Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Nifi Integration with Ranger Not Working

avatar
Contributor

HI All,

In our cluster NIFI is SSL enabled. Ranger is not SSL enabled. Both NIFI and Ranger are integrated with AD/LDAP.

Before enabling NIFI plugin in Ranger, our AD/LDAP users are able to see NIFI UI.

But after enabling NIFI plugin in Ranger, our AD/LDAP users are not able to see NIFI UI.

We are getting following message on NIFI screen:

Insufficient Permissions
   
Untrusted proxy CN=*.test.com, OU=NIFI

nifi-user.log shows Authentication success but Untrusted proxy error as follows:

2018-06-07 07:00:13,447 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.118.51)
2018-06-07 07:00:13,449 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test-user
2018-06-07 07:00:13,612 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<test-user><CN=*.test.com, OU=NIFI>) GET https://usdf24v0075.test.com:9091/nifi-api/flow/current-user (source ip: 10.23.132.140)
2018-06-07 07:00:13,615 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=*.test.com, OU=NIFI

I have also deleted authorizers.xml and users.xml file from NIFI node and restarted NIFI as well.

How to resolve it.?

Please suggest.

Thanks

1 ACCEPTED SOLUTION

avatar
Master Mentor
@Bhushan Kandalka

-

Once the Ranger plugin is enabled, the authorizations.xml file is no longer used to determine what authorizations both users and Nifi nodes have.

In a NiFi cluster each node must be authorized to act as a proxy so that requests made by users logged in to any one of the nodes's UIs can be replicated to the other nodes.

This means that you will need to set an authorization policy in Ranger that authorizes "CN=*.test.com, OU=NIFI" against the "/proxy" policy.

-

Thank you,

Matt

View solution in original post

11 REPLIES 11

avatar
Master Mentor

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html

-

NiFi even provides a toolkit you can use to create your own certificates/keystores for each of your NiFi nodes.

-

Matt