Member since
12-09-2016
21
Posts
4
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
6935 | 01-17-2017 12:31 PM |
06-28-2017
05:33 PM
I want to setup a reporting task that exposes all flow changes (whats they did, who did it), to an external system. I found this https://issues.apache.org/jira/browse/NIFI-986 Which shows that some work has been done to enable this functionality, but looking at the reporting tasks in NiFi (1.2.0) its not self explanatory how to achieve it. Any suggestion to get started would be greatly appreciated!
... View more
Labels:
- Labels:
-
Apache NiFi
03-09-2017
04:48 PM
Fairly simple issue: I have a 3 node clustered NiFi secured with the ranger plugin (all kerborised). I've created a very simple flow for some testing, but when I query provenance I see no results. I've added my AD principal into the default all resources policy ('*') within ranger. I've also created an 'Administrator' policy where I've added as many combinations of permission's I could come up with, all without any luck. Any suggestion's? Thanks in advance
... View more
Labels:
- Labels:
-
Apache NiFi
-
Apache Ranger
02-02-2017
04:08 PM
@Matt I was a bit unclear. If I attempt to authorise myself to the UI of node1 in my cluster, node2 will throw that error at that moment. The logs in node1 will show a successful authentication. Node 1 will then just happily redirect me to a generic success message page, which I can't progress pass. EDIT CLUE 2:
If I regenerate self signed certs (not my signed certs) using the NIFA CA then login this message goes away!
... View more
02-02-2017
02:21 PM
I have configured kerberos authentication, with file backed authorize. NiFi is using SSL with signed certificates from a windows domain CA, with the relevant DN's added to Node Identities. I can login, and authenticate successfully, but I seem to hit a strange redirect loop on login. I simply endlessly redirect to: Success
You are already logged in. With 'log out' and 'home' buttons available. If I hit home I am redirected to the same message. Despite what it's telling me it doesn't feel very successful! Any ideas? Cheers EDIT: A bit more info:
I have a cluster of two nodes. If I authenticate to node1 my node1 nifi-user.log will show success messages, node2 will throw an error: ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
...
Caused by: io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted. Like wise if I authenticate on node2, node1 will show this error.
... View more
Labels:
- Labels:
-
Apache NiFi
02-02-2017
10:37 AM
I'm trying to permission NiFi using Active Directory groups. I'm aware there is a problem using groups in AD with the NiFi-Ranger plugin, but I'm attempting to authorize using the Kerberos identity provider and and the file provider within NiFi itself. Is there any way to pull in AD groups into the NiFi application, and use them to authorize access? Ideally I don't want to create static groups in NiFi that contain my principals, which are updated manually. As a fallback I was considering writing a script that generates NiFi groups based on an ldapsearch and populates it with the relevant principals.
... View more
Labels:
- Labels:
-
Apache NiFi
-
Cloudera DataFlow (CDF)
01-21-2017
10:46 AM
Yes all working when I changed the attribute value in ranger LDAPS config to use UserPrincipalName, pulling in my users named ..@NIFI.LOCAL. Policy management is working as expected! It's a shame that group permissions doesn't work yet, is there a work ticket I can follow its progress on?
... View more
01-20-2017
02:46 PM
More progress. I scripted up the creation of the truststore's and keystore's on both NiFi and Ranger so I was able to tear down and re-deploy the cluster consistently. I realised I'd made a few silly mistakes with the DN's you mentioned above. Fixing these gave me a 403 untrusted proxy, which I fixed by creating the /proxy policy for the nifi nodes. I've now achieved: Big step! And the policies are sync'ing with 200 OK's, as well as I can see active nifi user logging into Ranger. Seem's like I'm getting close. One issue left, is that my ldapsync in ranger has populated users & groups, but these users & groups when applied to the all resources policy don't appear to take effect. I have insufficient privileges to do anything in NiFi with a user I've granted access to inside Ranger: For user oliver (oliver@NIFI,LOCAL), NiFi logs show a successful authentication, but unauthorised to access anything: 2017-01-20 14:43:11,282 INFO [NiFi Web Server-98] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for oliver@NIFI.LOCAL
2017-01-20 14:43:11,283 INFO [NiFi Web Server-98] o.a.n.w.a.c.AccessDeniedExceptionMapper oliver@NIFI.LOCAL does not have permission to access the requested resource. Returning Forbidden response.
I've setup NiFi using AD (ldaps) and Ranger using ldap (couldn't get ldaps to take). I'm not sure if that has triggered a weird issue here? Thanks again for all your help!
... View more
01-19-2017
09:21 AM
Yes I didn't need to delete anything from the stores so I reverted that change. I think there was some issues with the key/trust stores which have been fixed, definitely making progress. I now get an explicit 403 from ranger Service Manager > Edit Service: and nifi-user.log shows: 2017-01-19 09:11:01,627 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=ranger-1, OU=Nifi, O=GR, L=London, ST=Unknown, C=Unknown does not have permission to access the requested resource. Returning Forbidden response. Additionally, in Ranger -> Audit -> Plugins I can see that policies are being sync'd to NiFi: As well as login attempts from NiFi to Ranger being registered: However, nothing is being shown in Audit > Access, and I still receive an error message saying that I cannot connect to Audit Store. Ranger xa_portal.log also shows a big REST error every time I venture to that tab: 2017-01-19 09:19:03,676 [http-bio-6182-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:336) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@497448d5statusCode={1} msgDesc={Error connecting to search engine} messageList={[VXMessage={org.apache.ranger.view.VXMessage@1912a8acname={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
at org.apache.ranger.solr.SolrAccessAuditsService.searchXAccessAudits(SolrAccessAuditsService.java:130)
at org.apache.ranger.biz.AssetMgr.getAccessL
Finally, my access control policies defined in ranger for NiFi do not take effect, I have granted an AD domain account root access to NiFi, NiFi allows me to login in but tells me I have no privileges. EDIT 1: Maybe the 'Access' error is a red herring - I haven't installed any services other than ranger, nifi, zookeeper and kerberos in the cluster. So a connection to Solr doesn't make sense?
... View more
01-18-2017
08:43 PM
I've added those outputs. I'm going to empty my NiFi truststore and reimport the ranger certificate as I'm not sure why I have two certs in that store. Also I'll give it a more useful alias. One question I have about your guide when setting up ranger-nifi-plugin-properties. This configures the ranger plugin sitting on the NiFi host right? The trust and key store that they need access to, are these the rangers trust and key store that need to be copied from the ranger host and distributed out to NiFi when the plugin is active? Maybe I've misunderstood that part..
... View more
01-18-2017
08:20 PM
Hi @yolanda I've added a screen shot of ranger_nifi_plugin_properties, and the ERROR's are coming from ranger's xa_portal.log logfile. I followed the steps in 1 & 2 - I'll do a keytool -list -v -keystore on the relevant stores, which should confirm they have been correctly exported. I'll add that as EDIT 2 to the post. Thanks!
... View more