Member since 10-04-2021 | 3 Posts | 0 Kudos Received | 0 Solutions
10-13-2021 05:25 AM
For your information, the file credentialbuilder*.jar is not missing. The problem is that this variable, RANGER_OZONE_PLUGIN_INSTALL_LIB, is pointing to the wrong directory:
/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313:GPLEXTRAS-7.1.6-1.gplextras7.1.6.p0.10506313/lib/ranger-ozone-plugin/install/lib
The correct directory is:
/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/ranger-ozone-plugin/install/lib
Before installing the parcel, this variable was pointing to the correct directory. I don't know why, after the GPL Extras parcel was installed, Cloudera Manager inserted some string (:GPLEXTRAS-7.1.6-1.gplextras7.1.6.p0.10506313) into the variable. I think if I could edit it from Cloudera Manager, it should resolve the issues. Any advice on how to edit this variable using Cloudera Manager?
10-05-2021 01:07 PM
Hello @edoS

Welcome to the community! NiFi provides so many options for user authentication and authorization that setting up exactly what you need can be overwhelming at times. This is certainly something Cloudera support could walk you through if you have a support contract with us that covers the NiFi service.

At a high level, here is what you need to understand about the authentication and authorization process in NiFi. Authentication happens first and must be successful before any authorization is verified. NiFi supports numerous ways to authenticate users/clients (TLS, Kerberos, LDAP, OpenID, etc.). No matter which method is used, the end result of any authentication is a user string that identifies the successfully authenticated user/client. That user string is then evaluated against the identity mappings [1] you may have configured in the nifi.properties file. These identity mappings are used to normalize the user strings, for example:
- Trim the CN from the full DN in a user/client certificate
- Trim the user name from a Kerberos principal
- Convert the user string to all uppercase or lowercase

The resulting user/client string is then passed to the authorizer to verify that the user/client is authorized for the NiFi Resource Identifier being requested. NiFi's authorizers.xml is where this configuration is set up. This file is easiest to read from the bottom up. At the bottom of the authorizers.xml you will find your authorizer, which you have set up as the "Ranger-Provider". It is important to understand how this authorizer works. NiFi runs a background thread that checks in with Ranger to see if there is a new policy definition for the NiFi service. If so, the new definition is downloaded by NiFi. What Ranger provides to NiFi in this downloaded policy definition are all the policies set up in Ranger. For each there will be the "NiFi Resource Identifier(s)" along with the user strings and group strings that have been assigned "Read" and/or "Write" permissions.

Now remember, up to this point all NiFi knows about the authenticated user is the user string. NiFi has no idea yet what groups that user string may belong to. Within the Ranger-Provider, you will find a property named "User Group Provider". The value set here tells the authorizer where to check whether the user string passed from authentication has any known user-to-group associations. Search your authorizers.xml for the configured User Group Provider [2]. There are numerous options that can be configured for determining user-to-group associations. Some of the available providers allow you to configure multiple providers. While the authorizer "ranger-provider" can only point at 1, it may point at a "composite-configurable-user-group-provider" [3], for example, that can be set up to reference multiple user-group-providers. The key here is making sure you have added 1 or more user group providers that will return all the user-to-group associations you need.

Based on the log output you shared from the nifi-user.log, we know that none of the user group providers you may have set up returned any group strings associated with your user string (identity[18330301],groups[] ). This is why "groups [ ]" is empty. The "file-user-group-provider" [4] allows you to create user string to group string associations manually via the NiFi UI directly. The commonly used "ldap-user-group-provider" [5] determines user and group associations via user and/or group syncs with LDAP/AD. Once NiFi knows what groups the authenticated user string is associated with, the user and the groups can be checked against the downloaded policies to see if the user is authorized for the action being performed or the endpoint being accessed.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-implementations
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider
[5] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,
Matt
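Added example (not from Matt's post, NiFi or Ranger): a small Python model of the flow described above, applying nifi.properties-style identity mappings (pattern/value/transform keys) to the authenticated user string, looking up groups from a user group provider, and checking user and groups against downloaded policies. The mappings, groups and policies are constructed sample data, and the DN/Kerberos patterns are assumptions modelled on the administration guide; an identity with no matching mapping and no provider entry ends up with the empty groups[] seen in the post's log line.

```python
import re

# Constructed identity mappings in the nifi.properties style (assumption: the
# pattern/value/transform keys mirror the administration guide's DN and Kerberos
# examples; "$1" refers to the first capture group, as in NiFi).
IDENTITY_MAPPINGS = {
    "dn":   {"pattern": r"^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$",
             "value": "$1", "transform": "LOWER"},
    "kerb": {"pattern": r"^(.*?)@(.*?)$", "value": "$1", "transform": "LOWER"},
}

# Constructed user group provider output (what a file- or ldap-user-group-provider
# would return for a normalized user string).
USER_GROUPS = {"nifiadmin": {"nifi-admins"}}

# Constructed Ranger-style policies: resource identifier -> permission -> user/group strings.
POLICIES = {
    "/flow": {"read": {"nifi-admins"}, "write": {"nifi-admins"}},
    "/controller": {"read": {"alice"}, "write": set()},
}


def normalize_identity(raw_identity, mappings=IDENTITY_MAPPINGS):
    """Apply the first matching identity mapping; unmatched identities pass through unchanged."""
    for mapping in mappings.values():
        match = re.match(mapping["pattern"], raw_identity)
        if not match:
            continue
        # Substitute $1, $2, ... with the corresponding capture groups.
        result = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), mapping["value"])
        transform = mapping["transform"].upper()
        if transform == "LOWER":
            return result.lower()
        if transform == "UPPER":
            return result.upper()
        return result
    return raw_identity


def authorize(raw_identity, resource, action):
    """Return (user string, groups, allowed) for one authorization decision."""
    user = normalize_identity(raw_identity)
    groups = USER_GROUPS.get(user, set())  # empty set is the "groups[]" seen in nifi-user.log
    allowed = POLICIES.get(resource, {}).get(action, set())
    return user, groups, user in allowed or bool(groups & allowed)


if __name__ == "__main__":
    dn = "CN=NiFiAdmin, OU=Ops, O=Example, L=City, ST=State, C=US"
    print(authorize(dn, "/flow", "read"))          # ('nifiadmin', {'nifi-admins'}, True)
    print(authorize("18330301", "/flow", "read"))  # ('18330301', set(), False)
```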