question Re: NiFi Authorization with Ranger in Kerberized environment in Archives of Support Questions (Read Only)

NiFi Authorization with Ranger in Kerberized environment

rsg — Tue, 21 Apr 2026 12:15:08 GMT

Hello,

I am setting up an HDF 3.2 cluster that's fully Kerberized and I am trying to handle authorization through Ranger.

We have a single Active Directory which also acts as KDC.

The technical users (for example the service principals automatically created by HDF) are mapped in the following organization unit: OU=HDF,DC=example,DC=com while "normal" users (devs/admins) are mapped in OU=USERS,DC=example,DC=com

The problem is that after enabling NiFi plugin and Kafka plugin I have not been able to use any of the two (I added my username to the "admin" policies of both services in ranger).

Since the two problems are probably linked, I will start from NiFi and if necessary expand on Kafka in another post.

NiFi authentication works (the user is recognized) but I receive the following error: "Unable to view the user interface. Contact the system administrator."

When I check the audit log I notice that the User is indicated with the full qualified domain name USER@EXAMPLE.COM (instead of just the username) and the access is denied.

nifi.security.user.login.identity.provider=kerberos-provider

I tried the following NiFi properties without success:

nifi.security.identity.mapping.pattern.kerb=^(.?)@(.?)$
nifi.security.identity.mapping.value.kerb=$1

Could you help me solve this problem?

Thanks

Re: NiFi Authorization with Ranger in Kerberized environment

stevenmatison — Sun, 18 Aug 2019 10:14:23 GMT

@Raffaele S

I think you may need to adjust the user/group sync in ranger. Be sure to tail the ranger user sync logs while running the sync so that you can validate things are arriving correctly. Here are my configs:

Additionally you will need to create policies in ranger admin as follows:

the scrambled user for NiFi Proxy is cn=NIFIHOSTNAME, OU=NIFI

Be sure to watch the log files and restart everything after making any changes.

If this answer is helpful, please choose ACCEPT to mark the question as resolved.

Re: NiFi Authorization with Ranger in Kerberized environment

Shelton — Thu, 30 Aug 2018 00:16:39 GMT

@Raffaele S

To avoid unwanted groups and users loaded please see this HCC doc

Re: NiFi Authorization with Ranger in Kerberized environment

Shelton — Thu, 30 Aug 2018 00:19:19 GMT

@Raffaele S

That's the default behavior if you are using AD it appends the REALM to username.

Re: NiFi Authorization with Ranger in Kerberized environment

rsg — Thu, 30 Aug 2018 21:43:38 GMT

Hello @Steven Matison,

thanks for replying.

I believe that everything is setup as you proposed, I also added the NiFi proxy users to their own policy but nothing changed.

Tailing the usersync.log doesn't provide any additional evidence.

Re: NiFi Authorization with Ranger in Kerberized environment

rsg — Thu, 30 Aug 2018 21:44:14 GMT

Thanks, I will use this configuration while testing in the future.

Re: NiFi Authorization with Ranger in Kerberized environment

rsg — Thu, 30 Aug 2018 22:35:38 GMT

There aren't many information in the manual is it possible I have to manually configure all the options under "Advanced ranger-nifi-plugin-properties" (in the ambari console)?
Currently only a few of those properties are configured.

Re: NiFi Authorization with Ranger in Kerberized environment

rsg — Tue, 30 Oct 2018 18:08:45 GMT

Properly setting up the nifi.security.identity.mapping.pattern.kerb and nifi.security.identity.mapping.pattern.dn fixed the problem.

Also, while debugging these kind of problems, it's best to delete ranger plugin cache (under /etc/ranger/SERVICE_NAME/policycache/) to ensure that there are no communication problem between NiFi and Ranger.