
Nifi Cluster HDF Ranger Issue.

Contributor

Hi Team,

We have configured NiFi with HDF and Ranger authorization enabled, but we are getting the below error while testing the connection from Ranger to NiFi.

Unable to retrieve any resources using given parameters. Status Code = 403Unable to retrieve any resources using given parameters. 

16213-nifi-aa.png

It's a 3-node cluster. In the below Ranger configuration, which node URL do I need to place? Please share the config for cluster setup with Ranger.

16215-nifi111.png


Re: Nifi Cluster HDF Ranger Issue.

Contributor

@Matt Clarke

Need your inputs on this.

Thanks in advance.

Re: Nifi Cluster HDF Ranger Issue.

Contributor

@Anishkumar Valsalam Have you added the policy to grant access for /proxy to all the NiFi nodes? Check the audit tab in Ranger to understand for what resource the access was forbidden.

You can also check the following resources to integrate NiFi with Ranger.

https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range....

https://community.hortonworks.com/articles/57980/hdf-20-apache-nifi-integration-with-apache-ambarir....

http://bryanbende.com/development/2016/08/22/apache-nifi-1.0.0-using-the-apache-ranger-authorizer

Re: Nifi Cluster HDF Ranger Issue.

Master Guru

@Anishkumar Valsalam

The ability for Ranger to communicate with NiFi will require that you have authorized your Ranger user to have access to the NiFi resources.

The only reason Ranger ever needs to talk to NiFi is to obtain a listing of the current global and component level policies for which users can be granted. This makes setting up policies easier in Ranger since the policy list will display these resources.

The policy that must be granted to your Ranger user is the "/resources" policy:

16247-screen-shot-2017-06-12-at-94236-am.png

When you click the "test connection" button, the client certificate from the configured keystore is passed to the configured NiFi URL. 2-way TLS authentication is performed. Upon successful authentication, authorization will then be performed. Since your NiFi is now configured to use Ranger, that authorization will be done there. If your Ranger user has not been authorized for /resources, the 403 (forbidden) error response will be received during the test connection.

Once your Ranger user is authorized to access "/resources", it will show all available policies from which you can authorize your various entities:

16248-screen-shot-2017-06-12-at-94538-am.png

Thank you,

Matt
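
The test-connection sequence described in the answer above (2-way TLS first, then authorization for /resources) can be reproduced outside the Ranger UI to see which stage fails on each node. This is an added example, not part of the original thread or of NiFi or Ranger. It assumes the Ranger client certificate, its key and the NiFi CA have been exported to PEM files and that the resources listing is served at NiFi's `/nifi-api/resources` REST path; the function names are hypothetical.

```python
import http.client
import ssl
import sys

RESOURCES_PATH = "/nifi-api/resources"  # NiFi REST endpoint that lists policy resources

# How to read the HTTP status, following the answer above.
DIAGNOSIS = {
    200: "authenticated and authorized for /resources",
    401: "request reached NiFi but was not authenticated",
    403: "authenticated, but this identity is not authorized for /resources",
}

def diagnose(status):
    """Map an HTTP status from the resources endpoint to a likely cause."""
    return DIAGNOSIS.get(status, f"unexpected status {status}")

def build_context(cert_pem, key_pem, ca_pem):
    """TLS context presenting the Ranger client certificate (PEM export assumed)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx

def check_node(host, port, ctx, timeout=10):
    """Return (status, message); status is None if TLS or the network failed."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", RESOURCES_PATH)
        status = conn.getresponse().status
        return status, diagnose(status)
    except ssl.SSLError as exc:
        return None, f"2-way TLS failed before authorization: {exc}"
    except (OSError, http.client.HTTPException) as exc:
        return None, f"could not reach node: {exc}"
    finally:
        conn.close()

if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: check.py cert.pem key.pem ca.pem host:port [host:port ...]")
    ctx = build_context(*sys.argv[1:4])
    for node in sys.argv[4:]:
        host, _, port = node.rpartition(":")
        print(node, *check_node(host, int(port), ctx))
```

A 403 from a node means the TLS stage succeeded and the remaining work is in Ranger policy; a TLS failure means the keystore or truststore setup needs attention before any policy change will matter.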
