Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-10762: Ranger Authorizer accepts multiple Ranger Admin Identity property values (#6625)

This commit is contained in:
Peter Gyori 2022-11-14 14:28:24 +01:00 committed by GitHub
parent 08bc44715e
commit 412c1f2e43
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 190 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
View File

@ -48,9 +48,12 @@ import java.io.File;
import java.net.MalformedURLException;
import java.text.NumberFormat;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
@ -61,9 +64,10 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
static final String DEFAULT_SERVICE_TYPE = "nifi";
@ -76,7 +80,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
private volatile RangerBasePluginWithPolicies nifiPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
private volatile String rangerAdminIdentity = null;
private volatile Set<String> rangerAdminIdentity = null;
private volatile boolean rangerKerberosEnabled = false;
private volatile NiFiProperties nifiProperties;
private final NumberFormat numberFormat = NumberFormat.getInstance();
@ -129,7 +133,7 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
@ -149,9 +153,9 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier();
// if a ranger admin identity was provided, and it equals the identity making the request,
// if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved();
}
@ -287,4 +291,20 @@ public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
return retValue;
}
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
final Set<String> configValues = new HashSet<>();
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
Matcher matcher = namePattern.matcher(entry.getKey());
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
configValues.add(entry.getValue());
}
}
if (configValues.isEmpty() && (defaultValue != null)) {
configValues.add(defaultValue);
}
return configValues;
}
}

85
nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
View File

@ -45,6 +45,8 @@ import org.mockito.Mockito;
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
@ -70,6 +72,8 @@ public class TestRangerNiFiAuthorizer {
private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult;
private Map<String, String> authorizersXmlContent = null;
@BeforeEach
public void setup() {
// have to initialize this system property before anything else
@ -82,6 +86,13 @@ public class TestRangerNiFiAuthorizer {
securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
UserGroupInformation.setConfiguration(securityConf);
// initialize the content of authorizers.xml in case tests added further entries to it
authorizersXmlContent = Stream.of(new String[][] {
{RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-security.xml"},
{RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-audit.xml"},
{RangerNiFiAuthorizer.RANGER_APP_ID_PROP, appId},
{RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@ -103,17 +114,12 @@ public class TestRangerNiFiAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml"));
for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
when(configurationContext.getProperty(eq(entry.getKey())))
.thenReturn(new MockPropertyValue(entry.getValue()));
}
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
.thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml"));
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
.thenReturn(new MockPropertyValue(appId));
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
.thenReturn(new MockPropertyValue(serviceType));
when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
return configurationContext;
}
@ -339,20 +345,63 @@ public class TestRangerNiFiAuthorizer {
@Test
public void testRangerAdminApproved() {
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin2";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin3";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminDenied() {
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
}
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
configurationContext = createMockConfigContext();
@Test
public void testRangerAdminDeniedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String rangerAdminIdentity = "ranger-admin";
when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
.thenReturn(new MockPropertyValue(rangerAdminIdentity));
final String requestIdentity = "ranger-admin4";
runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
}
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
configurationContext = createMockConfigContext();
rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
@ -368,7 +417,7 @@ public class TestRangerNiFiAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action)
.identity(rangerAdminIdentity)
.identity(requestIdentity)
.resourceContext(new HashMap<>())
.accessAttempt(true)
.anonymous(false)

31
nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/main/java/org/apache/nifi/registry/ranger/RangerAuthorizer.java
View File

@ -67,9 +67,12 @@ import java.io.StringWriter;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Authorizer implementation that uses Apache Ranger to make authorization decisions.
@ -85,9 +88,10 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
static final String RANGER_APP_ID_PROP = "Ranger Application Id";
static final String RANGER_ADMIN_IDENTITY_PROP_PREFIX = "Ranger Admin Identity";
static final Pattern RANGER_ADMIN_IDENTITY_PATTERN = Pattern.compile(RANGER_ADMIN_IDENTITY_PROP_PREFIX + "\\s?\\S*");
static final String RANGER_NIFI_REG_RESOURCE_NAME = "nifi-registry-resource";
private static final String DEFAULT_SERVICE_TYPE = "nifi-registry";
@ -100,7 +104,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
private volatile RangerBasePluginWithPolicies rangerPlugin = null;
private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
private volatile String rangerAdminIdentity = null;
private volatile Set<String> rangerAdminIdentity = null;
private volatile NiFiRegistryProperties registryProperties;
private UserGroupProviderLookup userGroupProviderLookup;
@ -165,7 +169,7 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
rangerPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
rangerAdminIdentity = getConfigValues(configurationContext, RANGER_ADMIN_IDENTITY_PATTERN, null);
} else {
logger.info("base plugin already initialized");
@ -185,9 +189,9 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
final Set<String> userGroups = request.getGroups();
final String resourceIdentifier = request.getResource().getIdentifier();
// if a ranger admin identity was provided, and it equals the identity making the request,
// if a ranger admin identity was provided, and it contains the identity making the request,
// and the request is to retrieve the resources, then allow it through
if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
if (rangerAdminIdentity != null && rangerAdminIdentity.contains(identity)
&& resourceIdentifier.equals(RESOURCES_RESOURCE)) {
return AuthorizationResult.approved();
}
@ -317,6 +321,23 @@ public class RangerAuthorizer implements ManagedAuthorizer, AuthorizationAuditor
return retValue;
}
private Set<String> getConfigValues(final AuthorizerConfigurationContext context, final Pattern namePattern, final String defaultValue) {
final Set<String> configValues = new HashSet<>();
for (Map.Entry<String,String> entry : context.getProperties().entrySet()) {
Matcher matcher = namePattern.matcher(entry.getKey());
if (matcher.matches() && !StringUtils.isBlank(entry.getValue())) {
configValues.add(entry.getValue());
}
}
if (configValues.isEmpty() && (defaultValue != null)) {
configValues.add(defaultValue);
}
return configValues;
}
@Override
public String getFingerprint() throws AuthorizationAccessException {
final StringWriter out = new StringWriter();

94
nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/src/test/java/org/apache/nifi/registry/ranger/TestRangerAuthorizer.java
View File

@ -41,21 +41,24 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatcher;
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.argThat;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
@ -96,6 +99,18 @@ public class TestRangerAuthorizer {
private RangerAccessResult allowedResult;
private RangerAccessResult notAllowedResult;
private Map<String, String> authorizersXmlContent = null;
@BeforeEach
public void initialization() {
authorizersXmlContent = Stream.of(new String[][] {
{RangerAuthorizer.USER_GROUP_PROVIDER, "user-group-provider"},
{RangerAuthorizer.RANGER_SECURITY_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-security.xml"},
{RangerAuthorizer.RANGER_AUDIT_PATH_PROP, "src/test/resources/ranger/ranger-nifi-registry-audit.xml"},
{RangerAuthorizer.RANGER_APP_ID_PROP, appId},
{RangerAuthorizer.RANGER_SERVICE_TYPE_PROP, serviceType}
}).collect(Collectors.toMap(entry -> entry[0], entry -> entry[1]));
}
private void setup(final NiFiRegistryProperties registryProperties,
final UserGroupProvider userGroupProvider,
@ -139,20 +154,12 @@ public class TestRangerAuthorizer {
private AuthorizerConfigurationContext createMockConfigContext() {
AuthorizerConfigurationContext configurationContext = mock(AuthorizerConfigurationContext.class);
when(configurationContext.getProperty(eq(RangerAuthorizer.USER_GROUP_PROVIDER)))
.thenReturn(new StandardPropertyValue("user-group-provider"));
for (Map.Entry<String, String> entry : authorizersXmlContent.entrySet()) {
when(configurationContext.getProperty(eq(entry.getKey())))
.thenReturn(new StandardPropertyValue(entry.getValue()));
}
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SECURITY_PATH_PROP)))
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-security.xml"));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_AUDIT_PATH_PROP)))
.thenReturn(new StandardPropertyValue("src/test/resources/ranger/ranger-nifi-registry-audit.xml"));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_APP_ID_PROP)))
.thenReturn(new StandardPropertyValue(appId));
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_SERVICE_TYPE_PROP)))
.thenReturn(new StandardPropertyValue(serviceType));
when(configurationContext.getProperties()).thenReturn(authorizersXmlContent);
return configurationContext;
}
@ -388,20 +395,63 @@ public class TestRangerAuthorizer {
@Test
public void testRangerAdminApproved() {
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin2";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminApprovedMultipleAcceptableIdentities2() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String requestIdentity = "ranger-admin3";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.approved().getResult());
}
@Test
public void testRangerAdminDenied() {
runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
final String acceptableIdentity = "ranger-admin";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity);
final String requestIdentity = "ranger-admin";
runRangerAdminTest("/flow", requestIdentity, AuthorizationResult.denied().getResult());
}
private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
@Test
public void testRangerAdminDeniedMultipleAcceptableIdentities() {
final String acceptableIdentity1 = "ranger-admin1";
final String acceptableIdentity2 = "ranger-admin2";
final String acceptableIdentity3 = "ranger-admin3";
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX, acceptableIdentity1);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 2", acceptableIdentity2);
authorizersXmlContent.put(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP_PREFIX + " 3", acceptableIdentity3);
final String rangerAdminIdentity = "ranger-admin";
when(configurationContext.getProperty(eq(RangerAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
.thenReturn(new StandardPropertyValue(rangerAdminIdentity));
final String requestIdentity = "ranger-admin4";
runRangerAdminTest(RangerAuthorizer.RESOURCES_RESOURCE, requestIdentity, AuthorizationResult.denied().getResult());
}
private void runRangerAdminTest(final String resourceIdentifier, final String requestIdentity, final AuthorizationResult.Result expectedResult) {
final AuthorizerConfigurationContext configurationContext = createMockConfigContext();
setup(mock(NiFiRegistryProperties.class), mock(UserGroupProvider.class), configurationContext);
@ -411,7 +461,7 @@ public class TestRangerAuthorizer {
final AuthorizationRequest request = new AuthorizationRequest.Builder()
.resource(new MockResource(resourceIdentifier, resourceIdentifier))
.action(action)
.identity(rangerAdminIdentity)
.identity(requestIdentity)
.resourceContext(new HashMap<>())
.accessAttempt(true)
.anonymous(false)