How to enable LDAP Group Authorization for Nifi in Ranger?

New Contributor

Users in a group are not authorized to access the NiFi UI if a policy is defined for an LDAP group in Ranger. Specifying the user works without any issues.

5 REPLIES

Re: How to enable LDAP Group Authorization for Nifi in Ranger?

Super Guru

Is there a question here?

Re: How to enable LDAP Group Authorization for Nifi in Ranger?

This is currently a known limitation in the way groups work between NiFi and Ranger. When NiFi is using an external authorizer it only knows the user's identity string and defers everything else to the external authorizer (Ranger), but Ranger needs systems to pass the user's groups on the authorization request so that it can evaluate the request with the groups against the local policy cache.

Re: How to enable LDAP Group Authorization for Nifi in Ranger?

New Contributor

Why can't Ranger query the LDAP to know a user's group? Why would it expect group info to be passed? A Lazy Ranger, Indeed. @Bryan Bende @Balaji Ganesula

Re: How to enable LDAP Group Authorization for Nifi in Ranger?

This support should be added on the NiFi side. I think this is already in the plan for the next HDF release, and I see the below are already in the NiFi repo.

https://issues.apache.org/jira/browse/NIFI-3653

https://issues.apache.org/jira/browse/NIFI-4032

Re: How to enable LDAP Group Authorization for Nifi in Ranger?

Guru

Just wanted to close the loop on this issue, as LDAP-group-based policies are supported. This functionality is in NiFi 1.4.0 and HDF 3.1.1 (NiFi 1.5.0 component):

https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/ch05s04.html
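The behaviour discussed in this thread, as an added example that is not part of the original posts and is not NiFi or Ranger code: a simplified model of an authorizer that decides only from the request and a local policy cache, so a group policy matches only when the caller passes the user's groups. All names, the `/flow` resource, the users and the group memberships are constructed for illustration.

```python
# Simplified model of the request flow described in the thread.
# Hypothetical names throughout; this is not the NiFi or Ranger API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    groups: frozenset = frozenset()  # empty when only the identity is sent


def is_allowed(policy_cache, req):
    """Decide from the request and the local policy cache only (no LDAP lookup)."""
    for p in policy_cache:
        if p.resource != req.resource or p.action != req.action:
            continue
        if req.user in p.users or p.groups & req.groups:
            return True
    return False  # default deny when no policy matches


# Constructed sample data: directory memberships and two policies.
LDAP_MEMBERSHIP = {"alice": {"nifi-admins"}, "bob": {"analysts"}, "carol": set()}
POLICY_CACHE = [
    Policy("/flow", "READ", groups=frozenset({"nifi-admins"})),  # group policy
    Policy("/flow", "READ", users=frozenset({"bob"})),           # user policy
]


def request_identity_only(user, resource, action):
    """Caller knows only the identity string, as in the reported behaviour."""
    return AccessRequest(user, resource, action)


def request_with_groups(user, resource, action, directory=LDAP_MEMBERSHIP):
    """Caller resolves groups first and passes them on the request."""
    return AccessRequest(user, resource, action, frozenset(directory.get(user, ())))


if __name__ == "__main__":
    for user in LDAP_MEMBERSHIP:
        before = is_allowed(POLICY_CACHE, request_identity_only(user, "/flow", "READ"))
        after = is_allowed(POLICY_CACHE, request_with_groups(user, "/flow", "READ"))
        print(f"{user}: identity-only={before} with-groups={after}")
```

When checking a deployment, the same distinction applies: a user-level policy matching while a group-level policy does not points to groups missing from the authorization request rather than to a wrong policy definition.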