Ranger NiFi plugin

Prerequisites

Prerequisites for logging in to NiFi with Ranger:

  1. The ADS cluster is installed with authentication configured for a user with an Active Directory account.

  2. The ADPS cluster is installed.

  3. SSL (using SSL certificates or Active Directory certificates) is enabled and configured on the ADPS cluster.

  4. ADS cluster integration is enabled on the ADPS cluster.

NOTE
  • This article describes authorization with self-signed SSL certificates.

  • Minimum requirements to enable authorization in Ranger for NiFi service:

    • ADPS version 1.0.4.b3.

    • ADS version 1.7.1.b1 (for NiFi Server) and ADS version 1.7.2.b1 (for NiFi Registry).

Establish trust over SSL

Enabling the Ranger plugin requires each cluster to trust the other’s SSL certificates.

To do this:

  1. Import the *.crt certificate of each host in one cluster into the truststore of each host in the other cluster.

    On each host where certificates are imported, run:

    $ keytool -import -file /tmp/sov-test-1.ru-central1.internal.crt -keystore /tmp/truststore.jks -storepass bigdata -noprompt

  2. On all hosts, re-import the truststore into the operating system's Java trust store (/etc/pki/java/cacerts):

    $ keytool -importkeystore -srckeystore /tmp/truststore.jks -destkeystore /etc/pki/java/cacerts -deststorepass changeit -srcstorepass bigdata -noprompt

  3. On each host, add certificates to ca-bundle.pem with the following commands:

    $ chmod 777 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ echo "#######################" >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ cat /tmp/sov-test-1.ru-central1.internal.crt >> /etc/pki/ca-trust/extracted/pem/ca-bundle.pem
    $ chmod 444 /etc/pki/ca-trust/extracted/pem/ca-bundle.pem

NOTE

If your ADPS cluster uses Active Directory certificates to enable SSL, you should import the Active Directory root and client certificates into the truststore.jks of the ADS cluster hosts.
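
The check below is an added example, not part of the original article or the product's tooling. It confirms that step 3 left exactly one copy of the host certificate in ca-bundle.pem, that no append was truncated, and that the bundle is no longer writable by group or other after the temporary chmod 777. The function names are hypothetical, and the stand-in certificates built by fake_pem are constructed for the demo.

```python
import base64, binascii, hashlib, os, re, stat, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 of the DER bytes of each certificate block; None marks a malformed block."""
    result = []
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            result.append(hashlib.sha256(der).hexdigest())
        except binascii.Error:  # e.g. a truncated append swallowed the next BEGIN marker
            result.append(None)
    return result

def audit_bundle(cert_path, bundle_path):
    """Return a list of findings for one host certificate appended to a CA bundle."""
    wanted = pem_fingerprints(Path(cert_path).read_text(encoding="utf-8", errors="replace"))
    if len(wanted) != 1 or wanted[0] is None:
        return [f"{cert_path}: expected exactly one well-formed PEM certificate"]
    present = pem_fingerprints(Path(bundle_path).read_text(encoding="utf-8", errors="replace"))
    findings = []
    copies = present.count(wanted[0])
    if copies == 0:
        findings.append("certificate is not in the bundle")
    elif copies > 1:
        findings.append(f"certificate was appended {copies} times")
    if None in present:
        findings.append("bundle contains a malformed or truncated PEM block")
    mode = stat.S_IMODE(os.stat(bundle_path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # step 3 sets 777 until the final chmod 444
        findings.append(f"bundle left writable by group/other (mode {mode:o})")
    return findings

def fake_pem(seed):
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes."""
    b64 = base64.b64encode(hashlib.sha256(seed).digest() * 4).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # demo on constructed files, not real certificates
    with tempfile.TemporaryDirectory() as d:
        crt, bundle = os.path.join(d, "host.crt"), os.path.join(d, "ca-bundle.pem")
        Path(crt).write_text(fake_pem(b"adps-host"))
        Path(bundle).write_text(fake_pem(b"public-ca") + "#######################\n" + fake_pem(b"adps-host"))
        os.chmod(bundle, 0o777)  # state if the procedure stops before chmod 444
        print(audit_bundle(crt, bundle))
        os.chmod(bundle, 0o444)
        print(audit_bundle(crt, bundle))  # no findings
```

On a cluster host, call audit_bundle with /tmp/sov-test-1.ru-central1.internal.crt and /etc/pki/ca-trust/extracted/pem/ca-bundle.pem; an empty list means every check passed.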

Activate the Ranger NiFi plugin

To activate the Ranger NiFi plugin, do the following:

  1. Initiate activation of the Ranger NiFi plugin. To do this, apply the Manage Ranger plugin action by clicking the actions icon in the Actions column of the NiFi service.

  2. In the Run an action: Manage Ranger plugin window that opens, turn on the Active ranger plugin switch. In this window:

    • If necessary, set the name of the Ranger service to be added. If a service with the same name already exists, you can recreate it by activating the Override service policies parameter (true: the parameter is active, false: inactive). In this case, the old service is deleted and policies are regenerated for the new service. If the Override service policies parameter is inactive, the plugin connects to the existing Ranger service after activation.

    • Specify Ranger Admin Identity: the DN of the ADPS host certificate that was generated when configuring SSL with self-signed certificates and imported to the host (for example, CN=sov-test-1.ru-central1.internal, OU=AD, O=AD, L=MSK, S=MO, C=RUADS). Ranger will use this DN to communicate with NiFi.

      Plugin activation

  3. Wait until activation of the Ranger NiFi plugin completes and the default policy is created on the Ranger side. Investigate and fix any errors that occur.

  4. Verify that the Ranger Admin Identity property in the NiFi configuration is populated with the DN value.

    Ranger Admin Identity value

Check the activated Ranger NiFi plugin

After authorization in the Ranger web interface, the authorization policy services for the NiFi service components of the selected ADS cluster appear in the Service manager window.

To view the created policies for the cluster, click the name of the service.

Go to the created policy service

This opens the list of policies that were created automatically for the cluster servers.

To view, edit, or delete policies, use the buttons in the Action column.

Created policies for the NiFi Server component