
NiFi Plugin Error getting policies from Ranger

Explorer

Hi all, I tried to integrate secured NiFi with secured Ranger for Authorization Management in HDF-3.1.0.0.

Refer to the article:

https://community.hortonworks.com/content/kbentry/60001/hdf-20-integrating-secured-nifi-with-secured...



After all steps are complete, I run the connection test on the Ranger NiFi service and get a 403 status code.

It seems authentication succeeds but authorization fails, but I haven't been able to figure out the problem for a long time.

85791-authentication-success.png

(CN=ranger, OU=NiFi is the DN of Ranger's certificate)

(CN=ambari03.xxxx.xxxx, OU=NiFi is the DN of NiFi node's certificate)

(Both the DN of Ranger and the DN of the NiFi nodes were manually created as internal users in the Ranger admin UI)



Why can't NiFi sync policies from Ranger? (Message in nifi-app.log:)

2018-08-30 09:18:28,095 WARN [Thread-22] o.a.r.admin.client.RangerAdminRESTClient Error getting policies. secureMode=false, user=nifi (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=hdf_nifi

2018-08-30 09:18:28,095 WARN [Thread-22] o.a.ranger.plugin.util.PolicyRefresher cache file does not exist or not readable '/etc/ranger/hdf_nifi/policycache/hdf_nifi_hdf_nifi.json'



Here is my config and some log files.

authorizers.xml:

85792-authorizersxml.png

nifi-app.log:

85793-nifi-applog.png

xa_portal.log:

85794-xa-portallog.png

The following is the configuration information:

(1)HDF:

#3 nodes cluster

#Kerberos security is disabled


(2)NiFi:

#installed on node1~3

#SSL enabled with certificates manually installed

#Authenticate by AD using SIMPLE connection


(3)Ranger:

#installed on node1 (Admin & Usersync)

#SSL enabled

#Authenticate by AD

#Sync User from AD



Thanks for your help.

6 REPLIES

Super Guru

I don't think this will be an official answer, but a few things that come to mind:

1. Need to make sure the policies are created for at least the normal admin user, then policies for AD users. Start with a small test case (a single user or group) and go forward until all policies satisfy all needs.

  • I added 2 groups, my personal user, CN=admin,OU=NIFI, and nifi host (cn=HOSTNAME,OU=NIFI) to all - nifi resource policy
  • Created a NiFi Proxy policy for cn=HOSTNAME,OU=NIFI

2. In my setups, I was missing a checkbox in the nifi config area that turned on the ranger plugin (separate from the ranger config toggle).

3. Make sure to restart everything after making adjustments.

Explorer

@Steven Matison

Thanks for the reply.

But it looks like syncing the policies failed.

2018-08-30 09:18:28,095 WARN [Thread-22] o.a.r.admin.client.RangerAdminRESTClient Error getting policies. secureMode=false, user=nifi (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=hdf_nifi 2018-08-30 09:18:28,095

Super Guru

@Tony Cheng In my setup I had to edit a configuration file to set 3 values to debug for logging to show full details.

Tailing the Ranger Sync Logs

In order to see full output for Ranger User Sync it is necessary to modify Log4j XML:

sudo nano /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml

**NOTE: Edit 3 log entries at bottom of the file from "info" to "debug". Be sure to change them back when done debugging.

Restart All for Ranger and then you can tail these 2 files:

sudo tail -f /var/log/ranger/admin/xa_portal.log
sudo tail -f /var/log/ranger/usersync/usersync.log

Explorer
@Steven Matison

Thanks for the reply.

I will configure it and tail the log.


@Tony Cheng

The error:

unable to get client certificate at

in the xa-portal.log means the truststore has not been properly configured for Ranger admin. I suggest you review the following video where I cover this configuration in detail:

https://community.hortonworks.com/content/supportkb/187924/video-kb-how-to-co-nfigure-ranger-admin-s...

Also there is a good hc article that covers this configuration for nifi:

https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range....

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

Explorer

@felix Albani

Thanks for the video.

Sorry to reply after such a long time period.

I have watched and checked, but still don't know what I misconfigured.

Before I reinstall HDF and configure it again, there are some questions I would like to ask.


In the nifi-app.log:

2018-09-05 17:54:07,793 WARN [Thread-22] o.a.r.admin.client.RangerAdminRESTClient Error getting policies. secureMode=false, user=nifi (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=hdf_nifi


Do I need to resolve the WARN message in nifi-app.log?

[Error getting policies. secureMode=false, user=nifi (auth:SIMPLE) user=nifi]


Both NiFi and Ranger have been enabled in SSL mode.

But getting policies does not seem to run in secure mode.


I have three NiFi ranger plugin certificates with DNs [CN=ambari01.test.com, OU=NiFi; CN=ambari02.test.com, OU=NiFi; CN=ambari03.test.com, OU=NiFi]

A nifi user is manually created in Ranger admin UI as internal.


The following images are my Ranger/Ambari screenshots and questions:

1. Does the nifi user need to create a certificate too?

2. Is the nifi user an OS user on the NiFi host or also a NiFi application user?


#nifi user in Ranger admin

87566-ranger-nifi-user.png


#ranger_nifi_policymgr

87567-ranger-nifi-policymgr.png



Thanks for your help.
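
An added example (not from any poster in this thread): a small shell filter that pulls the fields out of the RangerAdminRESTClient warning quoted above and lists the policy cache files PolicyRefresher reported missing, so the failures on each NiFi node can be compared side by side. The function names are hypothetical, and the sample input is constructed from the log lines quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: summarise Ranger plugin policy-download failures in nifi-app.log.
# Function names are hypothetical; the log format is the one quoted in the thread.

# Constructed sample input, built from the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
2018-08-30 09:18:28,095 WARN [Thread-22] o.a.r.admin.client.RangerAdminRESTClient Error getting policies. secureMode=false, user=nifi (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=hdf_nifi
2018-08-30 09:18:28,095 WARN [Thread-22] o.a.ranger.plugin.util.PolicyRefresher cache file does not exist or not readable '/etc/ranger/hdf_nifi/policycache/hdf_nifi_hdf_nifi.json'
2018-09-05 17:54:07,793 WARN [Thread-22] o.a.r.admin.client.RangerAdminRESTClient Error getting policies. secureMode=false, user=nifi (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=hdf_nifi
EOF
}

# Read a log on stdin; print one record per failed policy fetch as
# timestamp|secureMode|user|auth|httpStatusCode|serviceName
policy_fetch_errors() {
  sed -n -E 's/^([0-9-]+ [0-9:,]+) .*RangerAdminRESTClient Error getting policies\. secureMode=([a-z]+), user=([^ ]+) \(auth:([A-Z_]+)\), response=\{"httpStatusCode":([0-9]+),.*serviceName=([^ ,]+).*$/\1|\2|\3|\4|\5|\6/p'
}

# Read a log on stdin; count failed fetches per service/status/auth combination
# and list every policy cache file that PolicyRefresher could not read, i.e.
# the cases where there is no cached copy of the policies to fall back on.
summarize() {
  log=$(cat)
  printf '%s\n' "$log" | policy_fetch_errors |
    awk -F'[|]' '{ n[$6 " http=" $5 " secureMode=" $2 " auth=" $4]++ }
         END { for (k in n) print n[k] " failed fetch(es): service=" k }' | sort
  printf '%s\n' "$log" |
    sed -n -E "s/.*PolicyRefresher cache file does not exist or not readable '([^']+)'.*/missing cache: \1/p" |
    sort -u
}

# Stand-alone run on the constructed sample.
sample_log | summarize
```

To check a real node, feed its log in on stdin, for example `summarize < nifi-app.log`.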