Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger Group autharization not working for nifi

avatar
Expert Contributor

Team ,

 

We have upgraded NIFI from 1.5 to 1.11 and trying to configure ranger authorization at group level instead of user level . But its not working . Below are the properties i have given in authorizers.xml

 

<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>

<property name="Manager DN">CN=xxxx,OU=Users,OU=Standard Users,OU=Users and Computers,OU=Atlanta Corporate,OU=CCI,DC=CORP,DC=COX,DC=com</property>
<property name="Manager Password">xxxxx</property>

<property name="TLS - Keystore">/etc/nifi/conf/signed-keystore.jks</property>
<property name="TLS - Keystore Password">xxx</property>
<property name="TLS - Keystore Type">JKS</property>
<property name="TLS - Truststore">/etc/nifi/conf/coxca-truststore.jks</property>
<property name="TLS - Truststore Password">xxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">WANT</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">TRUE</property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldaps://xxxxx:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>

<property name="User Search Base">ou=cci,dc=corp,dc=cox,dc=com</property>
<property name="User Object Class">user</property>
<property name="User Search Scope">sub</property>
<property name="User Search Filter">(|(memberof=CN=CATL0BDDEVSA,OU=groups,OU=Atlanta Corporate,OU=CCI,DC=CORP,DC=COX,DC=com)(memberof=CN=CATL0BDDEVADMINS,OU=groups,OU=Atlanta Corporate,OU=CCI,DC=CORP,DC=COX,DC=com)(memberof=CN=CATL0BDDEVDEVELOPERS,OU=groups,OU=Atlanta Corporate,OU=CCI,DC=CORP,DC=COX,DC=com))</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute">memberof, ismemberof</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">ou=cci,dc=corp,dc=cox,dc=com</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">sub</property>
<property name="Group Search Filter">(|(cn=CATL0BDDEVSA)(cn=CATL0BDDEVADMINS)(cn=CATL0BDDEVDEVELOPERS))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute">uid</property>
</userGroupProvider>

<authorizer>
<identifier>ranger-authorizer</identifier>
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Ranger Audit Config Path">/usr/hdf/current/nifi/conf/ranger-nifi-audit.xml</property>
<property name="Ranger Security Config Path">/usr/hdf/current/nifi/conf/ranger-nifi-security.xml</property>
<property name="Ranger Service Type">nifi</property>
<property name="Ranger Application Id">nifi</property>
<property name="Allow Anonymous">true</property>
<property name="Ranger Admin Identity"></property>
<property name="Ranger Kerberos Enabled">false</property>
</authorizer>

 

 

when i add AD group in ranger for access i get this error

 

2020-07-13 17:13:33,737 INFO [NiFi Web Server-31] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[bbhimava], groups[none] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
2020-07-13 17:13:45,698 INFO [NiFi Web Server-41] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=xxxx, OU=NIFI) GET https://xxxxxx/nifi-api/site-to-site (source ip: 10.220.3.176)

 

@MattWhorequesting your help .

 

1 ACCEPTED SOLUTION

avatar
Super Mentor

@bhara 

 

While ldap/AD queries are generally case insensitive by default, NiFi is not case insensitive. So user "bbhimava" and user "Bbhimava" would be treated as two different users.

 

Within the nifi.properties file you can utilize identity and group mapping patterns to manipulate the case of the returned user and groups strings.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Note that mapping patterns are evaluate in alphanumeric order. First pattern that matches is applied. so make sure less specific patterns like "^(.*)$" are lats to be evaluated.
For example:

nifi.security.identity.mapping.pattern.dn=<java regex>

Above would be evaluated before:

nifi.security.identity.mapping.pattern.username=<java regex>

 

When/If a match is found, the corresponding value is applied and transform performed:

nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=<NONE, LOWER, or UPPER>

 

 

Looking at your ldap-user-group-provider configuration, I see the following needed changes:
1. I recommend user set the "Page Size" property. If the number of results exceeds the ldap max default page size, not all results may be returned to NiFi. BY setting a page size, NiFi will asks for results in multiple pages instead of one response with all results.  Generally, defaults are either 500 or 1000, so setting a "Page Size" of 500 is safe.

2. The "User Search Scope" and "Group Search Scope" properties should be set to "SUBTREE" and not "sub".
3. The "User Group Name Attribute" property does not support a comma separated list of attributes. Suggest just setting it to "memberOf".

 

Without sample output from your ldap/AD for user bbhimava and one of the groups you are trying to sync based upon, it would be impossible for me to validate any of your other settings.

The log line shared below:

 

 

o.a.n.w.a.c.AccessDeniedExceptionMapper identity[bbhimava], groups[none] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

 

 

indicates that when NiFi looked for user "bbhimava" was looked for by the NiFi authorizer, no associated groups were returned.  Which means Ranger policies could only be queried for policies assigned directly to "bbhimava".

Adding the following line to your  NiFi logback.xml file will give you debug output in your nifi-app.log when the ldap-user-group-provider executes to show you exactly what users and groups were returned based upon your settings and the resulting user/group associates that were discovered.

<logger name="org.apache.nifi.ldap.tenants.LdapUserGroupProvider" level="DEBUG"/>


Hope this helps,
Matt

View solution in original post

2 REPLIES 2

avatar
Super Mentor

@bhara 

 

While ldap/AD queries are generally case insensitive by default, NiFi is not case insensitive. So user "bbhimava" and user "Bbhimava" would be treated as two different users.

 

Within the nifi.properties file you can utilize identity and group mapping patterns to manipulate the case of the returned user and groups strings.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Note that mapping patterns are evaluate in alphanumeric order. First pattern that matches is applied. so make sure less specific patterns like "^(.*)$" are lats to be evaluated.
For example:

nifi.security.identity.mapping.pattern.dn=<java regex>

Above would be evaluated before:

nifi.security.identity.mapping.pattern.username=<java regex>

 

When/If a match is found, the corresponding value is applied and transform performed:

nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=<NONE, LOWER, or UPPER>

 

 

Looking at your ldap-user-group-provider configuration, I see the following needed changes:
1. I recommend user set the "Page Size" property. If the number of results exceeds the ldap max default page size, not all results may be returned to NiFi. BY setting a page size, NiFi will asks for results in multiple pages instead of one response with all results.  Generally, defaults are either 500 or 1000, so setting a "Page Size" of 500 is safe.

2. The "User Search Scope" and "Group Search Scope" properties should be set to "SUBTREE" and not "sub".
3. The "User Group Name Attribute" property does not support a comma separated list of attributes. Suggest just setting it to "memberOf".

 

Without sample output from your ldap/AD for user bbhimava and one of the groups you are trying to sync based upon, it would be impossible for me to validate any of your other settings.

The log line shared below:

 

 

o.a.n.w.a.c.AccessDeniedExceptionMapper identity[bbhimava], groups[none] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

 

 

indicates that when NiFi looked for user "bbhimava" was looked for by the NiFi authorizer, no associated groups were returned.  Which means Ranger policies could only be queried for policies assigned directly to "bbhimava".

Adding the following line to your  NiFi logback.xml file will give you debug output in your nifi-app.log when the ldap-user-group-provider executes to show you exactly what users and groups were returned based upon your settings and the resulting user/group associates that were discovered.

<logger name="org.apache.nifi.ldap.tenants.LdapUserGroupProvider" level="DEBUG"/>


Hope this helps,
Matt

avatar
Expert Contributor

@MattWho  Thank you Sir .It worked perfectly .

 

Regards

Bharad