NiFi - Insufficient Privileges using Ranger

Hi,

I have a cluster with 2 nodes, installed HDF and use Ranger for security policies. I just installed Kerberos on my cluster using an existing AD.

I am now trying to connect to NiFi UI but I have insufficient privileges (login/password is ok).

I created a READ/WRITE policy for my user raphael.mary (existing in AD) on /* as follows:

16008-2017-06-05-10-31-42.png

When I try to connect to NiFi I have insufficient privileges and I get this in the Ranger Audit:

16009-2017-06-05-10-31-02.png

The user trying to connect is raph.mary@ZZZZ.COM

1. Is it normal that the user name is shown with the realm name in the audit log?

2. When I try to connect I use raphael.mary as login, do I need to specify another user name?

Thank you for your help.

1 ACCEPTED SOLUTION

Yes, I believe the hostname should match.

3 REPLIES 3

Can you check if you have rules to translate the Kerberos principal to a short username?

@vperiasamy

I added this after my post:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb = $1

The policy is now working but I get the following error: Untrusted proxy corenifi01-vm.zzzzz.com

Do I have to add the nodes of my cluster in Active Directory as well, or do I have to add the nodes of my cluster in Ranger (principal is: corenifi01-vm.zzzzz.com@ZZZZZ.COM)? I added them at the beginning but with this name: corenifi01-vm.zzzzz.com@AA.ZZZZ.COM

Yes, I believe the hostname should match.
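
The identity mapping and name mismatch discussed in this thread, as an added example that is not part of the original posts or of NiFi's own code: it applies the posted `kerb` pattern/value pair to the names quoted above and lists identities whose mapped name has no matching Ranger user. Assumptions: mappings are tried in key order with the first full match winning, unmatched identities pass through unchanged, and Ranger compares the mapped string exactly; `map_identity` and `policy_gaps` are hypothetical helper names.

```python
import re

# Mapping pair exactly as posted in the thread (nifi.properties):
#   nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
#   nifi.security.identity.mapping.value.kerb   = $1
MAPPINGS = {"kerb": (r"^(.*?)@(.*?)$", "$1")}


def map_identity(identity, mappings=MAPPINGS):
    """Return the name the authorizer would be asked about after mapping.

    Assumption: keys are tried in sorted order, the first pattern that
    matches the whole identity wins, and no match leaves it unchanged.
    """
    for key in sorted(mappings):
        pattern, value = mappings[key]
        match = re.fullmatch(pattern, identity)
        if match:
            # Translate Java-style $N group references to Python's \g<N>.
            template = re.sub(r"\$(\d+)", r"\\g<\1>", value)
            return match.expand(template)
    return identity


def policy_gaps(identities, policy_users, mappings=MAPPINGS):
    """Map each identity and return {identity: mapped_name} for every
    mapped name that is not an exact member of policy_users."""
    gaps = {}
    for identity in identities:
        mapped = map_identity(identity, mappings)
        if mapped not in policy_users:
            gaps[identity] = mapped
    return gaps


if __name__ == "__main__":
    # Names quoted in the thread; the policy set is constructed for the demo.
    node = "corenifi01-vm.zzzzz.com@ZZZZZ.COM"
    ranger_users = {"corenifi01-vm.zzzzz.com@AA.ZZZZ.COM"}
    print(map_identity("raph.mary@ZZZZ.COM"))
    print(policy_gaps([node], ranger_users))
    print(policy_gaps([node], {"corenifi01-vm.zzzzz.com"}))
```

With this mapping the realm is stripped before authorization, so a Ranger user entry that still carries a realm suffix never equals the mapped node name.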