nifi-users mailing list archives

From Nicholas Hughes <nicholasmhughes.n...@gmail.com>
Subject Re: NiFi w/ Ranger and AD
Date Mon, 28 Nov 2016 00:40:20 GMT
This won't matter very soon with the impending release that will fix this
issue, but just so it's recorded somewhere...

I tried setting up UserSync in Ranger to pull in the distinguishedName from
Active Directory since that is what was passed by NiFi. Unfortunately,
there are two problems with that...

First, UserSync brings the DN in from AD with capital letters in the field
names (CN=,OU=,DC=) while NiFi is passing them as lowercase (cn=,ou=,dc=).
This causes the access request to fail to match any policies due to the
case mismatch. I manually converted the case in the Ranger MySQL DB as a
workaround.

Second, any policies created which contain the DN user names (or any other
names containing commas) will not be able to be edited after the initial
creation. This is due to how Ranger is encoding the URL when accessing the
Ranger API. A ticket has been created for this issue [1], but I don't think
it'll get much priority since there was a comment about not having commas
in user names.

Does anybody know how long it's likely to take for the 1.1.0 release (once
completed) to get rolled into HDF? I'd rather not have to hack up NiFi in
an HDF install in order to take advantage of the fix for sAMAccountNames
[2] that's in that release.

-Nick

[1] - https://issues.apache.org/jira/browse/RANGER-1224
[2] - https://issues.apache.org/jira/browse/NIFI-3020

On Mon, Nov 14, 2016 at 10:59 AM, Joe Witt <joe.witt@gmail.com> wrote:

> Nick - there does appear to be agreement with your finding.  Take a
> look here https://issues.apache.org/jira/browse/NIFI-3020
>
> On Mon, Nov 14, 2016 at 10:57 AM, Nicholas Hughes
> <nicholasmhughes.nifi@gmail.com> wrote:
> > Has anyone implemented Apache NiFi with authentication against Microsoft
> > Active Directory and Apache Ranger for authorization (also using AD
> > accounts)?
> >
> > The authentication works as expected and UserSync works properly in Ranger,
> > but I think NiFi and Ranger might not be on the same page when it comes
> > to the expected username format.
> >
> > I can type in my AD sAMAccountName and password at the NiFi login screen,
> > and authentication is successful. Additionally, Ranger is set to sync users
> > from AD using the sAMAccountName and that seems to work fine. However,
> > authorization fails with an "Unable to perform the desired action due to
> > insufficient permissions. Contact the system administrator." error. I
> > decoded the JWT from the user log, and the payload looks like:
> >
> > {
> >   "sub": "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com",
> >   "iss": "LdapProvider",
> >   "aud": "LdapProvider",
> >   "preferred_username": "Nick Hughes",
> >   "kid": 1,
> >   "exp": 1479180675,
> >   "iat": 1479137475
> > }
> >
> > I suspect that authorization isn't working since the usernames in Ranger are
> > the short sAMAccountName (nhughes for example) while the JWT has the CN and
> > DN in the token. Totally guessing, so feel free to set me straight...
> >
> > Anyone have any experience here? I saw some posts on the Internet regarding
> > Ranger with LDAP, but there may be some idiosyncrasies with AD.
> >
> > Thanks!
> >
> > -Nick
> >
>
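The case mismatch Nick describes (NiFi emitting `cn=,ou=,dc=` in the JWT `sub` while Ranger UserSync stores `CN=,OU=,DC=`) is a DN comparison problem: RFC 4514 attribute types are case-insensitive, so a policy engine that compares the raw strings will miss. The following is an added example, not code from NiFi, Ranger or this thread, showing a normalising comparison that folds only the attribute types and also splits on unescaped commas so that a `\,` inside a value (the second problem in the thread) does not break the RDN boundaries. The DNs used are constructed from the thread.

```python
# Added example (not from the thread): compare the DN NiFi puts in the JWT
# "sub" claim with the DN Ranger UserSync pulled from Active Directory.
# Attribute types (cn, ou, dc) are case-insensitive per RFC 4514 and are
# lowercased; attribute values are left untouched because their matching
# rule depends on the attribute's syntax. Sample DNs are constructed.

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; a backslash escapes the next char."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn: str) -> str:
    """Lowercase each RDN's attribute type and trim whitespace around '=' and ','."""
    parts = []
    for rdn in split_rdns(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def dn_matches(jwt_sub: str, synced_user: str) -> bool:
    """True when the NiFi JWT subject and the Ranger-synced user name denote the same DN."""
    return normalize_dn(jwt_sub) == normalize_dn(synced_user)


if __name__ == "__main__":
    # Constructed values mirroring the thread: NiFi lowercase, UserSync uppercase.
    nifi_sub = "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com"
    ranger_user = "CN=Nick Hughes,OU=Users,OU=Accounts,DC=example,DC=com"
    print(dn_matches(nifi_sub, ranger_user))  # True once attribute types are folded
    print(split_rdns(r"cn=Hughes\, Nick,ou=Users"))  # escaped comma kept inside the CN value
```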
