
How to enable LDAP Group Authorization for NiFi in Ranger?

New Contributor

Users in a group are not authorized to access the NiFi UI if a policy is defined for an LDAP group in Ranger. Specifying the user works without any issues.


Super Guru

Is there a question here?

This is currently a known limitation in the way groups work between NiFi and Ranger. When NiFi is using an external authorizer it only knows the user's identity string and defers everything else to the external authorizer (Ranger), but Ranger needs systems to pass the user's groups on the authorization request so that it can evaluate the request with the groups against the local policy cache.

Explorer

Why can't Ranger query the LDAP to know a user's group....? Why would it expect group info to be passed? A Lazy Ranger, Indeed. @Bryan Bende @Balaji Ganesula

This support should be added on the NiFi side. I think this is already in the plan for the next HDF release, and see that the items below are already in the NiFi repo.

https://issues.apache.org/jira/browse/NIFI-3653

https://issues.apache.org/jira/browse/NIFI-4032

Guru

Just wanted to close the loop on this issue, as LDAP-group-based policies are supported. This functionality is in NiFi 1.4.0 and HDF 3.1.1 (NiFi 1.5.0 component):

https://docs.hortonworks.com/HDPDocuments/HDF3/HDF-3.1.1/bk_security/content/ch05s04.html
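
For readers landing on this thread, a sketch of the NiFi-side `authorizers.xml` that makes group policies work in NiFi 1.4.0 and later (an added example, not part of any reply above and not copied from the linked documentation). The class and property names are those of NiFi's `LdapUserGroupProvider` and `ManagedRangerAuthorizer`; every host, DN, path, password and identifier value is a placeholder assumption.

```xml
<!-- authorizers.xml (NiFi 1.4.0+). All hosts, DNs, paths and identifiers are placeholders. -->
<authorizers>
    <!-- NiFi syncs users and groups from LDAP so it knows each user's group membership. -->
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">cn=nifi-bind,ou=service,dc=example,dc=com</property>
        <property name="Manager Password">CHANGE_ME</property>
        <property name="TLS - Truststore">/path/to/truststore.jks</property>
        <property name="TLS - Truststore Password">CHANGE_ME</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="Url">ldaps://ldap.example.com:636</property>
        <property name="Sync Interval">30 mins</property>
        <property name="User Search Base">ou=people,dc=example,dc=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Identity Attribute">uid</property>
        <property name="Group Search Base">ou=groups,dc=example,dc=com</property>
        <property name="Group Object Class">groupOfNames</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
    </userGroupProvider>

    <!-- Ranger authorizer that resolves the user's groups from the provider above
         and passes them along with each authorization request. -->
    <authorizer>
        <identifier>ranger-authorizer</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Ranger Audit Config Path">/path/to/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">/path/to/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Ranger Admin Identity">CN=ranger-admin, OU=NIFI</property>
        <property name="Ranger Kerberos Enabled">false</property>
    </authorizer>
</authorizers>
```

Point `nifi.security.user.authorizer` in `nifi.properties` at the authorizer's identifier. The group names NiFi reads from LDAP must match the group names Ranger holds from its own user sync exactly, otherwise a group policy still will not apply.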