Creating the Ranger Plugin for HDF Services

Enable NiFi Registry Ranger Plugin

Enabling the NiFi Registry Ranger plugin causes Ambari to create a service repository entry in Ranger. The entry stores the information Ranger needs to communicate with NiFi Registry and the authorized identity of the NiFi Registry that communicates with Ranger.

To enable the NiFi Registry Ranger plugin, perform the following steps from the Ambari UI:
  1. Go to Ranger > CONFIGS > RANGER PLUGIN.
  2. Switch the NiFi Registry Ranger Plugin toggle to ON, and click Save.
  3. Optional. Go to the Ranger Audit tab and, if not already enabled, switch the Audit to Solr toggle to ON.
    This displays options for entering connection properties for a Solr instance.
  4. Optional. To use with Ambari Infra (Internal SolrCloud), switch the SolrCloud toggle to ON, and click Save.
    Ambari pre-populates the ZooKeeper connection string values and credentials. If an external Solr is used, you need to provide the connection values.
  5. Go to NiFi Registry > CONFIGS > Advanced ranger-nifi-registry-plugin-properties from the Ambari UI.
    The Advanced ranger-nifi-registry-plugin-properties section stores all the information needed to support Ranger communication with NiFi Registry.
  6. Configure the following properties:
    | Properties | Description |
    |---|---|
    | Ranger repository config password | Confirm that the value is populated. The value refers to the admin password for Ranger and is set by Ambari by default. |
    | Ranger repository config user | Confirm that the value is populated. The value refers to the admin username for Ranger and is set by Ambari by default. |
    | Authentication | Enter SSL if not already populated by Ambari. It informs Ranger that NiFi Registry is running with SSL. |
    | Keystore for Ranger Service Accessing NiFi Registry | Enter the keystore filename with location path that Ranger uses for SSL communications with NiFi Registry. This corresponds to the keystore used to generate a certificate that you created when establishing communication between Ranger and NiFi Registry. |
    | Keystore password | Enter the password for the keystore. |
    | Keystore Type | Enter the keystore type. For example, enter JKS. |
    | Truststore for Ranger Service Accessing NiFi Registry | Enter the filename with location path of the truststore for the Ranger service. |
    | Truststore password | Enter the password for the truststore. |
    | Truststore Type | Enter the truststore type. For example, enter JKS. |
    | Owner for Certificate | Enter the identity (Distinguished Name or DN) of the certificate used by Ranger. |
    | Policy user for NiFi Registry | Confirm that the value is populated as nifiregistry. |
    | Enable Ranger for NiFi Registry | Confirm that the checkbox is enabled. |
  7. Go to Advanced ranger-nifi-registry-policymgr-ssl.
    This section stores the information NiFi Registry uses to communicate with the secured Ranger service.
  8. Configure the following properties:
    | Properties | Description |
    |---|---|
    | owner.for.certificate | Enter the identity (Distinguished Name or DN) of the NiFi Registry that communicates with Ranger. This value is not required if Kerberos is enabled on HDF. |
    | xasecure.policymgr.clientssl.keystore | Enter the keystore location and filename that NiFi Registry uses to communicate with Ranger. This keystore reference must be the same file used to create and import a certificate into Ranger. |
    | xasecure.policymgr.clientssl.keystore.credential.file | This value is populated by default and is used by the plugin to generate a file to store credential information. No change to this value is required. |
    | xasecure.policymgr.clientssl.truststore | Enter the truststore location and filename that NiFi Registry uses to communicate with Ranger. |
    | xasecure.policymgr.clientssl.truststore.credential.file | This value is populated by default and is used by the plugin to generate a file to store credential information. No change to this value is required. |
    | xasecure.policymgr.clientssl.truststore.password | Enter the password for the provided truststore file. |
  9. Go to Advanced ranger-nifi-registry-security and review the following properties:
    | Properties | Description |
    |---|---|
    | ranger.plugin.nifi-registry.policy.rest.ssl.config.file | Check whether it is set to ranger-policymgr-ssl.xml. |
    | ranger.plugin.nifi-registry.policy.rest.url | Check whether it refers to the Ambari variable for the Ranger service, {{policy_mgr_url}}. |
  10. Go to Advanced ranger-nifi-registry-audit and review the following properties:
    | Properties | Description |
    |---|---|
    | Audit to SOLR | Check whether it is enabled. |
    | xasecure.audit.destination.solr.urls | Check the status of the property. This property remains empty when xasecure.audit.destination.solr.zookeepers is populated. |
    | xasecure.audit.destination.solr.zookeepers | Check whether it is enabled and matches the connection string. |
    | xasecure.audit.is.enabled | Check whether it is set to true. |
  11. Save all NiFi Registry configuration changes.
  12. Restart all required services and ensure that Ambari indicates that the services have been restarted successfully.
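
The review in steps 9 and 10 can be scripted. The following is an added example, not part of the original documentation or of Ambari or Ranger: it assumes the property values as shown in Ambari have been exported into a Hadoop-style `<configuration>` XML document, and the sample values and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real cluster); it deliberately sets both
# Solr URLs and ZooKeepers so that the review reports one finding.
SAMPLE_XML = """<configuration>
  <property><name>ranger.plugin.nifi-registry.policy.rest.ssl.config.file</name>
            <value>ranger-policymgr-ssl.xml</value></property>
  <property><name>ranger.plugin.nifi-registry.policy.rest.url</name>
            <value>{{policy_mgr_url}}</value></property>
  <property><name>xasecure.audit.is.enabled</name><value>true</value></property>
  <property><name>xasecure.audit.destination.solr.urls</name>
            <value>http://solr.example.test:8886/solr/ranger_audits</value></property>
  <property><name>xasecure.audit.destination.solr.zookeepers</name>
            <value>zk1.example.test:2181/infra-solr</value></property>
</configuration>"""

def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def review(props):
    """Return a list of findings for the checks listed in steps 9 and 10."""
    findings = []
    ssl_file = props.get("ranger.plugin.nifi-registry.policy.rest.ssl.config.file", "")
    # Accept a bare filename or a full path ending in the expected file.
    if ssl_file.rsplit("/", 1)[-1] != "ranger-policymgr-ssl.xml":
        findings.append("policy.rest.ssl.config.file is not ranger-policymgr-ssl.xml")
    if props.get("ranger.plugin.nifi-registry.policy.rest.url", "") != "{{policy_mgr_url}}":
        findings.append("policy.rest.url does not refer to {{policy_mgr_url}}")
    if props.get("xasecure.audit.is.enabled", "").lower() != "true":
        findings.append("xasecure.audit.is.enabled is not true")
    urls = props.get("xasecure.audit.destination.solr.urls", "")
    zookeepers = props.get("xasecure.audit.destination.solr.zookeepers", "")
    if zookeepers and urls:
        findings.append("solr.urls should be empty when solr.zookeepers is populated")
    if not zookeepers and not urls:
        findings.append("no Solr audit destination: urls and zookeepers both empty")
    return findings

if __name__ == "__main__":
    for finding in review(load_properties(SAMPLE_XML)):
        print("FINDING:", finding)
```

An empty result from `review` means the properties match the expectations in steps 9 and 10; a missing audit destination matters because access decisions would then go unrecorded.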