Creating the Ranger Plugin for HDF Services

Deployment Scenarios for NiFi Registry Ranger Plugin

To integrate secured NiFi Registry and Ranger environments using Ambari, you might need to update or change settings based on your deployment scenario.

Scenario Notes
Installing an HDF Cluster
  • To use the NiFi Registry Ranger plugin, you must update the value of the Ranger audit service users property to {default_ranger_audit_users}, nifiregistry in the Advanced infra-solr-security-json section for the Infra Solr service. This enables NiFi Registry to write audit logs to Solr.
  • To configure Ranger policies for NiFi Registry, ensure the following:

    - NiFi node users must have all permissions for /proxy.

    - NiFi node users must have read and write permissions for the target bucket, or for /buckets to allow all buckets. For example, a bucket resource identifier looks like: /buckets/a4651561-e36f-4dca-8216-330d97043195.

Upgrading an HDF Cluster
  • Before executing the upgrade mpack command, you must stop the Ambari Server.

  • You must update the Template for authorizers.xml property in the Advanced nifi-registry-authorizers-env section. If you do not update the template and enable the NiFi Registry Ranger plugin, NiFi Registry fails to start with the following error message: org.apache.nifi.registry.security.authorization.AuthorizerFactoryException: The specified authorizer 'ranger-authorizer' could not be found.

  • If Kerberos is enabled in your cluster, you need to generate additional keytabs for the NiFi Registry service. For instructions on generating keytabs in Ambari, see https://docs.cloudera.com/HDPDocuments/Ambari-2.6.2.2/bk_ambari-operations/content/how_to_regenerate_keytabs.html.

Installing HDF Services on an Existing HDP Cluster
  • By default, the NiFi Registry Ranger Plugin toggle does not appear in the Ranger > CONFIGS > RANGER PLUGIN tab. You need to enable it in the Advanced ranger-nifi-registry-plugin-properties section on the NiFi Registry > CONFIGS tab. Go to the specified location and select the Enable Ranger for NiFi Registry checkbox.

  • Set the value of the Authentication property to SSL in the Advanced ranger-nifi-registry-plugin-properties section so that Ranger can access NiFi Registry. This is required because the HDP Ranger service advisor is not updated when you install HDF services on an existing HDP cluster.
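
The following is an added example, not part of the original documentation, that checks a list of Ranger policies against the /proxy and bucket requirements listed under Installing an HDF Cluster. The resource key `nifi-registry-resource`, the access type names (with "all permissions" taken as READ, WRITE and DELETE), the policy JSON shape and the node user names are assumptions. Only exact resource matches and user-level allow items are evaluated.

```python
# Added example: audit exported Ranger policies against the documented requirements.
# Assumed (not from the page): resource key, access type names, export JSON shape.
RESOURCE_KEY = "nifi-registry-resource"
ALL_ACCESS = {"READ", "WRITE", "DELETE"}
BUCKET_ACCESS = {"READ", "WRITE"}

def granted(policies, user, resource):
    """Access types that enabled policies allow `user` on exactly `resource`."""
    types = set()
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue
        values = policy.get("resources", {}).get(RESOURCE_KEY, {}).get("values", [])
        if resource not in values:
            continue
        for item in policy.get("policyItems", []):
            if user in item.get("users", []):
                types |= {a["type"].upper() for a in item.get("accesses", [])
                          if a.get("isAllowed")}
    return types

def check_node_user(policies, user, bucket_id):
    """Return the documented requirements that `user` does not meet."""
    problems = []
    missing = ALL_ACCESS - granted(policies, user, "/proxy")
    if missing:
        problems.append("/proxy: missing " + ", ".join(sorted(missing)))
    target = "/buckets/" + bucket_id
    if not any(BUCKET_ACCESS <= granted(policies, user, r) for r in (target, "/buckets")):
        problems.append("no READ and WRITE on " + target + " or /buckets")
    return problems

def allow(resource, users, types, enabled=True):
    """Build one constructed policy in the assumed export shape."""
    return {"isEnabled": enabled,
            "resources": {RESOURCE_KEY: {"values": [resource]}},
            "policyItems": [{"users": users,
                             "accesses": [{"type": t, "isAllowed": True} for t in types]}]}

# Constructed sample: hypothetical node identities; the bucket id is the page's example.
BUCKET = "a4651561-e36f-4dca-8216-330d97043195"
SAMPLE = [
    allow("/proxy", ["nifi-node1", "nifi-node2"], ["READ", "WRITE", "DELETE"]),
    allow("/buckets/" + BUCKET, ["nifi-node1"], ["READ", "WRITE"]),
    allow("/buckets", ["nifi-node2"], ["READ"]),  # WRITE missing
    allow("/buckets", ["nifi-node2"], ["READ", "WRITE"], enabled=False),  # disabled, ignored
]

if __name__ == "__main__":
    for node in ("nifi-node1", "nifi-node2", "nifi-node3"):
        print(node, check_node_user(SAMPLE, node, BUCKET) or "OK")
```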