This extension provides org.apache.nifi.registry.ranger.RangerAuthorizer class for NiFi Registry to authorize user requests by access policies defined at Apache Ranger.
In order to enable Ranger extension when you build NiFi Registry, specify include-ranger profile with a maven install command:
cd nifi-registry mvn clean install -Pinclude-ranger
Then the extension will be installed at ${NIFI_REG_HOME}/ext/ranger directory.
Alternatively, you can add Ranger extension to an existing NiFi Registry. To do so, build the extension with the following command:
cd nifi-registry mvn clean install -f nifi-registry-extensions/nifi-registry-ranger
The extension zip will be created as nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip.
Unzip the file into arbitrary directory so that NiFi Registry can use, such as ${NIFI_REG_HOME}/ext/ranger. For example:
mkdir -p ${NIFI_REG_HOME}/ext/ranger
unzip -d ${NIFI_REG_HOME}/ext/ranger nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip
In order to use this extension, following NiFi Registry files need to be configured.
# Specify Ranger extension dir nifi.registry.extension.dir.ranger=./ext/ranger/lib # Specify Ranger authorizer identifier, which is defined at authorizers.xml nifi.registry.security.authorizer=ranger-authorizer
Add following authorizer element:
<authorizer>
<identifier>ranger-authorizer</identifier>
<class>org.apache.nifi.registry.ranger.RangerAuthorizer</class>
<property name="Ranger Service Type">nifi-registry</property>
<property name="User Group Provider">file-user-group-provider</property>
<!-- Specify Ranger service name to use -->
<property name="Ranger Application Id">nifi-registry-service-name</property>
<!--
Specify configuration file paths for Ranger plugin.
See the XML files bundled with this extension for further details.
-->
<property name="Ranger Security Config Path">./ext/ranger/conf/ranger-nifi-registry-security.xml</property>
<property name="Ranger Audit Config Path">./ext/ranger/conf/ranger-nifi-registry-audit.xml</property>
<!--
Specify user identity that is used by Ranger to access NiFi Registry.
This property is used by NiFi Registry for Ranger to get available NiFi Registry policy resource identifiers.
The configured user can access NiFi Registry /policies/resources REST endpoint regardless of configured access policies.
Ranger uses available policies for user input suggestion at Ranger policy editor UI.
-->
<property name="Ranger Admin Identity">ranger@NIFI</property>
<!--
Specify if target Ranger is Kerberized.
If set to true, NiFi Registry will use the principal and keytab defined at nifi-registry.properties:
- nifi.registry.kerberos.service.principal
- nifi.registry.kerberos.service.keytab.location
The specified credential is used to access Ranger API, and to write audit logs into HDFS (if enabled).
At Ranger side, the configured user needs to be added to 'policy.download.auth.users' property, see Ranger configuration section below.
Also, ranger-nifi-registry-security.xml needs additional "xasecure.add-hadoop-authorization = true" configuration.
-->
<property name="Ranger Kerberos Enabled">false</property>
</authorizer>
At Ranger side, add a NiFi Registry service. NiFi Registry service has following configuration properties:
https://nifi-registry.example.com:18443/nifi-registry-api/policies/resourcesSSL. Ranger authenticates itself to NiFi Registry by X.509 client certificate in the configured Keystore.JKSJKS