Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger user sync issue for Nifi

Labels:
avatar
author-rank Anishkumarv
Contributor

Created ‎06-08-2017 11:26 AM

Hi Team,

I have configured Ranger for Nifi and ranger already synced with LDAP, do i need to create user in ranger with DN to access nifi eventhough its synced already?

synced username : anish

Manually created username in Ranger : CN=anish, OU=User, OU=Accounts, OU=ITSC, DC=zone1, DC=dcb, DC=net (why its required when its already synced with LDAP?)

because its working if i created user in Ranger else i am getting below error

2017-06-08 09:56:25,528 INFO [NiFi Web Server-1043] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=anish, OU=User, OU=Accounts, OU=ITSC, DC=zone1, DC=dcb, DC=net does not have permission to access the requested resource. Returning Forbidden response.
2,189 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎06-08-2017 12:17 PM - edited ‎08-17-2019 10:20 PM

@Anishkumar Valsalam

There are two parts that need to be successful to access NiFi:

  1. User authentication: In your case, you are using LDAP to authenticate your users. The NiFi login-identity-providers.xml is used to configure the ldap-provider. NiFI offers two supported configurable "Identity Strategy" options (USE_DN or USE_USERNAME). USE_DN is the default. With "USE_DN" the full DN returned by LDAP after successfully authenticating a used. With "USE_USERNAME" the username entered at login will be used. Which ever strategy is used, the value used will be passed through any configured "Identity Mapping Properties" in NiFi before the resulting mapped value is passed to part two. (Review LDAP settings and Identity mapping Properties in NiFi Admin guide for more details on setup)
  2. User Authorization: In you case, you are using Ranger for user authorization. (default is NiFi's file-based authorizer). The final value derived form step one above is passed to the configured authorizer to determine what NiFi resources that authenticated user has been granted access.

Based on your output above, you appear to have two options possibly to match your authenticated value with your ldap sync'd user in Ranger:

  1. Configure an "Identity Mapping Property" in NiFi that will extract on the value from CN= from the entire returned DN. Based on the DN pattern you shared, your pattern mapping would look like this: 
    nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?), DC=(.*?)$nifi.security.identity.mapping.value.dn=$1
    This will return just "anish" from the DN and that is what will be passed to the authorizer.
  2. Change your "Identity Strategy" configuration in your login-identity-providers.xml file to use "USE_USERNAME". This assumes the username supplied at login matches exactly with the LDAP sync username. Add/Modify the following line in your ldap-provider:
<property name="Identity Strategy">USE_USERNAME</property>

16165-screen-shot-2017-06-08-at-81616-am.png

Thanks,

Matt

View solution in original post

1,974 Views
5 REPLIES 5

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎06-08-2017 12:17 PM - edited ‎08-17-2019 10:20 PM

@Anishkumar Valsalam

There are two parts that need to be successful to access NiFi:

  1. User authentication: In your case, you are using LDAP to authenticate your users. The NiFi login-identity-providers.xml is used to configure the ldap-provider. NiFI offers two supported configurable "Identity Strategy" options (USE_DN or USE_USERNAME). USE_DN is the default. With "USE_DN" the full DN returned by LDAP after successfully authenticating a used. With "USE_USERNAME" the username entered at login will be used. Which ever strategy is used, the value used will be passed through any configured "Identity Mapping Properties" in NiFi before the resulting mapped value is passed to part two. (Review LDAP settings and Identity mapping Properties in NiFi Admin guide for more details on setup)
  2. User Authorization: In you case, you are using Ranger for user authorization. (default is NiFi's file-based authorizer). The final value derived form step one above is passed to the configured authorizer to determine what NiFi resources that authenticated user has been granted access.

Based on your output above, you appear to have two options possibly to match your authenticated value with your ldap sync'd user in Ranger:

  1. Configure an "Identity Mapping Property" in NiFi that will extract on the value from CN= from the entire returned DN. Based on the DN pattern you shared, your pattern mapping would look like this: 
    nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?), DC=(.*?)$nifi.security.identity.mapping.value.dn=$1
    This will return just "anish" from the DN and that is what will be passed to the authorizer.
  2. Change your "Identity Strategy" configuration in your login-identity-providers.xml file to use "USE_USERNAME". This assumes the username supplied at login matches exactly with the LDAP sync username. Add/Modify the following line in your ldap-provider:
<property name="Identity Strategy">USE_USERNAME</property>

16165-screen-shot-2017-06-08-at-81616-am.png

Thanks,

Matt

1,975 Views

avatar
author-rank Schandhok author-rank
Rising Star

Created ‎06-08-2017 02:18 PM

@Anishkumar Valsalam You would need to do identity mappings for the users. Set the following parameters in your NiFi conf and restart NiFi. 

nifi.security.identity.mapping.pattern.dn = ^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?), DC=(.*?)$
nifi.security.identity.mapping.value.dn = $1

You can read following Knowledge articles for more details.

https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po....

1,974 Views
0 Kudos

avatar
author-rank Anishkumarv
Contributor

Created ‎06-08-2017 03:46 PM

@Matt Clarke Thanks ton you are my saviour 🙂

1,974 Views
0 Kudos

avatar
author-rank Schandhok author-rank
Rising Star

Created ‎06-08-2017 02:18 PM

@Anishkumar Valsalam You would need to do identity mappings for the users. Set the following parameters in your NiFi conf and restart NiFi.

nifi.security.identity.mapping.pattern.dn =^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?), DC=(.*?)$
nifi.security.identity.mapping.value.dn = $1

You can read following Knowledge articles for more details.

https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po....

1,974 Views
0 Kudos

avatar
author-rank Anishkumarv
Contributor

Created ‎06-08-2017 03:47 PM

Thanks for the useful link 🙂 it worked.

1,974 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements