AD group not used while trying to connect to NiFi

Contributor

Hi,

We have a multi-host Hadoop environment that uses HDP-3.0.1 with NiFi 1.7.0. The environment is Kerberized and we use Ranger for security; it is also connected to the LDAP/AD server for users and groups.

Whenever I try to connect to NiFi using user_test I get the message:

[attachment: nifi_insificient permissions.png]

user_test is part of a group that has full access to NiFi in Ranger...

- Policy Name: All-nifi-Resource
- NiFi Resource Identifier: *
- Allow Conditions:
  - Select Group: group_test
  - Permissions: Read, Write

It seems that the AD group is not used when trying to connect to NiFi (if I put the username user_test in the Select User section in Ranger, it has access to NiFi...).

I have the following messages in nifi-user.log:

2019-11-13 12:18:29,368 INFO [NiFi Web Server-65454] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=xx-xx-xx-xxXX.XxxXx.xx, O=XxxXx Inc., L=XXXX, ST=XXXX, C=XX
2019-11-13 12:18:33,097 INFO [NiFi Web Server-65454] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2019-11-13 12:18:33,136 INFO [NiFi Web Server-65286] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2019-11-13 12:18:33,151 INFO [NiFi Web Server-65436] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<Knox JWT token>) GET https://xx-xx-xx-xxXX.XxxXx.xx:xxxx/nifi-api/flow/current-user (source ip: XX.XXX.XXX.XXX)
2019-11-13 12:18:33,151 INFO [NiFi Web Server-65436] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for user_test
2019-11-13 12:12:32,122 INFO [NiFi Web Server-65436] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[user_test], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I am not sure why none appears and not group_test. Thank you in advance for your help on this subject.

4 replies

Mentor

@Koffi 

There are limitations that Ranger puts on the client applications that use it. Ranger requires that clients state explicitly, by user or group string, what authorization policies have been assigned to that string.

The nifi-user.log output you provided indicates that NiFi is unaware of any groups being associated to the user "user_test".

AccessDeniedExceptionMapper identity[user_test], groups[none] 

The association between users and groups in NiFi is handled by NiFi's authorizers.xml file. NiFi must be configured to sync users and groups from AD itself so that it can poll Ranger for your authenticated user and any known associated groups of that user.

The provider you would need to set up in your NiFi's authorizers.xml to sync users from your AD is the "ldap-user-group-provider". At a minimum your authorizers.xml would need to be configured to look like this:

<authorizers>
    <!-- Syncs users and their group memberships from AD/LDAP; site-specific
         values (bind DN, URL, search bases, attributes) are left blank here. -->
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN"></property>
        <property name="Manager Password"></property>

        <property name="TLS - Keystore"/>
        <property name="TLS - Keystore Password"/>
        <property name="TLS - Keystore Type"/>
        <property name="TLS - Truststore"/>
        <property name="TLS - Truststore Password"/>
        <property name="TLS - Truststore Type"/>
        <property name="TLS - Client Auth"/>
        <property name="TLS - Protocol"/>
        <property name="TLS - Shutdown Gracefully"/>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url"></property>
        <property name="Page Size">500</property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base"></property>
        <property name="User Object Class"></property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter"/>
        <!-- The value of this attribute is the user identity NiFi will compare
             against the authenticated identity and against Ranger; it must match exactly. -->
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"/>

        <property name="Group Search Base"></property>
        <property name="Group Object Class"></property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter"/>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"/>
    </userGroupProvider>

    <!-- Ranger makes the authorization decision; the User Group Provider above
         supplies the group list for the authenticated identity. -->
    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Ranger Audit Config Path">/<path to>/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">/<path to>/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Ranger Admin Identity" />
        <property name="Ranger Kerberos Enabled">false</property>
    </authorizer>
</authorizers>


Also keep in mind that the user string returned by the NiFi login provider must match EXACTLY the user string returned by the ldap-user-group-provider and the one found in Ranger. This includes case.

If some trimming or normalization is required, you will need to use NiFi identity mapping patterns to do so. These are configured in the nifi.properties file.

Hope this helps,

Matt
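To make the exact-match point above concrete, here is an added example (not code from this thread, and not NiFi's own code) that emulates how NiFi identity mapping patterns and a user-group provider join up. The property names are the real nifi.properties keys for identity mappings; the patterns, the directory sync result, the DN and the Ranger-style policy are constructed for illustration. It assumes, as NiFi does, that the first mapping (tried in sorted key order) whose pattern matches the whole identity wins, and that the same mappings are applied to identities synced by the LDAP provider; check both against your version's Admin Guide.

```python
import re
from collections import defaultdict

# Constructed nifi.properties entries (assumption: your patterns will differ).
# A mapping is three properties sharing a suffix: pattern, value, transform.
NIFI_PROPERTIES = {
    "nifi.security.identity.mapping.pattern.dn": r"^CN=(.*?), O=.*$",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.transform.dn": "LOWER",
    "nifi.security.identity.mapping.pattern.user": r"^(.*)$",
    "nifi.security.identity.mapping.value.user": "$1",
    "nifi.security.identity.mapping.transform.user": "LOWER",
}
PREFIX = "nifi.security.identity.mapping."


def load_mappings(props):
    """Group pattern/value/transform by suffix; return them in sorted-key order."""
    by_key = defaultdict(dict)
    for name, val in props.items():
        if name.startswith(PREFIX):
            kind, _, key = name[len(PREFIX):].partition(".")
            by_key[key][kind] = val
    mappings = []
    for key in sorted(by_key):
        m = by_key[key]
        if "pattern" in m and "value" in m:
            mappings.append((key, re.compile(m["pattern"]), m["value"],
                             m.get("transform", "NONE").upper()))
    return mappings


def map_identity(identity, mappings):
    """Apply the first mapping whose pattern matches the WHOLE identity string.
    $1, $2, ... in the value are replaced by capture groups, then the transform
    (NONE / LOWER / UPPER) is applied. Unmatched identities pass through unchanged."""
    for _key, pattern, value, transform in mappings:
        match = pattern.fullmatch(identity)
        if match is None:
            continue
        mapped = value
        for i in range(len(match.groups()), 0, -1):  # reverse so $1 does not eat $10
            mapped = mapped.replace(f"${i}", match.group(i) or "")
        if transform == "LOWER":
            return mapped.lower()
        if transform == "UPPER":
            return mapped.upper()
        return mapped
    return identity


MAPPINGS = load_mappings(NIFI_PROPERTIES)

# Constructed result of a user-group-provider sync: the User Identity Attribute
# value exactly as the directory returned it (note the case) -> group names.
DIRECTORY_SYNC = {
    "User_Test": {"group_test"},
    "Svc_Admin": {"nifi_admins"},
}

# Constructed Ranger-style policy shaped like the one in the question.
RANGER_POLICIES = [
    {"name": "All-nifi-Resource", "resource": "*", "users": set(),
     "groups": {"group_test"}, "permissions": {"READ", "WRITE"}},
]


def groups_for(login_identity, directory, mappings):
    """Mirror how NiFi joins the login identity to provider groups: both sides go
    through identity mapping, then are compared as exact strings (case included)."""
    wanted = map_identity(login_identity, mappings)
    for raw_identity, groups in directory.items():
        if map_identity(raw_identity, mappings) == wanted:
            return set(groups)
    return set()  # this is the groups[none] seen in nifi-user.log


def is_authorized(login_identity, action, directory, policies, mappings):
    """Return (allowed, groups): allowed if any policy grants `action` to the
    mapped identity directly or to one of its resolved groups."""
    identity = map_identity(login_identity, mappings)
    groups = groups_for(login_identity, directory, mappings)
    for policy in policies:
        if action in policy["permissions"] and (
                identity in policy["users"] or groups & policy["groups"]):
            return True, groups
    return False, groups


if __name__ == "__main__":
    # Constructed node DN, in the shape of the masked DN in the question.
    node_dn = "CN=nifi-node1.example.com, O=Example Inc., L=City, ST=State, C=US"
    print("node identity:", map_identity(node_dn, MAPPINGS))
    print("no mappings:  ", is_authorized("user_test", "READ", DIRECTORY_SYNC, RANGER_POLICIES, []))
    print("with mappings:", is_authorized("user_test", "READ", DIRECTORY_SYNC, RANGER_POLICIES, MAPPINGS))
```

Without mappings the provider's "User_Test" never equals the Knox-supplied "user_test", so the user arrives at the authorizer with groups[none] and Ranger denies access even though the group policy is correct; with the LOWER transform applied to both sides, the group resolves and the same policy allows the request.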

Contributor

Hi @MattWho,

Thank you for your answer. The identification is done through Knox and I was wondering which config needs to be changed in my case?

[attachment: knox.png]

Contributor

Hi @MattWho,

In the case where Knox is used for authentication, what type of changes need to be done in order to take the AD group into account? I know that in Knox there is the topology where we can define the LDAP...

Thank you

Mentor

@Koffi 

Even if you have configured NiFi to use Knox for user authentication, you still need to configure NiFi's authorizers.xml to handle the authorization of the user successfully authenticated via Knox.

If you are looking to be able to authorize users based on AD groups that authenticated user is a member of, you will need to include the ldap-user-group-provider in your authorizers.xml configuration.


Matt
