Missing NiFi and NiFi Registry groups

NiFi and NiFi Registry groups do not show up in Ranger after adding NiFi to the cluster. You can troubleshoot this issue.

Issue
Although users are created in Ranger, the expected nifi and nifiregistry groups are not created automatically. NiFi service startup then fails because the default policies cannot be created in Ranger.
Cause
The root cause of the issue is that the Ranger Usersync service is configured to use LDAP synchronization for users and groups instead of the default Unix-based synchronization. This prevents Ranger from syncing the local service-level groups nifi and nifiregistry, which exist on the operating system but not in the LDAP directory. As a result, Ranger does not recognize these required groups during NiFi default policy creation, and policy creation fails with an error about the missing groups.
Remedy
Perform the following steps to fix this issue:
  1. Identify that Ranger Usersync is configured for LDAP user/group sync, which excludes local OS service users/groups.

  2. Change the setting Source for Syncing User and Groups in the Ranger Usersync configuration from org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder to org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.

  3. Restart the Ranger Usersync service to apply the configuration change.

  4. Validate that the missing nifi and nifiregistry groups are now synced and visible in Ranger.

  5. Delete the existing NiFi policy repository from the Ranger UI to clear stale configurations.

  6. Restart the cloudera-scm-server service.

  7. Restart the Cloudera management service from the Cloudera Manager UI.

  8. Restart NiFi services sequentially and confirm that they start successfully and create default policies in Ranger automatically.

  9. Revert Ranger Usersync configuration to the original LDAP sync if desired after confirming groups are synced properly.

  10. Back up the Ranger database before making changes as a precaution.

  11. Optionally, apply the ranger.py script fix in the NiFi CSD jar to avoid a KeyError during policy updates.
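
The check behind steps 1 and 4 can be scripted. The following is an added example, not Cloudera's or the NiFi CSD's own code: it reads the Usersync sync source from ranger-ugsync-site.xml text, compares the host's local groups with the group names seen in Ranger, and states why each required group is or is not present. The property name ranger.usersync.source.impl.class, the function names, and all sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED_GROUPS = ("nifi", "nifiregistry")
# Assumption: property name behind "Source for Syncing User and Groups".
SOURCE_PROPERTY = "ranger.usersync.source.impl.class"
UNIX_BUILDER = "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder"
LDAP_BUILDER = "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder"

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_SITE = f"""<configuration>
  <property><name>{SOURCE_PROPERTY}</name><value>{LDAP_BUILDER}</value></property>
</configuration>"""
SAMPLE_ETC_GROUP = "root:x:0:\nnifi:x:985:\nnifiregistry:x:984:\n"
SAMPLE_RANGER_GROUPS = {"hadoop", "analysts"}  # names visible in the Ranger UI

def sync_source(site_xml):
    """Return the configured sync source class, or None if the property is unset."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == SOURCE_PROPERTY:
            return (prop.findtext("value") or "").strip() or None
    return None

def local_groups(etc_group_text):
    """Parse /etc/group-format text (name:passwd:gid:members) into group names."""
    return {ln.split(":", 1)[0] for ln in etc_group_text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def diagnose(site_xml, etc_group_text, ranger_groups):
    """Classify each required group: synced, absent on the host, or skipped by sync."""
    source = sync_source(site_xml)
    # The page describes Unix sync as the default, so an unset property counts as Unix.
    unix_sync = source in (None, UNIX_BUILDER)
    on_host = local_groups(etc_group_text)
    findings = {}
    for group in REQUIRED_GROUPS:
        if group in ranger_groups:
            findings[group] = "synced"
        elif group not in on_host:
            findings[group] = "missing on host"
        elif unix_sync:
            findings[group] = "pending next Usersync run"
        else:
            findings[group] = "local group skipped by non-Unix sync source"
    return findings

if __name__ == "__main__":
    for name, state in diagnose(SAMPLE_SITE, SAMPLE_ETC_GROUP, SAMPLE_RANGER_GROUPS).items():
        print(f"{name}: {state}")
```

A result of "missing on host" means switching the sync source will not help until the OS group itself exists.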