Ranger NiFi plugin

Prerequisites

Prerequisites for logging in to NiFi with Ranger:

  1. An ADS cluster is installed, with authentication configured for a user with an Active Directory account.

  2. An ADPS cluster is installed as described in the section Arenadata Platform Security installation.

  3. SSL (using SSL certificates or Active Directory certificates) is enabled and configured on the ADPS cluster.

  4. ADS cluster integration is enabled on the ADPS cluster.

NOTE
  • This article describes authorization with self-signed SSL certificates.

  • Minimum requirements to enable authorization in Ranger for the NiFi service:

    • ADPS version 1.0.4.b3.

    • ADS version 1.7.1.b1 (for NiFi Server) and ADS version 1.7.2.b1 (for NiFi Registry).

Establish trust over SSL

Enabling the Ranger plugin requires each cluster to trust the other’s SSL certificates.

To do this:

  1. Import the *.crt certificate of each host in one cluster into the truststore of each host in the other cluster.

    On each host where certificates are imported, run:

    $ keytool -import -file /tmp/sov-test-1.ru-central1.internal.crt -keystore /tmp/truststore.jks -storepass bigdata -noprompt
  2. On all hosts, re-import the truststore into the operating system’s Java trust store (/etc/pki/java/cacerts):

    $ keytool -importkeystore -srckeystore /tmp/truststore.jks -destkeystore /etc/pki/java/cacerts -deststorepass changeit -srcstorepass bigdata -noprompt
  3. On each host, add certificates to ca-bundle.pem with the following commands:

    $ chmod 777 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ echo "#######################" >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ cat /tmp/sov-test-1.ru-central1.internal.crt >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ chmod 444 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
NOTE

If your ADPS cluster uses Active Directory certificates to enable SSL, you should import the Active Directory root and client certificates into the truststore.jks of the ADS cluster hosts.
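
A repeat-safe variant of step 3, as an added example that is not part of the original documentation: it appends a certificate file to the bundle only when its certificates are not already there, so rerunning the procedure on a host does not duplicate entries, and `bundle_has_cert` can be run afterwards to confirm the import. The function names are hypothetical, and the sketch assumes PEM-encoded files and a bundle that is writable at the time it runs (between the two chmod commands above).

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# pem_bodies FILE: print every certificate in FILE as one line of base64.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# bundle_has_cert BUNDLE CERT: 0 if every certificate in CERT is in BUNDLE,
# 1 if at least one is missing, 2 if CERT contains no PEM certificate.
bundle_has_cert() {
    bundle_list=$(pem_bodies "$1")
    cert_list=$(pem_bodies "$2")
    [ -n "$cert_list" ] || return 2
    for body in $cert_list; do
        # -x: whole-line match, so a truncated or partial copy does not count
        printf '%s\n' "$bundle_list" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# append_cert_once BUNDLE CERT: append CERT to BUNDLE unless already present.
append_cert_once() {
    rc=0
    bundle_has_cert "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0                         # already trusted, nothing to do
    elif [ "$rc" -eq 2 ]; then
        echo "no PEM certificate found in $2" >&2
        return 2
    fi
    cat "$2" >> "$1"
}

# Stand-alone use: sh this_script.sh BUNDLE CERT
if [ "$#" -eq 2 ]; then
    append_cert_once "$1" "$2"
fi
```

A file holding several certificates, such as an Active Directory root plus client certificate, counts as present only when all of its certificates are in the bundle.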

Ranger NiFi plugin activation

To activate the Ranger NiFi plugin, do the following:

  1. Start the activation of the Ranger NiFi plugin with the service action Manage Ranger plugin, available under Actions (the green arrow icon) of the NiFi service.

    Specify Ranger Admin Identity: the DN of the ADPS host certificate that was generated when configuring SSL using self-signed certificates and imported to the host (for example, CN=sov-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RUADS). Ranger will use this DN to communicate with NiFi.

    Figure: Plugin activation

  2. Wait until the activation process of the Ranger NiFi plugin is completed and the default policy is created on the Ranger side. Analyze and correct errors if they occur.

  3. Verify that the Ranger Admin Identity property in the NiFi configuration is populated with the DN value.

    Figure: Ranger Admin Identity value

Checking the activated Ranger NiFi plugin

After you authenticate in the Ranger web interface, the authorization policy services for the NiFi service components of the selected ADS cluster appear in the Service manager window.

To view the created policies for the cluster, click on the name of the service.

Figure: Go to the created policy service

This opens the list of policies that were automatically created for the cluster servers.

To view, edit, or delete policies, use the buttons in the Action column.

Figure: Created policies for the NiFi Server component