Nick - there does appear to be agreement with your finding. Take a look here https://issues.apache.org/jira/browse/NIFI-3020
On Mon, Nov 14, 2016 at 10:57 AM, Nicholas Hughes <[email protected]> wrote:

> Has anyone implemented Apache NiFi with authentication against Microsoft
> Active Directory and Apache Ranger for authorization (also using AD
> accounts)?
>
> The authentication works as expected and UserSync works properly in Ranger,
> but I think NiFi and Ranger might not be on the same page when it comes
> to the expected username format.
>
> I can type in my AD sAMAccountName and password at the NiFi login screen,
> and authentication is successful. Additionally, Ranger is set to sync users
> from AD using the sAMAccountName and that seems to work fine. However,
> authorization fails with an "Unable to perform the desired action due to
> insufficient permissions. Contact the system administrator." error. I
> decoded the JWT from the user log, and the payload looks like:
>
> {
>   "sub": "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com",
>   "iss": "LdapProvider",
>   "aud": "LdapProvider",
>   "preferred_username": "Nick Hughes",
>   "kid": 1,
>   "exp": 1479180675,
>   "iat": 1479137475
> }
>
> I suspect that authorization isn't working since the usernames in Ranger are
> the short sAMAccountName (nhughes for example) while the JWT has the CN and
> DN in the token. Totally guessing, so feel free to set me straight...
>
> Anyone have any experience here? I saw some posts on the Internet regarding
> Ranger with LDAP, but there may be some idiosyncrasies with AD.
>
> Thanks!
>
> -Nick
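The quickest way to confirm the mismatch Nick describes is to decode the JWT payload NiFi issued (without verifying it, purely as a debugging aid), pull the subject out, and check which form of that identity (full DN, CN, or short name) actually appears in the list of users Ranger synced. The script below is an added example, not code from this thread, from NiFi or from Ranger; the token, the Ranger user list and the regex mapping are all constructed. The `apply_identity_mapping` helper is a Python approximation of the regex-based DN rewriting that NiFi's `nifi.security.identity.mapping.pattern.dn` / `nifi.security.identity.mapping.value.dn` properties perform; it is here to show that such a mapping can reduce the DN to the CN ("Nick Hughes") but cannot by itself produce the sAMAccountName ("nhughes") unless the CN already equals it.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Set, Tuple


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample: the payload from the thread wrapped in an (unsigned) JWT.
# The third segment is a dummy; nothing below verifies signatures.
SAMPLE_PAYLOAD = {
    "sub": "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com",
    "iss": "LdapProvider",
    "aud": "LdapProvider",
    "preferred_username": "Nick Hughes",
    "kid": 1,
    "exp": 1479180675,
    "iat": 1479137475,
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "dummysignature",
])

# Constructed stand-in for the usernames Ranger UserSync pulled from AD (sAMAccountName).
RANGER_USERS: Set[str] = {"nhughes", "jsmith", "admin"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying it (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs; commas escaped as '\\,' are kept."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def candidate_identities(sub: str) -> Dict[str, Optional[str]]:
    """The identity strings an authorizer might be comparing the JWT subject against."""
    cn = next((v for a, v in parse_dn(sub) if a == "cn"), None)
    return {"raw": sub, "cn": cn}


def matching_forms(sub: str, ranger_users: Set[str]) -> List[str]:
    """Return which candidate forms of the subject are present in Ranger's user list.

    An empty list is exactly the situation in the thread: authentication succeeded,
    but no form of the token's subject is a name Ranger knows, so every policy
    lookup fails with 'insufficient permissions'.
    """
    return [form for form, value in candidate_identities(sub).items()
            if value is not None and value in ranger_users]


def apply_identity_mapping(identity: str, pattern: str, value: str) -> str:
    """Approximation of NiFi-style identity mapping: if `pattern` fully matches,
    rewrite with `value` (Java-style $1 group references); otherwise leave unchanged."""
    if re.fullmatch(pattern, identity) is None:
        return identity
    py_value = re.sub(r"\$(\d+)", r"\\\1", value)  # "$1" -> "\1"
    return re.sub(pattern, py_value, identity)


if __name__ == "__main__":
    sub = decode_jwt_payload(SAMPLE_JWT)["sub"]
    print("JWT subject:         ", sub)
    print("forms found in Ranger:", matching_forms(sub, RANGER_USERS))
    mapped = apply_identity_mapping(sub, r"^cn=(.*?),.*$", "$1")
    print("after DN->CN mapping: ", mapped, "-> in Ranger:", mapped in RANGER_USERS)
```

Run it against a real token by replacing `SAMPLE_JWT` with the value from the NiFi user log and `RANGER_USERS` with the names from Ranger's user list; if `matching_forms` comes back empty, the two systems are not agreeing on an identity string, and the fix has to be made on one side or the other (what NiFi puts in `sub`, or what Ranger syncs) rather than in the policies.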
