How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Expert Contributor

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test Nifi authorization through Ranger and am running into an issue where the user name does not seem to be matching correctly.

Here is my setup

  • HDF 2.1.1.0, Nifi 1.1.0 and Ranger 0.6.2
  • Cluster installed with all HDF components except Storm and kafka
  • Cluster Kerberized with MIT KDC
  • Credentials in OpenLDAP
  • Ranger sync with OpenLDAP
  • Ranger Nifi policy created for a user with all permissions.


I could get to the Nifi login page and log in with the credentials from OpenLDAP, but then it complains about not having enough access.


Looking at the audit log, the user name that gets logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin; it seems the KDC principal name gets used here.


I haven't set up identity mapping and the values are empty now.


What values should I use to get the username mapped correctly?

Thanks,

Accepted Solution

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the shortname:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-... and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

Re: How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Expert Contributor

So here are the values that work in my environment:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also, in Ranger the Nifi nodes need to be added as internal users, and policies created for them to access proxy, flow and data.
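To make the mapping behaviour from the accepted answer and the working values above concrete, here is an added example (not NiFi's own code, and not from any poster) that reads the thread's four identity-mapping properties and applies them the way the answer describes: the first pattern (in key order) that matches the whole identity wins, and `$N` in the value is replaced by capture group N. It assumes a mapping must match the entire identity and that an identity matching no pattern is passed through unchanged, which is exactly the case in the original question (no mappings configured, so Ranger saw the full principal).

```python
import re

# nifi.properties fragment constructed from the values quoted in this thread.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""

PREFIX = "nifi.security.identity.mapping."


def load_mappings(properties_text):
    """Pair each pattern.<key> with its value.<key>; return [(key, regex, value)] sorted by key."""
    patterns, values = {}, {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith(PREFIX):
            continue
        name, _, raw = line.partition("=")
        kind, _, key = name[len(PREFIX):].strip().partition(".")
        (patterns if kind == "pattern" else values)[key] = raw.strip()
    # A pattern without a matching value property is ignored.
    return [(k, re.compile(patterns[k]), values[k]) for k in sorted(patterns) if k in values]


def map_identity(identity, mappings):
    """Apply the first mapping whose pattern matches the whole identity (assumption: full match).

    An identity that matches no pattern is returned unchanged, so without mappings a Kerberos
    principal reaches Ranger as user@REALM, which is the symptom in the original question.
    """
    for _key, pattern, value in mappings:
        m = pattern.fullmatch(identity)
        if m:
            # Expand Java-style $1, $2, ... placeholders from the capture groups.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
    return identity


if __name__ == "__main__":
    mappings = load_mappings(NIFI_PROPERTIES)
    for ident in ("hadoopadmin@FIELD.HORTONWORKS.COM",  # principal -> short name
                  "CN=nifi-node1.example.com, OU=NIFI",  # node cert DN -> CN
                  "CN=nifi-node1,OU=NIFI"):              # no space after comma: unmatched
        print(f"{ident!r} -> {map_identity(ident, mappings)!r}")
```

The third sample shows a pitfall of the DN pattern from the last post: a DN whose separator is "," rather than ", " does not match, so the node is authorized (or denied) under its full DN.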