Prerequisites

Installation

  • Install NiFi, configure it in SSL mode (HTTPS with client-certificate authentication) and start it.
  • Install Ranger Admin manually. Before running the Ranger setup script, set policymgr_supportedcomponents=nifi in the install.properties file. This property controls which components are visible on the Ranger Admin UI; add the names of other Ranger-supported components as required.
  • Install, configure and start Ranger Usersync.

Configure Ranger NiFi plugin

  1. Update authorizer

    • Update the authorizers.xml file under the conf directory of NiFi with the new authorizer given below (the identifier is referenced again from nifi.properties in step 8):

      <authorizer>
              <identifier>ranger-provider</identifier>
              <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
              <property name="Ranger Audit Config Path">../nifi/conf/ranger-nifi-audit.xml</property>
              <property name="Ranger Security Config Path">../nifi/conf/ranger-nifi-security.xml</property>
              <property name="Ranger Service Type">nifi</property>
              <property name="Ranger Application Id">nifi</property>
              <property name="Ranger Admin Identity"></property>
              <property name="Ranger Kerberos Enabled">false</property>
      </authorizer>


    • Properties in authorizer

      • Ranger Audit Config Path - path to the NiFi Ranger plugin audit config file (created in step 5).

      • Ranger Security Config Path - path to the NiFi Ranger plugin security config file (created in step 6).

      • Ranger Service Type - the type of the service definition in Ranger (nifi).

      • Ranger Application Id - the service name created in the Ranger Admin UI. Refer to point 2 on how to create the service.

      • Ranger Admin Identity - the DN of the certificate that Ranger Admin uses to communicate with NiFi, i.e. the DN of the key in the keystore configured on the Ranger service in step 2. NiFi uses it to authorize Ranger Admin's calls to /nifi-api/resources (the service's resource lookup); any other identity goes through the normal policy check.

      • Ranger Kerberos Enabled - set to true if Ranger Admin is Kerberos-enabled, so the plugin authenticates to it with NiFi's Kerberos credentials; otherwise false.
  2. Create service for NiFi in Ranger Admin UI

    • Service Name - nifi (must match ranger.plugin.nifi.service.name in ranger-nifi-security.xml, step 6)

    • NiFi URL - https://{nifi-host}:{nifi-port}/nifi-api/resources

    • Authentication Type - SSL

    • Keystore - value of nifi.security.keystore from nifi.properties

    • Keystore Type - jks

    • Keystore Password - value of nifi.security.keyPasswd from nifi.properties. Ranger uses this single password both to open the keystore and to read its key entry, so keep nifi.security.keystorePasswd and nifi.security.keyPasswd identical.

    • Truststore - value of nifi.security.truststore from nifi.properties

    • Truststore Type - jks

    • Truststore Password - value of nifi.security.truststorePasswd from nifi.properties

    • Under Add New Configurations, add policy.download.auth.users with the NiFi process user as its value. When Ranger Admin is Kerberos-enabled, only the users listed here are allowed to download this service's policies.
       

  3. Create policy cache directory

    • mkdir -p /etc/ranger/{service-name}/policycache

    • Change the user and group ownership of /etc/ranger/{service-name} and its policycache subdirectory to the NiFi process user. The plugin writes the downloaded policies there and falls back to the cached copy when Ranger Admin is unreachable, so the NiFi process must be able to write to it.

    • When creating the ranger-nifi-security.xml file (step 6), set the policy cache directory path in the property ranger.plugin.nifi.policy.cache.dir to /etc/ranger/{service-name}/policycache.
  4. Create spool directory

    • mkdir -p /var/log/nifi/audit/solr/spool

    • Change the ownership of the spool directory to the NiFi process user; audit events are buffered here when Solr is unavailable.

    • When creating the ranger-nifi-audit.xml file (step 5), set the spool directory path in the property xasecure.audit.destination.solr.batch.filespool.dir to /var/log/nifi/audit/solr/spool.
  5. Create NiFi Ranger plugin Audit config file

    • Create ranger-nifi-audit.xml file under conf directory of nifi

      <configuration>

        <property>
          <name>xasecure.audit.is.enabled</name>
          <value>true</value>
        </property>

        <property>
          <name>xasecure.audit.destination.solr</name>
          <value>true</value>
        </property>

        <property>
          <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
          <value>/var/log/nifi/audit/solr/spool</value>
        </property>

        <property>
          <name>xasecure.audit.destination.solr.urls</name>
          <value>NONE</value>
        </property>

        <property>
          <name>xasecure.audit.destination.solr.zookeepers</name>
          <value>z1:2181/znode</value>
        </property>

      </configuration>

    • If using standalone Solr for audits, set the xasecure.audit.destination.solr.urls property to your Solr URL(s); otherwise leave it as NONE.

    • If using SolrCloud, set the xasecure.audit.destination.solr.zookeepers property to your ZooKeeper hosts and znode; otherwise leave it as NONE. Only one of the two destination properties should point at a real endpoint.

    • If SolrCloud is Kerberos-enabled and Ranger is also Kerberos-enabled, add the properties below so the plugin logs in with NiFi's keytab before sending audits:

      • xasecure.audit.jaas.Client.option.principal - NiFi principal

      • xasecure.audit.jaas.Client.option.keyTab - NiFi keytab path

      • xasecure.audit.jaas.Client.loginModuleName - com.sun.security.auth.module.Krb5LoginModule

      • xasecure.audit.jaas.Client.loginModuleControlFlag - required

      • xasecure.audit.jaas.Client.option.useKeyTab - true

      • xasecure.audit.jaas.Client.option.storeKey - false

      • xasecure.audit.jaas.Client.option.serviceName - solr

      • xasecure.audit.destination.solr.force.use.inmemory.jaas.config - true

    • The keytab path in this file is one reason the file must be readable only by the NiFi process user (step 7).
  6. Create NiFi Ranger plugin Security config file

    • Create ranger-nifi-security.xml file under conf directory of nifi

      <configuration>
      
        <property>
          <name>ranger.plugin.nifi.policy.rest.url</name>
          <value>http://{ranger-host}:6080</value>
          <description>URL to Ranger Admin</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.service.name</name>
          <value>{service-name}</value>
          <description>Name of the Ranger service containing policies for this nifi instance</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.source.impl</name>
          <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
          <description>Class to retrieve policies from the source</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.rest.ssl.config.file</name>
          <value>ranger-policymgr-ssl.xml</value>
          <description>Path to the file containing SSL details to contact Ranger Admin</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.pollIntervalMs</name>
          <value>30000</value>
          <description>How often to poll for changes in policies?</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.cache.dir</name>
          <value>/etc/ranger/{service-name}/policycache</value>
          <description>Directory where Ranger policies are cached after successful retrieval from the source</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.rest.client.connection.timeoutMs</name>
          <value>120000</value>
          <description>RangerRestClient Connection Timeout in Milli Seconds</description>
        </property>
      
        <property>
          <name>ranger.plugin.nifi.policy.rest.client.read.timeoutMs</name>
          <value>30000</value>
          <description>RangerRestClient read Timeout in Milli Seconds</description>
        </property>
      
      </configuration>

    • If Ranger Admin is running with SSL, set ranger.plugin.nifi.policy.rest.url to https://{ranger-host}:6182 (the default Ranger HTTPS port) and point ranger.plugin.nifi.policy.rest.ssl.config.file at a ranger-policymgr-ssl.xml containing the keystore and truststore the plugin should present to Ranger Admin. The SSL config file is only consulted for an https URL.

    • ranger.plugin.nifi.policy.pollIntervalMs bounds how long a policy change takes to reach NiFi: a permission revoked in Ranger Admin stays effective on this NiFi instance until the next poll (30 seconds with the value above).


  7. Change ownership and permissions of files

    • Set user and group ownership of ranger-nifi-audit.xml and ranger-nifi-security.xml to the NiFi process user and set their permissions to 400 (owner read-only). They contain audit endpoints, keytab paths and the policy cache location, none of which other local users need to read.
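The directory and file preparation of steps 3, 4 and 7, and a check that it was done, as an added shell example (not the project's own script). It assumes the NiFi conf directory is passed in explicitly and takes an optional prefix so the same layout can be created under a scratch directory instead of the real / root; the 750 directory mode is an assumption, not something the page specifies.

```shell
#!/bin/sh
# Added example: performs steps 3, 4 and 7 of the NiFi Ranger plugin setup
# and then verifies ownership and permissions. Not part of the Ranger wiki page.
# Assumptions: the NiFi conf directory is an argument (not read from nifi.properties),
# and an optional prefix (4th argument) relocates the layout for testing.

# prepare_ranger_nifi_layout <service-name> <nifi-user> <nifi-conf-dir> [prefix]
prepare_ranger_nifi_layout() {
    service="$1"; user="$2"; conf="$3"; prefix="${4:-}"
    group=$(id -gn "$user") || return 1
    cache="$prefix/etc/ranger/$service/policycache"   # step 3: policy cache
    spool="$prefix/var/log/nifi/audit/solr/spool"     # step 4: audit spool

    mkdir -p "$cache" "$spool" || return 1
    # The plugin runs inside the NiFi JVM, so the NiFi user must own both trees.
    chown -R "$user:$group" "$prefix/etc/ranger/$service" "$spool" || return 1
    chmod 750 "$prefix/etc/ranger/$service" "$cache" "$spool" || return 1   # assumed mode

    # Step 7: the two config files are owner-read-only; refuse to continue if
    # either is missing rather than creating an empty placeholder.
    for f in ranger-nifi-audit.xml ranger-nifi-security.xml; do
        [ -f "$conf/$f" ] || { echo "missing $conf/$f" >&2; return 1; }
        chown "$user:$group" "$conf/$f" || return 1
        chmod 400 "$conf/$f" || return 1
    done
}

# check_ranger_nifi_layout: same arguments; succeeds only if both directories
# exist and belong to the NiFi user, and both config files are owned by the
# NiFi user with mode exactly 0400.
check_ranger_nifi_layout() {
    service="$1"; user="$2"; conf="$3"; prefix="${4:-}"
    for d in "$prefix/etc/ranger/$service/policycache" \
             "$prefix/var/log/nifi/audit/solr/spool"; do
        [ -d "$d" ] || return 1
        [ -n "$(find "$d" -maxdepth 0 -user "$user" -print)" ] || return 1
    done
    for f in "$conf/ranger-nifi-audit.xml" "$conf/ranger-nifi-security.xml"; do
        [ -f "$f" ] || return 1
        [ -n "$(find "$f" -maxdepth 0 -user "$user" -perm 400 -print)" ] || return 1
    done
}
```

Run it as root on the NiFi host, for example `prepare_ranger_nifi_layout nifi nifi /opt/nifi/conf && check_ranger_nifi_layout nifi nifi /opt/nifi/conf`; the check is also useful on its own after any later redeploy that might have reset file modes.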
  8. Update ranger authorizer in nifi.properties

    • Set nifi.security.user.authorizer=ranger-provider in nifi.properties; the value must match the identifier of the authorizer added in step 1. This tells NiFi to use the Ranger authorizer rather than the default file-based authorizer.

    • Restart the NiFi process.

  9. Create Users and Policies

    • Create a user whose username is exactly the identity NiFi passes to the authorizer: the DN of the client certificate used to access NiFi, after any nifi.security.identity.mapping.* rewriting configured in nifi.properties. Case, spacing and attribute order must match the identity NiFi reports.

    • Create a policy for the user created above granting READ and WRITE permission on the resource /flow. Until the plugin has polled the new policy (ranger.plugin.nifi.policy.pollIntervalMs), the user's requests are still denied.

    • Check the audits generated under the Audit Tab: each entry shows the requesting identity, the resource and whether access was allowed or denied, so a denied /flow entry with an unexpected identity string points at a username mismatch.
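The same policy created through the Ranger Admin public REST API rather than the UI, as an added shell example (not part of the page or the Ranger project). It assumes Ranger Admin at $RANGER_URL with basic-auth credentials in $RANGER_USER and $RANGER_PASS, the service name nifi, and the NiFi service definition's resource key "nifi-resource" with access types READ and WRITE; the user itself is assumed to exist already (created via the UI or Usersync).

```shell
#!/bin/sh
# Added example: builds and submits the step-9 policy via Ranger Admin's
# public v2 API. Not from the Ranger wiki page.
# Assumptions: resource key "nifi-resource" from the NiFi service definition,
# access types READ/WRITE, Ranger Admin reachable at $RANGER_URL with
# basic-auth $RANGER_USER/$RANGER_PASS.

# nifi_policy_json <service> <policy-name> <resource-path> <user-identity>
# Prints the policy document. The identity must be the exact string NiFi
# hands to the authorizer (certificate DN after identity mapping), so it is
# passed through untouched apart from JSON escaping of backslashes and quotes.
nifi_policy_json() {
    service="$1"; name="$2"; resource="$3"
    user=$(printf '%s' "$4" | sed 's/\\/\\\\/g; s/"/\\"/g')
    cat <<EOF
{"service":"$service","name":"$name","isEnabled":true,
 "resources":{"nifi-resource":{"values":["$resource"],"isExcludes":false,"isRecursive":false}},
 "policyItems":[{"accesses":[{"type":"READ","isAllowed":true},{"type":"WRITE","isAllowed":true}],
                 "users":["$user"],"delegateAdmin":false}]}
EOF
}

# create_nifi_policy: same arguments; POSTs the document. Ranger answers with
# the stored policy (including its id) on success and a 4xx error if a policy
# with that name already exists in the service, which curl -f turns into a
# non-zero exit status.
create_nifi_policy() {
    nifi_policy_json "$@" | curl -sS -f -u "$RANGER_USER:$RANGER_PASS" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -X POST --data-binary @- \
        "${RANGER_URL:-http://localhost:6080}/service/public/v2/api/policy"
}
```

Typical use: `RANGER_URL=https://ranger.example:6182 RANGER_USER=admin RANGER_PASS=... create_nifi_policy nifi nifi-flow-access /flow 'CN=alice, OU=NiFi'`. Because the identity is embedded verbatim, copy it from a NiFi denial entry in the Audit Tab rather than retyping it from the certificate.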