Member since 12-09-2016
06-28-2017 05:33 PM
I want to set up a reporting task that exposes all flow changes (what they did, who did it) to an external system. I found this https://issues.apache.org/jira/browse/NIFI-986 which shows that some work has been done to enable this functionality, but looking at the reporting tasks in NiFi (1.2.0) it's not self-explanatory how to achieve it. Any suggestions to get started would be greatly appreciated!
Labels: Apache NiFi
03-09-2017 04:48 PM
Fairly simple issue: I have a 3-node clustered NiFi secured with the Ranger plugin (all Kerberised). I've created a very simple flow for some testing, but when I query provenance I see no results. I've added my AD principal into the default all resources policy ('*') within Ranger. I've also created an 'Administrator' policy where I've added as many combinations of permissions as I could come up with, all without any luck. Any suggestions? Thanks in advance
Labels: Apache NiFi, Apache Ranger
02-02-2017 04:08 PM
@Matt I was a bit unclear. If I attempt to authorise myself to the UI of node1 in my cluster, node2 will throw that error at that moment. The logs in node1 will show a successful authentication. Node 1 will then just happily redirect me to a generic success message page, which I can't progress past.
EDIT CLUE 2:
If I regenerate self-signed certs (not my signed certs) using the NiFi CA then log in, this message goes away!
02-02-2017 02:21 PM
I have configured Kerberos authentication, with a file-backed authorizer. NiFi is using SSL with signed certificates from a Windows domain CA, with the relevant DNs added to Node Identities. I can log in and authenticate successfully, but I seem to hit a strange redirect loop on login. I simply endlessly redirect to:
Success
You are already logged in.
With 'log out' and 'home' buttons available. If I hit home I am redirected to the same message. Despite what it's telling me it doesn't feel very successful! Any ideas? Cheers
EDIT: A bit more info:
I have a cluster of two nodes. If I authenticate to node1 my node1 nifi-user.log will show success messages, node2 will throw an error:
ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
...
Caused by: io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Likewise, if I authenticate on node2, node1 will show this error.
Labels: Apache NiFi
02-02-2017 10:37 AM
I'm trying to permission NiFi using Active Directory groups. I'm aware there is a problem using groups in AD with the NiFi-Ranger plugin, but I'm attempting to authorize using the Kerberos identity provider and the file provider within NiFi itself. Is there any way to pull in AD groups into the NiFi application, and use them to authorize access? Ideally I don't want to create static groups in NiFi that contain my principals, which are updated manually. As a fallback I was considering writing a script that generates NiFi groups based on an ldapsearch and populates them with the relevant principals.
Labels: Apache NiFi, Cloudera DataFlow (CDF)
01-21-2017 10:46 AM
Yes, all working when I changed the attribute value in the Ranger LDAPS config to use UserPrincipalName, pulling in my users named ..@NIFI.LOCAL. Policy management is working as expected! It's a shame that group permissions don't work yet, is there a work ticket I can follow its progress on?
01-20-2017 02:46 PM
More progress. I scripted up the creation of the truststores and keystores on both NiFi and Ranger so I was able to tear down and re-deploy the cluster consistently. I realised I'd made a few silly mistakes with the DNs you mentioned above. Fixing these gave me a 403 untrusted proxy, which I fixed by creating the /proxy policy for the NiFi nodes. I've now achieved: Big step! And the policies are sync'ing with 200 OKs, and I can also see an active NiFi user logging into Ranger. Seems like I'm getting close. One issue left is that my ldapsync in Ranger has populated users & groups, but these users & groups when applied to the all resources policy don't appear to take effect. I have insufficient privileges to do anything in NiFi with a user I've granted access to inside Ranger: For user oliver (oliver@NIFI.LOCAL), NiFi logs show a successful authentication, but unauthorised to access anything:
2017-01-20 14:43:11,282 INFO [NiFi Web Server-98] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for oliver@NIFI.LOCAL
2017-01-20 14:43:11,283 INFO [NiFi Web Server-98] o.a.n.w.a.c.AccessDeniedExceptionMapper oliver@NIFI.LOCAL does not have permission to access the requested resource. Returning Forbidden response.
I've set up NiFi using AD (ldaps) and Ranger using ldap (couldn't get ldaps to take). I'm not sure if that has triggered a weird issue here? Thanks again for all your help!
01-19-2017 09:21 AM
Yes, I didn't need to delete anything from the stores so I reverted that change. I think there were some issues with the key/trust stores which have been fixed, definitely making progress. I now get an explicit 403 from Ranger Service Manager > Edit Service: and nifi-user.log shows:
2017-01-19 09:11:01,627 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=ranger-1, OU=Nifi, O=GR, L=London, ST=Unknown, C=Unknown does not have permission to access the requested resource. Returning Forbidden response.
Additionally, in Ranger -> Audit -> Plugins I can see that policies are being sync'd to NiFi: As well as login attempts from NiFi to Ranger being registered: However, nothing is being shown in Audit > Access, and I still receive an error message saying that I cannot connect to Audit Store. Ranger xa_portal.log also shows a big REST error every time I venture to that tab:
2017-01-19 09:19:03,676 [http-bio-6182-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:336) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@497448d5statusCode={1} msgDesc={Error connecting to search engine} messageList={[VXMessage={org.apache.ranger.view.VXMessage@1912a8acname={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
at org.apache.ranger.solr.SolrAccessAuditsService.searchXAccessAudits(SolrAccessAuditsService.java:130)
at org.apache.ranger.biz.AssetMgr.getAccessL
Finally, my access control policies defined in Ranger for NiFi do not take effect. I have granted an AD domain account root access to NiFi; NiFi allows me to log in but tells me I have no privileges.
EDIT 1: Maybe the 'Access' error is a red herring - I haven't installed any services other than ranger, nifi, zookeeper and kerberos in the cluster. So a connection to Solr doesn't make sense?
01-18-2017 08:43 PM
I've added those outputs. I'm going to empty my NiFi truststore and reimport the Ranger certificate as I'm not sure why I have two certs in that store. Also I'll give it a more useful alias. One question I have about your guide when setting up ranger-nifi-plugin-properties. This configures the Ranger plugin sitting on the NiFi host, right? The trust and key store that they need access to, are these the Ranger's trust and key store that need to be copied from the Ranger host and distributed out to NiFi when the plugin is active? Maybe I've misunderstood that part..
01-18-2017 08:20 PM
Hi @yolanda I've added a screenshot of ranger_nifi_plugin_properties, and the ERRORs are coming from Ranger's xa_portal.log logfile. I followed the steps in 1 & 2 - I'll do a keytool -list -v -keystore on the relevant stores, which should confirm they have been correctly exported. I'll add that as EDIT 2 to the post. Thanks!