Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Labels:
avatar
author-rank qiwang
Master Collaborator

Created on ‎02-03-2017 05:32 PM - edited ‎08-18-2019 05:02 AM

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test Nifi authorization through Ranger and running into an issue where the user name seems to not matching correctly.

Here is my setup

  • HDF 2.1.1.0, Nifi 1.1.0 and Ranger 0.6.2
  • Cluster installed with all HDF components except Storm and kafka
  • Cluster Kerberized with MIT KDC
  • Credentials in OpenLDAP
  • Ranger sync with OpenLDAP
  • Ranger Nifi policy created for a user with all permissions.

12089-screen-shot-2017-02-03-at-122526-pm.png

I could get to Nifi login page and login with the credentials from OpenLDAP, but then it complains about not have enough access

12090-screen-shot-2017-02-03-at-122648-pm.png

Looking at the audit log, the user name get logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin, it seems the KDC principal name get used here

12121-screen-shot-2017-02-03-at-122538-pm.png

I haven't setup identity mapping and the values are empty now.

12122-screen-shot-2017-02-03-at-123046-pm.png

What values should I use to get the username mapped correctly?

Thanks,

1,869 Views
1 ACCEPTED SOLUTION

avatar
author-rank bbende author-rank
Master Guru

Created ‎02-03-2017 05:42 PM

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

View solution in original post

1,675 Views
3 REPLIES 3

avatar
author-rank bbende author-rank
Master Guru

Created ‎02-03-2017 05:42 PM

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

1,676 Views

avatar
author-rank slachterman
Guru

Created ‎02-03-2017 05:53 PM

You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the shortname:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-... and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

1,675 Views

avatar
author-rank qiwang
Master Collaborator

Created ‎02-03-2017 06:53 PM

So here are the values that work in my environment

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also in Ranger the Nifi nodes need to be added as internal user and create policy for them to access proxy, flow and data

1,675 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements