Ranger NiFi plugin

Prerequisites

Prerequisites for logging in to NiFi with Ranger:

  1. The ADS cluster is installed with authentication configured for a user with an Active Directory account.

  2. The ADPS cluster is installed.

  3. SSL (using SSL certificates or Active Directory certificates) is enabled and configured on the ADPS cluster.

  4. ADS cluster integration is enabled on the ADPS cluster.

NOTE
  • This article describes authorization with self-signed SSL certificates.

  • Minimum requirements to enable authorization in Ranger for NiFi service:

    • ADPS version 1.0.4.b3.

    • ADS version 1.7.1.b1 (for NiFi Server) and ADS version 1.7.2.b1 (for NiFi Registry).

Establish trust over SSL

Enabling the Ranger plugin requires each cluster to trust the other’s SSL certificates.

To do this:

  1. Import the certificate *.crt of each host in one cluster into the truststore of each host in the other cluster.

    On each host where certificates are imported, run:

    $ keytool -import -file /tmp/sov-test-1.ru-central1.internal.crt -keystore /tmp/truststore.jks -storepass bigdata -noprompt

  2. On all hosts, re-import the truststore into the operating system’s trust store:

    $ keytool -importkeystore -srckeystore /tmp/truststore.jks -destkeystore /etc/pki/java/cacerts -deststorepass changeit -srcstorepass bigdata -noprompt

  3. On each host, add certificates to ca-bundle.pem with the following commands (the file is made writable for its owner only while the certificate is appended, then returned to read-only):

    $ chmod 644 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ echo "#######################" >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ cat /tmp/sov-test-1.ru-central1.internal.crt >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ chmod 444 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem

NOTE

If your ADPS cluster uses Active Directory certificates to enable SSL, you should import the Active Directory root and client certificates into the truststore.jks of the ADS cluster hosts.
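
A re-runnable form of step 3, as an added example that is not part of the original article: it compares the base64 bodies of the certificates, appends a certificate only when the bundle does not already contain it, and opens the bundle for writing by its owner only. The function names and the sample files written by make_samples are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.

# Print each certificate in a PEM file as one line of whitespace-free base64.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# bundle_has_cert BUNDLE CERT -> 0: all certs in CERT are in BUNDLE,
# 1: at least one is missing, 2: CERT holds no PEM certificate.
bundle_has_cert() {
    want=$(pem_bodies "$2") || return 2
    [ -n "$want" ] || return 2
    have=$(pem_bodies "$1") || return 1
    printf '%s\n' "$want" | (
        while IFS= read -r body; do
            printf '%s\n' "$have" | grep -qxF -- "$body" || exit 1
        done
    )
}

# append_cert_once BUNDLE CERT: step 3 of the procedure, safe to re-run.
append_cert_once() {
    rc=0
    bundle_has_cert "$1" "$2" || rc=$?
    case $rc in
        0) return 0 ;;   # already in the bundle: leave the file untouched
        2) echo "no PEM certificate found in $2" >&2; return 2 ;;
    esac
    chmod u+w "$1" || return 1     # writable by the owner only
    { echo "#######################"; cat "$2"; } >> "$1" || return 1
    chmod 444 "$1"                 # back to read-only, as in step 3
}

# Number of certificates in a file, to confirm nothing was duplicated.
cert_count() { pem_bodies "$1" | awk 'NF { n++ } END { print n + 0 }'; }

# Constructed sample data: placeholder base64, not real certificates.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQUFB' 'QkJCQg==' \
        '-----END CERTIFICATE-----' > "$1/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0NDQ0NDQ0ND' \
        '-----END CERTIFICATE-----' > "$1/host.crt"
}
```

On a cluster host, append_cert_once takes the ca-bundle.pem path from step 3 as its first argument and the host certificate file as its second.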

Activate the Ranger NiFi plugin

To activate the Ranger NiFi plugin, do the following:

  1. Initiate activation of the Ranger NiFi plugin. To do this, apply the Manage Ranger plugin action by clicking the actions icon in the Actions column of the NiFi service.

  2. In the Run an action window that opens, specify the required parameters and click Run.

    [Figure: Plugin activation]

    The required parameters are described below:

    • Desired plugin state — when the enable state is selected, the default policy for the Ranger NiFi plugin is applied in Ranger.

    • Ranger Admin Identity — DN of the ADPS host certificate that was generated when setting up SSL using self-signed certificates and imported to the host (for example, CN=sov-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RU). Ranger will use this DN to communicate with NiFi.

  3. Wait until the activation process of the Ranger NiFi plugin is completed and the default policy is created on the Ranger side. Analyze and correct errors if they occur.

  4. Verify that the Ranger Admin Identity property in the NiFi configuration is populated with the DN value.

    [Figure: Ranger Admin Identity value]

Check the activated Ranger NiFi plugin

After authorization in the Ranger web interface, the authorization policy services for the NiFi service components of the selected ADS cluster appear in the Service manager window.

To view the created policies for the cluster, click on the name of the service.

[Figure: Go to the created policy service]

The policies automatically created for the cluster servers then become available.

To view, edit, or delete policies, use the buttons in the Action column.

[Figure: Created policies for the NiFi Server component]