Created 08-29-2018 04:32 PM
Hello,
I am setting up an HDF 3.2 cluster that's fully Kerberized and I am trying to handle authorization through Ranger.
We have a single Active Directory which also acts as KDC.
The technical users (for example the service principals automatically created by HDF) are mapped in the following organizational unit: OU=HDF,DC=example,DC=com, while "normal" users (devs/admins) are mapped in OU=USERS,DC=example,DC=com.
The problem is that after enabling the NiFi plugin and the Kafka plugin I have not been able to use either of the two (I added my username to the "admin" policies of both services in Ranger).
Since the two problems are probably linked, I will start from NiFi and if necessary expand on Kafka in another post.
NiFi authentication works (the user is recognized) but I receive the following error: "Unable to view the user interface. Contact the system administrator."
When I check the audit log I notice that the User is indicated with the full qualified domain name USER@EXAMPLE.COM (instead of just the username) and the access is denied.
I tried the following NiFi properties without success:
nifi.security.user.login.identity.provider=kerberos-provider
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
Could you help me solve this problem?
Thanks
Created 10-30-2018 11:08 AM
Properly setting up the nifi.security.identity.mapping.pattern.kerb and nifi.security.identity.mapping.pattern.dn fixed the problem.
Also, while debugging this kind of problem, it's best to delete the Ranger plugin cache (under /etc/ranger/SERVICE_NAME/policycache/) to ensure that there are no communication problems between NiFi and Ranger.
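To make the accepted fix concrete: NiFi applies each configured nifi.security.identity.mapping.pattern.* as a full-match regex against the authenticated identity (the Kerberos principal or the certificate DN) and, on the first match, rewrites it with the matching nifi.security.identity.mapping.value.*, where $1, $2, ... refer to capture groups; the rewritten name is what the Ranger plugin looks up in its policies and writes to the audit log. The Python below is an added illustration of that behaviour and is not code from the thread or from NiFi itself (NiFi does this in Java); the principal, DN and policy user list are constructed sample values. It shows why the poster's original pattern left USER@EXAMPLE.COM unmapped and therefore denied, while the corrected kerb and dn patterns produce the short names that the Ranger policies actually contain.

```python
import re
from typing import List, Optional, Sequence, Tuple

# One (pattern, value) pair per nifi.security.identity.mapping.pattern.<name> /
# nifi.security.identity.mapping.value.<name> property.
Mapping = Tuple[str, str]


def apply_mapping(identity: str, mappings: Sequence[Mapping]) -> str:
    """Emulate NiFi's identity mapping: the first pattern that matches the
    WHOLE identity wins, and $N in the value is replaced by capture group N.
    If no pattern matches, the identity is passed through unchanged, which is
    exactly what Ranger then sees in the audit log."""
    for pattern, value in mappings:
        match = re.fullmatch(pattern, identity)
        if match is None:
            continue
        # Translate Java-style $1, $2, ... into the captured groups.
        return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), value)
    return identity


def authorized_user(identity: str, mappings: Sequence[Mapping],
                    policy_users: Sequence[str]) -> Optional[str]:
    """Return the mapped identity if it appears in the (constructed) Ranger
    policy user list, otherwise None (access denied)."""
    mapped = apply_mapping(identity, mappings)
    return mapped if mapped in policy_users else None


# Constructed sample data: a Kerberos principal issued by the AD realm, the
# DN of a NiFi node certificate, and the users listed in a Ranger policy.
PRINCIPAL = "USER@EXAMPLE.COM"
NODE_DN = "CN=nifihost01.example.com, OU=NIFI, DC=example, DC=com"
POLICY_USERS: List[str] = ["USER", "nifihost01.example.com"]

# The pattern as it appeared in the question: '.?' only allows one character
# before the '@', so a real principal never fully matches.
BROKEN_MAPPINGS: List[Mapping] = [(r"^(.?)@(.?)$", "$1")]

# Corrected mappings: strip the realm from principals and keep only the CN of
# certificate DNs (the DN pattern is a constructed example for this OU layout).
FIXED_MAPPINGS: List[Mapping] = [
    (r"^(.*?)@(.*?)$", "$1"),                                  # .kerb
    (r"^CN=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$", "$1"),         # .dn
]


def demo() -> dict:
    """Run both configurations over the sample identities."""
    return {
        "broken_principal": apply_mapping(PRINCIPAL, BROKEN_MAPPINGS),
        "broken_allowed": authorized_user(PRINCIPAL, BROKEN_MAPPINGS, POLICY_USERS),
        "fixed_principal": apply_mapping(PRINCIPAL, FIXED_MAPPINGS),
        "fixed_node": apply_mapping(NODE_DN, FIXED_MAPPINGS),
        "fixed_allowed": authorized_user(PRINCIPAL, FIXED_MAPPINGS, POLICY_USERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the broken pattern the principal reaches Ranger as USER@EXAMPLE.COM, which is not in the policy, so the request is denied; with the corrected patterns both the user and the NiFi node identity collapse to the names the policies list. Because the mapping is full-match and first-match, the order of the pattern properties and the exact DN attribute order emitted by your CA both matter, so compare the audit log's user column against the policy entry character by character.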
Created on 08-29-2018 05:00 PM - edited 08-18-2019 03:14 AM
I think you may need to adjust the user/group sync in ranger. Be sure to tail the ranger user sync logs while running the sync so that you can validate things are arriving correctly. Here are my configs:
Additionally you will need to create policies in ranger admin as follows:
the scrambled user for NiFi Proxy is cn=NIFIHOSTNAME, OU=NIFI
Be sure to watch the log files and restart everything after making any changes.
If this answer is helpful, please choose ACCEPT to mark the question as resolved.
Created 08-30-2018 02:43 PM
Hello @Steven Matison,
thanks for replying.
I believe that everything is set up as you proposed; I also added the NiFi proxy users to their own policy, but nothing changed.
Tailing the usersync.log doesn't provide any additional evidence.
Created 08-30-2018 03:35 PM
There isn't much information in the manual. Is it possible that I have to manually configure all the options under "Advanced ranger-nifi-plugin-properties" (in the Ambari console)?
Currently only a few of those properties are configured.
Created 08-29-2018 05:16 PM
To avoid loading unwanted groups and users, please see this HCC doc.
Created 08-30-2018 02:44 PM
Thanks, I will use this configuration while testing in the future.
Created 08-29-2018 05:19 PM
That's the default behavior if you are using AD: it appends the REALM to the username.