diff --git a/nifi-assembly/NOTICE b/nifi-assembly/NOTICE
index e6c9f15b94..ad3a6d7833 100644
--- a/nifi-assembly/NOTICE
+++ b/nifi-assembly/NOTICE
@@ -44,6 +44,21 @@ The following binary components are provided under the Apache Software License v
The following NOTICE information applies:
Copyright 2006 Envoi Solutions LLC
+ (ASLv2) Jets3t
+ The following NOTICE information applies:
+
+ This product includes software developed by:
+
+ The Apache Software Foundation (http://www.apache.org/).
+
+ The ExoLab Project (http://www.exolab.org/)
+
+ Sun Microsystems (http://www.sun.com/)
+
+ Codehaus (http://castor.codehaus.org)
+
+ Tatu Saloranta (http://wiki.fasterxml.com/TatuSaloranta)
+
(ASLv2) Jasypt
The following NOTICE information applies:
Copyright (c) 2007-2010, The JASYPT team (http://www.jasypt.org)
@@ -585,6 +600,11 @@ The following binary components are provided under the Apache Software License v
from and not be held liable to the user for any such damages as noted
above as far as the program is concerned.
+ (ASLv2) Apache Solr
+ The following NOTICE information applies:
+ Apache Solrj
+ Copyright 2006-2014 The Apache Software Foundation
+
(ASLv2) Joda Time
The following NOTICE information applies:
This product includes software developed by
@@ -920,6 +940,9 @@ The following binary components are provided under the Eclipse Public License 1.
The following NOTICE information applies:
Copyright (c) 2007-2015 The JRuby project
(EPL 1.0) Eclipse Paho MQTT Client (org.eclipse.paho:org.eclipse.paho.client.mqttv3:1.0.2 - https://github.com/eclipse/paho.mqtt.java)
+ (EPL 1.0) Eclipse Link (org.eclipse.persistence:eclipselink:2.5.2 - http://www.eclipse.org/eclipselink/)
+ (EPL 1.0) Common Service Data Objects (org.eclipse.persistence:commonj.sdo:2.1.1 - http://www.eclipse.org/eclipselink/)
+ (EPL 1.0) Java Persistence API (org.eclipse.persistence:javax.persistence:2.1.0 - http://www.eclipse.org/eclipselink/)
*****************
Mozilla Public License v2.0
diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
index fb6bf87a8b..4dca67b92d 100644
--- a/nifi-assembly/pom.xml
+++ b/nifi-assembly/pom.xml
@@ -344,8 +344,8 @@ language governing permissions and limitations under the License. -->
org.apache.nifi
nifi-mqtt-nar
- nar
-
+ nar
+
org.apache.nifi
nifi-snmp-nar
@@ -689,5 +689,57 @@ language governing permissions and limitations under the License. -->
+
+ include-ranger
+
+ false
+
+
+
+
+ maven-assembly-plugin
+
+ nifi-${project.version}
+ false
+
+
+
+ make shared resource
+
+ single
+
+ package
+
+
+ 0775
+ 0775
+ 0664
+
+
+ src/main/assembly/ranger.xml
+
+ posix
+
+
+
+
+
+
+
+
+ org.apache.nifi
+ nifi-ranger-nar
+ nar
+
+
+ org.apache.ranger
+ credentialbuilder
+
+
+ org.apache.nifi
+ nifi-ranger-resources
+
+
+
diff --git a/nifi-assembly/src/main/assembly/common.xml b/nifi-assembly/src/main/assembly/common.xml
new file mode 100644
index 0000000000..ec26548370
--- /dev/null
+++ b/nifi-assembly/src/main/assembly/common.xml
@@ -0,0 +1,117 @@
+
+
+
+
+
+
+ runtime
+ false
+ lib/bootstrap
+ 0770
+ 0660
+ true
+
+ nifi-bootstrap
+ slf4j-api
+ logback-classic
+ nifi-api
+
+
+
+
+
+ runtime
+ false
+ ./
+ 0770
+ 0664
+ true
+
+ nifi-resources
+
+ true
+
+ true
+
+ conf/*
+
+
+
+
+
+
+ runtime
+ false
+ ./
+ 0770
+ 0770
+ true
+
+ nifi-resources
+
+ true
+
+ true
+
+ bin/*
+
+
+
+
+
+
+ runtime
+ false
+ docs/
+ true
+
+ nifi-docs
+
+ true
+
+ false
+
+
+ LICENSE
+ NOTICE
+
+
+
+
+
+
+ ./README.md
+ ./
+ README
+ 0644
+ true
+
+
+ ./LICENSE
+ ./
+ LICENSE
+ 0644
+ true
+
+
+ ./NOTICE
+ ./
+ NOTICE
+ 0644
+ true
+
+
+
\ No newline at end of file
diff --git a/nifi-assembly/src/main/assembly/dependencies.xml b/nifi-assembly/src/main/assembly/dependencies.xml
index 6c22c033a9..792353d70c 100644
--- a/nifi-assembly/src/main/assembly/dependencies.xml
+++ b/nifi-assembly/src/main/assembly/dependencies.xml
@@ -23,6 +23,10 @@
true
nifi-${project.version}
+
+ src/main/assembly/common.xml
+
+
@@ -33,109 +37,11 @@
0660
true
- nifi-bootstrap
+ nifi-bootstrap
nifi-resources
nifi-docs
-
-
-
- runtime
- false
- lib/bootstrap
- 0770
- 0660
- true
-
- nifi-bootstrap
- slf4j-api
- logback-classic
- nifi-api
-
-
-
-
-
- runtime
- false
- ./
- 0770
- 0664
- true
-
- nifi-resources
-
- true
-
- true
-
- conf/*
-
-
-
-
-
-
- runtime
- false
- ./
- 0770
- 0770
- true
-
- nifi-resources
-
- true
-
- true
-
- bin/*
-
-
-
-
-
-
- runtime
- false
- docs/
- true
-
- nifi-docs
-
- true
-
- false
-
-
- LICENSE
- NOTICE
-
-
-
-
-
- ./README.md
- ./
- README
- 0644
- true
-
-
- ./LICENSE
- ./
- LICENSE
- 0644
- true
-
-
- ./NOTICE
- ./
- NOTICE
- 0644
- true
-
-
+
diff --git a/nifi-assembly/src/main/assembly/ranger.xml b/nifi-assembly/src/main/assembly/ranger.xml
new file mode 100644
index 0000000000..04b8016b60
--- /dev/null
+++ b/nifi-assembly/src/main/assembly/ranger.xml
@@ -0,0 +1,81 @@
+
+
+
+ bin
+
+ dir
+ zip
+ tar.gz
+
+ true
+ nifi-${project.version}
+
+
+ src/main/assembly/common.xml
+
+
+
+
+
+ runtime
+ false
+ lib
+ 0770
+ 0660
+ true
+
+ nifi-bootstrap
+ nifi-resources
+ nifi-docs
+ org.apache.ranger:credentialbuilder:jar
+ org.apache.nifi:nifi-ranger-resources:jar
+
+
+
+
+ runtime
+ false
+ ext/ranger/install/lib/
+ 0770
+ 0660
+ true
+
+ org.apache.ranger:credentialbuilder:jar
+ org.slf4j:slf4j-api
+
+
+
+
+ runtime
+ false
+ ext/ranger/
+ 0770
+ 0770
+ false
+
+ org.apache.nifi:nifi-ranger-resources:jar
+
+ true
+
+ true
+
+ scripts/
+
+
+
+
+
+
diff --git a/nifi-nar-bundles/nifi-geo-bundle/nifi-geo-processors/pom.xml b/nifi-nar-bundles/nifi-geo-bundle/nifi-geo-processors/pom.xml
index ae397a863f..9ca429a657 100644
--- a/nifi-nar-bundles/nifi-geo-bundle/nifi-geo-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-geo-bundle/nifi-geo-processors/pom.xml
@@ -38,6 +38,17 @@
com.maxmind.geoip2
geoip2
2.1.0
-
+
+
+ com.google.code.findbugs
+ jsr305
+
+
+
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
+
diff --git a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
index 77d2be2a4a..be8dfbfe2d 100644
--- a/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hadoop-bundle/nifi-hdfs-processors/pom.xml
@@ -37,6 +37,12 @@
org.apache.nifi
nifi-hadoop-utils
+
+
+ org.apache.hadoop
+ hadoop-common
+
+
org.apache.nifi
diff --git a/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml b/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
index ec724b8d25..9cfa8b3d67 100644
--- a/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
+++ b/nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
@@ -30,10 +30,21 @@
org.apache.hadoop
hadoop-client
+
+
+ com.google.code.findbugs
+ jsr305
+
+
org.apache.avro
avro
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
+
diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml
index e00cbd0f13..f2e834f599 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml
@@ -133,6 +133,10 @@
com.google.protobuf
protobuf-java
+
+ com.google.code.findbugs
+ jsr305
+
@@ -155,6 +159,11 @@
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
+
org.apache.nifi
nifi-mock
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml
new file mode 100644
index 0000000000..dac9c4b825
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/pom.xml
@@ -0,0 +1,41 @@
+
+
+
+ 4.0.0
+
+
+ org.apache.nifi
+ nifi-ranger-bundle
+ 1.0.0-SNAPSHOT
+
+
+ nifi-ranger-nar
+ 1.0.0-SNAPSHOT
+ nar
+
+ true
+ true
+
+
+
+
+ org.apache.nifi
+ nifi-ranger-plugin
+ 1.0.0-SNAPSHOT
+
+
+
+
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE
new file mode 100644
index 0000000000..7425294e2e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/LICENSE
@@ -0,0 +1,389 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+APACHE NIFI SUBCOMPONENTS:
+
+The Apache NiFi project contains subcomponents with separate copyright
+notices and license terms. Your use of the source code for the these
+subcomponents is subject to the terms and conditions of the following
+licenses.
+
+ The binary distribution of this product bundles 'Scala Library' under a BSD
+ style license.
+
+ Copyright (c) 2002-2015 EPFL
+ Copyright (c) 2011-2015 Typesafe, Inc.
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ Redistributions of source code must retain the above copyright notice, this list of
+ conditions and the following disclaimer.
+
+ Redistributions in binary form must reproduce the above copyright notice, this list of
+ conditions and the following disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ Neither the name of the EPFL nor the names of its contributors may be used to endorse
+ or promote products derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS
+ OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ The binary distribution of this product bundles 'JOpt Simple' under an MIT
+ style license.
+
+ Copyright (c) 2009 Paul R. Holser, Jr.
+
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ The binary distribution of this product bundles 'JCraft Jsch' which is available
+ under a BSD style license.
+
+ Copyright (c) 2002-2015 Atsuhiko Yamanaka, JCraft,Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the distribution.
+
+ 3. The names of the authors may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+ INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+ OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ The binary distribution of this product bundles 'ParaNamer' and 'Paranamer Core'
+ which is available under a BSD style license.
+
+ Copyright (c) 2006 Paul Hammant & ThoughtWorks Inc
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the copyright holders nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGE.
+
+ The binary distribution of this product bundles 'Protocol Buffers - Google's data interchange format'
+ which is available under a BSD style license.
+
+ Copyright 2008 Google Inc. All rights reserved.
+ http://code.google.com/p/protobuf/
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Google Inc. nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ The binary distribution of this product bundles 'Woodstox StAX 2 API' which is
+ "licensed under standard BSD license"
+
+ The binary distribution of this product bundles 'XMLENC' which is available
+ under a BSD license. More details found here: http://xmlenc.sourceforge.net.
+
+ Copyright 2003-2005, Ernst de Haan
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ 3. Neither the name of the copyright holder nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE
new file mode 100644
index 0000000000..279e057239
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-nar/src/main/resources/META-INF/NOTICE
@@ -0,0 +1,378 @@
+nifi-ranger-nar
+Copyright 2014-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+******************
+Apache Software License v2
+******************
+
+ (ASLv2) Apache Avro
+ The following NOTICE information applies:
+ Apache Avro
+ Copyright 2009-2013 The Apache Software Foundation
+
+ (ASLv2) Apache Commons Collections
+ The following NOTICE information applies:
+ Apache Commons Collections
+ Copyright 2001-2013 The Apache Software Foundation
+
+ (ASLv2) Apache Commons Compress
+ The following NOTICE information applies:
+ Apache Commons Compress
+ Copyright 2002-2014 The Apache Software Foundation
+
+ The files in the package org.apache.commons.compress.archivers.sevenz
+ were derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),
+ which has been placed in the public domain:
+
+ "LZMA SDK is placed in the public domain." (http://www.7-zip.org/sdk.html)
+
+ (ASLv2) Apache Commons Codec
+ The following NOTICE information applies:
+ Apache Commons Codec
+ Copyright 2002-2014 The Apache Software Foundation
+
+ src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
+ contains test data from http://aspell.net/test/orig/batch0.tab.
+ Copyright (C) 2002 Kevin Atkinson (kevina@gnu.org)
+
+ ===============================================================================
+
+ The content of package org.apache.commons.codec.language.bm has been translated
+ from the original php source code available at http://stevemorse.org/phoneticinfo.htm
+ with permission from the original authors.
+ Original source copyright:
+ Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
+
+ (ASLv2) Apache Commons CLI
+ The following NOTICE information applies:
+ Apache Commons CLI
+ Copyright 2001-2009 The Apache Software Foundation
+
+ (ASLv2) Apache Commons Configuration
+ The following NOTICE information applies:
+ Apache Commons Configuration
+ Copyright 2001-2008 The Apache Software Foundation
+
+ (ASLv2) Apache Commons EL
+ The following NOTICE information applies:
+ Apache Commons EL
+ Copyright 1999-2007 The Apache Software Foundation
+
+ EL-8 patch - Copyright 2004-2007 Jamie Taylor
+ http://issues.apache.org/jira/browse/EL-8
+
+ (ASLv2) Apache Directory Server
+ The following NOTICE information applies:
+ ApacheDS Protocol Kerberos Codec
+ Copyright 2003-2013 The Apache Software Foundation
+
+ ApacheDS I18n
+ Copyright 2003-2013 The Apache Software Foundation
+
+ Apache Directory API ASN.1 API
+ Copyright 2003-2013 The Apache Software Foundation
+
+ Apache Directory LDAP API Utilities
+ Copyright 2003-2013 The Apache Software Foundation
+
+ (ASLv2) Apache Jakarta HttpClient
+ The following NOTICE information applies:
+ Apache Jakarta HttpClient
+ Copyright 1999-2007 The Apache Software Foundation
+
+ (ASLv2) Apache Commons IO
+ The following NOTICE information applies:
+ Apache Commons IO
+ Copyright 2002-2012 The Apache Software Foundation
+
+ (ASLv2) Apache Commons Lang
+ The following NOTICE information applies:
+ Apache Commons Lang
+ Copyright 2001-2015 The Apache Software Foundation
+
+ This product includes software from the Spring Framework,
+ under the Apache License 2.0 (see: StringUtils.containsWhitespace())
+
+ (ASLv2) Apache Commons Logging
+ The following NOTICE information applies:
+ Apache Commons Logging
+ Copyright 2003-2014 The Apache Software Foundation
+
+ (ASLv2) Apache Commons Math
+ The following NOTICE information applies:
+ Apache Commons Math
+ Copyright 2001-2012 The Apache Software Foundation
+
+ This product includes software developed by
+ The Apache Software Foundation (http://www.apache.org/).
+
+ ===============================================================================
+
+ The BracketFinder (package org.apache.commons.math3.optimization.univariate)
+ and PowellOptimizer (package org.apache.commons.math3.optimization.general)
+ classes are based on the Python code in module "optimize.py" (version 0.5)
+ developed by Travis E. Oliphant for the SciPy library (http://www.scipy.org/)
+ Copyright © 2003-2009 SciPy Developers.
+ ===============================================================================
+
+ The LinearConstraint, LinearObjectiveFunction, LinearOptimizer,
+ RelationShip, SimplexSolver and SimplexTableau classes in package
+ org.apache.commons.math3.optimization.linear include software developed by
+ Benjamin McCann (http://www.benmccann.com) and distributed with
+ the following copyright: Copyright 2009 Google Inc.
+ ===============================================================================
+
+ This product includes software developed by the
+ University of Chicago, as Operator of Argonne National
+ Laboratory.
+ The LevenbergMarquardtOptimizer class in package
+ org.apache.commons.math3.optimization.general includes software
+ translated from the lmder, lmpar and qrsolv Fortran routines
+ from the Minpack package
+ Minpack Copyright Notice (1999) University of Chicago. All rights reserved
+ ===============================================================================
+
+ The GraggBulirschStoerIntegrator class in package
+ org.apache.commons.math3.ode.nonstiff includes software translated
+ from the odex Fortran routine developed by E. Hairer and G. Wanner.
+ Original source copyright:
+ Copyright (c) 2004, Ernst Hairer
+ ===============================================================================
+
+ The EigenDecompositionImpl class in package
+ org.apache.commons.math3.linear includes software translated
+ from some LAPACK Fortran routines. Original source copyright:
+ Copyright (c) 1992-2008 The University of Tennessee. All rights reserved.
+ ===============================================================================
+
+ The MersenneTwister class in package org.apache.commons.math3.random
+ includes software translated from the 2002-01-26 version of
+ the Mersenne-Twister generator written in C by Makoto Matsumoto and Takuji
+ Nishimura. Original source copyright:
+ Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura,
+ All rights reserved
+ ===============================================================================
+
+ The LocalizedFormatsTest class in the unit tests is an adapted version of
+ the OrekitMessagesTest class from the orekit library distributed under the
+ terms of the Apache 2 licence. Original source copyright:
+ Copyright 2010 CS Systèmes d'Information
+ ===============================================================================
+
+ The HermiteInterpolator class and its corresponding test have been imported from
+ the orekit library distributed under the terms of the Apache 2 licence. Original
+ source copyright:
+ Copyright 2010-2012 CS Systèmes d'Information
+ ===============================================================================
+
+ The creation of the package "o.a.c.m.analysis.integration.gauss" was inspired
+ by an original code donated by Sébastien Brisard.
+ ===============================================================================
+
+ (ASLv2) Apache Commons Net
+ The following NOTICE information applies:
+ Apache Commons Net
+ Copyright 2001-2013 The Apache Software Foundation
+
+ (ASLv2) Apache Curator
+ The following NOTICE information applies:
+ Curator Framework
+ Copyright 2011-2014 The Apache Software Foundation
+
+ Curator Client
+ Copyright 2011-2014 The Apache Software Foundation
+
+ Curator Recipes
+ Copyright 2011-2014 The Apache Software Foundation
+
+ (ASLv2) Apache HttpComponents
+ The following NOTICE information applies:
+ Apache HttpClient
+ Copyright 1999-2015 The Apache Software Foundation
+
+ Apache HttpCore
+ Copyright 2005-2015 The Apache Software Foundation
+
+ Apache HttpMime
+ Copyright 1999-2013 The Apache Software Foundation
+
+ This project contains annotations derived from JCIP-ANNOTATIONS
+ Copyright (c) 2005 Brian Goetz and Tim Peierls. See http://www.jcip.net
+
+ (ASLv2) Apache Ranger
+ The following NOTICE information applies:
+ Apache Ranger Credential Builder
+ Copyright 2014-2016 The Apache Software Foundation
+
+ Apache Ranger Plugins Audit
+ Copyright 2014-2016 The Apache Software Foundation
+
+ Apache Ranger Plugins Common
+ Copyright 2014-2016 The Apache Software Foundation
+
+ Apache Ranger Plugins Cred
+ Copyright 2014-2016 The Apache Software Foundation
+
+ (ASLv2) Google GSON
+ The following NOTICE information applies:
+ Copyright 2008 Google Inc.
+
+ (ASLv2) HTrace Core
+ The following NOTICE information applies:
+ In addition, this product includes software dependencies. See
+ the accompanying LICENSE.txt for a listing of dependencies
+ that are NOT Apache licensed (with pointers to their licensing)
+
+ Apache HTrace includes an Apache Thrift connector to Zipkin. Zipkin
+ is a distributed tracing system that is Apache 2.0 Licensed.
+ Copyright 2012 Twitter, Inc.
+
+ (ASLv2) Jackson JSON processor
+ The following NOTICE information applies:
+ # Jackson JSON processor
+
+ Jackson is a high-performance, Free/Open Source JSON processing library.
+ It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
+ been in development since 2007.
+ It is currently developed by a community of developers, as well as supported
+ commercially by FasterXML.com.
+
+ ## Licensing
+
+ Jackson core and extension components may licensed under different licenses.
+ To find the details that apply to this artifact see the accompanying LICENSE file.
+ For more information, including possible other licensing options, contact
+ FasterXML.com (http://fasterxml.com).
+
+ ## Credits
+
+ A list of contributors may be found from CREDITS file, which is included
+ in some artifacts (usually source distributions); but is always available
+ from the source code management (SCM) system project uses.
+
+ (ASLv2) Jettison
+ The following NOTICE information applies:
+ Copyright 2006 Envoi Solutions LLC
+
+ (ASLv2) Jets3t
+ The following NOTICE information applies:
+
+ This product includes software developed by:
+
+ The Apache Software Foundation (http://www.apache.org/).
+
+ The ExoLab Project (http://www.exolab.org/)
+
+ Sun Microsystems (http://www.sun.com/)
+
+ Codehaus (http://castor.codehaus.org)
+
+ Tatu Saloranta (http://wiki.fasterxml.com/TatuSaloranta)
+
+ (ASLv2) Jetty
+ The following NOTICE information applies:
+ Jetty Web Container
+ Copyright 1995-2015 Mort Bay Consulting Pty Ltd.
+
+ (ASLv2) Apache Kafka
+ The following NOTICE information applies:
+ Apache Kafka
+ Copyright 2012 The Apache Software Foundation.
+
+ (ASLv2) Apache log4j
+ The following NOTICE information applies:
+ Apache log4j
+ Copyright 2007 The Apache Software Foundation
+
+ (ASLv2) Apache Solr
+ The following NOTICE information applies:
+ Apache Solrj
+ Copyright 2006-2014 The Apache Software Foundation
+
+ (ASLv2) Apache ZooKeeper
+ The following NOTICE information applies:
+ Apache ZooKeeper
+ Copyright 2009-2012 The Apache Software Foundation
+
+ (ASLv2) The Netty Project
+ The following NOTICE information applies:
+ The Netty Project
+ Copyright 2011 The Netty Project
+
+ (ASLv2) Snappy Java
+ The following NOTICE information applies:
+ This product includes software developed by Google
+ Snappy: http://code.google.com/p/snappy/ (New BSD License)
+
+ This product includes software developed by Apache
+ PureJavaCrc32C from apache-hadoop-common http://hadoop.apache.org/
+ (Apache 2.0 license)
+
+ This library containd statically linked libstdc++. This inclusion is allowed by
+ "GCC RUntime Library Exception"
+ http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
+
+ (ASLv2) Woodstox Core ASL
+ The following NOTICE information applies:
+ This product currently only contains code developed by authors
+ of specific components, as identified by the source code files.
+
+ Since product implements StAX API, it has dependencies to StAX API
+ classes.
+
+ (ASLv2) Yammer Metrics
+ The following NOTICE information applies:
+ Metrics
+ Copyright 2010-2012 Coda Hale and Yammer, Inc.
+
+ This product includes software developed by Coda Hale and Yammer, Inc.
+
+ This product includes code derived from the JSR-166 project (ThreadLocalRandom), which was released
+ with the following comments:
+
+ Written by Doug Lea with assistance from members of JCP JSR-166
+ Expert Group and released to the public domain, as explained at
+ http://creativecommons.org/publicdomain/zero/1.0/
+
+ (ASLv2) ZkClient
+ The following NOTICE information applies:
+ ZkClient
+ Copyright 2009 Stefan Groschupf
+
+************************
+Common Development and Distribution License 1.0
+************************
+
+The following binary components are provided under the Common Development and Distribution License 1.0. See project link for details.
+
+ (CDDL 1.0) JavaBeans Activation Framework (JAF) (javax.activation:activation:jar:1.1 - http://java.sun.com/products/javabeans/jaf/index.jsp)
+ (CDDL 1.0) JSR311 API (javax.ws.rs:jsr311-api:jar:1.1.1 - https://jsr311.dev.java.net)
+ (CDDL 1.0) (GPL3) Streaming API For XML (javax.xml.stream:stax-api:jar:1.0-2 - no url provided)
+
+************************
+Common Development and Distribution License 1.1
+************************
+
+The following binary components are provided under the Common Development and Distribution License 1.1. See project link for details.
+
+ (CDDL 1.1) (GPL2 w/ CPE) Old JAXB Runtime (com.sun.xml.bind:jaxb-impl:jar:2.2.3-1 - http://jaxb.java.net/)
+ (CDDL 1.1) (GPL2 w/ CPE) Java Architecture For XML Binding (javax.xml.bind:jaxb-api:jar:2.2.2 - https://jaxb.dev.java.net/)
+ (CDDL 1.1) (GPL2 w/ CPE) jersey-bundle (com.sun.jersey:jersey-bundle:jar:1.17 - https://jersey.java.net/jersey-bundle/)
+ (CDDL 1.1) (GPL2 w/ CPE) jersey-core (com.sun.jersey:jersey-core:jar:1.19 - https://jersey.java.net/jersey-core/)
+ (CDDL 1.1) (GPL2 w/ CPE) jersey-server (com.sun.jersey:jersey-server:jar:1.19 - https://jersey.java.net/jersey-server/)
+ (CDDL 1.1) (GPL2 w/ CPE) jersey-json (com.sun.jersey:jersey-json:jar:1.19 - https://jersey.java.net/jersey-json/)
+ (CDDL 1.1) (GPL2 w/ CPE) JavaServer Pages(TM) API (javax.servlet.jsp:javax.servlet.jsp-api:jar:2.1 - http://jsp.java.net)
+ (CDDL 1.1) (GPL2 w/ CPE) Java Servlet API (javax.servlet:javax.servlet-api:jar:2.5 - http://servlet-spec.java.net)
+
+************************
+Eclipse Public License 1.0
+************************
+
+The following binary components are provided under the Eclipse Public License 1.0. See project link for details.
+
+ (EPL 1.0) Eclipse Link (org.eclipse.persistence:eclipselink:2.5.2 - http://www.eclipse.org/eclipselink/)
+ (EPL 1.0) Common Service Data Objects (org.eclipse.persistence:commonj.sdo:2.1.1 - http://www.eclipse.org/eclipselink/)
+ (EPL 1.0) Java Persistence API (org.eclipse.persistence:javax.persistence:2.1.0 - http://www.eclipse.org/eclipselink/)
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
new file mode 100644
index 0000000000..4f5d693748
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/pom.xml
@@ -0,0 +1,93 @@
+
+
+
+ 4.0.0
+
+
+ org.apache.nifi
+ nifi-ranger-bundle
+ 1.0.0-SNAPSHOT
+
+
+ nifi-ranger-plugin
+ jar
+
+
+
+ org.apache.nifi
+ nifi-api
+
+
+ org.apache.nifi
+ nifi-properties
+
+
+ org.apache.ranger
+ ranger-plugins-common
+
+
+ org.slf4j
+ slf4j-log4j12
+
+
+ com.google.code.findbugs
+ jsr305
+
+
+
+
+ org.apache.ranger
+ ranger-plugins-audit
+
+
+ org.slf4j
+ slf4j-log4j12
+
+
+
+
+ org.apache.ranger
+ credentialbuilder
+
+
+ org.slf4j
+ slf4j-log4j12
+
+
+ org.slf4j
+ slf4j-api
+
+
+
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
+
+
+
+ org.apache.nifi
+ nifi-mock
+ test
+
+
+ junit
+ junit
+ 4.11
+ test
+
+
+
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
new file mode 100644
index 0000000000..8b664de618
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.nifi.ranger.authorization;
+
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.stream.Collectors;
+
+/**
+ * Extends the base plugin to add ability to check if a policy exists for a given resource.
+ */
+public class RangerBasePluginWithPolicies extends RangerBasePlugin {
+
+ private AtomicReference> resources = new AtomicReference<>(new HashSet<>());
+
+ public RangerBasePluginWithPolicies(String serviceType, String appId) {
+ super(serviceType, appId);
+ }
+
+ @Override
+ public void setPolicies(ServicePolicies policies) {
+ super.setPolicies(policies);
+
+ if (policies == null || policies.getPolicies() == null) {
+ this.resources.set(new HashSet<>());
+ } else {
+ final Set newResources = policies.getPolicies().stream()
+ .flatMap(p -> p.getResources().values().stream())
+ .flatMap(r -> r.getValues().stream())
+ .collect(Collectors.toSet());
+
+ this.resources.set(newResources);
+ }
+ }
+
+ /**
+ * Determines if a policy exists for the given resource.
+ *
+ * @param resourceIdentifier the id of the resource
+ *
+ * @return true if a policy exists for the given resource, false otherwise
+ */
+ public boolean doesPolicyExist(String resourceIdentifier) {
+ if (resourceIdentifier == null) {
+ return false;
+ }
+
+ final Set currResources = resources.get();
+ if (currResources == null) {
+ return false;
+ } else {
+ return currResources.contains(resourceIdentifier);
+ }
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
new file mode 100644
index 0000000000..ab31fa3f29
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.java
@@ -0,0 +1,248 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.nifi.ranger.authorization;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.nifi.authorization.AuthorizationRequest;
+import org.apache.nifi.authorization.AuthorizationResult;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.AuthorizerConfigurationContext;
+import org.apache.nifi.authorization.AuthorizerInitializationContext;
+import org.apache.nifi.authorization.UserContextKeys;
+import org.apache.nifi.authorization.annotation.AuthorizerContext;
+import org.apache.nifi.authorization.exception.AuthorizationAccessException;
+import org.apache.nifi.authorization.exception.AuthorizerCreationException;
+import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
+import org.apache.nifi.components.PropertyValue;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.MalformedURLException;
+import java.util.Date;
+
+/**
+ * Authorizer implementation that uses Apache Ranger to make authorization decisions.
+ */
+public class RangerNiFiAuthorizer implements Authorizer {
+
+ private static final Logger logger = LoggerFactory.getLogger(RangerNiFiAuthorizer.class);
+
+ static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
+ static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
+ static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
+ static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
+ static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
+ static final String RANGER_APP_ID_PROP = "Ranger Application Id";
+
+ static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
+ static final String DEFAULT_SERVICE_TYPE = "nifi";
+ static final String DEFAULT_APP_ID = "nifi";
+ static final String RESOURCES_RESOURCE = "/resources";
+ static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
+ static final String KERBEROS_AUTHENTICATION = "kerberos";
+
+ private volatile RangerBasePluginWithPolicies nifiPlugin = null;
+ private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
+ private volatile String rangerAdminIdentity = null;
+ private volatile boolean rangerKerberosEnabled = false;
+ private volatile NiFiProperties nifiProperties;
+
+ @Override
+ public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
+
+ }
+
+ @Override
+ public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
+ try {
+ if (nifiPlugin == null) {
+ logger.info("RangerNiFiAuthorizer(): initializing base plugin");
+
+ final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
+ addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
+
+ final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
+ addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
+
+ final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
+ rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
+
+ if (rangerKerberosEnabled) {
+ // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
+ final Configuration securityConf = new Configuration();
+ securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
+ UserGroupInformation.setConfiguration(securityConf);
+
+ // login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
+ // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
+ final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
+ final String nifiKeytab = nifiProperties.getKerberosKeytabLocation();
+
+ if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
+ throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
+ }
+
+ UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
+ }
+
+ final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
+ final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
+
+ nifiPlugin = createRangerBasePlugin(serviceType, appId);
+ nifiPlugin.init();
+
+ defaultAuditHandler = new RangerDefaultAuditHandler();
+ rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
+
+ } else {
+ logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
+ }
+ } catch (Throwable t) {
+ throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
+ }
+ }
+
+ protected RangerBasePluginWithPolicies createRangerBasePlugin(final String serviceType, final String appId) {
+ return new RangerBasePluginWithPolicies(serviceType, appId);
+ }
+
+ @Override
+ public AuthorizationResult authorize(final AuthorizationRequest request) throws AuthorizationAccessException {
+ final String identity = request.getIdentity();
+ final String resourceIdentifier = request.getResource().getIdentifier();
+
+ // if a ranger admin identity was provided, and it equals the identity making the request,
+ // and the request is to retrieve the resources, then allow it through
+ if (StringUtils.isNotBlank(rangerAdminIdentity) && rangerAdminIdentity.equals(identity)
+ && resourceIdentifier.equals(RESOURCES_RESOURCE)) {
+ return AuthorizationResult.approved();
+ }
+
+ final String clientIp;
+ if (request.getUserContext() != null) {
+ clientIp = request.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
+ } else {
+ clientIp = null;
+ }
+
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
+
+ final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
+ rangerRequest.setResource(resource);
+ rangerRequest.setAction(request.getAction().name());
+ rangerRequest.setAccessType(request.getAction().name());
+ rangerRequest.setUser(identity);
+ rangerRequest.setAccessTime(new Date());
+
+ if (!StringUtils.isBlank(clientIp)) {
+ rangerRequest.setClientIPAddress(clientIp);
+ }
+
+ // for a direct access request use the default audit handler so we generate audit logs
+ // for non-direct access provide a null result processor so no audit logs get generated
+ final RangerAccessResultProcessor resultProcessor = request.isAccessAttempt() ? defaultAuditHandler : null;
+
+ final RangerAccessResult result = nifiPlugin.isAccessAllowed(rangerRequest, resultProcessor);
+
+ if (result != null && result.getIsAllowed()) {
+ return AuthorizationResult.approved();
+ } else {
+ // if result.getIsAllowed() is false, then we need to determine if it was because no policy exists for the
+ // given resource, or if it was because a policy exists but not for the given user or action
+ final boolean doesPolicyExist = nifiPlugin.doesPolicyExist(request.getResource().getIdentifier());
+
+ if (doesPolicyExist) {
+ // a policy does exist for the resource so we were really denied access here
+ final String reason = result == null ? null : result.getReason();
+ if (reason == null) {
+ return AuthorizationResult.denied();
+ } else {
+ return AuthorizationResult.denied(result.getReason());
+ }
+ } else {
+ // a policy doesn't exist so return resource not found so NiFi can work back up the resource hierarchy
+ return AuthorizationResult.resourceNotFound();
+ }
+ }
+ }
+
+ @Override
+ public void preDestruction() throws AuthorizerDestructionException {
+ if (nifiPlugin != null) {
+ try {
+ nifiPlugin.cleanup();
+ nifiPlugin = null;
+ } catch (Throwable t) {
+ throw new AuthorizerDestructionException("Error cleaning up RangerBasePlugin", t);
+ }
+ }
+ }
+
+ @AuthorizerContext
+ public void setNiFiProperties(final NiFiProperties properties) {
+ this.nifiProperties = properties;
+ }
+
+ /**
+ * Adds a resource to the RangerConfiguration singleton so it is already there by the time RangerBasePlugin.init()
+ * is called.
+ *
+ * @param name the name of the given PropertyValue from the AuthorizationConfigurationContext
+ * @param resourceValue the value for the given name, should be a full path to a file
+ */
+ private void addRequiredResource(final String name, final PropertyValue resourceValue) {
+ if (resourceValue == null || StringUtils.isBlank(resourceValue.getValue())) {
+ throw new AuthorizerCreationException(name + " must be specified.");
+ }
+
+ final File resourceFile = new File(resourceValue.getValue());
+ if (!resourceFile.exists() || !resourceFile.canRead()) {
+ throw new AuthorizerCreationException(resourceValue + " does not exist, or can not be read");
+ }
+
+ try {
+ RangerConfiguration.getInstance().addResource(resourceFile.toURI().toURL());
+ } catch (MalformedURLException e) {
+ throw new AuthorizerCreationException("Error creating URI for " + resourceValue, e);
+ }
+ }
+
+ private String getConfigValue(final AuthorizerConfigurationContext context, final String name, final String defaultValue) {
+ final PropertyValue configValue = context.getProperty(name);
+
+ String retValue = defaultValue;
+ if (configValue != null && !StringUtils.isBlank(configValue.getValue())) {
+ retValue = configValue.getValue();
+ }
+
+ return retValue;
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
new file mode 100755
index 0000000000..607d979e0e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
@@ -0,0 +1,15 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
new file mode 100644
index 0000000000..6a12ba7497
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.nifi.ranger.authorization;
+
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
+
+public class TestRangerBasePluginWithPolicies {
+
+ @Test
+ public void testDoesPolicyExist() {
+ final String resourceIdentifier1 = "resource1";
+ RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);
+
+ final Map policy1Resources = new HashMap<>();
+ policy1Resources.put(resourceIdentifier1, resource1);
+
+ final RangerPolicy policy1 = new RangerPolicy();
+ policy1.setResources(policy1Resources);
+
+ final String resourceIdentifier2 = "resource2";
+ RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);
+
+ final Map policy2Resources = new HashMap<>();
+ policy2Resources.put(resourceIdentifier2, resource2);
+
+ final RangerPolicy policy2 = new RangerPolicy();
+ policy2.setResources(policy2Resources);
+
+ final List policies = new ArrayList<>();
+ policies.add(policy1);
+ policies.add(policy2);
+
+ final ServicePolicies servicePolicies = new ServicePolicies();
+ servicePolicies.setPolicies(policies);
+
+ // set all the policies in the plugin
+ final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
+ pluginWithPolicies.setPolicies(servicePolicies);
+
+ Assert.assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1));
+ Assert.assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2));
+ Assert.assertFalse(pluginWithPolicies.doesPolicyExist("resource3"));
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
new file mode 100644
index 0000000000..876b3f3d13
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerNiFiAuthorizer.java
@@ -0,0 +1,561 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.nifi.ranger.authorization;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.nifi.authorization.AuthorizationRequest;
+import org.apache.nifi.authorization.AuthorizationResult;
+import org.apache.nifi.authorization.Authorizer;
+import org.apache.nifi.authorization.AuthorizerConfigurationContext;
+import org.apache.nifi.authorization.AuthorizerInitializationContext;
+import org.apache.nifi.authorization.RequestAction;
+import org.apache.nifi.authorization.Resource;
+import org.apache.nifi.authorization.UserContextKeys;
+import org.apache.nifi.authorization.exception.AuthorizerCreationException;
+import org.apache.nifi.util.MockPropertyValue;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.mockito.ArgumentMatcher;
+import org.mockito.Mockito;
+
+import javax.security.auth.login.LoginException;
+import java.io.File;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.notNull;
+import static org.mockito.Mockito.argThat;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class TestRangerNiFiAuthorizer {
+
+ private MockRangerNiFiAuthorizer authorizer;
+ private RangerBasePluginWithPolicies rangerBasePlugin;
+ private AuthorizerConfigurationContext configurationContext;
+ private NiFiProperties nifiProperties;
+
+ private String serviceType = "nifiService";
+ private String appId = "nifiAppId";
+
+ private RangerAccessResult allowedResult;
+ private RangerAccessResult notAllowedResult;
+
+ @Before
+ public void setup() {
+ // have to initialize this system property before anything else
+ File krb5conf = new File("src/test/resources/krb5.conf");
+ assertTrue(krb5conf.exists());
+ System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
+
+ // rest the authentication to simple in case any tests set it to kerberos
+ final Configuration securityConf = new Configuration();
+ securityConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
+ UserGroupInformation.setConfiguration(securityConf);
+
+ configurationContext = createMockConfigContext();
+ rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.onConfigured(configurationContext);
+
+ assertFalse(UserGroupInformation.isSecurityEnabled());
+
+ allowedResult = Mockito.mock(RangerAccessResult.class);
+ when(allowedResult.getIsAllowed()).thenReturn(true);
+
+ notAllowedResult = Mockito.mock(RangerAccessResult.class);
+ when(notAllowedResult.getIsAllowed()).thenReturn(false);
+ }
+
+ private AuthorizerConfigurationContext createMockConfigContext() {
+ AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
+ .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml", null));
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
+ .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml", null));
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_APP_ID_PROP)))
+ .thenReturn(new MockPropertyValue(appId, null));
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SERVICE_TYPE_PROP)))
+ .thenReturn(new MockPropertyValue(serviceType, null));
+
+ return configurationContext;
+ }
+
+ @Test
+ public void testOnConfigured() {
+ verify(rangerBasePlugin, times(1)).init();
+
+ assertEquals(appId, authorizer.mockRangerBasePlugin.getAppId());
+ assertEquals(serviceType, authorizer.mockRangerBasePlugin.getServiceType());
+ }
+
+ @Test
+ public void testKerberosEnabledWithoutKeytab() {
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
+ .thenReturn(new MockPropertyValue("true", null));
+
+ nifiProperties = Mockito.mock(NiFiProperties.class);
+ when(nifiProperties.getKerberosServicePrincipal()).thenReturn("");
+
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.setNiFiProperties(nifiProperties);
+
+ try {
+ authorizer.onConfigured(configurationContext);
+ Assert.fail("Should have thrown exception");
+ } catch (AuthorizerCreationException e) {
+ // want to make sure this exception is from our authorizer code
+ veryifyOnlyAuthorizerCreationExceptions(e);
+ }
+ }
+
+ @Test
+ public void testKerberosEnabledWithoutPrincipal() {
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
+ .thenReturn(new MockPropertyValue("true", null));
+
+ nifiProperties = Mockito.mock(NiFiProperties.class);
+ when(nifiProperties.getKerberosKeytabLocation()).thenReturn("");
+
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.setNiFiProperties(nifiProperties);
+
+ try {
+ authorizer.onConfigured(configurationContext);
+ Assert.fail("Should have thrown exception");
+ } catch (AuthorizerCreationException e) {
+ // want to make sure this exception is from our authorizer code
+ veryifyOnlyAuthorizerCreationExceptions(e);
+ }
+ }
+
+ @Test
+ public void testKerberosEnabledWithoutKeytabOrPrincipal() {
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
+ .thenReturn(new MockPropertyValue("true", null));
+
+ nifiProperties = Mockito.mock(NiFiProperties.class);
+ when(nifiProperties.getKerberosKeytabLocation()).thenReturn("");
+ when(nifiProperties.getKerberosServicePrincipal()).thenReturn("");
+
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.setNiFiProperties(nifiProperties);
+
+ try {
+ authorizer.onConfigured(configurationContext);
+ Assert.fail("Should have thrown exception");
+ } catch (AuthorizerCreationException e) {
+ // want to make sure this exception is from our authorizer code
+ veryifyOnlyAuthorizerCreationExceptions(e);
+ }
+ }
+
+ private void veryifyOnlyAuthorizerCreationExceptions(AuthorizerCreationException e) {
+ boolean foundOtherException = false;
+ Throwable cause = e.getCause();
+ while (cause != null) {
+ if (!(cause instanceof AuthorizerCreationException)) {
+ foundOtherException = true;
+ break;
+ }
+ cause = cause.getCause();
+ }
+ assertFalse(foundOtherException);
+ }
+
+ @Test
+ public void testKerberosEnabled() {
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_KERBEROS_ENABLED_PROP)))
+ .thenReturn(new MockPropertyValue("true", null));
+
+ nifiProperties = Mockito.mock(NiFiProperties.class);
+ when(nifiProperties.getKerberosKeytabLocation()).thenReturn("test");
+ when(nifiProperties.getKerberosServicePrincipal()).thenReturn("test");
+
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.setNiFiProperties(nifiProperties);
+
+ try {
+ authorizer.onConfigured(configurationContext);
+ Assert.fail("Should have thrown exception");
+ } catch (AuthorizerCreationException e) {
+ // getting a LoginException here means we attempted to login which is what we want
+ boolean foundLoginException = false;
+ Throwable cause = e.getCause();
+ while (cause != null) {
+ if (cause instanceof LoginException) {
+ foundLoginException = true;
+ break;
+ }
+ cause = cause.getCause();
+ }
+ assertTrue(foundLoginException);
+ }
+ }
+
+ @Test
+ public void testApprovedWithDirectAccess() {
+ final String systemResource = "/system";
+ final RequestAction action = RequestAction.WRITE;
+ final String user = "admin";
+ final String clientIp = "192.168.1.1";
+
+ final Map userContext = new HashMap<>();
+ userContext.put(UserContextKeys.CLIENT_ADDRESS.name(), clientIp);
+
+ // the incoming NiFi request to test
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new MockResource(systemResource, systemResource))
+ .action(action)
+ .identity(user)
+ .resourceContext(new HashMap<>())
+ .userContext(userContext)
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+ // the expected Ranger resource and request that are created
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
+
+ final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
+ expectedRangerRequest.setResource(resource);
+ expectedRangerRequest.setAction(request.getAction().name());
+ expectedRangerRequest.setAccessType(request.getAction().name());
+ expectedRangerRequest.setUser(request.getIdentity());
+ expectedRangerRequest.setClientIPAddress(clientIp);
+
+ // a non-null result processor should be used for direct access
+ when(rangerBasePlugin.isAccessAllowed(
+ argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
+ notNull(RangerAccessResultProcessor.class))
+ ).thenReturn(allowedResult);
+
+ final AuthorizationResult result = authorizer.authorize(request);
+ assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
+ }
+
+ @Test
+ public void testApprovedWithNonDirectAccess() {
+ final String systemResource = "/system";
+ final RequestAction action = RequestAction.WRITE;
+ final String user = "admin";
+
+ // the incoming NiFi request to test
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new MockResource(systemResource, systemResource))
+ .action(action)
+ .identity(user)
+ .resourceContext(new HashMap<>())
+ .accessAttempt(false)
+ .anonymous(false)
+ .build();
+
+ // the expected Ranger resource and request that are created
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
+
+ final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
+ expectedRangerRequest.setResource(resource);
+ expectedRangerRequest.setAction(request.getAction().name());
+ expectedRangerRequest.setAccessType(request.getAction().name());
+ expectedRangerRequest.setUser(request.getIdentity());
+
+ // no result processor should be provided used non-direct access
+ when(rangerBasePlugin.isAccessAllowed(
+ argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
+ eq(null))
+ ).thenReturn(allowedResult);
+
+ final AuthorizationResult result = authorizer.authorize(request);
+ assertEquals(AuthorizationResult.approved().getResult(), result.getResult());
+ }
+
+ @Test
+ public void testResourceNotFound() {
+ final String systemResource = "/system";
+ final RequestAction action = RequestAction.WRITE;
+ final String user = "admin";
+
+ // the incoming NiFi request to test
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new MockResource(systemResource, systemResource))
+ .action(action)
+ .identity(user)
+ .resourceContext(new HashMap<>())
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+ // the expected Ranger resource and request that are created
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
+
+ final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
+ expectedRangerRequest.setResource(resource);
+ expectedRangerRequest.setAction(request.getAction().name());
+ expectedRangerRequest.setAccessType(request.getAction().name());
+ expectedRangerRequest.setUser(request.getIdentity());
+
+ // no result processor should be provided used non-direct access
+ when(rangerBasePlugin.isAccessAllowed(
+ argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
+ notNull(RangerAccessResultProcessor.class))
+ ).thenReturn(notAllowedResult);
+
+ // return false when checking if a policy exists for the resource
+ when(rangerBasePlugin.doesPolicyExist(systemResource)).thenReturn(false);
+
+ final AuthorizationResult result = authorizer.authorize(request);
+ assertEquals(AuthorizationResult.resourceNotFound().getResult(), result.getResult());
+ }
+
+ @Test
+ public void testDenied() {
+ final String systemResource = "/system";
+ final RequestAction action = RequestAction.WRITE;
+ final String user = "admin";
+
+ // the incoming NiFi request to test
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new MockResource(systemResource, systemResource))
+ .action(action)
+ .identity(user)
+ .resourceContext(new HashMap<>())
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+ // the expected Ranger resource and request that are created
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, systemResource);
+
+ final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
+ expectedRangerRequest.setResource(resource);
+ expectedRangerRequest.setAction(request.getAction().name());
+ expectedRangerRequest.setAccessType(request.getAction().name());
+ expectedRangerRequest.setUser(request.getIdentity());
+
+ // no result processor should be provided used non-direct access
+ when(rangerBasePlugin.isAccessAllowed(
+ argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
+ notNull(RangerAccessResultProcessor.class))
+ ).thenReturn(notAllowedResult);
+
+ // return true when checking if a policy exists for the resource
+ when(rangerBasePlugin.doesPolicyExist(systemResource)).thenReturn(true);
+
+ final AuthorizationResult result = authorizer.authorize(request);
+ assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
+ }
+
+ @Test
+ public void testRangerAdminApproved() {
+ runRangerAdminTest(RangerNiFiAuthorizer.RESOURCES_RESOURCE, AuthorizationResult.approved().getResult());
+ }
+
+ @Test
+ public void testRangerAdminDenied() {
+ runRangerAdminTest("/flow", AuthorizationResult.denied().getResult());
+ }
+
+ private void runRangerAdminTest(final String resourceIdentifier, final AuthorizationResult.Result expectedResult) {
+ configurationContext = createMockConfigContext();
+
+ final String rangerAdminIdentity = "ranger-admin";
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_ADMIN_IDENTITY_PROP)))
+ .thenReturn(new MockPropertyValue(rangerAdminIdentity, null));
+
+ rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
+ authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
+ authorizer.onConfigured(configurationContext);
+
+ final RequestAction action = RequestAction.WRITE;
+
+ // the incoming NiFi request to test
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new MockResource(resourceIdentifier, resourceIdentifier))
+ .action(action)
+ .identity(rangerAdminIdentity)
+ .resourceContext(new HashMap<>())
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+ // the expected Ranger resource and request that are created
+ final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+ resource.setValue(RangerNiFiAuthorizer.RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);
+
+ final RangerAccessRequestImpl expectedRangerRequest = new RangerAccessRequestImpl();
+ expectedRangerRequest.setResource(resource);
+ expectedRangerRequest.setAction(request.getAction().name());
+ expectedRangerRequest.setAccessType(request.getAction().name());
+ expectedRangerRequest.setUser(request.getIdentity());
+
+ // return true when checking if a policy exists for the resource
+ when(rangerBasePlugin.doesPolicyExist(resourceIdentifier)).thenReturn(true);
+
+ // a non-null result processor should be used for direct access
+ when(rangerBasePlugin.isAccessAllowed(
+ argThat(new RangerAccessRequestMatcher(expectedRangerRequest)),
+ notNull(RangerAccessResultProcessor.class))
+ ).thenReturn(notAllowedResult);
+
+ final AuthorizationResult result = authorizer.authorize(request);
+ assertEquals(expectedResult, result.getResult());
+ }
+
+ @Test
+ @Ignore
+ public void testIntegration() {
+ final AuthorizerInitializationContext initializationContext = Mockito.mock(AuthorizerInitializationContext.class);
+ final AuthorizerConfigurationContext configurationContext = Mockito.mock(AuthorizerConfigurationContext.class);
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_SECURITY_PATH_PROP)))
+ .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-security.xml", null));
+
+ when(configurationContext.getProperty(eq(RangerNiFiAuthorizer.RANGER_AUDIT_PATH_PROP)))
+ .thenReturn(new MockPropertyValue("src/test/resources/ranger/ranger-nifi-audit.xml", null));
+
+ Authorizer authorizer = new RangerNiFiAuthorizer();
+ try {
+ authorizer.initialize(initializationContext);
+ authorizer.onConfigured(configurationContext);
+
+ final AuthorizationRequest request = new AuthorizationRequest.Builder()
+ .resource(new Resource() {
+ @Override
+ public String getIdentifier() {
+ return "/system";
+ }
+
+ @Override
+ public String getName() {
+ return "/system";
+ }
+ })
+ .action(RequestAction.WRITE)
+ .identity("admin")
+ .resourceContext(new HashMap<>())
+ .accessAttempt(true)
+ .anonymous(false)
+ .build();
+
+
+ final AuthorizationResult result = authorizer.authorize(request);
+
+ Assert.assertEquals(AuthorizationResult.denied().getResult(), result.getResult());
+
+ } finally {
+ authorizer.preDestruction();
+ }
+ }
+
+ /**
+ * Extend RangerNiFiAuthorizer to inject a mock base plugin for testing.
+ */
+ private static class MockRangerNiFiAuthorizer extends RangerNiFiAuthorizer {
+
+ RangerBasePluginWithPolicies mockRangerBasePlugin;
+
+ public MockRangerNiFiAuthorizer(RangerBasePluginWithPolicies mockRangerBasePlugin) {
+ this.mockRangerBasePlugin = mockRangerBasePlugin;
+ }
+
+ @Override
+ protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) {
+ when(mockRangerBasePlugin.getAppId()).thenReturn(appId);
+ when(mockRangerBasePlugin.getServiceType()).thenReturn(serviceType);
+ return mockRangerBasePlugin;
+ }
+ }
+
+ /**
+ * Resource implementation for testing.
+ */
+ private static class MockResource implements Resource {
+
+ private String identifier;
+ private String name;
+
+ public MockResource(String identifier, String name) {
+ this.identifier = identifier;
+ this.name = name;
+ }
+
+ @Override
+ public String getIdentifier() {
+ return identifier;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+ }
+
+ /**
+ * Custom Mockito matcher for RangerAccessRequest objects.
+ */
+ private static class RangerAccessRequestMatcher extends ArgumentMatcher {
+
+ private final RangerAccessRequest request;
+
+ public RangerAccessRequestMatcher(RangerAccessRequest request) {
+ this.request = request;
+ }
+
+ @Override
+ public boolean matches(Object o) {
+ if (!(o instanceof RangerAccessRequest)) {
+ return false;
+ }
+
+ final RangerAccessRequest other = (RangerAccessRequest) o;
+
+ final boolean clientIpsMatch = (other.getClientIPAddress() == null && request.getClientIPAddress() == null)
+ || (other.getClientIPAddress() != null && request.getClientIPAddress() != null && other.getClientIPAddress().equals(request.getClientIPAddress()));
+
+ return other.getResource().equals(request.getResource())
+ && other.getAccessType().equals(request.getAccessType())
+ && other.getAction().equals(request.getAction())
+ && other.getUser().equals(request.getUser())
+ && clientIpsMatch;
+ }
+ }
+
+}
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml
new file mode 100644
index 0000000000..ef87a8c51c
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/authorizers.xml
@@ -0,0 +1,27 @@
+
+
+
+
+ ranger-provider
+ org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer
+ src/test/resources/ranger/ranger-nifi-audit.xml
+ src/test/resources/ranger/ranger-nifi-security.xml
+ nifi
+ nifi
+ CN=ranger-admin, OU=Apache Ranger, O=Apache, L=Santa Monica, ST=CA, C=US
+ false
+
+
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf
new file mode 100644
index 0000000000..0e3f142a9b
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/krb5.conf
@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ admin_server = kerberos.example.com
+ }
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml
new file mode 100644
index 0000000000..8d3fa67d9a
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/log4j.xml
@@ -0,0 +1,42 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
new file mode 100644
index 0000000000..d590a5039c
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/core-site.xml
@@ -0,0 +1,22 @@
+
+
+
+
+
+ hadoop.security.authentication
+ simple
+
+
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
new file mode 100644
index 0000000000..3dbd576334
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-audit.xml
@@ -0,0 +1,101 @@
+
+
+
+
+
+ xasecure.audit.is.enabled
+ true
+
+
+
+
+ xasecure.audit.destination.db
+ false
+
+
+
+ xasecure.audit.destination.db.jdbc.driver
+ com.mysql.jdbc.Driver
+
+
+
+ xasecure.audit.destination.db.jdbc.url
+ jdbc:mysql://localhost/ranger_audit
+
+
+
+ xasecure.audit.destination.db.password
+ rangerlogger
+
+
+
+ xasecure.audit.destination.db.user
+ rangerlogger
+
+
+
+ xasecure.audit.destination.db.batch.filespool.dir
+ /tmp/audit/db/spool
+
+
+
+
+
+ xasecure.audit.destination.hdfs
+ false
+
+
+
+ xasecure.audit.destination.hdfs.dir
+ hdfs://localhost:8020/ranger/audit
+
+
+
+ xasecure.audit.destination.hdfs.batch.filespool.dir
+ /tmp/audit/hdfs/spool
+
+
+
+
+
+ xasecure.audit.destination.log4j
+ false
+
+
+
+ xasecure.audit.destination.log4j.logger
+ ranger_audit_logger
+
+
+
+
+ xasecure.audit.destination.solr
+ true
+
+
+
+ xasecure.audit.destination.solr.batch.filespool.dir
+ /tmp/audit/solr/spool
+
+
+
+ xasecure.audit.destination.solr.urls
+ http://localhost:6083/solr/ranger_audits
+
+
+
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
new file mode 100644
index 0000000000..b371dcc843
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-nifi-security.xml
@@ -0,0 +1,83 @@
+
+
+
+
+
+ ranger.plugin.nifi.policy.rest.url
+ http://localhost:6080
+
+ URL to Ranger Admin
+
+
+
+
+ ranger.plugin.nifi.service.name
+ nifi
+
+ Name of the Ranger service containing policies for this nifi instance
+
+
+
+
+ ranger.plugin.nifi.policy.source.impl
+ org.apache.ranger.admin.client.RangerAdminRESTClient
+
+ Class to retrieve policies from the source
+
+
+
+
+ ranger.plugin.nifi.policy.rest.ssl.config.file
+ ranger-policymgr-ssl.xml
+
+ Path to the file containing SSL details to contact Ranger Admin
+
+
+
+
+ ranger.plugin.nifi.policy.pollIntervalMs
+ 30000
+
+ How often to poll for changes in policies?
+
+
+
+
+ ranger.plugin.nifi.policy.cache.dir
+ /tmp
+
+ Directory where Ranger policies are cached after successful retrieval from the source
+
+
+
+
+ ranger.plugin.nifi.policy.rest.client.connection.timeoutMs
+ 120000
+
+ RangerRestClient Connection Timeout in Milli Seconds
+
+
+
+
+ ranger.plugin.nifi.policy.rest.client.read.timeoutMs
+ 30000
+
+ RangerRestClient read Timeout in Milli Seconds
+
+
+
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000000..a6e05747a3
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger/ranger-policymgr-ssl.xml
@@ -0,0 +1,63 @@
+
+
+
+
+
+
+ xasecure.policymgr.clientssl.keystore
+
+
+ Java Keystore files
+
+
+
+ xasecure.policymgr.clientssl.keystore.password
+ none
+
+ password for keystore
+
+
+
+ xasecure.policymgr.clientssl.truststore
+
+
+ java truststore file
+
+
+
+ xasecure.policymgr.clientssl.truststore.password
+ none
+
+ java truststore password
+
+
+
+ xasecure.policymgr.clientssl.keystore.credential.file
+
+
+ java keystore credential file
+
+
+
+ xasecure.policymgr.clientssl.truststore.credential.file
+
+
+ java truststore credential file
+
+
+
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
new file mode 100644
index 0000000000..8949a48f35
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/pom.xml
@@ -0,0 +1,28 @@
+
+
+
+ 4.0.0
+
+
+ org.apache.nifi
+ nifi-ranger-bundle
+ 1.0.0-SNAPSHOT
+
+
+ nifi-ranger-resources
+ jar
+
+
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
new file mode 100644
index 0000000000..940dbf1688
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-resources/src/main/resources/scripts/ranger_credential_helper.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import os
+from subprocess import Popen,PIPE
+from optparse import OptionParser
+
+if os.getenv('JAVA_HOME') is None:
+ print "[W] ---------- JAVA_HOME environment property not defined, using java in path. ----------"
+ JAVA_BIN='java'
+else:
+ JAVA_BIN=os.path.join(os.getenv('JAVA_HOME'),'bin','java')
+print "Using Java:" + str(JAVA_BIN)
+
+def main():
+
+ parser = OptionParser()
+
+ parser.add_option("-l", "--libpath", dest="library_path", help="Path to folder where credential libs are present")
+ parser.add_option("-f", "--file", dest="jceks_file_path", help="Path to jceks file to use")
+ parser.add_option("-k", "--key", dest="key", help="Key to use")
+ parser.add_option("-v", "--value", dest="value", help="Value to use")
+ parser.add_option("-c", "--create", dest="create", help="Add a new alias")
+
+ (options, args) = parser.parse_args()
+ library_path = options.library_path
+ jceks_file_path = options.jceks_file_path
+ key = options.key
+ value = options.value
+ getorcreate = 'create' if options.create else 'get'
+ call_keystore(library_path, jceks_file_path, key, value, getorcreate)
+
+
+def call_keystore(libpath, filepath, aliasKey, aliasValue='', getorcreate='get'):
+ finalLibPath = libpath.replace('\\','/').replace('//','/')
+ finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/')
+ if getorcreate == 'create':
+ commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath]
+ p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ output, error = p.communicate()
+ statuscode = p.returncode
+ if statuscode == 0:
+ print "Alias " + aliasKey + " created successfully!"
+ else :
+ print "Error creating Alias!! Error: " + str(error)
+
+ elif getorcreate == 'get':
+ commandtorun = [JAVA_BIN, '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath]
+ p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ output, error = p.communicate()
+ statuscode = p.returncode
+ if statuscode == 0:
+ print "Alias : " + aliasKey + " Value : " + str(output)
+ else :
+ print "Error getting value!! Error: " + str(error)
+
+ else:
+ print 'Invalid Arguments!!'
+
+if __name__ == '__main__':
+ main()
diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
new file mode 100644
index 0000000000..be915ecd3b
--- /dev/null
+++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml
@@ -0,0 +1,61 @@
+
+
+
+ 4.0.0
+
+
+ org.apache.nifi
+ nifi-nar-bundles
+ 1.0.0-SNAPSHOT
+
+
+ org.apache.nifi
+ nifi-ranger-bundle
+ 1.0.0-SNAPSHOT
+ pom
+
+
+ 4.4.1
+ 4.4.1
+ 4.4.1
+
+
+
+ nifi-ranger-plugin
+ nifi-ranger-nar
+ nifi-ranger-resources
+
+
+
+
+
+ org.apache.httpcomponents
+ httpclient
+ ${httpcomponents.httpclient.version}
+
+
+ org.apache.httpcomponents
+ httpcore
+ ${httpcomponents.httpcore.version}
+
+
+ org.apache.httpcomponents
+ httpmime
+ ${httpcomponents.httpmime.version}
+
+
+
+
diff --git a/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml b/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml
index 2248ad8264..7d4c488342 100644
--- a/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml
@@ -38,6 +38,17 @@
com.twitter
hbc-twitter4j
2.2.0
+
+
+ com.google.code.findbugs
+ jsr305
+
+
+
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
org.apache.nifi
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml
index 0196b1d596..156d4e51a5 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml
@@ -44,6 +44,12 @@
org.apache.nifi
nifi-hadoop-utils
+
+
+ org.apache.hadoop
+ hadoop-common
+
+
org.apache.hbase
@@ -53,8 +59,17 @@
org.slf4j
slf4j-log4j12
+
+ com.google.code.findbugs
+ jsr305
+
+
+ com.github.stephenc.findbugs
+ findbugs-annotations
+ 1.3.9-1
+
org.apache.commons
commons-lang3
diff --git a/nifi-nar-bundles/pom.xml b/nifi-nar-bundles/pom.xml
index 63ed50e33e..291feb2b4c 100644
--- a/nifi-nar-bundles/pom.xml
+++ b/nifi-nar-bundles/pom.xml
@@ -55,13 +55,13 @@
nifi-scripting-bundle
nifi-elasticsearch-bundle
nifi-amqp-bundle
- nifi-splunk-bundle
+ nifi-splunk-bundle
nifi-jms-bundle
nifi-lumberjack-bundle
nifi-cassandra-bundle
nifi-spring-bundle
nifi-hive-bundle
- nifi-site-to-site-reporting-bundle
+ nifi-site-to-site-reporting-bundle
nifi-mqtt-bundle
nifi-evtx-bundle
nifi-slack-bundle
@@ -69,9 +69,10 @@
nifi-windows-event-log-bundle
nifi-ignite-bundle
nifi-email-bundle
-
-
-
+ nifi-ranger-bundle
+
+
+
org.apache.nifi
diff --git a/pom.xml b/pom.xml
index 24ef0a4fd0..602ac22605 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,6 +98,7 @@ language governing permissions and limitations under the License. -->
12.0.1
4.2.5
2.2.0
+ 0.6.0
@@ -1150,8 +1151,8 @@ language governing permissions and limitations under the License. -->
org.apache.nifi
nifi-elasticsearch-nar
1.0.0-SNAPSHOT
- nar
-
+ nar
+
org.apache.nifi
nifi-lumberjack-nar
@@ -1182,13 +1183,13 @@ language governing permissions and limitations under the License. -->
1.0.0-SNAPSHOT
nar
-
+
org.apache.nifi
nifi-site-to-site-reporting-nar
1.0.0-SNAPSHOT
nar
-
+
org.apache.nifi
nifi-evtx-nar
1.0.0-SNAPSHOT
@@ -1271,6 +1272,33 @@ language governing permissions and limitations under the License. -->
aws-java-sdk
1.11.8
+
+
+ org.apache.nifi
+ nifi-ranger-nar
+ 1.0.0-SNAPSHOT
+ nar
+
+
+ org.apache.nifi
+ nifi-ranger-resources
+ 1.0.0-SNAPSHOT
+
+
+ org.apache.ranger
+ ranger-plugins-common
+ ${ranger.version}
+
+
+ org.apache.ranger
+ ranger-plugins-audit
+ ${ranger.version}
+
+
+ org.apache.ranger
+ credentialbuilder
+ ${ranger.version}
+
org.codehaus.groovy