
NiFi Authorization with Ranger in Kerberized environment

Contributor

Hello,

I am setting up an HDF 3.2 cluster that's fully Kerberized and I am trying to handle authorization through Ranger.

We have a single Active Directory which also acts as KDC.

The technical users (for example the service principals automatically created by HDF) are mapped in the following organizational unit: OU=HDF,DC=example,DC=com, while "normal" users (devs/admins) are mapped in OU=USERS,DC=example,DC=com.

The problem is that after enabling the NiFi plugin and the Kafka plugin I have not been able to use either of the two (I added my username to the "admin" policies of both services in Ranger).

Since the two problems are probably linked, I will start from NiFi and if necessary expand on Kafka in another post.

NiFi authentication works (the user is recognized) but I receive the following error: "Unable to view the user interface. Contact the system administrator."

When I check the audit log I notice that the User is indicated with the full qualified domain name USER@EXAMPLE.COM (instead of just the username) and the access is denied.

nifi.security.user.login.identity.provider=kerberos-provider

I tried the following NiFi properties without success:

nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1

Could you help me solve this problem?

Thanks

1 ACCEPTED SOLUTION

Contributor

Properly setting up the nifi.security.identity.mapping.pattern.kerb and nifi.security.identity.mapping.pattern.dn fixed the problem.

Also, while debugging this kind of problem, it's best to delete the Ranger plugin cache (under /etc/ranger/SERVICE_NAME/policycache/) to ensure that there are no communication problems between NiFi and Ranger.
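The whole thread turns on the identity mapping properties: Kerberos (via AD) hands NiFi USER@EXAMPLE.COM, and unless a nifi.security.identity.mapping.pattern.* regex matches and rewrites it, that full principal is what reaches Ranger and gets denied. The script below is an added example, not code from this thread or from NiFi itself: it parses pattern.*/value.* pairs out of a constructed nifi.properties fragment and applies them the way I read NiFi's behaviour (keys in sorted order, first pattern that matches the whole identity wins, $n replaced by capture group n, an unmatched identity passed through unchanged). The .dn pattern, the host name and the service principal are assumptions shaped after the values mentioned in the thread. It also runs the same identities through a copy of the configuration whose `*` quantifiers were lost, to show that such a pattern matches nothing and the realm-qualified name survives untouched.

```python
import re

# Constructed nifi.properties fragment using the keys the thread discusses.
# The .dn pattern is an assumption (shaped after the NiFi proxy DN a reply
# mentions); the .kerb pattern strips the realm that AD appends to the login.
NIFI_PROPERTIES = """
nifi.security.user.login.identity.provider=kerberos-provider
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""

# Same fragment with the quantifiers lost (as a web render of the config can do):
# `(.?)` matches at most one character, so realistic principals never match.
BROKEN_PROPERTIES = NIFI_PROPERTIES.replace("(.*?)@(.*?)", "(.?)@(.?)")

PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."


def parse_properties(text):
    """Minimal key=value parser for a nifi.properties style file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def load_mappings(text):
    """Pair pattern.<name> with value.<name>, ordered by property key."""
    props = parse_properties(text)
    mappings = []
    for key in sorted(props):
        if not key.startswith(PATTERN_PREFIX):
            continue
        name = key[len(PATTERN_PREFIX):]
        value = props.get(VALUE_PREFIX + name)
        if value is None:
            raise ValueError(f"pattern.{name} has no matching value.{name}")
        mappings.append((name, re.compile(props[key]), value))
    return mappings


def map_identity(identity, mappings):
    """Apply the first pattern that matches the whole identity; substitute $n with
    capture group n. With no match the identity is returned unchanged, which is
    how USER@EXAMPLE.COM ends up in the Ranger audit log and is denied."""
    for _name, pattern, value in mappings:
        match = pattern.fullmatch(identity)
        if match is None:
            continue
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", value)
    return identity


# Constructed identities shaped after the thread's examples (not real hosts/users).
SAMPLE_IDENTITIES = [
    "USER@EXAMPLE.COM",                          # AD user login via kerberos-provider
    "nifi/nifihost.example.com@EXAMPLE.COM",     # HDF-created service principal
    "CN=nifihost, OU=NIFI, DC=example, DC=com",  # proxy node certificate DN
    "local-user",                                # nothing matches: pass-through
]


def demo(properties_text=NIFI_PROPERTIES):
    """Return {raw identity: mapped identity} for the sample identities."""
    mappings = load_mappings(properties_text)
    return {identity: map_identity(identity, mappings) for identity in SAMPLE_IDENTITIES}


if __name__ == "__main__":
    for raw, mapped in demo().items():
        print(f"{raw!r:48} -> {mapped!r}")
    print("\nwith the quantifier-less .kerb pattern:")
    for raw, mapped in demo(BROKEN_PROPERTIES).items():
        print(f"{raw!r:48} -> {mapped!r}")
```

Running it prints the mapped names the Ranger policies must be written against: `USER`, `nifi/nifihost.example.com` and `nifihost`. Whatever comes out of this mapping is the string to compare with the user column in the Ranger audit log; if the audit still shows the realm-qualified principal, the pattern is not matching.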



@Raffaele S

I think you may need to adjust the user/group sync in ranger. Be sure to tail the ranger user sync logs while running the sync so that you can validate things are arriving correctly. Here are my configs:

[screenshot: usersync.jpg]

[screenshot: groupsync.jpg]

Additionally you will need to create policies in ranger admin as follows:

[screenshot: rangeradminui.png]

The scrambled user for the NiFi proxy is cn=NIFIHOSTNAME, OU=NIFI.

Be sure to watch the log files and restart everything after making any changes.

If this answer is helpful, please choose ACCEPT to mark the question as resolved.

Contributor

Hello @Steven Matison,

thanks for replying.

I believe that everything is set up as you proposed; I also added the NiFi proxy users to their own policy, but nothing changed.

Tailing the usersync.log doesn't provide any additional evidence.

Contributor

There isn't much information in the manual. Is it possible that I have to manually configure all the options under "Advanced ranger-nifi-plugin-properties" (in the Ambari console)?
Currently only a few of those properties are configured.

Mentor

@Raffaele S

To avoid loading unwanted groups and users, please see this HCC doc.

Contributor

Thanks, I will use this configuration while testing in the future.

Mentor

@Raffaele S

That's the default behavior if you are using AD: it appends the REALM to the username.

