ranger-dev mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: Users & Certificates
Date Wed, 04 May 2016 00:55:56 GMT
>I think the file upload could be the best option for now, depending if there are any issues
>with special characters.
https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process


>For #1, I wasn't able to add a raw DN as a user through the Ranger UI. I think the '='
>character violates the validation rules, but maybe that is an easy change to allow it.
Yes, this should be an easy change. Can you create a JIRA? I feel, in the long run we should
probably take some of these rules by property. It might already be. Gautam, are you aware
of it?

>For #2, I think the issue would be that two users could have the same CN from different
>organizations, and so the full DN is really the unique identifier.
Yes, it is possible. Note, if you will be doing any Hadoop related operations on behalf of the
user, then you will get into other issues. If you are, then you will have to tokenize
it to a unix-friendly name.

>For grouping, I see that RangerAccessRequest allows setting the user groups.
Grouping will help you minimize the number of policies. If you feel, we can break the DN and
create logical groups, and if that works, then it will be easy for the admins to configure policies.
Essentially, you could have each level as a group. And give group level permissions...
"OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US", "O=Apache, L=Santa Monica, ST=CA,
C=US", "L=Santa Monica, ST=CA, C=US", …

>One scenario is when two NiFi instances communicate directly over a secure connection,
>we would need to create a policy in Ranger for the DN of one instance to give access to the
>resource being accessed on the other instance.
This would be easy. You might need very few policy line items and it will be easy to manage.

>We could also have scenarios where regular users are issued certificates and accessing
>the NiFi UI with those certificates.
If these are human users, then there might be more policies/line items, but still manageable.
If each device is a user, then you should consider creating the policies using REST API.

Thanks

Bosco

On 5/3/16, 7:15 AM, "Bryan Bende" <bbende@gmail.com> wrote:

>Hi Bosco,
>
>Thanks for the response. Could you elaborate on Ranger's file upload
>feature? Is this done through the REST API?
>I think the file upload could be the best option for now, depending if
>there are any issues with special characters.
>
>For #1, I wasn't able to add a raw DN as a user through the Ranger UI. I
>think the '=' character violates the validation rules, but maybe that is an
>easy change to allow it.
>
>For #2, I think the issue would be that two users could have the same CN
>from different organizations, and so the full DN is really the unique
>identifier.
>
>For grouping, I see that RangerAccessRequest allows setting the user
>groups. I think the issue is that on the NiFi side when we authenticate a
>user who presents a certificate,
>we don't have knowledge of a group for that user, so we wouldn't know what
>to set on the access request.
>
>For some general background, NiFi has a pluggable authentication mechanism
>and currently has three mechanisms: 2-way SSL, LDAP, and Kerberos.... 2-way
>SSL is always enabled when running a secured instance.
>One scenario is when two NiFi instances communicate directly over a secure
>connection, we would need to create a policy in Ranger for the DN of one
>instance to give access to the resource being accessed on the other
>instance.
>We could also have scenarios where regular users are issued certificates
>and accessing the NiFi UI with those certificates.
>
>Thanks,
>
>Bryan
>
>
>On Tue, May 3, 2016 at 1:06 AM, Don Bosco Durai <bosco@apache.org> wrote:
>
>> From the Ranger point of view it is just any other user, but we have to
>> check whether Ranger supports all the characters valid in the DN.
>>
>> The interesting part is how we classify this user. Will it be in LDAP/AD
>> or if it is device, then it might not be. So we have a couple of options:
>>
>> 1. Add the DN to Ranger in the raw format and give permissions to it using
>> policy. It will have a usability issue in the UI.
>> 2. Map the DN to a simple name. E.g. In Hadoop, it could be the CN or UID
>> attribute. Or sAMAccountName from AD. In your case, both provisioning to
>> Ranger and NiFiRangerAuthorizer have to do the same conversion.
>>
>> Do you think, #2 is possible for you?
>>
>> Regardless, you could use Ranger’s file upload feature to load the users.
>> I feel, we might get into special character issues like space or comma. I
>> think, we can fix this if required.
>>
>> Another suggestion is, can we have a group concept for these DNs?
>>
>> Thanks
>>
>>
>> Bosco
>>
>> On 5/2/16, 9:43 AM, "Bryan Bende" <bbende@gmail.com> wrote:
>>
>> >Hello,
>> >
>> >If an application is authenticating users with 2-way SSL, how would those
>> >users be entered into Ranger in order to define policies for them? or is
>> >that not really a supported scenario?
>> >
>> >For example, if I authenticate to my application with a certificate, the
>> >identity passed to the plugin will be the DN from the certificate like:
>> >
>> >CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
>> >
>> >So I was trying to see if it was possible to define a policy for that
>> >user.
>> >
>> >Thanks,
>> >
>> >Bryan
>>
>>
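The DN handling discussed in this thread, as an added worked example that is not Ranger or NiFi code and not something either project ships: it splits a certificate DN into RDNs, derives the per-level groups Bosco sketches ("OU=..., O=..., ..., C=US" down to "C=US"), tokenizes the CN into a unix-friendly name as he suggests for Hadoop operations, and checks for the collision Bryan raises, where two certificates from different organizations carry the same CN. The function names, the sample DNs other than the one from the thread, and the hash-suffix scheme in `dn_to_unique_unix_name` are all assumptions made for the illustration.

```python
"""Worked example for the DN-as-identity discussion: split a certificate DN
into RDNs, derive the suffix groups suggested in the thread, and map the CN
to a unix-friendly token while checking for CN collisions.
Added illustration, not Ranger or NiFi code; the DNs below are constructed
(the first one is the DN quoted in the thread)."""
import hashlib
import re

# Constructed sample identities.
SAMPLE_DNS = [
    "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US",
    "CN=localhost, OU=Ops, O=Example Corp, L=Austin, ST=TX, C=US",
    "CN=Bryan Bende, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US",
]


def split_rdns(dn):
    """Split a DN on unescaped commas and return [(type, value), ...].
    Handles backslash-escaped separators (e.g. 'O=Acme\\, Inc'), which is
    exactly the special-character case the thread worries about; a full
    RFC 4514 parser would also handle hex escapes and multi-valued RDNs."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form used as the unique identity key: attribute types
    upper-cased, exactly one ', ' between RDNs, values left as-is."""
    return ", ".join("%s=%s" % (a, v) for a, v in split_rdns(dn))


def dn_to_groups(dn):
    """Each RDN suffix becomes a group, from 'OU=..., O=..., ..., C=US' down
    to 'C=US', so a policy can be granted at any level of the hierarchy."""
    pairs = split_rdns(dn)
    return [", ".join("%s=%s" % (a, v) for a, v in pairs[i:])
            for i in range(1, len(pairs))]


def dn_to_unix_name(dn):
    """Tokenize the CN into a unix-friendly name: lower-case, with any run of
    characters outside [a-z0-9._-] collapsed to a single '_'."""
    cn = dict(split_rdns(dn)).get("CN")
    if cn is None:
        raise ValueError("DN has no CN: %r" % dn)
    return re.sub(r"[^a-z0-9._-]+", "_", cn.lower()).strip("_")


def cn_collisions(dns):
    """Return {short_name: [normalized DNs]} for every short name that more
    than one DN maps to: the 'same CN, different organization' problem."""
    seen = {}
    for dn in dns:
        seen.setdefault(dn_to_unix_name(dn), []).append(normalize_dn(dn))
    return {k: v for k, v in seen.items() if len(v) > 1}


def dn_to_unique_unix_name(dn):
    """One way (an assumption for this example, not a Ranger convention) to
    keep the short name unix-friendly yet unique: CN token plus a short
    hash of the normalized full DN."""
    digest = hashlib.sha256(normalize_dn(dn).encode("utf-8")).hexdigest()[:8]
    return "%s_%s" % (dn_to_unix_name(dn), digest)


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn_to_unix_name(dn), "->", dn_to_groups(dn))
    print("collisions:", cn_collisions(SAMPLE_DNS))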


Mime
View raw message