Posted to dev@ranger.apache.org by "Bryan Bende (JIRA)" <ji...@apache.org> on 2016/05/12 15:11:12 UTC

[jira] [Updated] (RANGER-938) Add NiFi service definition and NiFiClient

     [ https://issues.apache.org/jira/browse/RANGER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Bende updated RANGER-938:
-------------------------------
    Attachment: RANGER-938-0001.patch

Attaching the first pass of a patch for the NiFi servicedef and resource lookup.

In order to test this against a real NiFi instance, you can do the following:

Build this branch with "mvn clean install"
https://github.com/bbende/nifi/tree/NIFI-1733

The NiFi distribution will be in nifi-assembly/target; copy the tar.gz somewhere and extract it.

In order for NiFi to perform authorization it needs to be secured; this is done by configuring conf/nifi.properties to specify a certificate and truststore through the following properties...

{code}
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
{code}

Also set the web https port:

{code}
nifi.web.https.port=8443
{code}

An authorization provider needs to be configured in conf/authorizers.xml... to add Ranger as a provider, add the following configuration:

{code}
<authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
    <property name="Ranger Audit Config Path">/vagrant/stage/authorizer/ranger-nifi-audit.xml</property>
    <property name="Ranger Security Config Path">/vagrant/stage/authorizer/ranger-nifi-security.xml</property>
    <property name="Ranger Service Type">nifi</property>
    <property name="Ranger Application Id">nifi</property>
    <property name="Allow Anonymous">true</property>
    <property name="Identity Transform 1">s/[,]/_/g</property>
</authorizer>
{code}

The security xml and audit xml config files I am using came from:
https://github.com/bbende/nifi/tree/NIFI-1733/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/resources/ranger

In conf/nifi.properties enable the Ranger provider by setting:

{code}
nifi.security.user.authorizer=ranger-provider
{code}

Run bin/nifi.sh start

Navigate to https://localhost:8443/nifi

You will need a certificate loaded in your browser to authenticate, or configure NiFi to use LDAP.

To access the NiFi Web UI there would need to be two policies in Ranger, one for the "/flow" resource, and one for the root group resource which would be "/process-groups/<ID>" where the ID comes from conf/flow.xml.gz under the rootGroup element (we are working on exposing this ID).


> Add NiFi service definition and NiFiClient 
> -------------------------------------------
>
>                 Key: RANGER-938
>                 URL: https://issues.apache.org/jira/browse/RANGER-938
>             Project: Ranger
>          Issue Type: Improvement
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>            Priority: Minor
>             Fix For: 0.6.0
>
>         Attachments: RANGER-938-0001.patch
>
>
> The NiFi integration will be split into two parts...
> The first part will be the service definition and the NiFiClient to perform resource lookups against NiFi. This work will be tracked with this ticket.
> The second part is the plugin that will run in NiFi and this part will live in the NiFi codebase and is being tracked with this JIRA:
> https://issues.apache.org/jira/browse/NIFI-1733



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
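
Added example, not part of the original message or of the NiFi/Ranger code: a preflight check for the setup steps above. It confirms the listed nifi.properties keys are set, that nifi.security.user.authorizer names an identifier defined in authorizers.xml, and derives the two Ranger policy resources from flow.xml.gz. It assumes the root group ID is stored in an <id> child of the rootGroup element; the sample inputs are constructed.

```python
import gzip
import xml.etree.ElementTree as ET

# Properties the post says to set in conf/nifi.properties.
REQUIRED = ["nifi.security.keystore", "nifi.security.keystoreType",
            "nifi.security.keystorePasswd", "nifi.security.keyPasswd",
            "nifi.security.truststore", "nifi.security.truststoreType",
            "nifi.security.truststorePasswd", "nifi.web.https.port",
            "nifi.security.user.authorizer"]

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def preflight(props_text, authorizers_xml, flow_gz):
    """Return (problems, ranger_resources) for the setup in the post."""
    props = parse_properties(props_text)
    problems = [f"{k} is not set" for k in REQUIRED if not props.get(k)]
    # The selected authorizer must match an <identifier> in authorizers.xml.
    ids = {(e.text or "").strip()
           for e in ET.fromstring(authorizers_xml).iter("identifier")}
    chosen = props.get("nifi.security.user.authorizer")
    if chosen and chosen not in ids:
        problems.append(f"authorizer '{chosen}' not in authorizers.xml")
    # Assumption: the root group ID is the <id> child of <rootGroup>.
    root_id = ET.fromstring(gzip.decompress(flow_gz)).findtext(".//rootGroup/id")
    resources = ["/flow"]
    if root_id and root_id.strip():
        resources.append(f"/process-groups/{root_id.strip()}")
    else:
        problems.append("no rootGroup id in flow.xml.gz")
    return problems, resources

# Constructed sample inputs (values and the ID are made up).
SAMPLE_PROPS = "\n".join(f"{k}=x" for k in REQUIRED[:7]) + (
    "\nnifi.web.https.port=8443\nnifi.security.user.authorizer=ranger-provider\n")
SAMPLE_AUTHORIZERS = ("<authorizers><authorizer>"
                      "<identifier>ranger-provider</identifier>"
                      "</authorizer></authorizers>")
SAMPLE_FLOW_GZ = gzip.compress(
    b"<flowController><rootGroup><id>00000000-0000-0000-0000-000000000000</id>"
    b"</rootGroup></flowController>")

if __name__ == "__main__":
    print(preflight(SAMPLE_PROPS, SAMPLE_AUTHORIZERS, SAMPLE_FLOW_GZ))
```

On real files, pass the text of conf/nifi.properties, the text of conf/authorizers.xml and the raw bytes of conf/flow.xml.gz.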