NiFi Plugin

Prerequisites

Installation

- Install NiFi, configure it in SSL mode and start it.
- Install Ranger Admin manually. Before running the Ranger setup script, set policymgr_supportedcomponents=nifi in the install.properties file. This property controls which components are visible in the Ranger Admin UI; add the names of any other Ranger-supported components you need.
- Install, configure and start Ranger Usersync.

Configure Ranger NiFi plugin

1. Update authorizer

Add the authorizer below to the authorizers.xml file under the conf directory of NiFi:

    <authorizer>
        <identifier>ranger-provider</identifier>
        <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
        <property name="Ranger Audit Config Path">../nifi/conf/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">../nifi/conf/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Ranger Admin Identity"></property>
        <property name="Ranger Kerberos Enabled">false</property>
    </authorizer>

Properties in the authorizer:

- Ranger Audit Config Path - path to the NiFi Ranger plugin audit config file (step 5).
- Ranger Security Config Path - path to the NiFi Ranger plugin security config file (step 6).
- Ranger Service Type - the type of the service definition in Ranger.
- Ranger Application Id - the service name created in Ranger Admin UI. See step 2 for how to create the service.
- Ranger Admin Identity - the DN of the certificate that Ranger uses to communicate with NiFi.
- Ranger Kerberos Enabled - set to true if Ranger is set up with Kerberos.

2. Create service for NiFi in Ranger Admin UI

- Service Name - nifi
- NiFi URL - https://{nifi-host}:{nifi-port}/nifi-api/resources
- Authentication Type - SSL
- Keystore - value of nifi.security.keystore from nifi.properties
- Keystore Type - jks
- Keystore Password - value of nifi.security.keyPasswd from nifi.properties
- Truststore - value of nifi.security.truststore from nifi.properties
- Truststore Type - jks
- Truststore Password - value of nifi.security.truststorePasswd from nifi.properties

Under Add New Configurations, add policy.download.auth.users with the NiFi process user as its value.

3. Create policy cache directory

    mkdir -p /etc/ranger/{service-name}/policycache

Change the user and group ownership of /etc/ranger/{service-name} and its policycache subdirectory to the NiFi process user. When creating the ranger-nifi-security.xml file (step 6), set the property ranger.plugin.nifi.policy.cache.dir to /etc/ranger/{service-name}/policycache.

4. Create spool directory

    mkdir -p /var/log/nifi/audit/solr/spool

When creating the ranger-nifi-audit.xml file (step 5), set the property xasecure.audit.destination.solr.batch.filespool.dir to /var/log/nifi/audit/solr/spool.

5. Create NiFi Ranger plugin audit config file

Create the ranger-nifi-audit.xml file under the conf directory of NiFi:
    <configuration>
        <property>
            <name>xasecure.audit.is.enabled</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
            <value>/var/log/nifi/audit/solr/spool</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.urls</name>
            <value>NONE</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.zookeepers</name>
            <value>z1:2181/znode</value>
        </property>
    </configuration>

- If using standalone Solr for audits, set xasecure.audit.destination.solr.urls according to your cluster configuration; otherwise set it to NONE.
- If using SolrCloud, set xasecure.audit.destination.solr.zookeepers to your ZooKeeper hosts and znode; otherwise set it to NONE.
- If SolrCloud is Kerberos-enabled and Ranger is also Kerberos-enabled, add the properties below:

    xasecure.audit.jaas.Client.option.principal - NiFi principal
    xasecure.audit.jaas.Client.option.keyTab - NiFi keytab path
    xasecure.audit.jaas.Client.loginModuleName - com.sun.security.auth.module.Krb5LoginModule
    xasecure.audit.jaas.Client.loginModuleControlFlag - required
    xasecure.audit.jaas.Client.option.useKeyTab - true
    xasecure.audit.jaas.Client.option.storeKey - false
    xasecure.audit.jaas.Client.option.serviceName - solr
    xasecure.audit.destination.solr.force.use.inmemory.jaas.config - true

6. Create NiFi Ranger plugin security config file

Create the ranger-nifi-security.xml file under the conf directory of NiFi:

    <configuration>
        <property>
            <name>ranger.plugin.nifi.policy.rest.url</name>
            <value>http://{ranger-host}:6080</value>
            <description>URL of Ranger Admin</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.service.name</name>
            <value>{service-name}</value>
            <description>Name of the Ranger service containing policies for this NiFi instance</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.source.impl</name>
            <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
            <description>Class used to retrieve policies from the source</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.rest.ssl.config.file</name>
            <value>ranger-policymgr-ssl.xml</value>
            <description>Path to the file containing SSL details used to contact Ranger Admin</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.pollIntervalMs</name>
            <value>30000</value>
            <description>How often to poll for changes in policies</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.cache.dir</name>
            <value>/etc/ranger/{service-name}/policycache</value>
            <description>Directory where Ranger policies are cached after successful retrieval from the source</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.rest.client.connection.timeoutMs</name>
            <value>120000</value>
            <description>RangerRestClient connection timeout in milliseconds</description>
        </property>
        <property>
            <name>ranger.plugin.nifi.policy.rest.client.read.timeoutMs</name>
            <value>30000</value>
            <description>RangerRestClient read timeout in milliseconds</description>
        </property>
    </configuration>

7. Change ownership and permissions of files

Give the files ranger-nifi-audit.xml and ranger-nifi-security.xml user and group ownership of the NiFi process user and set their permissions to 400.

8. Update ranger authorizer in nifi.properties

Set the property nifi.security.user.authorizer=ranger-provider in the nifi.properties file. This tells NiFi to use the Ranger authorizer rather than the default file-based authorizer.

9. Restart the NiFi process.

Create Users and Policies

1. Create a user whose username is the same as the DN of the client certificate used to access NiFi.
2. Create a policy for that user granting READ and WRITE permission on the resource /flow.
3. Check the audits generated under the Audit tab.
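The directory, config-file and permission steps of the plugin setup (steps 3 to 7 above), carried out by a script and then checked, as an added example. This is not part of the guide and not code from the NiFi or Ranger projects. The service name nifi, the host ranger.example.com and the ZooKeeper string z1:2181/znode are placeholders; the generated audit file is the SolrCloud variant without the Kerberos properties. The check that follows the setup catches the two mistakes that silently break this plugin: a cache or spool path in the XML that differs from the directory actually created, and config files left readable by other users.

```shell
#!/bin/sh
# Added example (not from the NiFi or Ranger projects): automates steps 3-7 of
# the guide and then checks the result. Values used at the bottom are
# hypothetical placeholders (service "nifi", ranger.example.com, z1:2181/znode).
set -eu

# One <property> element in the Hadoop-style configuration format both files use.
prop() {
    printf '  <property>\n    <name>%s</name>\n    <value>%s</value>\n  </property>\n' "$1" "$2"
}

# setup_ranger_nifi_plugin ROOT OWNER SERVICE RANGER_HOST SOLR_ZK
#   ROOT        filesystem prefix: "" on a real host, a scratch dir for a dry run
#   OWNER       the NiFi process user, which must own the dirs and config files
#   SERVICE     the Ranger service name from step 2
#   RANGER_HOST Ranger Admin host (port 6080 as in the guide)
#   SOLR_ZK     SolrCloud zookeepers string, e.g. z1:2181/znode
setup_ranger_nifi_plugin() {
    root=$1 owner=$2 service=$3 ranger_host=$4 solr_zk=$5
    cache_dir="$root/etc/ranger/$service/policycache"
    spool_dir="$root/var/log/nifi/audit/solr/spool"
    conf_dir="$root/nifi/conf"

    # Steps 3 and 4: both directories are written by the plugin running as OWNER.
    mkdir -p "$cache_dir" "$spool_dir" "$conf_dir"
    chown -R "$owner" "$root/etc/ranger/$service" "$spool_dir"

    # Step 5: audit config, SolrCloud variant (urls=NONE, zookeepers set).
    rm -f "$conf_dir/ranger-nifi-audit.xml" "$conf_dir/ranger-nifi-security.xml"
    {
        echo '<configuration>'
        prop xasecure.audit.is.enabled true
        prop xasecure.audit.destination.solr true
        prop xasecure.audit.destination.solr.batch.filespool.dir "$spool_dir"
        prop xasecure.audit.destination.solr.urls NONE
        prop xasecure.audit.destination.solr.zookeepers "$solr_zk"
        echo '</configuration>'
    } > "$conf_dir/ranger-nifi-audit.xml"

    # Step 6: security config; the cache dir is the same variable used for mkdir,
    # so the value in the file cannot drift from the directory that exists.
    {
        echo '<configuration>'
        prop ranger.plugin.nifi.policy.rest.url "http://$ranger_host:6080"
        prop ranger.plugin.nifi.service.name "$service"
        prop ranger.plugin.nifi.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient
        prop ranger.plugin.nifi.policy.rest.ssl.config.file ranger-policymgr-ssl.xml
        prop ranger.plugin.nifi.policy.pollIntervalMs 30000
        prop ranger.plugin.nifi.policy.cache.dir "$cache_dir"
        prop ranger.plugin.nifi.policy.rest.client.connection.timeoutMs 120000
        prop ranger.plugin.nifi.policy.rest.client.read.timeoutMs 30000
        echo '</configuration>'
    } > "$conf_dir/ranger-nifi-security.xml"

    # Step 7: owned by the NiFi user and readable by nobody else (mode 400).
    chown "$owner" "$conf_dir/ranger-nifi-audit.xml" "$conf_dir/ranger-nifi-security.xml"
    chmod 400 "$conf_dir/ranger-nifi-audit.xml" "$conf_dir/ranger-nifi-security.xml"
}

# Mode string of a file, e.g. "-r--------"; works with both GNU and BSD ls.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# verify_ranger_nifi_plugin ROOT SERVICE: returns 0 when the layout matches the guide.
verify_ranger_nifi_plugin() {
    root=$1 service=$2
    conf_dir="$root/nifi/conf"
    for f in ranger-nifi-audit.xml ranger-nifi-security.xml; do
        [ "$(file_mode "$conf_dir/$f")" = "-r--------" ] || { echo "wrong mode on $f" >&2; return 1; }
    done
    # Directories exist, and the config values point at exactly those directories.
    [ -d "$root/etc/ranger/$service/policycache" ] || return 1
    [ -d "$root/var/log/nifi/audit/solr/spool" ] || return 1
    grep -Fq "<value>$root/etc/ranger/$service/policycache</value>" "$conf_dir/ranger-nifi-security.xml" || return 1
    grep -Fq "<value>$root/var/log/nifi/audit/solr/spool</value>" "$conf_dir/ranger-nifi-audit.xml" || return 1
    grep -Fq "<value>$service</value>" "$conf_dir/ranger-nifi-security.xml" || return 1
    echo "ranger nifi plugin layout OK under '$root'"
}

# Dry run in a scratch directory as the current user. On a real host run as root
# with ROOT="" and OWNER set to the NiFi process user.
scratch=$(mktemp -d)
setup_ranger_nifi_plugin "$scratch" "$(id -un)" nifi ranger.example.com z1:2181/znode
verify_ranger_nifi_plugin "$scratch" nifi
```

For a real install, call setup_ranger_nifi_plugin with an empty ROOT and the NiFi process user as OWNER, which needs root because of the chown; verify_ranger_nifi_plugin can then be re-run at any time (for example after a configuration management run) to confirm the files are still mode 400 and still point at the directories the plugin writes to.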