Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

NiFi - Insufficient Privileges using Ranger


Hi,

I have a cluster with 2 nodes, installed HDF, and use Ranger for security policies. I just installed Kerberos on my cluster using an existing AD.

I am now trying to connect to NiFi UI but I have insufficient privileges (login/password is ok).

I created a READ/WRITE policy for my user raphael.mary (existing in AD) on /* as follows:

16008-2017-06-05-10-31-42.png

When I try to connect to NiFi I have insufficient privileges and I get this in the Ranger Audit:

16009-2017-06-05-10-31-02.png

The user trying to connect is raph.mary@ZZZZ.COM

1. Is it normal that the user name includes the realm name in the audit log?

2. When I try to connect I use raphael.mary as login, do I need to specify another user name?

Thank you for your help.

1 ACCEPTED SOLUTION


Yes, I believe the hostname should match.


3 REPLIES


Can you check if you have rules to translate the Kerberos principal to a short username?


@vperiasamy

I added this after my post:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb = $1

The policy is now working but I get the following error: Untrusted proxy corenifi01-vm.zzzzz.com

Do I have to add the nodes of my cluster in Active Directory as well, or do I have to add the nodes of my cluster in Ranger (principal is: corenifi01-vm.zzzzz.com@ZZZZZ.COM)? I added them at the beginning but with this name: corenifi01-vm.zzzzz.com@AA.ZZZZ.COM


Yes, I believe the hostname should match.
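
The following Python sketch is an added example, not part of the original thread and not NiFi's own code. It models the identity mapping rule posted above (assuming the first pattern that matches the whole identity wins) and lists which mapped identities have no identically named Ranger user; the Ranger user list is constructed from names in the thread, with `raph.mary` an assumed entry.

```python
import re

# Mapping rule exactly as posted in the thread (nifi.properties syntax).
NIFI_PROPERTIES = r"""
nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1
"""
PREFIX = "nifi.security.identity.mapping."

def load_mappings(text):
    """Return [(name, compiled_pattern, value)], ordered by mapping name."""
    patterns, values = {}, {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not key.startswith(PREFIX):
            continue
        kind, _, name = key[len(PREFIX):].partition(".")
        if kind == "pattern":
            patterns[name] = re.compile(val)
        elif kind == "value":
            values[name] = val
    return [(n, patterns[n], values[n]) for n in sorted(patterns) if n in values]

def map_identity(identity, mappings):
    """Apply the first rule whose pattern matches the whole identity."""
    for _name, pattern, value in mappings:
        m = pattern.fullmatch(identity)
        if m:
            # Expand Java-style $N group references from the matched text.
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))) or "", value)
    return identity  # no rule matched: identity is passed through unchanged

def unmatched(identities, ranger_users, mappings):
    """Map each identity and keep those with no exact Ranger user name."""
    mapped = {i: map_identity(i, mappings) for i in identities}
    return {i: m for i, m in mapped.items() if m not in ranger_users}

MAPPINGS = load_mappings(NIFI_PROPERTIES)
# Constructed sample: principals quoted in the thread.
PRINCIPALS = ["raph.mary@ZZZZ.COM", "corenifi01-vm.zzzzz.com@ZZZZZ.COM"]
# Constructed sample: "raph.mary" is assumed; the node entry is the name
# the poster says was first added to Ranger.
RANGER_USERS = {"raph.mary", "corenifi01-vm.zzzzz.com@AA.ZZZZ.COM"}

if __name__ == "__main__":
    for principal, mapped in unmatched(PRINCIPALS, RANGER_USERS, MAPPINGS).items():
        print(f"{principal} -> {mapped!r}: no Ranger user with this exact name")
```

Because the rule strips the realm from every identity containing `@`, the node is presented as `corenifi01-vm.zzzzz.com`, so a Ranger entry that still carries a realm suffix will not match it.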