
Trying to integrate Apache Nifi with Apache Ranger gives: Unable to retrieve any resources using given parameters. Status Code = 401

Rising Star

I have been trying to integrate Nifi with Apache Ranger. When I manually configure policies in Ranger for Nifi the policies are fetched by Nifi and authorization works fine. But when I try to define the service definition and test the connection it is giving the following error.

pacman_1-1694966395073.png

The configuration in service definition is shown below.

 

pacman_2-1694966453709.png

pacman_3-1694966492341.png

pacman_5-1694966617120.png

The authentication in nifi is setup by following this article.

Note: Only Nifi is setup in SSL mode. Apache Ranger doesn't have SSL mode.

What could be the possible reason this is happening?

 

Rising Star

Looks like my issue is with specifying policy.download.auth.users as nifi. I was integrating the plugin following this article. I skipped step 7:

  • Give user and group ownership with nifi process user and set permission 400 to files ranger-nifi-audit.xml and ranger-nifi-security.xml

I tried adding a new user nifi and group nifi in my Ubuntu and permission 400 and ownership to nifi user for files ranger-nifi-audit.xml and ranger-nifi-security.xml. But still it's throwing 401.

Update:

I modified the bootstrap.conf file in Nifi to update the run.as property to nifi and other users as well. But still there isn't any effect.

@MattWho  @bbende  any thoughts on this?

Rising Star

@MattWho the 401 issue was a silly issue with specifying truststore instead of keystore and vice versa. But now it is throwing an SSL Handshake exception as below.

pacman_0-1695101522365.png

 

Since both nifi and ranger are running on my local machine I configured the same truststore and keystore for both.

Update: 

Not sure what is wrong with the SSL certs I created using OpenSSL, but when I create certificates with the nifi toolkit the exception has gone. Now it's throwing 403.
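Added example, not part of the original thread: a small check for the keystore/truststore mix-up described in the post above, run over the text that `keytool -list -keystore <file>` prints. The two listings, the aliases and the function names are constructed for illustration.

```python
import re

# Entry lines in `keytool -list` output look like:
#   "nifi-key, Sep 18, 2023, PrivateKeyEntry,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*\b"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)

# Constructed sample listings (fingerprints replaced by placeholders).
KEYSTORE_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

nifi-key, Sep 18, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""
TRUSTSTORE_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

nifi-ca, Sep 18, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""

def entry_kinds(listing):
    """Map each alias in a `keytool -list` listing to its entry kind."""
    kinds = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kinds[m.group("alias").strip()] = m.group("kind")
    return kinds

def check_role(role, listing):
    """Return problems found for a store configured as 'keystore' or 'truststore'."""
    kinds = set(entry_kinds(listing).values())
    problems = []
    if role == "keystore" and "PrivateKeyEntry" not in kinds:
        problems.append("keystore: no PrivateKeyEntry, no client certificate to present")
    if role == "truststore":
        if "trustedCertEntry" not in kinds:
            problems.append("truststore: no trustedCertEntry")
        if "PrivateKeyEntry" in kinds:
            problems.append("truststore: holds a private key, likely the keystore file")
    return problems
```

An empty list from `check_role` for both roles means each file at least has the entry type its role needs; it does not validate the certificate chain itself.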

Rising Star

Thank you @MattWho for your valuable insights. Integrations are working fine now. But before we end this thread I have a few more questions that you can possibly answer.

1) Currently I have configured an SSL user and users from LDAP. When logging in browser during loading nifi the first option that comes in is sign in with the SSL user. Is there a way to disable it?

2) Currently I have added the SSL user as initial admin identity, then removed excessive permissions from authorizations.xml. 

Are there any best practices for achieving both?

Also I don't think apart from /flow other resource access are working properly. I added the resource paths for creating processors but doesn't seem to work.

Super Mentor

@pacman

1. There is no way to disable TLS. If you remove your TLS certificate from your browser or use an incognito window your client certificate will not be presented in the TLS exchange. NiFi requires TLS certificate authentication for NiFi to NiFi authenticated and authorized connections (for example in a multi-node NiFi cluster or utilizing NiFi Site-to-Site between different NiFi deployments). When NiFi is secured and NO other methods of authentication are configured, NiFi will "REQUIRE" a MutualTLS exchange. Once at least one additional method of authentication is configured, NiFi will "WANT" a client certificate and if one is not presented from the client, NiFi will move on to the next authentication method.

2. I am not clear what you mean by "removed excessive permissions from authorizations.xml".  If you are using Ranger, the authorizations.xml file is not being used.  That file would have been created by the file-access-policy-provider.  Ranger does not use this provider.  There really is no concept of an "initial admin" when using Ranger.  You'll need to add authorization for what you need manually in Ranger.  The "Initial Admin" is used when NiFi authorization is handled by a local file provider so that a user can be setup on startup that has ability to access NiFi and setup additional authorizations from within the NiFi UI. 

I recommend starting a new community question so we don't make this thread overly complicated by solving many unrelated issues. There are some NiFi Resource Identifiers that would only apply to file based authorization, but all others do work when used correctly.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt