Created 03-09-2017 04:48 PM
Fairly simple issue:
I have a 3 node clustered NiFi secured with the ranger plugin (all kerborised). I've created a very simple flow for some testing, but when I query provenance I see no results.
I've added my AD principal into the default all resources policy ('*') within ranger. I've also created an 'Administrator' policy where I've added as many combinations of permission's I could come up with, all without any luck.
Any suggestion's? Thanks in advance
Created 03-09-2017 05:06 PM
Lets assume you have Node A, Node B, and Node C in your NiFi cluster.
Now your AD user is logged into Node A and runs a provenance query. That provenance query is propagated to all other nodes (A, B, and C) by Node A. Each node runs the query which may return 0 to many results (Actually looking in the nifi-app.log of each node will show a log line that indicates the number of returned results) All those results are returned to the node A where your user is logged in for display in the provenance UI. Node A upon receiving these events will check to see which results Node A is allowed to access to. In you case your user has access to the data but your nodes do not.
The nodes must be granted the access to the data of the component(s) the provenance results belong to. Generally speaking you set data access policies at the process group level and all components and process groups contained within the process group inherit those parent access policies.
For you, you will need the UUID of your root process group. Then in ranger you would add a new policy that grants all your nodes access to "/data/process-group/<uuid of root process group>" resource. After doing so, try running your query again and you should see results.
You should already have an existing policy in Ranger which grants all your nodes the /proxy resource.
Thanks,
Matt
Created 03-09-2017 05:06 PM
Lets assume you have Node A, Node B, and Node C in your NiFi cluster.
Now your AD user is logged into Node A and runs a provenance query. That provenance query is propagated to all other nodes (A, B, and C) by Node A. Each node runs the query which may return 0 to many results (Actually looking in the nifi-app.log of each node will show a log line that indicates the number of returned results) All those results are returned to the node A where your user is logged in for display in the provenance UI. Node A upon receiving these events will check to see which results Node A is allowed to access to. In you case your user has access to the data but your nodes do not.
The nodes must be granted the access to the data of the component(s) the provenance results belong to. Generally speaking you set data access policies at the process group level and all components and process groups contained within the process group inherit those parent access policies.
For you, you will need the UUID of your root process group. Then in ranger you would add a new policy that grants all your nodes access to "/data/process-group/<uuid of root process group>" resource. After doing so, try running your query again and you should see results.
You should already have an existing policy in Ranger which grants all your nodes the /proxy resource.
Thanks,
Matt