Creating the Ranger Plugin for HDF Services
Also available as:
PDF

Establish Communication Between NiFi Registry and Ranger

In order for NiFi Registry to communicate with Ranger over SSL, and Ranger to communicate with NiFi Registry over SSL, certificates must be imported from the Ranger host to NiFi Registry and from NiFi Registry to the Ranger host. In this article, same keystore and truststore are used to secure Ranger in order to communicate with NiFi Registry. You can also generate additional keystores and truststores that are dedicated solely to NiFi Registry communication.

  1. Create certificate files from the Ranger keystore by using the following command:
    {java.home}/bin/keytool -export -keystore {ranger.keystore.file} -alias {ranger.keystore.alias} -file {ranger.cert.filename}

    For example, use /usr/jdk64/jdk1.8.0_77/bin/keytool -export -keystore /etc/security/certs/ranger/ranger-admin-keystore.jks -alias rangeradmin -file /etc/security/certs/ranger/ranger-admin-trust.cer

  2. Import the Ranger server certificate into the NiFi Registry truststore, so that NiFi Registry can access Ranger through HTTPS, by using the following command:

    {java.home}/bin/keytool -import -file {ranger.cert.filename} -alias {ranger.keystore.alias} -keystore {nifi-registry.truststore} -storepass {nifi-registry.truststore.password}

  3. Create certificate files for import into the Ranger truststore.
    • If NiFi Certificate Authority is in use, a certificate from the CA can be generated and imported into the Ranger truststore by using the following steps:
      1. Export NiFi CA certificate, so that other component can import and trust it, by using the following command: {java.home}/bin/keytool -export -keystore {nifi-ca.keystore.file} -alias {nifi-ca.keystore-alias} -file {nifi-ca-cert.filename}

        This is required for Ranger. Exporting this certificate once is enough if NiFi and NiFi Registry use the same NiFi CA.

      2. Import the NiFi CA certificate into the truststore of Ranger by using the following command: {java.home}/bin/keytool -import -file {nifi-ca.cert.filename} -alias {nifi-ca.keystore.alias} -keystore {ranger.truststore.file} -storepass {ranger.truststore.password}

        You need to import each certificate that you generate. Remember that any duplicate alias might need to be changed using changealias command before importing new ones. This is required for Ranger. Exporting this certificate once is enough if NiFi and NiFi Registry use the same NiFi CA.

    • If you use an external CA or self-signed certificates and provide manual keystores and truststores for NiFi Registry, then perform the following steps:
      1. Create a certificate file from the NiFi Registry keystore by using the following command: {java.home}/bin/keytool -export -keystore {nifi-registry.keystore.file} -alias {nifi-registry.keystore-alias} -file {nifi-registry.cert.filename}
      2. Import the certificate file into the Ranger truststore by using the following command: {java.home}/bin/keytool -import -file {nifi-registry.cert.filename} -alias {nifi-registry.keystore.alias} -keystore {ranger.truststore} -storepass {ranger.truststore.password}
    Note
    Note
    Truststore used by Ranger might be default truststore cacerts file located in {java_home}/jre/lib/security/cacerts.