Support Questions

Hi @Scharan 
thanks for your response, we already have the policy in ranger by default :

and i already assign our user and group to this policy , but still failed authorization

@wbivp 

Is the exact user string you see in the nifi-user.log the same (case sensitive)  as what is set in Ranger?
is this user string authorized for the /flow policy?

Thank you,

Matt

Hi @MattWho 

We using ranger authorizer , user string exactly same with nifi-user.log and ranger user 

below authorizers.xml content :

<authorizers>

<userGroupProvider>
<identifier>cm-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CMUserGroupProvider</class>
<property name="Knox Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/knox-conf/knox-gateway.properties</property>
<property name="NiFi Registry Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/nifiregistry-conf/peer.properties</property>
<property name="NiFi Group">nifi</property>
<property name="Infer Unqualified Hostnames">false</property>
<property name="NiFi Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/nifinode-conf/peer.properties</property>
</userGroupProvider><userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="User Group Provider 1">cm-user-group-provider</property>
<property name="Configurable User Group Provider">file-user-group-provider</property>
</userGroupProvider><userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Initial User Identity 1">wahyu.budiman</property>
<property name="Users File">/var/lib/nifi/users.xml</property>
</userGroupProvider>

<authorizer>
<identifier>ranger-provider</identifier>
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
<classpath>/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/hadoop-conf</classpath>
<property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Ranger Admin Identity">rangerhostname</property>
<property name="Ranger Service Type">nifi</property>
<property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
<property name="Ranger Application Id">Cluster1_nifi</property>
<property name="Ranger Kerberos Enabled">true</property>
</authorizer>

Hi @MattWho 

Our Nifi using ranger authorizers , after we set ranger nifi policy (/flow , /proxies , etc) to my username, i can login and access web UI , the next question about group authorization, because other user with same group still cannot acces web UI 

below the log :
2021-09-02 10:57:45,166 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifihostname:8443/nifi-api/flow/current-user (source ip: )
2021-09-02 10:57:45,169 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test.username
2021-09-02 10:57:45,172 INFO [NiFi Web Server-424] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

Thanks ,

WahyuB

@wbivp 

Within Ranger you can authorizer users and/or groups to the policies you define.
The Ranger plugin with the NiFi service runs in the background within NiFi that connects with Ranger to download the latest set of policies.

What is provided by Ranger is simply user(s) A, B, C strings and/or group(s) X, Y, Z strings are authorized read and/or write to NiFi Resource Identifier(s).  There is nothin in what is downloaded from Ranger that will tell NiFi as the client what users belong to group(s) X, Y, or Z.   This means that NiFi itself needs to be aware of these associations.

This is why in the nifi-user.log you see the following:

o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does ...

 This log line tells us that NiFi is unaware of any groups the the authenticated user string "test.username" is a member.  If NiFi was aware the "groups[]" in this log line would show a comma separated list of all these group strings.

NiFi offers numerous user-group-providers that can be added to the authorizers.xml that allow these associations between user and groups to be set.  Your authorizers.xml file shared contains the "cm-user-group-provider" (only used to assign NiFi node hostnames to a group string "nifi") and the "file-user-group-provider" [1] which gives users a way of manually adding group strings and associating users to that group directly from the NiFi UI.

So with your current setup, you would login as your authorized user, go to the NiFi Global Menu, and then select "users".  This will open the NiFi Users UI where you should see your initial admin user which you defined in your file-user-group-provider.  You would need to click on the 

icon to add additional users and groups manually.  Adding users and groups here has nothing to do with authentication. You are using this Ui to establish user to group associations.  So I would start by creating a new group.  The Identity string used must match case sensitive the exact group string as seen in Ranger.
Then you can start adding your user strings (must match user strings case sensitive as seen in Ranger)
As you add users you will be able to select the group(s) you added as those that user should be associated with.

Using above as an example, NiFi would then associate user string "JoeSmith" with group string "admins".

To see what other user-group-providers exist within your NiFi version, you should look at the "Admin Guide" found under help within your NiFi's embedded documentation access via the UI.

A very commonly used user-group-provider is the "ldap-user-group-provider" [2] which can be used to sync user and groups strings from LDAP/AD and establish the associations between them based on what is in LDAP/AD.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

If you found these responses assisted with your query, please take a moment to login and click on "Accept as Solution" below each post.

Thank you,

Matt

Hi @MattWho 

I try your suggestion to setup "ldap-user-group-provider" , and now nifi service cannot start ,

this is the error message , do you have an example of the required parameters ?

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setAnonymousAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'anonymousAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

@wbivp 

When NiFi is configured to use the ldap-user-group-provider, it must be able to successfully execute that provider during startup to generate a list of users and groups within NiFi.

The exception points that that provider being unable to execute successfully.
The exception in the logs shows:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

This points at an authentication issue when trying to communicate with your ldap server.
(misconfiguration int the provider, bad Manager or Manager password provided)

From the NiFi host can you make run a ldapsearch query against your ldap server using all the same configured values from your provider?

Without your authorizers.xml file, it would be difficult for me to point out any other misconfigurations if present.

If you found the provided response(s) assisted with your query, please take a moment to login and click on "Accept as Solution" below each solution that helped you.

Thank you,

Matt