
How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Master Collaborator

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test Nifi authorization through Ranger and am running into an issue where the user name does not seem to be matching correctly.

Here is my setup

  • HDF 2.1.1.0, Nifi 1.1.0 and Ranger 0.6.2
  • Cluster installed with all HDF components except Storm and kafka
  • Cluster Kerberized with MIT KDC
  • Credentials in OpenLDAP
  • Ranger sync with OpenLDAP
  • Ranger Nifi policy created for a user with all permissions.

[screenshot: 12089-screen-shot-2017-02-03-at-122526-pm.png]

I could get to the Nifi login page and log in with the credentials from OpenLDAP, but then it complains about not having enough access.

[screenshot: 12090-screen-shot-2017-02-03-at-122648-pm.png]

Looking at the audit log, the user name that gets logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin; it seems the KDC principal name gets used here.

[screenshot: 12121-screen-shot-2017-02-03-at-122538-pm.png]

I haven't set up identity mapping and the values are empty now.

[screenshot: 12122-screen-shot-2017-02-03-at-123046-pm.png]

What values should I use to get the username mapped correctly?

Thanks,

1 ACCEPTED SOLUTION

Master Guru

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties




You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the shortname:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-... and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

Master Collaborator

So here are the values that work in my environment

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also, in Ranger the Nifi nodes need to be added as internal users, and a policy created for them to access proxy, flow and data.
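To make concrete what the pattern/value pairs in the accepted answer and in the working configuration above actually do to an identity before it reaches Ranger, here is an added Python model of the mapping step. It is not NiFi's code and was not posted by anyone in this thread; it assumes that mappings are evaluated in key order, that the first pattern matching the whole identity wins, and that an identity no pattern matches is passed through unchanged (the behaviour the linked admin guide describes). The node certificate DN `CN=nifi-node1, OU=NIFI` and the set of Ranger-synced user names are constructed sample values.

```python
import re

# Constructed copy of the nifi.properties lines the original poster reported
# working, embedded so the example runs offline.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1
"""

PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."


def parse_properties(text):
    """Minimal Java-properties reader: the first '=' splits key and value,
    '#' lines are comments. The regex values themselves contain '=' and '$',
    which is why only the first '=' may split."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_mappings(props):
    """Pair every pattern.<name> with its value.<name>, compiled, in key order."""
    mappings = []
    for key in sorted(props):
        if not key.startswith(PATTERN_PREFIX):
            continue
        name = key[len(PATTERN_PREFIX):]
        template = props.get(VALUE_PREFIX + name)
        if template is None:
            raise ValueError(f"pattern '{name}' has no matching value property")
        mappings.append((name, re.compile(props[key]), template))
    return mappings


def map_identity(identity, mappings):
    """Return (mapped_identity, mapping_name); the first whole-string match wins.

    An identity matching no pattern is returned unchanged with name None
    (assumed here from the admin guide, not verified against NiFi source).
    """
    for name, pattern, template in mappings:
        match = pattern.fullmatch(identity)
        if match is None:
            continue
        # Expand $1, $2, ... in the value template with the capture groups.
        mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
        return mapped, name
    return identity, None


def ranger_user_for(identity, mappings, ranger_users):
    """Model the check that failed in the thread: is the identity NiFi hands to
    Ranger one of the user names Ranger synced from LDAP? None means no policy
    written for a synced user can apply to this identity."""
    mapped, _ = map_identity(identity, mappings)
    return mapped if mapped in ranger_users else None


if __name__ == "__main__":
    mappings = load_mappings(parse_properties(NIFI_PROPERTIES))
    synced = {"hadoopadmin", "nifi-node1"}  # constructed LDAP sync result
    for ident in ("hadoopadmin@FIELD.HORTONWORKS.COM",  # principal from the audit log
                  "CN=nifi-node1, OU=NIFI",             # constructed node certificate DN
                  "hadoopadmin"):                       # already short: passes through
        print(ident, "->", map_identity(ident, mappings),
              "ranger user:", ranger_user_for(ident, mappings, synced))
```

Run with an empty `NIFI_PROPERTIES` and `ranger_user_for` returns None for the principal, which is the situation in the audit screenshot: Ranger was asked about `hadoopadmin@FIELD.HORTONWORKS.COM`, a name its LDAP sync never produced, so the policy for `hadoopadmin` could not apply. With the two pairs configured, both the Kerberos principal and a node's certificate DN collapse to short names, and those short names must exist in Ranger, which is the point of the last reply about adding the Nifi nodes as internal users.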