Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

NiFi Composite Authorization - LDAP and File - Using Cloudera Manager in CDF 1.0

Labels (2)
avatar
author-rank nismaily author-rank
Rising Star

Created on ‎08-19-2019 03:23 PM - edited ‎08-20-2019 10:26 AM

This article describes the configuration of the authorizers.xml for using the Composite User Group Provider for both LDAP and File based authentication in Cloudera Manager for CDF 1.0

 

This article assumes TLS has already been configured for NiFi using either the NiFi CA or your own certs.

 

Here is the Active Directory Structure that I will use for my sync:

Screen Shot 2019-08-19 at 4.50.30 PM.png

Here are the groups in the Groups OU:

Screen Shot 2019-08-19 at 4.51.07 PM.png

Here are the users in the Users OU:

Screen Shot 2019-08-19 at 4.50.51 PM.png

Here are the service users in the ServiceUsers OU:

Screen Shot 2019-08-19 at 4.50.59 PM.png

 

First, I will import my Active Directory root certificate into the NiFi and Java Truststores:

 

 

keytool -import -file adcert.pem -alias ad -keystore /var/lib/nifi/cert/truststore.jks
keytool -import -file adcert.pem -alias ad -keystore /etc/pki/java/cacerts

 

 

Now login to Cloudera Manager and proceed to the NiFi Configuration.

 

Update the configuration to use the "composite-user-group-provider" as follows:

 

 

xml.authorizers.accessPolicyProvider.file-access-policy-provider.property.User Group Provider=composite-user-group-provider

 

 

Next, use the "NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/authorizers.xml" and add the following configurations using the XML view:

 

 

<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.class</name>
    <value>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager DN</name>
    <value>CN=ldapbind-svc,OU=ServiceUsers,OU=CLDR,DC=nismaily,DC=com</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager Password</name>
    <value>hadoop</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Referral Strategy</name>
    <value>FOLLOW</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Connect Timeout</name>
    <value>10 secs</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Read Timeout</name>
    <value>10 secs</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Url</name>
    <value>ldaps://win-ltfjo4jgo4r.nismaily.com:636</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Sync Interval</name>
    <value>15 mins</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Base</name>
    <value>OU=Users,OU=CLDR,DC=nismaily,DC=com</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Object Class</name>
    <value>user</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Scope</name>
    <value>SUBTREE</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Identity Attribute</name>
    <value>sAMAccountName</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute</name>
    <value>memberof</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Base</name>
    <value>OU=Groups,OU=CLDR,DC=nismaily,DC=com</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Object Class</name>
    <value>group</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Scope</name>
    <value>SUBTREE</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Name Attribute</name>
    <value>cn</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute</name>
    <value>member</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.composite-user-group-provider.class</name>
    <value>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.composite-user-group-provider.property.Configurable User Group Provider</name>
    <value>file-user-group-provider</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.composite-user-group-provider.property.User Group Provider 1</name>
    <value>ldap-user-group-provider</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Authentication Strategy</name>
    <value>LDAPS</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Keystore</name>
    <value>/var/lib/nifi/cert/keystore.jks</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Keystore Password</name>
    <value>hadoop</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Keystore Type</name>
    <value>jks</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Truststore</name>
    <value>/var/lib/nifi/cert/truststore.jks</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Truststore Password</name>
    <value>hadoop</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Truststore Type</name>
    <value>jks</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Client Auth</name>
    <value>WANT</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Protocol</name>
    <value>TLSv1.2</value>
</property>
<property>
    <name>xml.authorizers.userGroupProvider.ldap-user-group-provider.property.TLS - Shutdown Gracefully</name>
    <value>false</value>
</property>

 

 

 

Restart NiFi and login to the NiFi UI.

 

Proceed to the Users Tab:

Screen Shot 2019-08-19 at 5.06.31 PM.png

 

You will see the users synced from Active Directory:

Screen Shot 2019-08-19 at 4.51.39 PM.png

 

 

 

1,342 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎08-20-2019 10:26 AM
Updated by:
Rising Star Rising Star
Contributors