
Mapping kerberos pattern for NiFi

Expert Contributor

Depending on the user's configuration on their computer, when trying to log in to NiFi they either come in as <username> or <username>@<realm>. If the user comes in as <username>@<realm>, for NiFi I have to add them as this user in Ranger instead of their normal username, and then give permissions on <username>@<realm>. This makes permissions difficult to manage.

In NiFi's configuration, I have nifi.security.identity.mapping.pattern.kerb set to `EMAILADDRESS=(.*?), CN=([^@]+)` and nifi.security.identity.mapping.value.kerb set to `$2`. I thought this should match up to the `@` sign so only the username would be passed to NiFi for authentication but this doesn't seem to be the case. What's going on here?

1 ACCEPTED SOLUTION

Super Mentor

@Josh Nicholson

When using the kerberos-provider via the login-identity-providers.xml file, the user's full Kerberos principal is going to be used every time. You can ignore the "default realm" property in the kerberos-provider provider (NiFi's code does not actually use it right now --> https://jira.apache.org/jira/browse/NIFI-6224 )

So when a user enters a username that does not include the "@<realm>" portion, the default realm as configured in the krb5.conf file configured in the nifi.properties file is used.


That full DN is then passed through your configured identity.mapping.patterns.
This means you need to have a pattern that matches on:

`^(.*?)@(.*?)$`

And a resulting value of:

`$1`

so that only the username portion is then passed on to your configured authorizer.


In the case of some users coming in with just a username and others with full principal names... Those users coming in with just usernames must not be being authenticated using the login provider. Even with a login provider configured, the default TLS/SSL authentication is attempted first. So if these users have a trusted client certificate loaded in their browser, it will be presented for authentication to your NiFi and those users will never see the login window. From a user certificate the full DN will be used to identify the user. That full DN is likely matching on your existing mapping pattern, resulting in just the username you are seeing.


So it is important that you not remove this existing mapping pattern, but instead add a second.

`nifi.security.identity.mapping.pattern.<any string>`
`nifi.security.identity.mapping.value.<any string>`


Patterns are searched in alphanumeric order. The first matching regex will be applied.


Thank you,

Matt
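The lookup order described in the answer above, as an added Python example (not NiFi's code and not part of the original post): it loads the question's certificate-DN mapping plus the second mapping from the answer, sorts them by key, and applies the first pattern that matches. The `kerb2` suffix, the sample identities and the whole-string matching behaviour are assumptions made for the illustration.

```python
import re

# Constructed nifi.properties entries: the question's certificate-DN mapping
# plus the second mapping from the answer. "kerb2" is a hypothetical suffix.
PROPS = {
    "nifi.security.identity.mapping.pattern.kerb": r"EMAILADDRESS=(.*?), CN=([^@]+)",
    "nifi.security.identity.mapping.value.kerb": "$2",
    "nifi.security.identity.mapping.pattern.kerb2": r"^(.*?)@(.*?)$",
    "nifi.security.identity.mapping.value.kerb2": "$1",
}
PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."


def load_mappings(props):
    """Return (suffix, compiled pattern, value) tuples in sorted key order."""
    mappings = []
    for key in sorted(props):
        if key.startswith(PATTERN_PREFIX):
            suffix = key[len(PATTERN_PREFIX):]
            value = props[VALUE_PREFIX + suffix]
            mappings.append((suffix, re.compile(props[key]), value))
    return mappings


def map_identity(identity, mappings):
    """Apply the first pattern that matches the whole identity string."""
    for suffix, pattern, value in mappings:
        match = pattern.fullmatch(identity)  # assumption: whole-string match
        if match:
            # Translate Java-style $N group references into Python's \g<N>.
            template = re.sub(r"\$(\d+)", r"\\g<\1>", value)
            return suffix, match.expand(template)
    return None, identity  # no pattern matched: identity passes through as-is


MAPPINGS = load_mappings(PROPS)

if __name__ == "__main__":
    # Constructed identities: a client-certificate DN, a Kerberos principal,
    # a principal from another realm, and a bare username.
    for sample in ("EMAILADDRESS=jdoe@example.com, CN=jdoe",
                   "jdoe@EXAMPLE.COM", "jdoe@OTHER.REALM", "jdoe"):
        print(f"{sample!r} -> {map_identity(sample, MAPPINGS)}")
```

Because `^(.*?)@(.*?)$` discards the realm, principals from any realm map to the same authorizer identity; the Ranger policies for that name apply to all of them.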


5 REPLIES

Super Mentor

@Josh Nicholson

I am assuming you are using ldap-provider for user authentication?

If so, what value do you have assigned to the following property in your login-identity-providers.xml file:

<property name="Identity Strategy"></property>

I suspect you may have this set to USE_USERNAME?

If so, upon successful authentication of the user, the username entered by the user on the login screen is going to be passed through the mapping patterns and the result sent to Ranger for authorization verification rather than the LDAP entry DN.

Thanks,

Matt


If you found this Answer addressed your original question, please take a moment to log in and click "Accept" below the answer.

Expert Contributor

@Matt Clarke

I actually have it set to `USE_DN`, but have nifi.security.user.login.identity.provider set to `kerberos-provider`. LDAP provider is commented out in that file.

Super Mentor

@Josh Nicholson

Your regex looks correct. The question is what is actually coming back and being passed to that regex. Have you looked at the authentication output logged in the nifi-user.log? What is logged when one of these users logs in to NiFi?

Explorer


Hi Josh,

I faced the same error like you some days ago and I would say if you set the next two nifi parameters it should work (please, let me know if that works for you as well):

[Image: 108488-1557171004960.png]