Configuring NiFi to Use Ranger for Managing Group Based Access Policies
About This Task
You can configure NiFi to use Ranger to manage one or more external group based access policies. You can perform the configuration either in the NiFi authorizers.xml file or in Ambari Configs.
Before You Begin
You are running LDAP.
You are using Ranger’s user sync to pull LDAP users and groups into Ranger and you have defined your group based access policies in Ranger.
You are already using Ranger based authorization in NiFi/HDF, and you want to take advantage of group based access policies.
Steps for Configuration using the NiFi authorizers.xml file
Open the NiFi authorizers.xml file, located in the NiFi conf directory.
Define a User Group Provider (userGroupProvider) to bind to the same LDAP instance with which Ranger is configured. For example:
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">ANONYMOUS</property>
    <property name="Manager DN"></property>
    <property name="Manager Password"></property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://localhost:10389</property>
    <property name="Page Size"></property>
    <property name="Sync Interval">30 mins</property>
    <property name="User Search Base">ou=Users,dc=local</property>
    <property name="User Object Class">posixAccount</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter"></property>
    <property name="User Identity Attribute">cn</property>
    <property name="User Group Name Attribute"></property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>
    <property name="Group Search Base">ou=Groups,dc=local</property>
    <property name="Group Object Class">posixGroup</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter"></property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">memberUid</property>
    <property name="Group Member Attribute - Referenced User Attribute">uid</property>
</userGroupProvider>
Note: Ensure that the LDAP configuration you have set for Ranger is also set up for NiFi.
Update the ranger-provider information:
Update the Ranger provider class name.
Add a user group provider property, referencing the user group provider you defined in Step 1.
For example:
<authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class> <!-- UPDATE CLASS NAME -->
    <property name="User Group Provider">ldap-user-group-provider</property> <!-- REFERENCE USER GROUP PROVIDER From Step 1 -->
    <property name="Ranger Audit Config Path">…</property>
    <property name="Ranger Security Config Path">…</property>
    <property name="Ranger Service Type">…</property>
    <property name="Ranger Application Id">…</property>
    <property name="Ranger Admin Identity">…</property>
</authorizer>
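One way to check this wiring before restarting NiFi, as an added example that is not part of the original documentation: the script parses an authorizers.xml, verifies that the ranger-provider authorizer uses the managed class and references a defined user group provider, and reports when the LDAP sync is not TLS-protected. The function names and the trimmed sample file are constructed for illustration; LDAPS and START_TLS are the TLS-capable values of NiFi's Authentication Strategy property.

```python
import xml.etree.ElementTree as ET
MANAGED = "org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer"
TLS_STRATEGIES = {"LDAPS", "START_TLS"}  # NiFi LDAP strategies that encrypt the connection

# Constructed sample: the page's two fragments, trimmed, inside the <authorizers> root.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">ANONYMOUS</property>
    <property name="Url">ldap://localhost:10389</property>
  </userGroupProvider>
  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
  </authorizer>
</authorizers>"""

def text(elem, tag):
    # Trimmed text of a child element, or '' when it is missing or empty.
    return (elem.findtext(tag) or "").strip()

def props(elem):
    # Map each <property name="..."> of an element to its trimmed value.
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def check_authorizers(xml_text, authorizer_id="ranger-provider"):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    providers = {text(u, "identifier"): u for u in root.findall("userGroupProvider")}
    auth = next((a for a in root.findall("authorizer")
                 if text(a, "identifier") == authorizer_id), None)
    if auth is None:
        return [f"no authorizer with identifier {authorizer_id!r}"]
    findings = []
    if text(auth, "class") != MANAGED:
        findings.append(f"authorizer class is not {MANAGED}")
    ref = props(auth).get("User Group Provider", "")
    if ref not in providers:
        findings.append(f"User Group Provider {ref!r} does not match any userGroupProvider")
        return findings
    # Group membership drives authorization, so the sync that supplies it should be encrypted.
    strategy = props(providers[ref]).get("Authentication Strategy", "")
    if strategy not in TLS_STRATEGIES:
        findings.append(f"LDAP sync without TLS (Authentication Strategy = {strategy!r})")
    return findings

if __name__ == "__main__":
    for finding in check_authorizers(SAMPLE):
        print("FINDING:", finding)
```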
Steps for Configuration using Ambari Configs
From the Ambari UI, go to the NiFi Configs tab.
Add the authorizers.xml information you created above to the Advanced nifi-authorizers-env field.
Click Save.