Support Questions
Find answers, ask questions, and share your expertise

How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Expert Contributor

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test Nifi authorization through Ranger and running into an issue where the user name seems to not matching correctly.

Here is my setup

  • HDF 2.1.1.0, Nifi 1.1.0 and Ranger 0.6.2
  • Cluster installed with all HDF components except Storm and kafka
  • Cluster Kerberized with MIT KDC
  • Credentials in OpenLDAP
  • Ranger sync with OpenLDAP
  • Ranger Nifi policy created for a user with all permissions.

12089-screen-shot-2017-02-03-at-122526-pm.png

I could get to Nifi login page and login with the credentials from OpenLDAP, but then it complains about not have enough access

12090-screen-shot-2017-02-03-at-122648-pm.png

Looking at the audit log, the user name get logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin, it seems the KDC principal name get used here

12121-screen-shot-2017-02-03-at-122538-pm.png

I haven't setup identity mapping and the values are empty now.

12122-screen-shot-2017-02-03-at-123046-pm.png

What values should I use to get the username mapped correctly?

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

View solution in original post

3 REPLIES 3

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

View solution in original post

You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the shortname:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-... and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

Expert Contributor

So here are the values that work in my environment

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also in Ranger the Nifi nodes need to be added as internal user and create policy for them to access proxy, flow and data