We have installed NiFi in an HDP cluster with security enabled, i.e. SSL enabled and integrated with LDAP.
Now we are working on Ranger integration with NiFi. We created a policy for NiFi in Ranger, but while testing we are getting an error.
When we tried from the server using a curl command, we are getting an error.
Command we are running: curl -k -X GET 'https://<hostname>:9995/nifi-api/resources'
ERROR: Not authorized for the requested resource. Contact the system administrator
Your curl command is not passing any user info for authorization in it.
If you extract your certificate from the keystore set up in Ranger, your curl command would look something like:
curl -kv --cert <client user>:<cert password> https://<hostname>:9995/nifi-api/resources
I am assuming you have set up NiFi in your Ranger "Service Manager". The "Config properties:" for that service in Ranger requires you to provide a NiFi URL, keystore, truststore, etc.
When you click "Test Connection", I am guessing you are getting a not authorized response?
So the client certificate from the supplied keystore is being sent to NiFi for authentication. If NiFi mutual trust (NiFi trusts client cert and Ranger trusts NiFi server cert) is successful, NiFi then tries to communicate with Ranger to verify if that "client user" is authorized to access the /nifi-api/resources endpoint.
You should have a Ranger Policy within the NiFi service that grants the "client user" here "read" permissions to the "/resources" NiFi Resource Identifier.
Note that with a NiFi cluster, all the NiFi nodes will need to be authorized as well for the "/proxy" NiFi Resource Identifier.
Hope this helps,
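
An added example, not part of the original answer and not NiFi or Ranger project code: the keystore-to-curl procedure described above as shell functions. It also prints the certificate's subject DN, since NiFi uses that DN (before any identity mapping) as the user the Ranger policy has to name. The file names, the PKCS12 intermediate step, and the use of a CA file in place of -k are assumptions.

```shell
#!/bin/sh
# Added example. File names and the PKCS12 intermediate are assumptions, not from the thread.
umask 077   # the exported private key is written unencrypted; keep it owner-only

# Convert the JKS keystore ($1) to PKCS12 and split it into PEM files in directory $2.
# keytool and openssl prompt for the passwords, so they never appear in argv.
export_client_pem() {
    keytool -importkeystore -srckeystore "$1" \
        -destkeystore "$2/client.p12" -deststoretype PKCS12 &&
    openssl pkcs12 -in "$2/client.p12" -clcerts -nokeys -out "$2/client.crt" &&
    openssl pkcs12 -in "$2/client.p12" -nocerts -nodes -out "$2/client.key"
}

# Print the subject DN of PEM certificate $1 in RFC 2253 form.
# Compare it with the user named in the Ranger policy for "/resources".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if certificate $1 is still valid $2 seconds from now (default 0).
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Request /nifi-api/resources on host $4 with client cert $1 and key $2,
# verifying the NiFi server certificate against CA file $3 instead of using -k.
# Prints only the HTTP status code.
nifi_resources_status() {
    curl -sS -o /dev/null -w '%{http_code}' \
        --cert "$1" --key "$2" --cacert "$3" \
        "https://$4:9995/nifi-api/resources"
}

# Typical order (placeholders, run by hand):
#   export_client_pem <keystore.jks> <outdir>
#   cert_subject <outdir>/client.crt
#   cert_is_current <outdir>/client.crt
#   nifi_resources_status <outdir>/client.crt <outdir>/client.key <ca.pem> <hostname>
```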