ranger-dev mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: Users & Certificates
Date Tue, 03 May 2016 05:06:36 GMT
From the Ranger point of view it is just any other user, but we have to check whether Ranger
supports all the characters valid in the DN.

The interesting part is how we classify this user. Will it be in LDAP/AD? If it is a device,
then it might not be. So we have a couple of options:

1. Add the DN to Ranger in the raw format and give permissions to it using policy. It will
have a usability issue in the UI.
2. Map the DN to a simple name. E.g., in Hadoop, it could be the CN or UID attribute, or sAMAccountName
from AD. In your case, both provisioning to Ranger and NiFiRangerAuthorizer have to do the
same conversion.

Do you think #2 is possible for you?

Regardless, you could use Ranger’s file upload feature to load the users. I feel we might
get into special character issues like space or comma. I think we can fix this if required.

Another suggestion: can we have a group concept for these DNs?

Thanks

Bosco

On 5/2/16, 9:43 AM, "Bryan Bende" <bbende@gmail.com> wrote:

>Hello,
>
>If an application is authenticating users with 2-way SSL, how would those
>users be entered into Ranger in order to define policies for them? or is
>that not really a supported scenario?
>
>For example, if I authenticate to my application with a certificate, the
>identity passed to the plugin will be the DN from the certificate like:
>
>CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
>
>So I was trying to see if it was possible to define a policy for that user.
>
>Thanks,
>
>Bryan
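
Option 2 in the reply above only works if provisioning and the authorizer derive the same short name from a DN, including DNs whose values contain an escaped comma or space. An added sketch in Python, not Ranger or NiFi code: `parse_dn`, `simple_name` and the UID-before-CN preference are assumptions, the two DNs after the thread's DN are constructed, and the legacy quoted-value form is not handled.

```python
import re

HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_dn(dn):
    """RFC 4514 string DN -> [(TYPE, value), ...]; '\\,' and '\\2C' stay in the value."""
    avas, typ, buf, keep, i = [], None, bytearray(), 0, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","       # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            if HEXPAIR.match(dn, i + 1):         # \XX is one raw (UTF-8) byte
                buf.append(int(dn[i + 1:i + 3], 16))
                i += 3
            else:                                # \, \+ \= \\ \<space> ...
                buf += dn[i + 1].encode("utf-8")
                i += 2
            keep = len(buf)                      # escaped bytes are never trimmed
            continue
        if ch == "=" and typ is None:
            typ, buf, keep = buf[:keep].decode("utf-8").upper(), bytearray(), 0
        elif ch in ",+":
            if typ is None:
                raise ValueError("RDN without '=' in %r" % dn)
            avas.append((typ, buf[:keep].decode("utf-8")))
            typ, buf, keep = None, bytearray(), 0
        elif ch != " " or buf:                   # skip unescaped leading spaces
            buf += ch.encode("utf-8")
            if ch != " ":
                keep = len(buf)                  # unescaped trailing spaces drop off
        i += 1
    return avas

def simple_name(dn, prefer=("UID", "CN")):
    """The one DN -> short-name rule shared by provisioning and the authorizer."""
    avas = parse_dn(dn)
    for want in prefer:
        for typ, value in avas:
            if typ == want and value:
                return value
    raise ValueError("no %s attribute in %r" % ("/".join(prefer), dn))

# DN from the thread, plus two constructed DNs with an escaped comma.
THREAD_DN = "CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US"
ESCAPED_DN = "CN=Doe\\, Jane,OU=Apache NiFi,O=Apache"
HEX_DN = "cn=Doe\\2C Jane, ou=Apache NiFi, o=Apache"

if __name__ == "__main__":
    for dn in (THREAD_DN, ESCAPED_DN, HEX_DN):
        print(repr(simple_name(dn)), "<-", dn)
```

A plain `dn.split(",")` on the second DN yields `CN=Doe\` as its first component, so a side that splits naively would provision or look up a different name than a side that parses escapes.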

