
Nifi Integration with Ranger Not Working

Contributor

Hi All,

In our cluster NIFI is SSL enabled. Ranger is not SSL enabled. Both NIFI and Ranger are integrated with AD/LDAP.

Before enabling NIFI plugin in Ranger, our AD/LDAP users are able to see NIFI UI.

But after enabling NIFI plugin in Ranger, our AD/LDAP users are not able to see NIFI UI.

We are getting following message on NIFI screen:

Insufficient Permissions
   
Untrusted proxy CN=*.test.com, OU=NIFI

nifi-user.log shows Authentication success but Untrusted proxy error as follows:

2018-06-07 07:00:13,447 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.118.51)
2018-06-07 07:00:13,449 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test-user
2018-06-07 07:00:13,612 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<test-user><CN=*.test.com, OU=NIFI>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.132.140)
2018-06-07 07:00:13,615 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=*.test.com, OU=NIFI

I have also deleted authorizers.xml and users.xml file from NIFI node and restarted NIFI as well.

How to resolve it?

Please suggest.

Thanks
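The two nifi-user.log lines above carry the whole diagnosis: the second "Attempting request" shows a proxy chain (end user, then the forwarding node's certificate DN), and the WARN names the DN NiFi refused because it has no /proxy authorization. Below is an added example (not code from the question or from NiFi) that parses those lines and lists the proxy identities a policy is missing for; the SAMPLE_LOG is constructed from the excerpt in the question, and the log format is assumed to match the excerpt exactly.

```python
import re
from dataclasses import dataclass

# Constructed sample input modelled on the nifi-user.log excerpt in the question above.
SAMPLE_LOG = """\
2018-06-07 07:00:13,447 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.118.51)
2018-06-07 07:00:13,449 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test-user
2018-06-07 07:00:13,612 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<test-user><CN=*.test.com, OU=NIFI>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.132.140)
2018-06-07 07:00:13,615 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=*.test.com, OU=NIFI
"""

# Shape assumed from the excerpt:
# "Attempting request for (<user><proxy1><proxy2>...) METHOD URL (source ip: X)"
ATTEMPT_RE = re.compile(
    r"Attempting request for \((?P<chain>(?:<[^>]*>)+)\) "
    r"(?P<method>\S+) (?P<url>\S+) \(source ip: (?P<ip>[^)]+)\)"
)
CHAIN_ELEMENT_RE = re.compile(r"<([^>]*)>")
UNTRUSTED_RE = re.compile(r"Rejecting access to web api: Untrusted proxy (?P<dn>.+?)\s*$")


@dataclass
class ProxiedRequest:
    user: str        # identity that originally authenticated (end user, or a token placeholder)
    proxies: list    # DNs of the NiFi nodes that forwarded the request, in chain order
    method: str
    url: str
    source_ip: str


def parse_requests(log_text):
    """Turn every 'Attempting request' line into a ProxiedRequest."""
    requests = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if not m:
            continue
        chain = CHAIN_ELEMENT_RE.findall(m.group("chain"))
        requests.append(ProxiedRequest(
            user=chain[0], proxies=chain[1:], method=m.group("method"),
            url=m.group("url"), source_ip=m.group("ip"),
        ))
    return requests


def untrusted_proxies(log_text):
    """DNs NiFi rejected because no /proxy authorization exists for them."""
    rejected = set()
    for line in log_text.splitlines():
        m = UNTRUSTED_RE.search(line)
        if m:
            rejected.add(m.group("dn"))
    return rejected


def proxy_identities_needing_policy(log_text):
    """Every identity that appeared as a proxy in a request chain.

    In a cluster these are the node certificate DNs; each one needs read/write
    on the /proxy resource in the authorizer, or replicated requests are rejected.
    """
    return {dn for req in parse_requests(log_text) for dn in req.proxies}


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_LOG):
        print(f"{req.user!r} via {req.proxies} -> {req.method} {req.url} from {req.source_ip}")
    print("untrusted proxies:", sorted(untrusted_proxies(SAMPLE_LOG)))
    print("need /proxy policy:", sorted(proxy_identities_needing_policy(SAMPLE_LOG)))
```

Run against a real nifi-user.log, the second function is the quickest way to confirm that every node DN in the cluster is listed where the authorizer expects it; any DN it prints is one that will keep producing the "Untrusted proxy" message.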

1 ACCEPTED SOLUTION

Master Mentor
@Bhushan Kandalka

-

Once the Ranger plugin is enabled, the authorizations.xml file is no longer used to determine what authorizations both users and NiFi nodes have.

In a NiFi cluster each node must be authorized to act as a proxy so that requests made by users logged in to any one of the nodes' UIs can be replicated to the other nodes.

This means that you will need to set an authorization policy in Ranger that authorizes "CN=*.test.com, OU=NIFI" against the "/proxy" policy.

-

Thank you,

Matt


11 REPLIES

Contributor

@Abdelkrim Hadjidj

Yes, I have added Ranger policies for user to see UI. Still getting same exception.


What about proxy? As you can see in the provided link:

To allow users to view the NiFi UI, create the following policies for each host:

  • /flow – read
  • /proxy – read/write

Contributor

@Matt Clarke

Do I need to create "CN=*.test.com, OU=NIFI" user with password in Ranger and need to add "/proxy" policy for it?

Master Mentor

@Bhushan Kandalkar

That is correct.

Contributor

@Matt Clarke

While adding "CN=*.test.com, OU=NIFI" user in Ranger it's giving an invalid username error. How to resolve it?

Master Mentor

@Bhushan Kandalkar

I was afraid of that. Ranger does not allow wildcards in the user names.

From a security standpoint it is generally a bad idea to create a server certificate that uses wildcards.

In order to use Ranger as your authorizer, you are going to need to create new NiFi node certificates/keystores that do not use wildcards in the "Owner" DN.

-

This means you will have a unique keystore for each of your NiFi nodes (which is a security best practice). You will then need to authorize each of those nodes with /proxy.

-

Thanks,

Matt
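Putting the two answers together (the /flow and /proxy policies listed earlier, and the point just made that Ranger refuses wildcard user names, so each node needs its own non-wildcard certificate DN), here is an added example, not code from the thread or from Ranger, that builds the per-node /proxy policy and the UI /flow policy and rejects a wildcard DN before it ever reaches Ranger. The service name, OU, hostnames and group name are constructed placeholders, and the JSON field names follow the shape of Ranger's public policy API as I understand it; treat them as assumptions to check against your Ranger version.

```python
import json

# Assumed names for this example: the Ranger service the NiFi plugin was registered
# under, and the OU used in the node certificates. Both are placeholders.
RANGER_SERVICE = "nifi-cluster"
NODE_OU = "NIFI"


def node_dn(hostname, ou=NODE_OU):
    """Subject DN for one node's certificate: a concrete host, never a wildcard."""
    return f"CN={hostname}, OU={ou}"


def validate_ranger_username(name):
    """Ranger does not accept wildcards in user names, so fail before submitting."""
    if "*" in name:
        raise ValueError(f"wildcard not allowed in Ranger user name: {name!r}")
    return name


def _policy(name, resource, users, groups, accesses, service=RANGER_SERVICE):
    # Field names assumed from the Ranger policy API shape; verify for your version.
    return {
        "service": service,
        "name": name,
        "isEnabled": True,
        "resources": {
            "nifi-resource": {"values": [resource], "isExcludes": False, "isRecursive": False}
        },
        "policyItems": [{
            "users": users,
            "groups": groups,
            "delegateAdmin": False,
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
        }],
    }


def proxy_policy(node_hostnames):
    """/proxy read+write for every node DN, so replicated requests are trusted."""
    users = [validate_ranger_username(node_dn(h)) for h in node_hostnames]
    return _policy("nifi-nodes-proxy", "/proxy", users, [], ["READ", "WRITE"])


def flow_policy(ui_groups):
    """/flow read for the AD/LDAP groups that should be able to open the UI."""
    return _policy("nifi-ui-flow", "/flow", [], list(ui_groups), ["READ"])


def policy_users(policy):
    """All user names granted by a policy."""
    return {u for item in policy["policyItems"] for u in item["users"]}


def missing_proxy_authorizations(policy, seen_proxy_dns):
    """DNs observed as proxies (e.g. in nifi-user.log) that the policy does not cover."""
    return set(seen_proxy_dns) - policy_users(policy)


if __name__ == "__main__":
    nodes = ["nifi1.test.com", "nifi2.test.com", "nifi3.test.com"]  # constructed hostnames
    print(json.dumps(proxy_policy(nodes), indent=2))
    print(json.dumps(flow_policy(["nifi-ui-users"]), indent=2))     # constructed group
    try:
        validate_ranger_username("CN=*.test.com, OU=NIFI")
    except ValueError as e:
        print("rejected:", e)
```

The hostname list is the source of truth here: one DN per node, so the /proxy policy grows by exactly one user for each keystore you issue, and missing_proxy_authorizations gives a direct check of that policy against whatever DNs actually show up in the log.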

Contributor

@Matt Clarke

Could you please provide a link about how to configure SSL for NiFi with a unique keystore for each of the NiFi nodes and which authorizes using Ranger? It will be great if you provide that link.