mirror of https://github.com/apache/nifi.git
NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)
This commit is contained in:
parent
08bc44715e
commit
412c1f2e43
|
@ -48,9 +48,12 @@ import java.io.File;
|
||||||
import java.net.MalformedURLException;
|
import java.net.MalformedURLException;
|
||||||
import java.text.NumberFormat;
|
import java.text.NumberFormat;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.WeakHashMap;
|
import java.util.WeakHashMap;
|
||||||
|
import java.util.regex.Matcher;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
|
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
|
||||||
|
@ -61,9 +64,10 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
|
||||||
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
|
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
|
||||||
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
|
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
|
||||||
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
|
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
|
||||||
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
|
|
||||||
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
|
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
|
||||||
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
|
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
|
||||||
|
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
|
||||||
|
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
|
||||||
|
|
||||||
static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
|
static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
|
||||||
static final String DEFAULT_SERVICE_TYPE = "nifi";
|
static final String DEFAULT_SERVICE_TYPE = "nifi";
|
||||||
|
@ -76,7 +80,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
|
||||||
|
|
||||||
private volatile RangerBasePluginWithPolicies nifiPlugin = null;
|
private volatile RangerBasePluginWithPolicies nifiPlugin = null;
|
||||||
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
|
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
|
||||||
private volatile String rangerAdminIdentity = null;
|
private volatile Set<String> rangerAdminIdentity = null;
|
||||||
private volatile boolean rangerKerberosEnabled = false;
|
private volatile boolean rangerKerberosEnabled = false;
|
||||||
private volatile NiFiProperties nifiProperties;
|
private volatile NiFiProperties nifiProperties;
|
||||||
private final NumberFormat numberFormat = NumberFormat.getInstance();
|
private final NumberFormat numberFormat = NumberFormat.getInstance();
|
||||||
|
@ -129,7 +133,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
|
||||||
nifiPlugin.init();
|
nifiPlugin.init();
|
||||||
|
|
||||||
defaultAuditHandler = new RangerDefaultAuditHandler();
|
defaultAuditHandler = new RangerDefaultAuditHandler();
|
||||||
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
|
rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
|
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
|
||||||
|
@ -149,9 +153,9 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
|
||||||
final Set<String> userGroups = request.getGroups();
|
final Set<String> userGroups = request.getGroups();
|
||||||
final String resourceIdentifier = request.getResource().getIdentifier();
|
final String resourceIdentifier = request.getResource().getIdentifier();
|
||||||
|
|
||||||
// if a ranger admin identity was provided, and it equals the identity making the request,
|
// if a ranger admin identity was provided, and it contains the identity making the request,
|
||||||
// and the request is to retrieve the resources, then allow it through
|
// and the request is to retrieve the resources, then allow it through
|
||||||
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
|
if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
|
||||||
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
|
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
|
||||||
return AuthorizationResult.approved();
|
return AuthorizationResult.approved();
|
||||||
}
|
}
|
||||||
|
@ -287,4 +291,20 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
|
||||||
return retValue;
|
return retValue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
|
||||||
|
final Set<String> configValues = new HashSet<>();
|
||||||
|
|
||||||
|
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
|
||||||
|
Matcher matcher = namePattern.matcher(entry.getKey());
|
||||||
|
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
|
||||||
|
configValues.add(entry.getValue());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (configValues.isEmpty() && (defaultValue != null)) {
|
||||||
|
configValues.add(defaultValue);
|
||||||
|
}
|
||||||
|
|
||||||
|
return configValues;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,6 +45,8 @@ import org.mockito.Mockito;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
|
@ -70,6 +72,8 @@ public class TestRangerNiFiAuthorizer {
|
||||||
private RangerAccessResult allowedResult;
|
private RangerAccessResult allowedResult;
|
||||||
private RangerAccessResult notAllowedResult;
|
private RangerAccessResult notAllowedResult;
|
||||||
|
|
||||||
|
private Map<String, String> authorizersXmlContent = null;
|
||||||
|
|
||||||
@BeforeEach
|
@BeforeEach
|
||||||
public void setup() {
|
public void setup() {
|
||||||
// have to initialize this system property before anything else
|
// have to initialize this system property before anything else
|
||||||
|
@ -82,6 +86,13 @@ public class TestRangerNiFiAuthorizer {
|
||||||
securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
|
securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
|
||||||
UserGroupInformation.setConfiguration(securityConf);
|
UserGroupInformation.setConfiguration(securityConf);
|
||||||
|
|
||||||
|
// initialize the content of authorizers.xml in case tests added further entries to it
|
||||||
|
authorizersXmlContent = Stream.of(new String[][] {
|
||||||
|
{RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
|
||||||
|
{RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
|
||||||
|
{RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
|
||||||
|
{RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
|
||||||
|
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
|
||||||
configurationContext = createMockConfigContext();
|
configurationContext = createMockConfigContext();
|
||||||
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
|
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
|
||||||
|
|
||||||
|
@ -103,17 +114,12 @@ public class TestRangerNiFiAuthorizer {
|
||||||
private AuthorizerConfigurationContext createMockConfigContext() {
|
private AuthorizerConfigurationContext createMockConfigContext() {
|
||||||
AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
|
AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
|
for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
|
||||||
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
|
when(configurationContext.getProperty(eq(entry.getKey())))
|
||||||
|
.thenReturn(new MockPropertyValue(entry.getValue()));
|
||||||
|
}
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
|
when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
|
||||||
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
|
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
|
|
||||||
.thenReturn(new MockPropertyValue(appId));
|
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
|
|
||||||
.thenReturn(new MockPropertyValue(serviceType));
|
|
||||||
|
|
||||||
return configurationContext;
|
return configurationContext;
|
||||||
}
|
}
|
||||||
|
@ -339,20 +345,63 @@ public class TestRangerNiFiAuthorizer {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testRangerAdminApproved() {
|
public void testRangerAdminApproved() {
|
||||||
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
|
final String acceptableIdentity = "ranger-admin";
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin";
|
||||||
|
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin2";
|
||||||
|
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin3";
|
||||||
|
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testRangerAdminDenied() {
|
public void testRangerAdminDenied() {
|
||||||
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
|
final String acceptableIdentity = "ranger-admin";
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin";
|
||||||
|
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
|
||||||
}
|
}
|
||||||
|
|
||||||
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
|
@Test
|
||||||
configurationContext = createMockConfigContext();
|
public void testRangerAdminDeniedMultipleAcceptableIdentities() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
final String rangerAdminIdentity = "ranger-admin";
|
final String requestIdentity = "ranger-admin4";
|
||||||
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
|
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
|
||||||
.thenReturn(new MockPropertyValue(rangerAdminIdentity));
|
}
|
||||||
|
|
||||||
|
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
|
||||||
|
configurationContext = createMockConfigContext();
|
||||||
|
|
||||||
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
|
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
|
||||||
|
|
||||||
|
@ -368,7 +417,7 @@ public class TestRangerNiFiAuthorizer {
|
||||||
final AuthorizationRequest request = new AuthorizationRequest.Builder()
|
final AuthorizationRequest request = new AuthorizationRequest.Builder()
|
||||||
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
|
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
|
||||||
.action(action)
|
.action(action)
|
||||||
.identity(rangerAdminIdentity)
|
.identity(requestIdentity)
|
||||||
.resourceContext(new HashMap<>())
|
.resourceContext(new HashMap<>())
|
||||||
.accessAttempt(true)
|
.accessAttempt(true)
|
||||||
.anonymous(false)
|
.anonymous(false)
|
||||||
|
|
|
@ -67,9 +67,12 @@ import java.io.StringWriter;
|
||||||
import java.net.MalformedURLException;
|
import java.net.MalformedURLException;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.WeakHashMap;
|
import java.util.WeakHashMap;
|
||||||
|
import java.util.regex.Matcher;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
|
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
|
||||||
|
@ -85,9 +88,10 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
|
||||||
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
|
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
|
||||||
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
|
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
|
||||||
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
|
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
|
||||||
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
|
|
||||||
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
|
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
|
||||||
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
|
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
|
||||||
|
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
|
||||||
|
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
|
||||||
|
|
||||||
static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
|
static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
|
||||||
private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
|
private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
|
||||||
|
@ -100,7 +104,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
|
||||||
|
|
||||||
private volatile RangerBasePluginWithPolicies rangerPlugin = null;
|
private volatile RangerBasePluginWithPolicies rangerPlugin = null;
|
||||||
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
|
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
|
||||||
private volatile String rangerAdminIdentity = null;
|
private volatile Set<String> rangerAdminIdentity = null;
|
||||||
private volatile NiFiRegistryProperties registryProperties;
|
private volatile NiFiRegistryProperties registryProperties;
|
||||||
|
|
||||||
private UserGroupProviderLookup userGroupProviderLookup;
|
private UserGroupProviderLookup userGroupProviderLookup;
|
||||||
|
@ -165,7 +169,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
|
||||||
rangerPlugin.init();
|
rangerPlugin.init();
|
||||||
|
|
||||||
defaultAuditHandler = new RangerDefaultAuditHandler();
|
defaultAuditHandler = new RangerDefaultAuditHandler();
|
||||||
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
|
rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
logger.info("base plugin already initialized");
|
logger.info("base plugin already initialized");
|
||||||
|
@ -185,9 +189,9 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
|
||||||
final Set<String> userGroups = request.getGroups();
|
final Set<String> userGroups = request.getGroups();
|
||||||
final String resourceIdentifier = request.getResource().getIdentifier();
|
final String resourceIdentifier = request.getResource().getIdentifier();
|
||||||
|
|
||||||
// if a ranger admin identity was provided, and it equals the identity making the request,
|
// if a ranger admin identity was provided, and it contains the identity making the request,
|
||||||
// and the request is to retrieve the resources, then allow it through
|
// and the request is to retrieve the resources, then allow it through
|
||||||
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
|
if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
|
||||||
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
|
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
|
||||||
return AuthorizationResult.approved();
|
return AuthorizationResult.approved();
|
||||||
}
|
}
|
||||||
|
@ -317,6 +321,23 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
|
||||||
return retValue;
|
return retValue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
|
||||||
|
final Set<String> configValues = new HashSet<>();
|
||||||
|
|
||||||
|
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
|
||||||
|
Matcher matcher = namePattern.matcher(entry.getKey());
|
||||||
|
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
|
||||||
|
configValues.add(entry.getValue());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (configValues.isEmpty() && (defaultValue != null)) {
|
||||||
|
configValues.add(defaultValue);
|
||||||
|
}
|
||||||
|
|
||||||
|
return configValues;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getFingerprint() throws AuthorizationAccessException {
|
public String getFingerprint() throws AuthorizationAccessException {
|
||||||
final StringWriter out = new StringWriter();
|
final StringWriter out = new StringWriter();
|
||||||
|
|
|
@ -41,21 +41,24 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
|
||||||
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
|
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
|
||||||
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
|
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
|
||||||
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
|
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
|
||||||
|
import org.junit.jupiter.api.BeforeEach;
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.mockito.ArgumentMatcher;
|
import org.mockito.ArgumentMatcher;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
import static org.mockito.ArgumentMatchers.any;
|
import static org.mockito.ArgumentMatchers.any;
|
||||||
|
import static org.mockito.ArgumentMatchers.anyString;
|
||||||
import static org.mockito.ArgumentMatchers.argThat;
|
import static org.mockito.ArgumentMatchers.argThat;
|
||||||
import static org.mockito.ArgumentMatchers.eq;
|
import static org.mockito.ArgumentMatchers.eq;
|
||||||
import static org.mockito.ArgumentMatchers.anyString;
|
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
import static org.mockito.Mockito.times;
|
import static org.mockito.Mockito.times;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
|
@ -96,6 +99,18 @@ public class TestRangerAuthorizer {
|
||||||
|
|
||||||
private RangerAccessResult allowedResult;
|
private RangerAccessResult allowedResult;
|
||||||
private RangerAccessResult notAllowedResult;
|
private RangerAccessResult notAllowedResult;
|
||||||
|
private Map<String, String> authorizersXmlContent = null;
|
||||||
|
|
||||||
|
@BeforeEach
|
||||||
|
public void initialization() {
|
||||||
|
authorizersXmlContent = Stream.of(new String[][] {
|
||||||
|
{RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
|
||||||
|
{RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
|
||||||
|
{RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
|
||||||
|
{RangerAuthorizer.RANGER_APP_ID_PROP, appId},
|
||||||
|
{RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
|
||||||
|
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
|
||||||
|
}
|
||||||
|
|
||||||
private void setup(final NiFiRegistryProperties registryProperties,
|
private void setup(final NiFiRegistryProperties registryProperties,
|
||||||
final UserGroupProvider userGroupProvider,
|
final UserGroupProvider userGroupProvider,
|
||||||
|
@ -139,20 +154,12 @@ public class TestRangerAuthorizer {
|
||||||
private AuthorizerConfigurationContext createMockConfigContext() {
|
private AuthorizerConfigurationContext createMockConfigContext() {
|
||||||
AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
|
AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.USER_GROUP_PROVIDER)))
|
for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
|
||||||
.thenReturn(new StandardPropertyValue("user-group-provider"));
|
when(configurationContext.getProperty(eq(entry.getKey())))
|
||||||
|
.thenReturn(new StandardPropertyValue(entry.getValue()));
|
||||||
|
}
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SECURITY_PATH_PROP)))
|
when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
|
||||||
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-security.xml"));
|
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_AUDIT_PATH_PROP)))
|
|
||||||
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-audit.xml"));
|
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_APP_ID_PROP)))
|
|
||||||
.thenReturn(new StandardPropertyValue(appId));
|
|
||||||
|
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SERVICE_TYPE_PROP)))
|
|
||||||
.thenReturn(new StandardPropertyValue(serviceType));
|
|
||||||
|
|
||||||
return configurationContext;
|
return configurationContext;
|
||||||
}
|
}
|
||||||
|
@ -388,20 +395,63 @@ public class TestRangerAuthorizer {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testRangerAdminApproved() {
|
public void testRangerAdminApproved() {
|
||||||
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
|
final String acceptableIdentity = "ranger-admin";
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin";
|
||||||
|
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin2";
|
||||||
|
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin3";
|
||||||
|
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testRangerAdminDenied() {
|
public void testRangerAdminDenied() {
|
||||||
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
|
final String acceptableIdentity = "ranger-admin";
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
|
||||||
|
|
||||||
|
final String requestIdentity = "ranger-admin";
|
||||||
|
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
|
||||||
}
|
}
|
||||||
|
|
||||||
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
|
@Test
|
||||||
final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
|
public void testRangerAdminDeniedMultipleAcceptableIdentities() {
|
||||||
|
final String acceptableIdentity1 = "ranger-admin1";
|
||||||
|
final String acceptableIdentity2 = "ranger-admin2";
|
||||||
|
final String acceptableIdentity3 = "ranger-admin3";
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
|
||||||
|
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
|
||||||
|
|
||||||
final String rangerAdminIdentity = "ranger-admin";
|
final String requestIdentity = "ranger-admin4";
|
||||||
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
|
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
|
||||||
.thenReturn(new StandardPropertyValue(rangerAdminIdentity));
|
}
|
||||||
|
|
||||||
|
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
|
||||||
|
final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
|
||||||
|
|
||||||
setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
|
setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
|
||||||
|
|
||||||
|
@ -411,7 +461,7 @@ public class TestRangerAuthorizer {
|
||||||
final AuthorizationRequest request = new AuthorizationRequest.Builder()
|
final AuthorizationRequest request = new AuthorizationRequest.Builder()
|
||||||
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
|
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
|
||||||
.action(action)
|
.action(action)
|
||||||
.identity(rangerAdminIdentity)
|
.identity(requestIdentity)
|
||||||
.resourceContext(new HashMap<>())
|
.resourceContext(new HashMap<>())
|
||||||
.accessAttempt(true)
|
.accessAttempt(true)
|
||||||
.anonymous(false)
|
.anonymous(false)
|
||||||
|
|
Loading…
Reference in New Issue