
How to use Ranger to authorize access for Nifi with OpenLDAP backend and Identity mapping

Master Collaborator

I have a test environment with OpenLDAP and MIT KDC as backend directory services. I tried to use it to test NiFi authorization through Ranger and ran into an issue where the user name does not seem to match correctly.

Here is my setup:

  • HDF 2.1.1.0, NiFi 1.1.0 and Ranger 0.6.2
  • Cluster installed with all HDF components except Storm and Kafka
  • Cluster Kerberized with MIT KDC
  • Credentials in OpenLDAP
  • Ranger sync with OpenLDAP
  • Ranger NiFi policy created for a user with all permissions.


I could get to the NiFi login page and log in with the credentials from OpenLDAP, but then it complains about not having enough access.


Looking at the audit log, the user name that gets logged in Ranger is hadoopadmin@FIELD.HORTONWORKS.COM rather than hadoopadmin; it seems the KDC principal name gets used here.


I haven't set up identity mapping, and the values are empty now.


What values should I use to get the username mapped correctly?

Thanks,

1 ACCEPTED SOLUTION

Master Guru

The identity mappings in NiFi use regular expressions with capture groups, so you could do:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb=$1

That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM.

Then the value property says use group 1 as the actual identity.

The NiFi admin guide has a description:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties


3 REPLIES



You can use the following for the Kerberos identity mapping, if you want the principal to be mapped to just the short name:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1

See https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.0/bk_administration/content/identity-mapping-... and https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html

Master Collaborator

So here are the values that work in my environment:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.kerb=$1

Also, in Ranger the NiFi nodes need to be added as internal users, and a policy created for them to access proxy, flow and data.