Understanding the Ranger authorization process for CFM
When you select Ranger during the installation of Cloudera Flow Management (CFM), Ranger is used as the authorization mechanism for both NiFi and NiFi Registry. A set of predefined access policies at the controller and component levels is created automatically so that they can be assigned to users.
How Ranger is set up during installation
- Create a new Ranger repository/service to store policies for the given NiFi or NiFi Registry instance. Each instance appears on the Ranger UI with a unique name in the following format: <CM cluster name>_nifi or <CM cluster name>_nifiregistry. Example: myCFMcluster_nifi
- Create policies for the following Initial Admin Identity and Initial Admin Groups:
  - For NiFi: nifi.initial.admin.identity and nifi.initial.admin.groups
  - For NiFi Registry: nifi.registry.initial.admin.identity and nifi.registry.initial.admin.groups
- Create policies for the proxies specified by nifi.proxy.group or nifi.registry.proxy.group.
Components in the authorizers configuration
Each NiFi and NiFi Registry authorizers.xml file contains the following logical configuration when using Ranger:
- CompositeConfigurableUserGroupProvider
  - FileUserGroupProvider
  - CMUserGroupProvider
- RangerAuthorizer
  - Configured with CompositeConfigurableUserGroupProvider
Role of CMUserGroupProvider
- Retrieve NiFi node identities (and Knox identity, if present) from Cloudera Manager
- Associate these NiFi node identities with a group
- Provide the group identity for use in Ranger policies (specifically for /proxy)
Identity mapping and hostname handling
If NiFi is configured to apply identity mapping transforms to node identities (for example, UPPER or LOWER), you must add the same transform for CMUserGroupProvider using the Hostname Identity Transform property in authorizers.xml to ensure correct identity matching.
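As an added illustration of how the components listed above nest, and of where the Hostname Identity Transform property sits, here is an authorizers.xml fragment. It is not taken from the original page or from the configuration CFM ships. The class and property names for FileUserGroupProvider, CompositeConfigurableUserGroupProvider and ManagedRangerAuthorizer are Apache NiFi's; the CMUserGroupProvider class name, the file paths and the identity values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<authorizers>
    <!-- File-backed users/groups; this is where the initial admin identity lives. -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <!-- Placeholder identity; use the value of nifi.initial.admin.identity -->
        <property name="Initial User Identity 1">CN=admin, OU=PLACEHOLDER</property>
    </userGroupProvider>

    <!-- Cloudera-specific provider: pulls NiFi node (and Knox) identities from
         Cloudera Manager and places them in a group used by the /proxy policy.
         The class name below is a placeholder; CFM supplies the real one. -->
    <userGroupProvider>
        <identifier>cm-user-group-provider</identifier>
        <class>PLACEHOLDER.CMUserGroupProvider</class>
        <!-- Must match the nifi.security.identity.mapping.transform.* value
             applied to node identities in nifi.properties (here: LOWER). -->
        <property name="Hostname Identity Transform">LOWER</property>
    </userGroupProvider>

    <!-- Composite: the file provider is the editable one, the CM provider
         is read-only and merged in. -->
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">cm-user-group-provider</property>
    </userGroupProvider>

    <!-- Ranger makes the access decisions; users and groups are resolved
         through the composite provider above. -->
    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Ranger Service Type">nifi</property>
        <!-- Ranger service name in the <CM cluster name>_nifi format -->
        <property name="Ranger Application Id">myCFMcluster_nifi</property>
        <property name="Ranger Security Config Path">./conf/ranger-nifi-security.xml</property>
        <property name="Ranger Audit Config Path">./conf/ranger-nifi-audit.xml</property>
        <property name="Ranger Kerberos Enabled">true</property>
    </authorizer>
</authorizers>
```

If the transform in nifi.properties and the Hostname Identity Transform value disagree, the node identities from Cloudera Manager will not match the identities NiFi presents, and the /proxy policy will deny the nodes.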