Missing Nifi Group

New Contributor

Hi,

I have set up NiFi (CFM 2.1.6.0-323) on our existing Cloudera Private Cloud Base cluster.

I have set up NiFi with LDAP and Ranger.
Unfortunately, during the initial installation an error occurs saying that the NiFi group is missing.

As soon as I create the NiFi group manually in Ranger, the installation works without errors.

Have any of you ever had the same error?

<authorizers>

<userGroupProvider>
<identifier>cm-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CMUserGroupProvider</class>
<property name="Knox Nodes Properties Location">/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/knox-conf/knox-gateway.properties</property>
<property name="NiFi Registry Nodes Properties Location">/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/nifiregistry-conf/peer.properties</property>
<property name="NiFi Group">nifi</property>
<property name="Infer Unqualified Hostnames">false</property>
<property name="NiFi Nodes Properties Location">/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/nifinode-conf/peer.properties</property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
<property name="User Group Provider 1">ldap-user-group-provider</property>
<property name="User Group Provider 2">cm-user-group-provider</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Connect Timeout">10 secs</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="User Identity Attribute">cn</property>
<property name="Group Name Attribute">cn</property>
<property name="User Search Scope">SUBTREE</property>
<property name="Group Object Class">group</property>
<property name="Url">ldaps://</property>
<property name="TLS - Keystore Type"></property>
<property name="User Search Base">ou=Benutzerkonten,dc=bk,dc=datev,dc=de</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="Authentication Strategy">LDAPS</property>
<property name="Group Search Base">OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
<property name="Group Member Attribute">member</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Truststore"></property>
<property name="Group Search Scope">SUBTREE</property>
<property encryption="aes/gcm/256" name="Manager Password">password</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="TLS - Truststore Password"></property>
<property name="User Object Class">user</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Page Size">1000</property>
<property name="Read Timeout">10 secs</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Sync Interval">30 mins</property>
<property name="Manager DN">cn=TU10690,OU=Benutzerkonten,DC=bk,DC=datev,DC=de</property>
<property name="User Search Filter">(&amp;(objectClass=user)(|(memberOf=CN=HDP01-L-Admins,OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de)(memberOf=CN=HDP01-L-Access,OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de)))</property>
<property name="TLS - Truststore Type"></property>
<property name="Group Search Filter"></property>
</userGroupProvider>

<authorizer>
<identifier>ranger-provider</identifier>
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
<classpath>/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/hadoop-conf</classpath>
<property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Ranger Admin Identity">....</property>
<property name="Ranger Service Type">NIFI</property>
<property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/33235-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
<property name="Ranger Application Id">CDPLAB_nifi</property>
<property name="Ranger Kerberos Enabled">true</property>
</authorizer>
</authorizers>

1 ACCEPTED SOLUTION

Super Collaborator

Hi @schrippe, can you please run the ldapsearch command on this particular OU, "OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de", and check whether you get your missing group there or not? It could be that the group is present at a different OU level.

This is your Group Search Base config, "OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de", so run the ldapsearch and verify the output.
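
The check suggested in this answer, as an added example that is not part of the original thread: it reads the `NiFi Group` name and the LDAP group search settings from authorizers.xml, builds the matching ldapsearch command, and tests the LDIF output for an entry. The LDAP host, the function names and the embedded sample are assumptions; the DNs and property names are the ones in the post.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed excerpt: property names and DNs are the ones in the post above;
# the LDAP host is a placeholder because the post shows only "ldaps://".
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>cm-user-group-provider</identifier>
    <property name="NiFi Group">nifi</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <property name="Url">ldaps://ldap.example.invalid:636</property>
    <property name="Manager DN">cn=TU10690,OU=Benutzerkonten,DC=bk,DC=datev,DC=de</property>
    <property name="Group Search Base">OU=Zentral,OU=Gruppen,DC=bk,DC=datev,DC=de</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Object Class">group</property>
    <property name="Group Name Attribute">cn</property>
  </userGroupProvider>
</authorizers>"""
SCOPES = {"OBJECT": "base", "ONE_LEVEL": "one", "SUBTREE": "sub"}  # NiFi scope -> ldapsearch -s

def provider_props(xml_text, identifier):
    """Return {property name: value} for the userGroupProvider with this identifier."""
    for p in ET.fromstring(xml_text).iter("userGroupProvider"):
        if p.findtext("identifier") == identifier:
            return {e.get("name"): (e.text or "").strip() for e in p.iter("property")}
    raise KeyError(identifier)

def escape_filter(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def group_search_argv(xml_text):
    """ldapsearch argv that looks for the CM 'NiFi Group' under the LDAP Group Search Base."""
    group = provider_props(xml_text, "cm-user-group-provider")["NiFi Group"]
    ldap = provider_props(xml_text, "ldap-user-group-provider")
    flt = "(&(objectClass=%s)(%s=%s))" % (
        ldap["Group Object Class"], ldap["Group Name Attribute"], escape_filter(group))
    return ["ldapsearch", "-x", "-H", ldap["Url"], "-D", ldap["Manager DN"], "-W",
            "-b", ldap["Group Search Base"], "-s", SCOPES[ldap["Group Search Scope"]],
            flt, "dn"]

def group_found(ldif_text):
    """True if ldapsearch's LDIF output contains at least one entry (a 'dn:' line)."""
    return any(line.lower().startswith("dn:") for line in ldif_text.splitlines())

if __name__ == "__main__":
    print(shlex.join(group_search_argv(SAMPLE)))  # shell-quoted command to run by hand
```

If `group_found` is false for the real output, the group named in `NiFi Group` is not visible under the configured Group Search Base with that object class and name attribute.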


2 REPLIES

Master Collaborator

Could you post the exact error you were facing? It would help a lot in understanding the problem.

Also, was the error in the stdout/stderr file, or was the NiFi service initially started by Bootstrap but later went down due to exceptions?

What have you added as a group in Ranger?