NiFi - Insufficient Privileges using Ranger

Hi,

I have a cluster with 2 nodes, installed HDF and use Ranger for security policies. I just installed Kerberos on my cluster using an existing AD.

I am now trying to connect to NiFi UI but I have insufficient privileges (login/password is ok).

I created a READ/WRITE policy for my user raphael.mary (existing in AD) on /*, as follows:

[Screenshot: 16008-2017-06-05-10-31-42.png]

When I try to connect to NiFi I have insufficient privileges and I get this in the Ranger audit:

[Screenshot: 16009-2017-06-05-10-31-02.png]

The user trying to connect is raph.mary@ZZZZ.COM

1. Is it normal that the user name includes the realm name in the audit log?

2. When I try to connect I use raphael.mary as login, do I need to specify another user name?

Thank you for your help.

1 ACCEPTED SOLUTION

Re: NiFi - Insufficient Privileges using Ranger

Yes, I believe the hostname should match.

3 REPLIES

Re: NiFi - Insufficient Privileges using Ranger

Can you check if you have rules to translate the Kerberos principal to a short username?

Re: NiFi - Insufficient Privileges using Ranger

@vperiasamy

I added this after my post:

nifi.security.identity.mapping.pattern.kerb = ^(.*?)@(.*?)$

nifi.security.identity.mapping.value.kerb = $1

The policy is now working, but I get the following error: Untrusted proxy corenifi01-vm.zzzzz.com

Do I have to add the nodes of my cluster in Active Directory as well, or do I have to add the nodes of my cluster in Ranger (principal is: corenifi01-vm.zzzzz.com@ZZZZZ.COM)? I added them at the beginning, but with this name: corenifi01-vm.zzzzz.com@AA.ZZZZ.COM
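
How the identity mapping posted above changes the name a Ranger policy has to list, as an added example that is not from the original posts or from NiFi's own code. It is a simplified model that assumes mappings are tried in sorted key order with the first match winning and that policy user names are compared as exact strings; `load_mappings`, `map_identity` and `check_policy` are hypothetical helpers, and the user principal is constructed from the login name and realm quoted in the thread.

```python
import re

# Mapping from the thread, as it would appear in nifi.properties.
PROPS = {
    "nifi.security.identity.mapping.pattern.kerb": r"^(.*?)@(.*?)$",
    "nifi.security.identity.mapping.value.kerb": "$1",
}
PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."

def load_mappings(props):
    """Pair each pattern.<name> with value.<name>, in sorted key order (assumed)."""
    mappings = []
    for key in sorted(k for k in props if k.startswith(PATTERN_PREFIX)):
        value = props.get(VALUE_PREFIX + key[len(PATTERN_PREFIX):])
        if value is not None:
            mappings.append((re.compile(props[key]), value))
    return mappings

def map_identity(identity, mappings):
    """Return the mapped identity; identities matching no pattern pass through."""
    for pattern, value in mappings:
        match = pattern.fullmatch(identity)
        if match:
            # Expand Java-style $N references with the captured groups.
            return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)
    return identity

def check_policy(identities, policy_users, mappings):
    """Map each identity and test it against the policy (exact match, assumed)."""
    return {i: (map_identity(i, mappings), map_identity(i, mappings) in policy_users)
            for i in identities}

# Constructed sample input based on the names quoted in the thread.
IDENTITIES = ["raphael.mary@ZZZZ.COM", "corenifi01-vm.zzzzz.com@ZZZZZ.COM"]
POLICY_AS_POSTED = {"raphael.mary", "corenifi01-vm.zzzzz.com@AA.ZZZZ.COM"}
POLICY_MATCHING = {"raphael.mary", "corenifi01-vm.zzzzz.com"}

if __name__ == "__main__":
    mappings = load_mappings(PROPS)
    for label, policy in (("as posted", POLICY_AS_POSTED), ("matching", POLICY_MATCHING)):
        for ident, (mapped, ok) in check_policy(IDENTITIES, policy, mappings).items():
            print(f"{label:9} {ident} -> {mapped}: {'allowed' if ok else 'denied'}")
```

Because the pattern matches any identity containing `@`, the node principal is shortened as well, so a policy entry that still carries a realm suffix no longer matches it.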
