Created on 03-21-2018 07:31 PM
This article assumes that you're already configured to use Ranger authorization in HDF 3.0.x or earlier and that the Ranger instance is syncing the available users/groups with your Directory Server. In order to leverage policies defined with these groups, we'll need to upgrade to HDF 3.1.0 or later and migrate your configuration to utilize a new Ranger authorizer in NiFi.
In short, you'll need to update your authorizers.xml file to configure a userGroupProvider and modify your authorizer to be a ManagedRangerAuthorizer. The idea is that previously an Authorizer was configured which was responsible for making access decisions, managing policies, and managing users/groups. Whether or not the Authorizer supported managing policies and users/groups was optional. The default file-based authorizer supported this. The existing Ranger authorizer did not (it only made access decisions).
For HDF 3.1 we decoupled these concepts so you can independently configure the Authorizer (makes access decisions), an AccessPolicyProvider (manage policies), and a UserGroupProvider (manage users/groups). Documentation exists for these three concepts and includes examples [1].
What you'll need to do is update your authorizers.xml and add a UserGroupProvider to bind your users/groups from the Directory Server that Ranger is syncing to. There are a couple of detailed examples of binding users/groups from a Directory Server using the LdapUserGroupProvider. Searching for this term in [1] should direct you to the relevant examples.
Following the concepts defined above, the ManagedRangerAuthorizer will act as the AccessPolicyProvider (since the policies are defined there) and the Authorizer (Ranger ultimately makes the access decisions). To configure your ManagedRangerAuthorizer, we can take your existing configuration for RangerNiFiAuthorizer and 1) modify the class and 2) add a reference to your LdapUserGroupProvider. The remainder of the configuration should remain unchanged. This should look something like this:
```xml
<authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class> <!-- 1) UPDATE CLASS NAME -->
    <property name="User Group Provider">ldap-user-group-provider</property> <!-- 2) REFERENCE USER GROUP PROVIDER -->
    <property name="Ranger Audit Config Path">…</property>
    <property name="Ranger Security Config Path">…</property>
    <property name="Ranger Service Type">…</property>
    <property name="Ranger Application Id">…</property>
    <property name="Ranger Admin Identity">…</property>
</authorizer>
```
This is all that you should need to do. In totality, the structure of your authorizers.xml file should look like this:
```xml
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">...</property>
        <property name="Manager DN">...</property>
        <property name="Manager Password">...</property>
        <property name="TLS - Keystore">...</property>
        <property name="TLS - Keystore Password">...</property>
        <property name="TLS - Keystore Type">...</property>
        <property name="TLS - Truststore">...</property>
        <property name="TLS - Truststore Password">...</property>
        <property name="TLS - Truststore Type">...</property>
        <property name="TLS - Client Auth">...</property>
        <property name="TLS - Protocol">...</property>
        <property name="TLS - Shutdown Gracefully">...</property>
        <property name="Referral Strategy">...</property>
        <property name="Connect Timeout">...</property>
        <property name="Read Timeout">...</property>
        <property name="Url">...</property>
        <property name="Page Size">...</property>
        <property name="Sync Interval">...</property>
        <property name="User Search Base">...</property>
        <property name="User Object Class">...</property>
        <property name="User Search Scope">...</property>
        <property name="User Search Filter">...</property>
        <property name="User Identity Attribute">...</property>
        <property name="User Group Name Attribute">...</property>
        <property name="Group Search Base">...</property>
        <property name="Group Object Class">...</property>
        <property name="Group Search Scope">...</property>
        <property name="Group Search Filter">...</property>
        <property name="Group Name Attribute">...</property>
        <property name="Group Member Attribute">...</property>
    </userGroupProvider>
    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Ranger Audit Config Path">...</property>
        <property name="Ranger Security Config Path">...</property>
        <property name="Ranger Service Type">...</property>
        <property name="Ranger Application Id">...</property>
        <property name="Ranger Admin Identity">...</property>
    </authorizer>
</authorizers>
```
[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
Created on 03-22-2018 06:45 PM
Thanks for the information @mgilman . Is there any tutorial/possibility to use group based authorization in Nifi with file based authorization (no Ranger)?
Created on 03-23-2018 01:06 PM
Created on 04-10-2018 01:18 PM
The `authorizers.xml` template seems to have gone awry.
One thing I'm wondering: How do you set the `User Search Filter`? Normally I would assume it should be something like `(&(sAMAccountName={0})(memberof=OU=users,OU=company,...))`, with the added twist that the ampersand needs escaping - otherwise expat bails (&, you'd think). My problem is that once I do set that, `nifi-app.log` does not contain any entry of `LdapUserGroupProvider` nor do my users contain any groups:
```
2018-04-10 13:30:55,093 INFO [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=meixner,...], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
```
What gives?
Created on 07-09-2020 01:32 PM
The only place you would use "{0}" would be in the ldap-provider used for user authentication. The {0} gets replaced with the username entered in the login UI. The LdapUserGroupProvider however is used by the nifi authorizer to assemble a list of users and group strings (along with the association/membership between those user and groups) which can be used to assign authorizations against. The LdapUserGroupProvider executes on NiFi startup and then on a configured schedule to refresh the synced users and groups. Since it takes no input you can not use "{0}" in the search filter.
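To tie the migration steps from the first post together with the two pitfalls raised later in the thread (an unescaped `&` in the LDAP filter, and `{0}` in the LdapUserGroupProvider's `User Search Filter`), here is an added example that is not part of the original thread or of NiFi itself: a small Python checker that parses an `authorizers.xml` and reports those problems before you restart NiFi. The function `check_authorizers_xml` and the sample configuration are my own; every LDAP/Ranger value in the sample is a placeholder (the `example.invalid` domain, the `/PLACEHOLDER/...` paths), and only the property names and class names come from the thread.

```python
"""Sanity checks for a migrated NiFi authorizers.xml (HDF 3.1 style).

Added example, not part of the original thread. It checks three things the
thread discusses:
  1. the <authorizer> uses ManagedRangerAuthorizer and its "User Group Provider"
     property points at a <userGroupProvider> identifier that actually exists;
  2. the LdapUserGroupProvider's "User Search Filter" does not contain "{0}",
     which only makes sense in the login provider, not in a scheduled group sync;
  3. the file is well-formed XML at all, i.e. a literal '&' in an LDAP filter
     has been escaped as '&amp;' (otherwise the XML parser rejects the file).
"""
import xml.etree.ElementTree as ET

MANAGED_RANGER = "org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer"
LDAP_UGP = "org.apache.nifi.ldap.tenants.LdapUserGroupProvider"

# Constructed sample configuration; all values are placeholders, not real hosts.
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Url">ldaps://ldap.example.invalid:636</property>
    <property name="User Search Base">OU=users,DC=example,DC=invalid</property>
    <property name="User Object Class">person</property>
    <property name="User Search Filter">(&amp;(objectClass=person)(memberOf=CN=nifi,OU=groups,DC=example,DC=invalid))</property>
    <property name="User Identity Attribute">cn</property>
    <property name="Group Search Base">OU=groups,DC=example,DC=invalid</property>
    <property name="Group Object Class">group</property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
  </userGroupProvider>
  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Ranger Audit Config Path">/PLACEHOLDER/ranger-nifi-audit.xml</property>
    <property name="Ranger Security Config Path">/PLACEHOLDER/ranger-nifi-security.xml</property>
    <property name="Ranger Service Type">nifi</property>
    <property name="Ranger Application Id">nifi</property>
    <property name="Ranger Admin Identity">CN=ranger-admin,OU=services,DC=example,DC=invalid</property>
  </authorizer>
</authorizers>
"""

# Broken variants derived from the good sample (constructed, for demonstration).
SAMPLE_LOGIN_PLACEHOLDER = SAMPLE_AUTHORIZERS_XML.replace(
    "(objectClass=person)", "(sAMAccountName={0})")       # "{0}" in a group sync filter
SAMPLE_UNESCAPED_AMPERSAND = SAMPLE_AUTHORIZERS_XML.replace(
    "(&amp;(", "(&(")                                      # raw '&' inside XML text
SAMPLE_DANGLING_REFERENCE = SAMPLE_AUTHORIZERS_XML.replace(
    "<identifier>ldap-user-group-provider</identifier>",
    "<identifier>ldap-ugp</identifier>")                   # authorizer points at a missing id


def _props(elem):
    """Map <property name="..."> elements of one provider to their text values."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def check_authorizers_xml(xml_text):
    """Return a list of problem strings; an empty list means all checks passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML (unescaped '&' in an LDAP filter?): %s" % exc]

    problems = []
    ugp_by_id = {}
    for ugp in root.findall("userGroupProvider"):
        ident = ugp.findtext("identifier", "").strip()
        ugp_by_id[ident] = ugp
        if ugp.findtext("class", "").strip() == LDAP_UGP:
            search_filter = _props(ugp).get("User Search Filter", "")
            if "{0}" in search_filter:
                problems.append("userGroupProvider '%s': '{0}' in User Search Filter; "
                                "the group sync takes no login input to substitute" % ident)

    for auth in root.findall("authorizer"):
        ident = auth.findtext("identifier", "").strip()
        cls = auth.findtext("class", "").strip()
        if cls != MANAGED_RANGER:
            problems.append("authorizer '%s': class is %s, expected %s" % (ident, cls, MANAGED_RANGER))
            continue
        ref = _props(auth).get("User Group Provider", "")
        if not ref:
            problems.append("authorizer '%s': missing 'User Group Provider' property" % ident)
        elif ref not in ugp_by_id:
            problems.append("authorizer '%s': references unknown userGroupProvider '%s'" % (ident, ref))
    return problems


if __name__ == "__main__":
    for label, text in [("good", SAMPLE_AUTHORIZERS_XML),
                        ("{0} in filter", SAMPLE_LOGIN_PLACEHOLDER),
                        ("unescaped &", SAMPLE_UNESCAPED_AMPERSAND),
                        ("dangling reference", SAMPLE_DANGLING_REFERENCE)]:
        print(label, "->", check_authorizers_xml(text) or "OK")
```

Run it against your own file with `check_authorizers_xml(open("authorizers.xml").read())`. The well-formedness check deliberately runs first, since an unescaped `&` stops the XML parser before any property is read, which is the same reason NiFi never gets as far as logging anything from `LdapUserGroupProvider` in that situation.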