
Could not login Nifi using user of define group on Flow policies

New Contributor

We have a development cluster consisting of CDP 7.1.6 with NiFi 1.13.2. The environment is Kerberised, uses Ranger for security, and is connected to the AD server through the sssd service.

We have already set up the Flow policies in Ranger by defining users and groups that exist in Ranger.

When we try to access the NiFi UI with a user defined under Users of the Flow policies, it works properly. But when logging in with a user defined under the Groups of the Flow policies, it gives the error message: “INFO [NiFi Web Server-225822] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[18330301], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.” NiFi could not identify this user's group.

Could you please advise how to resolve this issue, so NiFi can give access to this user, which is defined in the Groups of the Flow policies? Thank you in advance for your help.


Master Guru

Hello @edoS

Welcome to the community!

NiFi provides so many options for user authentication and authorization that setting up exactly what you need can be overwhelming at times.

This is certainly something Cloudera support could walk you through if you have a support contract with us that covers the NiFi service.

At a high level, here is what you need to understand about the authentication and authorization process in NiFi.

  1. Authentication happens first and must be successful before any authorization is verified. NiFi supports numerous ways to authenticate users/clients (TLS, Kerberos, LDAP, OpenID, etc.). No matter which method is used, the end result of any authentication is a user string that identifies the successfully authenticated user/client.
  2. That user string is then evaluated against the identity mappings [1] you may have configured in the nifi.properties file. These identity mappings are used to normalize the user strings, for example:
    1. Trim the CN from the full DN in a user/client certificate
    2. Trim the user name from a Kerberos principal
    3. Convert the user string to all uppercase or lowercase
  3. The resulting user/client string is then passed to the authorizer to verify that the user/client is authorized for the NiFi Resource Identifier being requested. NiFi's authorizers.xml is where this configuration is set up. This file is easiest to read from the bottom up.
  4. At the bottom of the authorizers.xml you will find your authorizer, which you have set up as the "Ranger-Provider". It is important to understand how this authorizer works. NiFi runs a background thread that checks in with Ranger to see if there is a new policy definition for the NiFi service. If so, the new definition is downloaded by NiFi. What Ranger provides to NiFi in this downloaded policy definition are all the policies set up in Ranger. For each there will be the "NiFi Resource Identifier(s)" along with the user strings and group strings that have been assigned "Read" and/or "Write" permissions. Now remember, up to this point all NiFi knows about the authenticated user is the user string. NiFi has no idea yet what groups that user string may belong to. Within the Ranger-Provider, you will find a property named "User Group Provider". The value set here tells the authorizer where to check to see if the user string passed from authentication has any known user to group associations.
  5. Search your authorizers.xml for the configured User Group Provider [2]. There are numerous options that can be configured for determining user to group associations. Some of the available providers allow you to configure multiple providers. While the authorizer "ranger-provider" can only point at 1, it may point at a "composite-configurable-user-group-provider" [3], for example, that can be set up to reference multiple user-group-providers. The key here is making sure you have added 1 or more user group providers that will return all the user to group associations you need. Based on the log output you shared from the nifi-user.log, we know that none of the user group providers you may have set up returned any group strings associated to your user string (identity[18330301], groups[]). This is why "groups[]" is empty.
  6. The "file-user-group-provider" [4] allows you to create user string to group string associations manually via the NiFi UI directly. The commonly used "ldap-user-group-provider" [5] determines user and group associations via user and/or group syncs with LDAP/AD.
  7. Now that NiFi knows what groups the authenticated user string is associated with, the user and the groups can be checked against the downloaded policies to see if the user is authorized for the action being performed or the end-point being accessed.


[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-implementations
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider
[5] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider


If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt
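Added example (not part of Matt's reply or the NiFi documentation): an authorizers.xml fragment wiring steps 4 to 6 of the reply together, so that the ranger-provider receives AD group membership for the authenticated user string instead of groups[]. The LDAP URL, DNs, attribute names, truststore path, passwords and Ranger config paths are placeholder assumptions; on CDP this file is typically generated by Cloudera Manager from the NiFi service settings, so the equivalent values go there rather than into a hand-edited file.

```xml
<authorizers>
    <!-- Pulls user and group membership from AD over LDAPS (assumed URL, DNs and attributes) -->
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">CN=nifi-svc,OU=Service Accounts,DC=example,DC=com</property>
        <property name="Manager Password">REPLACE_ME</property>
        <property name="TLS - Truststore">/path/to/truststore.jks</property>
        <property name="TLS - Truststore Password">REPLACE_ME</property>
        <property name="Url">ldaps://ad.example.com:636</property>
        <property name="User Search Base">OU=Users,DC=example,DC=com</property>
        <property name="User Object Class">user</property>
        <property name="User Search Scope">SUBTREE</property>
        <!-- Must yield exactly the user string NiFi logs after identity mapping, e.g. 18330301 -->
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="Group Search Base">OU=Groups,DC=example,DC=com</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <!-- The group string returned here must match the group name used in the Ranger policy -->
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
    </userGroupProvider>

    <!-- Users/groups created manually in the NiFi UI; merged with the LDAP results below -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <!-- Groups come only from this provider; a provider with no AD sync yields groups[] -->
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Ranger Audit Config Path">/path/to/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">/path/to/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Kerberos Enabled">true</property>
    </authorizer>
</authorizers>
```

The check to run after a sync: the identity returned by "User Identity Attribute" must equal the mapped user string character for character (case included, unless an identity mapping transform normalizes it), and the value of "Group Name Attribute" must equal the group name in the Ranger policy, otherwise the log line keeps showing groups[].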
