Created on 06-05-2017 02:38 PM - edited 08-17-2019 11:13 PM
Hi,
I have a cluster with 2 nodes, installed HDF and use Ranger for security policies. I just installed Kerberos on my cluster using an existing AD.
I am now trying to connect to NiFi UI but I have insufficient privileges (login/password is ok).
I created a READ/WRITE policy for my user raphael.mary (existing in AD) on /* as follows:
When I try to connect to NiFi I have insufficient privileges and I get this in the Ranger Audit:
The user trying to connect is raph.mary@ZZZZ.COM
1. Is it normal that the user name includes the realm name in the audit log?
2. When I try to connect I use raphael.mary as login, do I need to specify another user name?
Thank you for your help.
Created 06-05-2017 05:14 PM
Can you check if you have rules to translate the Kerberos principal to a short username?
Created 06-05-2017 05:45 PM
nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb = $1
The policy is now working but I get the following error: Untrusted proxy corenifi01-vm.zzzzz.com
Do I have to add the nodes of my cluster in Active Directory as well, or do I have to add the nodes of my cluster in Ranger (principal is: corenifi01-vm.zzzzz.com@ZZZZZ.COM)? I added them at the beginning but with this name: corenifi01-vm.zzzzz.com@AA.ZZZZ.COM
Created 06-05-2017 05:51 PM
Yes, I believe the hostname should match.
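Added example, not part of the original thread and not NiFi's own code: a simplified Python model of the identity mapping posted above, used to compare the mapped node identity with the name that was entered in Ranger. It assumes patterns are tried in sorted key order with the first match applied, and that identities are compared as exact strings; `NODE_PRINCIPALS` and `POLICY_USERS` are constructed from the names quoted in the thread.

```python
import re

# Mapping from the thread (nifi.properties), keyed by the property suffix.
MAPPINGS = {
    "kerb": (r"^(.*?)@(.*?)$", "$1"),
}

def map_identity(identity, mappings=MAPPINGS):
    """Apply the first matching pattern (tried in sorted key order)."""
    for key in sorted(mappings):
        pattern, value = mappings[key]
        m = re.fullmatch(pattern, identity)
        if m:
            # Expand Java-style $N group references with the captured text.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
    return identity  # no pattern matched: the identity is used unchanged

def unmatched(identities, policy_users):
    """Return (raw, mapped) pairs whose mapped form has no exact policy entry."""
    result = []
    for raw in identities:
        mapped = map_identity(raw)
        if mapped not in policy_users:
            result.append((raw, mapped))
    return result

# Constructed sample data, taken from the names quoted in the thread.
NODE_PRINCIPALS = ["corenifi01-vm.zzzzz.com@ZZZZZ.COM"]
POLICY_USERS = {"corenifi01-vm.zzzzz.com@AA.ZZZZ.COM"}  # name as first added

if __name__ == "__main__":
    print("audit user maps to:", map_identity("raph.mary@ZZZZ.COM"))
    for raw, mapped in unmatched(NODE_PRINCIPALS, POLICY_USERS):
        print(f"{raw} -> {mapped}: no policy user with this exact name")
```

The same mapping that shortens the user principal also shortens the node principal, so the name the policy store must contain is the mapped one, which is the name shown in the "Untrusted proxy" message.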