https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217332#M179241 <P><A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html" target="_blank">https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html</A></P><P>-</P><P>NiFi even provides a toolkit you can use to create your own certificates/keystores for each of your NiFi nodes.</P><P>-</P><P>Matt</P> Fri, 08 Jun 2018 23:25:21 GMT MattWho 2018-06-08T23:25:21Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217321#M179230 <P>HI All,</P><P>In our cluster NIFI is SSL enabled. Ranger is not SSL enabled. Both NIFI and Ranger are integrated with AD/LDAP.</P><P>Before enabling NIFI plugin in Ranger, our AD/LDAP users are able to see NIFI UI.</P><P>But after enabling NIFI plugin in Ranger, our AD/LDAP users are not able to see NIFI UI.</P><P>We are getting following message on NIFI screen:</P><PRE>Insufficient Permissions Untrusted proxy CN=*.test.com, OU=NIFI</PRE><P>nifi-user.log shows Authentication success but Untrusted proxy error as follows:</P><PRE>2018-06-07 07:00:13,447 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (&lt;JWT token&gt;) GET <A href="https://usdf24v0075.test.com:9091/nifi-api/flow/current-user" target="_blank">https://usdf24v0075.test.com:9091/nifi-api/flow/current-user</A> (source ip: 10.23.118.51) 2018-06-07 07:00:13,449 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test-user 2018-06-07 07:00:13,612 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (&lt;test-user&gt;&lt;CN=*.test.com, OU=NIFI&gt;) GET <A href="https://usdf24v0075.test.com:9091/nifi-api/flow/current-user" target="_blank">https://usdf24v0075.test.com:9091/nifi-api/flow/current-user</A> (source ip: 10.23.132.140) 2018-06-07 07:00:13,615 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=*.test.com, OU=NIFI </PRE><P>I have also deleted authorizers.xml and users.xml file from NIFI node and restarted NIFI as well.</P><P>How to resolve it.?</P><P>Please suggest.</P><P>Thanks</P> Thu, 07 Jun 2018 15:11:21 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217321#M179230 bkandalkar 2018-06-07T15:11:21Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217322#M179231 <P>Hi <A rel="user" href="https://community.cloudera.com/users/29224/kandalkarbhushan.html" nodeid="29224">@Bhushan Kandalkar</A></P><P>Have you added Ranger policies to let users see the UI : <A href="https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/policies-to-view-nifi.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.2/bk_security/content/policies-to-view-nifi.html</A> ?</P><P>Thanks</P> Thu, 07 Jun 2018 15:15:44 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217322#M179231 ahadjidj 2018-06-07T15:15:44Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217323#M179232 <P><A rel="user" href="https://community.cloudera.com/users/2056/ahadjidj.html" nodeid="2056">@Abdelkrim Hadjidj</A> </P><P>Yes, I have added Ranger policies for user to see UI. Still getting same exception.</P> Thu, 07 Jun 2018 15:28:44 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217323#M179232 bkandalkar 2018-06-07T15:28:44Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217324#M179233 <A rel="user" href="https://community.cloudera.com/users/29224/kandalkarbhushan.html" nodeid="29224">@Bhushan Kandalka</A><P>-</P><P>Once the Ranger plugin is enabled, the authorizations.xml file is no longer used to determine what authorizations both users and Nifi nodes have. </P><P>In a NiFi cluster each node must be authorized to act as a proxy so that requests made by users logged in to any one of the nodes's UIs can be replicated to the other nodes.</P><P>This means that you will need to set an authorization policy in Ranger that authorizes "CN=*.test.com, OU=NIFI" against the "/proxy" policy.</P><P>-</P><P>Thank you,</P><P>Matt</P> Thu, 07 Jun 2018 20:43:00 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217324#M179233 MattWho 2018-06-07T20:43:00Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217325#M179234 <P>What about proxy ? as you can see in the provided link </P><P>To allow users to view the NiFi UI, create the following policies for each host:</P><UL> <LI>/flow – read</LI><LI>/proxy – read/write</LI></UL> Thu, 07 Jun 2018 21:02:02 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217325#M179234 ahadjidj 2018-06-07T21:02:02Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217326#M179235 <P><A href="https://community.hortonworks.com/questions/196475/nifi-integration-with-ranger-not-working.html?childToView=196478#">@Matt Clarke</A></P><P>Do I need to create "CN=*.<A href="http://test.com/">test.com</A>, OU=NIFI" user with password in Ranger and need to add "/proxy" policy for it? </P> Thu, 07 Jun 2018 21:05:41 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217326#M179235 bkandalkar 2018-06-07T21:05:41Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217327#M179236 <P><A rel="user" href="https://community.cloudera.com/users/29224/kandalkarbhushan.html" nodeid="29224">@Bhushan Kandalkar</A></P><P>That is correct.</P> Thu, 07 Jun 2018 21:10:24 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217327#M179236 MattWho 2018-06-07T21:10:24Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217328#M179237 <P><A rel="user" href="https://community.cloudera.com/users/525/mclarke.html" nodeid="525">@Matt Clarke</A> </P><P>While adding "CN=*.<A href="http://test.com/">test.com</A>, OU=NIFI" user in Ranger its giving invalid username error. How to resolve it?</P> Thu, 07 Jun 2018 21:30:15 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217328#M179237 bkandalkar 2018-06-07T21:30:15Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217329#M179238 <P><A rel="user" href="https://community.cloudera.com/users/29224/kandalkarbhushan.html" nodeid="29224">@Bhushan Kandalkar</A> </P><P>I was afraid of that. Ranger does not allow wildcards in the user names.</P><P>From a security standpoint it is generally a bad idea to create a server certificate that uses wildcards.</P><P>In order to use Ranger as your authorizer, you are going to need to create new NiFi node certificates/keystores that do not use wildcards in the "Owner" DN.</P><P>-</P><P>This means you will have a unique keystore for each of your NiFi nodes (which is a security best practice). You will then need to authorize each of those nodes with /proxy.</P><P>-</P><P>Thanks,</P><P>Matt</P> Thu, 07 Jun 2018 22:18:31 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217329#M179238 MattWho 2018-06-07T22:18:31Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217330#M179239 <P><A rel="user" href="https://community.cloudera.com/users/525/mclarke.html" nodeid="525">@Matt Clarke</A> </P><P>Could you please provide link about how to configure SSL for NIFI which have a unique keystore for each of your NiFi nodes and which authorizes using Ranger.It will be great if you provide that link.</P> Thu, 07 Jun 2018 23:03:26 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217330#M179239 bkandalkar 2018-06-07T23:03:26Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217331#M179240 <A rel="user" href="https://community.cloudera.com/users/29224/kandalkarbhushan.html" nodeid="29224">@Bhushan Kandalkar</A><P>Here a step by step doc : <A href="https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html" target="_blank">https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html</A></P><P>And this the official doc : <A href="https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/enabling-ssl-without-ca.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/enabling-ssl-without-ca.html</A></P> Fri, 08 Jun 2018 02:08:31 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217331#M179240 ahadjidj 2018-06-08T02:08:31Z https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217332#M179241 <P><A href="https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html" target="_blank">https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html</A></P><P>-</P><P>NiFi even provides a toolkit you can use to create your own certificates/keystores for each of your NiFi nodes.</P><P>-</P><P>Matt</P> Fri, 08 Jun 2018 23:25:21 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Integration-with-Ranger-Not-Working/m-p/217332#M179241 MattWho 2018-06-08T23:25:21Z