Support Questions
Find answers, ask questions, and share your expertise

AD group not use while trying to connect to nifi



We have a multi host hadoop environment  that use HDP-3.0.1 with Nifi 1.7.0. The environment is Kerberised and we use ranger for the security, it is also connected to the LDAP/AD server for the user and groups.  


Whenever i try to connect to NIFI using a user_test i get the message : 

nifi_insificient permissions.png


The user_test is part of a group who has full access to nifi in ranger...

-Policy Name: All-nifi-Resource

-NIfi Resource Identifier: *

-Allow Conditions:

   -Select Group: group_test

   -Permissions: Read, Write


It seems that the AD group is not used when trying to connect in nifi (If i put the username user_test in the Select User section in Ranger it has access to nifi...). 


I have the following msg in the nifi-user.log:

2019-11-13 12:18:29,368 INFO [NiFi Web Server-65454] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=xx-xx-xx-xxXX.XxxXx.xx, O=XxxXx Inc., L=XXXX, ST=XXXX, C=XX
2019-11-13 12:18:33,097 INFO [NiFi Web Server-65454] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2019-11-13 12:18:33,136 INFO [NiFi Web Server-65286] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2019-11-13 12:18:33,151 INFO [NiFi Web Server-65436] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<Knox JWT token>) GET https://xx-xx-xx-xxXX.XxxXx.xx:xxxx/nifi-api/flow/current-user (source ip: XX.XXX.XXX.XXX)
2019-11-13 12:18:33,151 INFO [NiFi Web Server-65436] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for user_test
2019-11-13 12:12:32,122 INFO [NiFi Web Server-65436] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[user_test], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.


I am not sure why none appears and not group_test. Thank you in advance for your help on that subject.


Master Guru


There are limitations that Ranger puts on the client applications that use it.  Ranger requires that clients explicitly by user or group string what authorization policies have been assigned to that string.

The nifi-user.log output you provided indicates that NiFi is unaware of any groups being associated to the user "user_test".

AccessDeniedExceptionMapper identity[user_test], groups[none] 


The association between users and groups in NiFi is handled by the NiFi's authorizers.xml file.  NiFi must be able configured itself to sync users and groups from AD so that it can pole Ranger for your authenticated user and any known associated groups of that user.

The provider you would need to setup in your NiFi's authorizers.xml to sync users from your AD is the "ldap-user-group-provider".  At a minimum your authorizer would need to be configured to look like this:

        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN"></property>
        <property name="Manager Password"></property>

        <property name="TLS - Keystore"/>
        <property name="TLS - Keystore Password"/>
        <property name="TLS - Keystore Type"/>
        <property name="TLS - Truststore"/>
        <property name="TLS - Truststore Password"/>
        <property name="TLS - Truststore Type"/>
        <property name="TLS - Client Auth"/>
        <property name="TLS - Protocol"/>
        <property name="TLS - Shutdown Gracefully"/>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url"></property>
        <property name="Page Size">500</property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base"></property>
        <property name="User Object Class"></property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter"/>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"/>

        <property name="Group Search Base"></property>
        <property name="Group Object Class"></property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter"/>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"/>

           <property name="User Group Provider">ldap-user-group-provider</property>
            <property name="Ranger Audit Config Path">/<path to>/ranger-nifi-audit.xml</property>
            <property name="Ranger Security Config Path">/path to>/ranger-nifi-security.xml</property>
            <property name="Ranger Service Type">nifi</property>
            <property name="Ranger Application Id">nifi</property>
            <property name="Ranger Admin Identity" />
            <property name="Ranger Kerberos Enabled">false</property>

Also keep in mind that the resulting user string returned by the NiFi Login provider must match EXACTLY to with the user string returned by the ldap-user-group-provider and what is found in Ranger. This includes case.

If some trimming or normalization is required, you are going to need to use NiFi identity mapping patterns to do so.  These would be configured in the file.

Hope this helps,



Hi @MattWho,

Thank you for your answer, the identification is done through knox and i was wondering which config need to be changed in my case?





Hi @MattWho,

In the case where knox is used for the authentification what type of changes need to be done in order to take into account the ad group? I know that in knox there is the topology where we can define the ldap...

Thank you

Master Guru



Even if you have configured NiFi to use Knox for user authentication, you still need to configure NiFi's authorizers.xml to hand the authorization of the successfully authenticated user via knox.

If you are looking to be able to authorize users based on AD groups that authenticated user is a member of, you will need to include the ldap-user-group-provider in your authorizers.xml configuration.



; ;