question How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping in Support Questions

How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

qiwang — Sun, 18 Aug 2019 12:02:51 GMT

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test Nifi authorization through Ranger and running into an issue where the user name seems to not matching correctly.

Here is my setup

HDF 2.1.1.0, Nifi 1.1.0 and Ranger 0.6.2
Cluster installed with all HDF components except Storm and kafka
Cluster Kerberized with MIT KDC
Credentials in OpenLDAP
Ranger sync with OpenLDAP
Ranger Nifi policy created for a user with all permissions.

I could get to Nifi login page and login with the credentials from OpenLDAP, but then it complains about not have enough access

Looking at the audit log, the user name get logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin, it seems the KDC principal name get used here

I haven't setup identity mapping and the values are empty now.

What values should I use to get the username mapped correctly?

Thanks,

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

bbende — Sat, 04 Feb 2017 01:42:08 GMT

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

slachterman — Sat, 04 Feb 2017 01:53:31 GMT

You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the shortname:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-properties.html and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

qiwang — Sat, 04 Feb 2017 02:53:18 GMT

So here are the values that work in my environment

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also in Ranger the Nifi nodes need to be added as internal user and create policy for them to access proxy, flow and data