Security

Configuring NiFi to Use Ranger for Managing Group Based Access Policies

About This Task

You can configure NiFi to use Ranger to manage one or more external group-based access policies. You can perform the configuration either in the NiFi authorizers.xml file or in Ambari Configs.

Before You Begin

  • You are running LDAP.

  • You are using Ranger’s user sync to pull LDAP users and groups into Ranger and you have defined your group based access policies in Ranger.

  • You are already using Ranger based authorization in NiFi/HDF, and you want to take advantage of group based access policies.

Steps for Configuration using the NiFi authorizers.xml file

  1. Open the NiFi authorizers.xml file, located in the NiFi conf directory.

  2. Define a User Group Provider (userGroupProvider) to bind to the same LDAP instance with which Ranger is configured.

    For example:

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">ANONYMOUS</property>

        <property name="Manager DN"></property>
        <property name="Manager Password"></property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:10389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base">ou=Users,dc=local</property>
        <property name="User Object Class">posixAccount</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute">cn</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">ou=Groups,dc=local</property>
        <property name="Group Object Class">posixGroup</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">memberUid</property>
        <property name="Group Member Attribute - Referenced User Attribute">uid</property>
    </userGroupProvider>
    Note

    Ensure that the LDAP configuration you have set for Ranger is also set up for NiFi.

  3. Update the ranger-provider information:

    • Update the Ranger provider class name.

    • Add a user group provider property, referencing the user group provider you defined in Step 2.

    For example:

    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class> <!-- UPDATE CLASS NAME -->
        <property name="User Group Provider">ldap-user-group-provider</property> <!-- REFERENCE USER GROUP PROVIDER from Step 2 -->
        <property name="Ranger Audit Config Path">…</property>
        <property name="Ranger Security Config Path">…</property>
        <property name="Ranger Service Type">…</property>
        <property name="Ranger Application Id">…</property>
        <property name="Ranger Admin Identity">…</property>
    </authorizer>
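
One way to check the edited file, as an added example that is not part of the original page or of the NiFi or Ranger projects: it verifies that the Ranger authorizer uses the managed class and that its User Group Provider property matches a defined provider identifier, and it goes beyond the steps above by flagging the anonymous bind and the non-TLS ldap:// URL used in the example provider. The helper names (`text`, `props`, `check_authorizers`) and the trimmed sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MANAGED = "org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer"
# Constructed sample: authorizers.xml trimmed to the properties checked below.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">ANONYMOUS</property>
    <property name="Url">ldap://localhost:10389</property>
  </userGroupProvider>
  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
  </authorizer>
</authorizers>"""

def text(elem, tag):
    return (elem.findtext(tag) or "").strip()

def props(elem):
    """Map property name -> stripped value for one element."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def check_authorizers(xml_text):
    """Return findings (hypothetical helper); an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    providers = {text(u, "identifier"): props(u) for u in root.findall("userGroupProvider")}
    findings = []
    for auth in root.findall("authorizer"):
        name, cls = text(auth, "identifier"), text(auth, "class")
        if ".ranger." not in cls:
            continue  # only the Ranger authorizer is in scope
        if cls != MANAGED:
            findings.append(f"{name}: class is not ManagedRangerAuthorizer")
        ref = props(auth).get("User Group Provider", "")
        if ref not in providers:
            findings.append(f"{name}: User Group Provider '{ref}' is not defined")
    for ident, p in providers.items():
        strategy, url = p.get("Authentication Strategy", ""), p.get("Url", "")
        if strategy == "ANONYMOUS":
            findings.append(f"{ident}: anonymous LDAP bind")
        if url.startswith("ldap://") and strategy != "START_TLS":
            findings.append(f"{ident}: {url} is not TLS-protected")
    return findings

if __name__ == "__main__":
    print("\n".join(check_authorizers(SAMPLE)) or "no findings")
```

Run against the sample, the wiring checks pass and the two findings concern the provider's LDAP connection settings.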

Steps for Configuration using Ambari Configs

  1. From the Ambari UI, go to the NiFi Configs tab.

  2. Add the authorizers.xml information you created above to the Advanced nifi-authorizers-env field.

  3. Click Save.