Understanding the Ranger authorization process for CFM

When you select Ranger during the installation process, Ranger will be used for NiFi and NiFi Registry authorization. A set of predefined access policies at the controller level and component level will be available for you to assign to users.

When Ranger is selected, the NiFi and NiFi Registry CSD scripts perform the following steps:
  • Create a new repository/service in Ranger to store policies for the given NiFi or NiFi Registry instance. Each instance appears on the Ranger UI with a unique name in the following format: <CM cluster name>_nifi or <CM cluster name>_nifiregistry.

    Example: myCFMcluster_nifi

  • Create policies for the following Initial Admin Identity and Initial Admin Groups:
    • For NiFi: nifi.initial.admin.identity and nifi.initial.admin.groups
    • For NiFi Registry: nifi.registry.initial.admin.identity and nifi.registry.initial.admin.groups
  • Create policies for proxies specified by nifi.proxy.group or nifi.registry.proxy.group.

Each authorizers.xml file produced in NiFi and NiFi Registry when using Ranger, contains the following logical configuration:

  • CompositeConfigurableUserGroupProvider
    • FileUserGroupProvider
    • CMUserGroupProvider
  • RangerAuthorizer
    • Configured with CompositeConfigurableUserGroupProvider
The CMUserGroupProvider has the following purposes:
  • Obtain the NiFi node identities (and Knox identity if present) from Cloudera Manager.
  • Associate the NiFi node identities with a group.
The group associated with the identities is used as the proxy group that is placed in the Ranger policy for the/proxy resource.