https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197835#M62370 <P>Can you check if you have rules to translate kerberos principal to short username?</P> Tue, 06 Jun 2017 00:14:30 GMT vperiasamy 2017-06-06T00:14:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197834#M62369 <P>Hi,</P><P>I have a cluster with 2 nodes, installed HDF and use Ranger for security policies. I just installed kerberos on my cluster using an existing AD.</P><P>I am now trying to connect to NiFi UI but I have insufficient privileges (login/password is ok).</P><P>I created a policy READ/WRITE for my user raphael.mary (existing in AD) on /* like following :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="16008-2017-06-05-10-31-42.png" style="width: 1518px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/17804i1AEC774B02FAF20B/image-size/medium?v=v2&amp;px=400" role="button" title="16008-2017-06-05-10-31-42.png" alt="16008-2017-06-05-10-31-42.png" /></span></P><P>When I try to connect to NiFi I have insufficient privileges and I get this in Ranger Audt :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="16009-2017-06-05-10-31-02.png" style="width: 1521px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/17805i682C8AC69C7FBD90/image-size/medium?v=v2&amp;px=400" role="button" title="16009-2017-06-05-10-31-02.png" alt="16009-2017-06-05-10-31-02.png" /></span></P><P>The user trying to connect is raph.mary@ZZZZ.COM</P><P>1. Is that normal that the user name is with the realm name in the audit log?</P><P>2. When I try to connect I use raphael.mary as login, do I need to specify another user name?</P><P>Thank you for your help.</P> Sun, 18 Aug 2019 06:13:29 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197834#M62369 raphamarymtl 2019-08-18T06:13:29Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197835#M62370 <P>Can you check if you have rules to translate kerberos principal to short username?</P> Tue, 06 Jun 2017 00:14:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197835#M62370 vperiasamy 2017-06-06T00:14:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197836#M62371 <P><A rel="user" href="https://community.cloudera.com/users/47/vperiasamy.html" nodeid="47">@vperiasamy</A></P><P><A rel="user" href="https://community.cloudera.com/users/47/vperiasamy.html" nodeid="47"></A>I added this after my post :</P><P>nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$</P><P>nifi.security.identity.mapping.value.kerb = $1</P><P>The policy is now working but I get the following error : Untrusted proxy corenifi01-vm.zzzzz.com</P><P>Do I have to add the nodes of my cluster in Active Directory as well or do I have to add the nodes of my cluster in Ranger (principal is : corenifi01-vm.zzzzz.com@ZZZZZ.COM) ? I added them at the beginning but with this name : corenifi01-vm.zzzzz.com@AA.ZZZZ.COM</P> Tue, 06 Jun 2017 00:45:11 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197836#M62371 raphamarymtl 2017-06-06T00:45:11Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197837#M62372 <P>yes, i believe the hostname should match. </P> Tue, 06 Jun 2017 00:51:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Insufficient-Privileges-usoing-Ranger/m-p/197837#M62372 vperiasamy 2017-06-06T00:51:05Z