals the identity making the request, // if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through // and the request is to retrieve the resources, then allow it through
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity) if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) { && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved(); return AuthorizationResult.approved();
} }
@ -287,4 +291,20 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
return retValue; return retValue;
} }
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
final Set<String> configValues = new HashSet<>();
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
Matcher matcher = namePattern.matcher(entry.getKey());
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
configValues.add(entry.getValue());
}
}
if (configValues.isEmpty() && (defaultValue != null)) {
configValues.add(defaultValue);
}
return configValues;
}
} }

View File

@ -45,6 +45,8 @@ import org.mockito.Mockito;
import java.io.File; import java.io.File;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertFalse;
@ -70,6 +72,8 @@ public class TestRangerNiFiAuthorizer {
private RangerAccessResult allowedResult; private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult; private RangerAccessResult notAllowedResult;
private Map<String, String> authorizersXmlContent = null;
@BeforeEach @BeforeEach
public void setup() { public void setup() {
// have to initialize this system property before anything else // have to initialize this system property before anything else
@ -82,6 +86,13 @@ public class TestRangerNiFiAuthorizer {
securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple"); securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
UserGroupInformation.setConfiguration(securityConf); UserGroupInformation.setConfiguration(securityConf);
// initialize the content of authorizers.xml in case tests added further entries to it
authorizersXmlContent = Stream.of(new String[][] {
{RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
{RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
{RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
{RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
configurationContext = createMockConfigContext(); configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class); rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@ -103,17 +114,12 @@ public class TestRangerNiFiAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() { private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class); AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP))) for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml")); when(configurationContext.getProperty(eq(entry.getKey())))
.thenReturn(new MockPropertyValue(entry.getValue()));
}
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP))) when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
.thenReturn(new MockPropertyValue(appId));
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
.thenReturn(new MockPropertyValue(serviceType));
return configurationContext; return configurationContext;
} }
@ -339,20 +345,63 @@ public class TestRangerNiFiAuthorizer {
@Test @Test
public void testRangerAdminApproved() { public void testRangerAdminApproved() {
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult()); final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin2";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin3";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
} }
@Test @Test
public void testRangerAdminDenied() { public void testRangerAdminDenied() {
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult()); final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
} }
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) { @Test
configurationContext = createMockConfigContext(); public void testRangerAdminDeniedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String rangerAdminIdentity = "ranger-admin"; final String requestIdentity = "ranger-admin4";
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP))) runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
.thenReturn(new MockPropertyValue(rangerAdminIdentity)); }
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class); rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@ -368,7 +417,7 @@ public class TestRangerNiFiAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder() final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier)) .resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action) .action(action)
.identity(rangerAdminIdentity) .identity(requestIdentity)
.resourceContext(new HashMap<>()) .resourceContext(new HashMap<>())
.accessAttempt(true) .accessAttempt(true)
.anonymous(false) .anonymous(false)

View File

@ -67,9 +67,12 @@ import java.io.StringWriter;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.Date; import java.util.Date;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.WeakHashMap; import java.util.WeakHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/** /**
* Authorizer implementation that uses Apache Ranger to make authorization decisions. * Authorizer implementation that uses Apache Ranger to make authorization decisions.
@ -85,9 +88,10 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path"; static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path"; static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled"; static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type"; static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id"; static final String RANGER_APP_ID_PROP = "Ranger Application Id";
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource"; static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
private static final String DEFAULT_SERVICE_TYPE = "nifi-registry"; private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
@ -100,7 +104,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
private volatile RangerBasePluginWithPolicies rangerPlugin = null; private volatile RangerBasePluginWithPolicies rangerPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null; private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
private volatile String rangerAdminIdentity = null; private volatile Set<String> rangerAdminIdentity = null;
private volatile NiFiRegistryProperties registryProperties; private volatile NiFiRegistryProperties registryProperties;
private UserGroupProviderLookup userGroupProviderLookup; private UserGroupProviderLookup userGroupProviderLookup;
@ -165,7 +169,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
rangerPlugin.init(); rangerPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler(); defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null); rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else { } else {
logger.info("base plugin already initialized"); logger.info("base plugin already initialized");
@ -185,9 +189,9 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
final Set<String> userGroups = request.getGroups(); final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier(); final String resourceIdentifier = request.getResource().getIdentifier();
// if a ranger admin identity was provided, and it equals the identity making the request, // if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through // and the request is to retrieve the resources, then allow it through
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity) if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) { && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved(); return AuthorizationResult.approved();
} }
@ -317,6 +321,23 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
return retValue; return retValue;
} }
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
final Set<String> configValues = new HashSet<>();
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
Matcher matcher = namePattern.matcher(entry.getKey());
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
configValues.add(entry.getValue());
}
}
if (configValues.isEmpty() && (defaultValue != null)) {
configValues.add(defaultValue);
}
return configValues;
}
@Override @Override
public String getFingerprint() throws AuthorizationAccessException { public String getFingerprint() throws AuthorizationAccessException {
final StringWriter out = new StringWriter(); final StringWriter out = new StringWriter();

View File

@ -41,21 +41,24 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatcher; import org.mockito.ArgumentMatcher;
import java.io.File; import java.io.File;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.argThat; import static org.mockito.ArgumentMatchers.argThat;
import static org.mockito.ArgumentMatchers.eq; import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times; import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -96,6 +99,18 @@ public class TestRangerAuthorizer {
private RangerAccessResult allowedResult; private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult; private RangerAccessResult notAllowedResult;
private Map<String, String> authorizersXmlContent = null;
@BeforeEach
public void initialization() {
authorizersXmlContent = Stream.of(new String[][] {
{RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
{RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
{RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
{RangerAuthorizer.RANGER_APP_ID_PROP, appId},
{RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
}
private void setup(final NiFiRegistryProperties registryProperties, private void setup(final NiFiRegistryProperties registryProperties,
final UserGroupProvider userGroupProvider, final UserGroupProvider userGroupProvider,
@ -139,20 +154,12 @@ public class TestRangerAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() { private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class); AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(eq(RangerAuthorizer.USER_GROUP_PROVIDER))) for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
.thenReturn(new StandardPropertyValue("user-group-provider")); when(configurationContext.getProperty(eq(entry.getKey())))
.thenReturn(new StandardPropertyValue(entry.getValue()));
}
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SECURITY_PATH_PROP))) when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-security.xml"));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_AUDIT_PATH_PROP)))
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-audit.xml"));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_APP_ID_PROP)))
.thenReturn(new StandardPropertyValue(appId));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SERVICE_TYPE_PROP)))
.thenReturn(new StandardPropertyValue(serviceType));
return configurationContext; return configurationContext;
} }
@ -388,20 +395,63 @@ public class TestRangerAuthorizer {
@Test @Test
public void testRangerAdminApproved() { public void testRangerAdminApproved() {
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult()); final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin2";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin3";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
} }
@Test @Test
public void testRangerAdminDenied() { public void testRangerAdminDenied() {
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult()); final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
} }
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) { @Test
final AuthorizerConfigurationContext configurationContext = createMockConfigContext(); public void testRangerAdminDeniedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String rangerAdminIdentity = "ranger-admin"; final String requestIdentity = "ranger-admin4";
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP))) runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
.thenReturn(new StandardPropertyValue(rangerAdminIdentity)); }
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext); setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
@ -411,7 +461,7 @@ public class TestRangerAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder() final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier)) .resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action) .action(action)
.identity(rangerAdminIdentity) .identity(requestIdentity)
.resourceContext(new HashMap<>()) .resourceContext(new HashMap<>())
.accessAttempt(true) .accessAttempt(true)
.anonymous(false) .anonymous(false)