Configuring Ranger for NiFi

If your cluster contains Ranger, you need to configure the Ranger service and create the required Ranger policies for NiFi before starting the NiFi service. This process involves setting an Initial Admin Identity, creating marker files, and configuring the necessary policies.

  1. Go to Cloudera Manager > Clusters.
  2. Select NiFi.
  3. Go to the Configuration tab.
  4. Search for the RANGER Service configuration and enable it.
  5. Modify the ranger.plugin.nifi.service.name property to match the new Ranger service name.
  6. Search for the Initial Admin Identity configuration property.

    If the property is blank, set it to a user identity (for example, nifiUser). If a value already exists, take note of it and use that identity in subsequent steps.

  7. In the Ranger WebUI, go to Settings > Users/Groups/Roles > Add New User.
  8. Add the Initial Admin Identity user (for example, nifiUser) with the admin role and assign it to the nifi group.
  9. Confirm that NiFi is in a stopped state.

    The Create Marker File and Create First Run File actions can only be executed when the NiFi service is not running. These actions will be greyed out in the Cloudera Manager UI until NiFi is stopped.

  10. On the Cloudera Manager UI, go to NiFi service settings.
  11. Click on Actions > Create Marker File.
  12. Click on Actions > Create First Run File.

    After executing these actions, 7 default policies should be created for the NiFi service in the Ranger WebUI.

  13. Click on Actions > Create required NiFi objects.

    This action creates the remaining policies for NiFi in Ranger. After this action completes, a total of 11 predefined policies will be present. For details about these predefined policies, see Predefined Ranger access policies for Apache NiFi.
  14. Verify that all required policies exist in Ranger WebUI > Access Manager > Resource Based Policies > cluster_nifi.

    If any policies are missing, you can create them manually by clicking Add New Policy.

  15. Add the TLS certificate Subject string from each NiFi host to the /proxy policy.
    1. To obtain the Subject string, run the following command on each NiFi host:
      openssl x509 -in <pem_file> -noout -text
    2. Alternatively, if NiFi fails to start, you can retrieve the Subject string from Ranger WebUI > Audit.

      Find the denial event for the NiFi service. The Subject string will be displayed in the User column.

    3. In the Ranger WebUI, navigate to the /proxy policy and add the entire Subject string to the Users section.
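The Subject string extraction in step 15 and the policy verification in step 14, as an added example that is not part of this documentation: Python that turns the `openssl x509 -noout -text` output into the identity string and reports which NiFi hosts the /proxy policy does not yet list. It assumes NiFi renders the identity the way Java renders a DN (most-specific attribute first, `, ` separated) and that the policy list comes from Ranger's public API endpoint `/service/public/v2/api/policy?serviceName=cluster_nifi`; the openssl output and policy JSON are constructed samples, and the rendered identity should be confirmed against the User column of the Ranger Audit denial event described above.

```python
# Added example, not part of the Cloudera documentation. Assumption (confirm against
# the User column of the Ranger Audit denial event, as the procedure describes):
# NiFi presents a certificate identity the way Java renders a DN, most-specific
# attribute first with ", " separators, e.g. "CN=host, OU=NIFI, O=Example, C=US".
import json
import re
import subprocess

# Constructed sample of `openssl x509 -noout -text` output: OpenSSL prints the DN
# in certificate order, may put spaces around '=', and escapes a comma in a value.
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Subject: C = US, O = Example\\, Inc, OU = NIFI, CN = nifi-1.example.com
"""
# Constructed sample of the policy list Ranger returns for the assumed endpoint
# GET /service/public/v2/api/policy?serviceName=cluster_nifi
SAMPLE_POLICIES = json.dumps([{
    "name": "proxy", "resources": {"nifi-resource": {"values": ["/proxy"]}},
    "policyItems": [{"users": ["CN=nifi-2.example.com, OU=NIFI, O=Example\\, Inc, C=US"]}],
}])


def subject_from_openssl_text(text: str) -> str:
    """Convert the openssl Subject line into the Java-style DN string."""
    m = re.search(r"^\s*Subject:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Subject line in openssl output")
    # Split on unescaped commas only, so 'Example\, Inc' stays one value.
    rdns = [r.strip().replace(" = ", "=") for r in re.split(r"(?<!\\),", m.group(1))]
    return ", ".join(reversed(rdns))


def identity_from_pem(pem_path: str) -> str:
    """Run the procedure's openssl command on one host's PEM file."""
    proc = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True)
    return subject_from_openssl_text(proc.stdout)


def missing_proxy_identities(policies_json: str, identities: list) -> list:
    """Return the identities that no policy item on the /proxy resource grants."""
    granted = set()
    for policy in json.loads(policies_json):
        values = policy.get("resources", {}).get("nifi-resource", {}).get("values", [])
        if "/proxy" in values:
            for item in policy.get("policyItems", []):
                granted.update(item.get("users", []))
    return [i for i in identities if i not in granted]


if __name__ == "__main__":
    ident = subject_from_openssl_text(SAMPLE_OPENSSL_TEXT)
    print("host identity:", ident)
    print("missing from /proxy:", missing_proxy_identities(SAMPLE_POLICIES, [ident]))
```

On a real cluster, replace the sample text with `identity_from_pem(path)` for each host's PEM and the sample JSON with the policy list fetched from Ranger Admin.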