Use Ranger in NiFi

After the Ranger NiFi plugin is activated, access to NiFi Server and NiFi Registry is denied for all users, including the NiFi administrator specified in NiFi Initial Admin when authentication was configured in the NiFi service.

An attempt to log in as NiFi Initial Admin returns a message that there is no configured policy for the user.

User authorization error
NOTE
  • This article describes authorization using SSL-enabled ADPS with self-signed SSL certificates. In this setup, users in Ranger must be created manually. To automatically synchronize with Active Directory users, you should configure LDAP on ADPS.

  • For more information on authorization in NiFi using Ranger, see the article NiFi Plugin.

  • All sensitive values for the NiFi Server and NiFi Registry components are replaced with encrypted values in the configuration files. For more information about data encryption, see the article Encryption of NiFi configuration parameters.

Set an authorization policy in NiFi Server

Authorize NiFi Initial Admin in NiFi Server

To authorize NiFi Initial Admin, do the following:

  1. Create a user in Ranger. To do this, in the top menu of the Ranger interface, select Settings → Users/Groups/Roles and click Add new user.

    Creating a user in Ranger
  2. In the window that opens, fill in the required data for the user:

    • User Name — username.

      The name must match the username in the Active Directory database. The value can be:

      • full DN of the user when setting the value of the Identity Strategy configuration parameter of the LDAP Login Identity Provider group to USE_DN;

      • only login (name) of the user when setting Identity Strategy to USE_USERNAME.

    • New Password — user password.

    • Password Confirm — user password confirmation.

    • First Name — first name of the user.

    • Last Name — last name of the user.

    • Email Address — user’s email address.

    • Select Role — user role selection (Admin, User). This is a required field.

    • Group — select the group/groups the user belongs to.

      Creating a user in Ranger
  3. Click Save.

  4. In the Service Manager window, click on the name of the NiFi service.

    Go to the created policy service
  5. In the List of Policies window that opens, click the edit icon for the created all policy.

    Go to editing the authorization policy
  6. In the policy editing window that opens, in the Allow Conditions → Select User table, select the NiFi Initial Admin user created above.

    Adding a user to an access policy
  7. Click Save at the bottom of the page.

    As a result, the NiFi Initial Admin user is assigned full rights.

After the access policy is set, it becomes possible to log in to the NiFi Server user interface as NiFi Initial Admin. The Users and Policies items are missing from the global menu of the interface, because user authorization is now configured only in Ranger.

After logging in as NiFi Initial Admin

New user authorization

It is possible to assign access policies to Active Directory users located in the User Search Base specified in the parameter configuration step of the NiFi service.

To do this:

  1. Create a new user as described above.

  2. In the List of Policies window that opens, click Add new policy to add a new policy for the user.

    Creating an authorization policy
  3. In the Create Policy window that opens, fill in the required fields in the Policy Details section:

    • Policy Name — policy name. This name cannot be duplicated for the same service in the system. This field is required.

    • Policy Label — provides the following features:

      • Allows the user to group policy sets using one or more labels.

      • User can search policies by label names. You can search both on the list of policies page and on the report page.

      • Helps the user to export/import policies. If the user needs to export a specific set of policies, they can find the policy label and export the specific set of policies.

    • normal/override — specifies the override policy. If override is selected, the permissions in the policy override the permissions in existing policies.

    • NiFi Resource Identifier — the resource the policy applies to. Wildcards are allowed, for example /data/* to read and write to the /data/* resource that is being shared with NiFi nodes.

    • Audit Logging — determines if a particular policy will be audited.

    • Description — the purpose of the policy. This field is optional.

  4. In the Allow Condition section of the Create Policy window, fill in the required fields:

    • Select Role — the role this policy applies to. A role is a set of permissions. Roles are an easier way to manage a set of permissions based on specific access criteria.

    • Select Group — the group this policy applies to. To promote a user to an administrator, select the Delegate Admin check box. Administrators can edit or delete a policy and create child policies. A public group contains all users, so granting access to a public group gives access to all users.

    • Select User — the user this policy applies to (outside the group already specified). You can make the user an administrator of this policy. Administrators can create child policies based on existing policies.

    • Permissions — adds or removes permissions:

      • Write — permission to make changes in the NiFi interface.

      • Read — permission to read data in the NiFi interface.

    • Delegate Admin — assigns admin privileges to users or groups specified in the policy.

    • Policy Conditions — by clicking + under Add conditions you can add additional conditions.

      NOTE
      The conditions are applied in the order specified in the policy. The condition at the beginning of the list is applied first, then the second, third, and so on.
  5. Click Add.

    Create Policy window
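
The Create Policy fields above map onto the JSON policy object used by Ranger's REST API. The sketch below is an added example, not ADS or Ranger project code: it builds that object and flags grants worth a second look before saving (the public group, Delegate Admin, override, disabled audit, a user name whose form does not match Identity Strategy). Assumptions: the service, policy and user names are placeholders, the `nifi-resource` key and `READ`/`WRITE` access types follow Ranger's NiFi service definition, and the DN check is a simple heuristic.

```python
import json

def build_nifi_policy(service, name, resource, users=(), groups=(), perms=("READ",),
                      delegate_admin=False, override=False, audit=True,
                      labels=(), description=""):
    """Build the JSON body for a Ranger NiFi policy from the Create Policy fields."""
    return {
        "service": service,                      # Ranger service name (placeholder)
        "name": name,                            # Policy Name, unique per service
        "policyType": 0,                         # 0 = access policy
        "policyPriority": 1 if override else 0,  # normal/override
        "policyLabels": list(labels),            # Policy Label
        "description": description,
        "isAuditEnabled": audit,                 # Audit Logging
        "isEnabled": True,
        "resources": {"nifi-resource": {"values": [resource],
                                        "isExcludes": False, "isRecursive": False}},
        "policyItems": [{                        # one Allow Conditions row
            "users": list(users), "groups": list(groups), "roles": [],
            "accesses": [{"type": p, "isAllowed": True} for p in perms],
            "delegateAdmin": delegate_admin,
        }],
    }

def review_policy(policy, identity_strategy="USE_USERNAME"):
    """Return findings a reviewer would raise before saving the policy."""
    findings = []
    if not policy["isAuditEnabled"]:
        findings.append("audit logging disabled")
    if policy["policyPriority"] == 1:
        findings.append("override policy: supersedes existing policies")
    for item in policy["policyItems"]:
        if "public" in item["groups"]:
            findings.append("granted to 'public': applies to all users")
        if item["delegateAdmin"]:
            findings.append("delegate admin: grantees can edit this policy")
        for user in item["users"]:
            looks_like_dn = "=" in user and "," in user  # heuristic, not a DN parser
            if looks_like_dn != (identity_strategy == "USE_DN"):
                findings.append(f"user '{user}' does not match {identity_strategy}")
    return findings

# Constructed sample values; service, user and policy names are placeholders.
read_only = build_nifi_policy("nifi_service", "data-read", "/data/*", users=["jdoe"])
risky = build_nifi_policy("nifi_service", "data-all", "/data/*", groups=["public"],
                          users=["CN=jdoe,OU=Users,DC=example,DC=com"],
                          perms=("READ", "WRITE"), delegate_admin=True, audit=False)

if __name__ == "__main__":
    print(json.dumps(read_only, indent=2))
    print(review_policy(read_only), review_policy(risky), sep="\n")
```

A user name that fails the Identity Strategy check is the usual reason a saved policy still produces the "no configured policy" message at login: Ranger matches the identity string NiFi presents, so a login name in the policy does not match a DN from NiFi, or the reverse.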

Work of an authorized user in NiFi

After Ranger is activated and an authorization policy is set up for the user, the user works in the NiFi Server interface according to the assigned access policy. For example, for a user assigned only the Read permission, the toolbar is inactive, and the user can only view canvas elements without changing settings.

Authorized user without rights to change parameters

Configure an authorization policy in NiFi Registry

Authorize NiFi Initial Admin in NiFi Registry

To authorize NiFi Initial Admin in NiFi Registry, do the following:

  1. In the Service Manager window, click on the name of the NiFi Registry service.

    Go to the created policy service
  2. In the List of Policies window that opens, click the edit icon for the created all policy.

    Go to editing the authorization policy
  3. In the policy editing window that opens, in the Allow Conditions → Select User table, select the NiFi Initial Admin user created above.

    Adding a user to an access policy
  4. Click Save at the bottom of the page.

    As a result, the NiFi Initial Admin user is assigned full rights.

After the access policy is set, it becomes possible to log in to the NiFi Registry user interface as NiFi Initial Admin. There is no Users tab in the settings menu, because user authorization is now configured only in Ranger.

Authorizing a new user and creating a policy in the NiFi Registry policy service is similar to NiFi Server. Users can be given the following permissions in the Allow Conditions → Permissions table:

  • Write — permission to make changes to thread groups in the NiFi Registry interface.

  • Read — permission to read stream data in the NiFi Registry interface.

  • Delete — permission to delete threads.

After Ranger is activated and an authorization policy is set up for the user, the user works in the NiFi Registry interface according to the assigned access policy.
