Understanding the Ranger Authorization Process for CFM
Selecting Ranger as a dependency during installation indicates that Ranger must be used for NiFi and NiFi Registry authorization.
When Ranger is selected, the NiFi and NiFi Registry CSD scripts perform the following steps:
- Create a new repository/service in Ranger to store policies for the given NiFi or NiFi Registry instance. Each instance appears on the Ranger UI with a unique name in the following format: <CM cluster name>_nifi or <CM cluster name>_nifiregistry.
  Example: myCFMcluster_nifi
- Create policies for the following Initial Admin Identity and Initial Admin Groups:
  - For NiFi: nifi.initial.admin.identity and nifi.initial.admin.groups
  - For NiFi Registry: nifi.registry.initial.admin.identity and nifi.registry.initial.admin.groups
- Create policies for proxies specified by nifi.proxy.group or nifi.registry.proxy.group.
Each authorizers.xml file produced in NiFi and NiFi Registry when using Ranger contains the following logical configuration:
- CompositeConfigurableUserGroupProvider
  - FileUserGroupProvider
  - CMUserGroupProvider
- RangerAuthorizer
  - Configured with CompositeConfigurableUserGroupProvider
The CMUserGroupProvider has the following purposes:
- Obtain the NiFi node identities (and Knox identity if present) from Cloudera Manager.
- Associate the NiFi node identities with a group.
The group associated with the identities is used as the proxy group that is placed in the Ranger policy for the /proxy resource.
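To confirm that a generated authorizers.xml actually follows the logical configuration listed above, the following added example (not part of the Cloudera documentation or the CSD scripts) parses the file and reports any break in the provider chain. It assumes the standard NiFi layout of `userGroupProvider` and `authorizer` elements with `identifier`, `class` and `property` children, and it matches on the simple class names as this page spells them; the package names, identifiers and property names in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Package names, identifiers and property names are
# placeholders; only the simple class names are taken from the page.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-ugp</identifier><class>placeholder.FileUserGroupProvider</class>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>cm-ugp</identifier><class>placeholder.CMUserGroupProvider</class>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-ugp</identifier><class>placeholder.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-ugp</property>
    <property name="User Group Provider 1">cm-ugp</property>
  </userGroupProvider>
  <authorizer>
    <identifier>ranger-authorizer</identifier><class>placeholder.RangerAuthorizer</class>
    <property name="User Group Provider">composite-ugp</property>
  </authorizer>
</authorizers>"""

def entries(root, tag):
    """Map simple class name -> (identifier, set of non-empty property values)."""
    out = {}
    for el in root.findall(tag):
        cls = (el.findtext("class") or "").strip().rsplit(".", 1)[-1]
        refs = {p.text.strip() for p in el.findall("property") if p.text and p.text.strip()}
        out[cls] = ((el.findtext("identifier") or "").strip(), refs)
    return out

NONE = ("", set())

def audit(xml_text):
    """Return deviations from the provider chain the page describes."""
    root = ET.fromstring(xml_text)
    ugp, authz = entries(root, "userGroupProvider"), entries(root, "authorizer")
    comp_id, comp_refs = ugp.get("CompositeConfigurableUserGroupProvider", NONE)
    problems = [] if comp_id else ["no CompositeConfigurableUserGroupProvider"]
    for member in ("FileUserGroupProvider", "CMUserGroupProvider"):
        if ugp.get(member, NONE)[0] not in comp_refs:
            problems.append(f"{member} missing or not in composite provider")
    if comp_id not in authz.get("RangerAuthorizer", NONE)[1]:
        problems.append("RangerAuthorizer missing or not using composite provider")
    return problems
```

An empty list from `audit()` means the Ranger authorizer resolves users and groups through the composite provider, which in turn includes both the file-based and the Cloudera Manager providers. If a deployed file uses different class names, adjust the names the function looks up.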