nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: NiFi w/ Ranger and AD
Date Mon, 28 Nov 2016 02:37:08 GMT
Hey Nick,

I believe Ranger's user sync has an identity transform capability [1] that
can perform certain transformations to the identity string. So in
ranger-ugsync-site.xml you can have:

<property>
  <name>ranger.usersync.mapping.username.regex.1</name>
  <value>s/regex/replacement/g</value>
</property>

I've only used this with a file as the source of users/groups, but I would
imagine it works the same for LDAP since all of Ranger's user sync code
is shared regardless of the source, and you can have more than one of them
with a unique id at the end of the name.

You might be able to combine that with NiFi's identity transform [2] to
come up with something that gives you what you are looking for.

-Bryan

[1] https://issues.apache.org/jira/browse/RANGER-684
[2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties#L152-L160



On Sun, Nov 27, 2016 at 5:56 PM, Joe Witt <joe.witt@gmail.com> wrote:

> Nick
>
> Thanks for documenting those findings.  Will definitely help in
> resolving it in a more consistent manner.
>
> As for the release of any vendor specific distributions of NiFi you'll
> want to connect directly with that vendor for those sorts of
> questions.
>
> Thanks
> Joe
>
> On Sun, Nov 27, 2016 at 7:40 PM, Nicholas Hughes
> <nicholasmhughes.nifi@gmail.com> wrote:
> > This won't matter very soon with the impending release that will fix this
> > issue, but just so it's recorded somewhere...
> >
> > I tried setting up UserSync in Ranger to pull in the distinguishedName from
> > Active Directory since that is what was passed by NiFi. Unfortunately, there
> > are two problems with that...
> >
> > First, UserSync brings the DN in from AD with capital letters in the field
> > names (CN=,OU=,DC=) while NiFi is passing them as lowercase (cn=,ou=,dc=).
> > This causes the access request to fail to match any policies due to the case
> > mismatch. I manually converted the case in the Ranger MySQL DB as a
> > workaround.
> >
> > Second, any policies created which contain the DN user names (or any other
> > names containing commas) will not be able to be edited after the initial
> > creation. This is due to how Ranger is encoding the URL when accessing the
> > Ranger API. A ticket has been created for this issue [1], but I don't think
> > it'll get much priority since there was a comment about not having commas in
> > user names.
> >
> > Does anybody know how long it's likely to take for the 1.1.0 release (once
> > completed) to get rolled into HDF? I'd rather not have to hack up NiFi in an
> > HDF install in order to take advantage of the fix for sAMAccountNames [2]
> > that's in that release.
> >
> > -Nick
> >
> > [1] - https://issues.apache.org/jira/browse/RANGER-1224
> > [2] - https://issues.apache.org/jira/browse/NIFI-3020
> >
> > On Mon, Nov 14, 2016 at 10:59 AM, Joe Witt <joe.witt@gmail.com> wrote:
> >>
> >> Nick - there does appear to be agreement with your finding.  Take a
> >> look here https://issues.apache.org/jira/browse/NIFI-3020
> >>
> >> On Mon, Nov 14, 2016 at 10:57 AM, Nicholas Hughes
> >> <nicholasmhughes.nifi@gmail.com> wrote:
> >> > Has anyone implemented Apache NiFi with authentication against Microsoft
> >> > Active Directory and Apache Ranger for authorization (also using AD
> >> > accounts)?
> >> >
> >> > The authentication works as expected and UserSync works properly in Ranger,
> >> > but I think NiFi and Ranger might not be on the same page when it comes
> >> > to the expected username format.
> >> >
> >> > I can type in my AD sAMAccountName and password at the NiFi login screen,
> >> > and authentication is successful. Additionally, Ranger is set to sync users
> >> > from AD using the sAMAccountName and that seems to work fine. However,
> >> > authorization fails with an "Unable to perform the desired action due to
> >> > insufficient permissions. Contact the system administrator." error. I
> >> > decoded the JWT from the user log, and the payload looks like:
> >> >
> >> > {
> >> >   "sub": "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com",
> >> >   "iss": "LdapProvider",
> >> >   "aud": "LdapProvider",
> >> >   "preferred_username": "Nick Hughes",
> >> >   "kid": 1,
> >> >   "exp": 1479180675,
> >> >   "iat": 1479137475
> >> > }
> >> >
> >> > I suspect that authorization isn't working since the usernames in Ranger
> >> > are the short sAMAccountName (nhughes for example) while the JWT has the
> >> > CN and DN in the token. Totally guessing, so feel free to set me straight...
> >> >
> >> > Anyone have any experience here? I saw some posts on the Internet regarding
> >> > Ranger with LDAP, but there may be some idiosyncrasies with AD.
> >> >
> >> > Thanks!
> >> >
> >> > -Nick
> >> >
> >
> >
>

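Added example (not code from this thread, from NiFi or from Ranger) showing how the two transforms Bryan points at could be lined up on the DN in Nick's JWT, and why the raw values in Nick's first finding never match: the NiFi and Ranger property names are the real ones, while the regex values, the sed-style rule parsing and the sample DNs are assumptions constructed for this example.

```python
import re

# Constructed sample values modelled on the thread: the DN NiFi placed in the
# JWT "sub" claim, and the same entry's DN as Ranger UserSync pulls it from AD.
NIFI_JWT_SUB = "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com"
RANGER_SYNCED_DN = "CN=Nick Hughes,OU=Users,OU=Accounts,DC=example,DC=com"

# nifi.security.identity.mapping.pattern.dn / .value.dn: real property names,
# hypothetical values chosen to keep only the CN of the DN above.
NIFI_PATTERN = r"^cn=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$"
NIFI_VALUE = "$1"

# ranger-ugsync-site.xml rules (hypothetical values), applied in numeric order.
RANGER_RULES = {
    "ranger.usersync.mapping.username.regex.1": "s/,.*$//g",  # keep first RDN
    "ranger.usersync.mapping.username.regex.2": "s/^CN=//g",  # drop "CN="
}


def nifi_map_identity(identity, pattern=NIFI_PATTERN, value=NIFI_VALUE):
    """Emulate NiFi's identity mapping: if the whole identity matches the
    pattern, return the value with $1..$n replaced by the captured groups;
    otherwise the identity passes through unchanged."""
    m = re.fullmatch(pattern, identity)
    if not m:
        return identity
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)


def ranger_transform(name, rules=RANGER_RULES):
    """Emulate Ranger UserSync's s/regex/replacement/flags rules in suffix
    order. Sed-style parsing with Python regex semantics (no escaped slashes)
    is an assumption of this example, not Ranger's own code."""
    for key in sorted(rules, key=lambda k: int(k.rsplit(".", 1)[1])):
        m = re.fullmatch(r"s/(.*?)/(.*?)/(g?)", rules[key])
        if not m:
            raise ValueError(f"unparseable rule {key}: {rules[key]}")
        regex, repl, flag = m.groups()
        name = re.sub(regex, repl, name, count=0 if flag else 1)
    return name


def case_only_mismatch(a, b):
    """Nick's first finding: identities differing only in attribute-name case
    are not equal strings, so the request matches no Ranger policy."""
    return a != b and a.lower() == b.lower()


def resolve_identities():
    """Identity as NiFi presents it vs. username as Ranger stores it."""
    return nifi_map_identity(NIFI_JWT_SUB), ranger_transform(RANGER_SYNCED_DN)
```

With both transforms in place the two sides agree on "Nick Hughes"; without them the only difference between the raw strings is the case of cn/ou/dc, which is exactly the mismatch Nick patched by hand in the Ranger database.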