Nick

Thanks for documenting those findings. Will definitely help in resolving it in a more consistent manner.

As for the release of any vendor-specific distributions of NiFi, you'll want to connect directly with that vendor for those sorts of questions.

Thanks
Joe

On Sun, Nov 27, 2016 at 7:40 PM, Nicholas Hughes <[email protected]> wrote:
> This won't matter very soon with the impending release that will fix this issue, but just so it's recorded somewhere...
>
> I tried setting up UserSync in Ranger to pull in the distinguishedName from Active Directory since that is what was passed by NiFi. Unfortunately, there are two problems with that...
>
> First, UserSync brings the DN in from AD with capital letters in the field names (CN=,OU=,DC=) while NiFi is passing them as lowercase (cn=,ou=,dc=). This causes the access request to fail to match any policies due to the case mismatch. I manually converted the case in the Ranger MySQL DB as a workaround.
>
> Second, any policies created which contain the DN user names (or any other names containing commas) will not be able to be edited after the initial creation. This is due to how Ranger is encoding the URL when accessing the Ranger API. A ticket has been created for this issue [1], but I don't think it'll get much priority since there was a comment about not having commas in user names.
>
> Does anybody know how long it's likely to take for the 1.1.0 release (once completed) to get rolled into HDF? I'd rather not have to hack up NiFi in an HDF install in order to take advantage of the fix for sAMAccountNames [2] that's in that release.
>
> -Nick
>
> [1] - https://issues.apache.org/jira/browse/RANGER-1224
> [2] - https://issues.apache.org/jira/browse/NIFI-3020
>
> On Mon, Nov 14, 2016 at 10:59 AM, Joe Witt <[email protected]> wrote:
>>
>> Nick - there does appear to be agreement with your finding. Take a look here https://issues.apache.org/jira/browse/NIFI-3020
>>
>> On Mon, Nov 14, 2016 at 10:57 AM, Nicholas Hughes <[email protected]> wrote:
>> > Has anyone implemented Apache NiFi with authentication against Microsoft Active Directory and Apache Ranger for authorization (also using AD accounts)?
>> >
>> > The authentication works as expected and UserSync works properly in Ranger, but I think NiFi and Ranger might not be on the same page when it comes to the expected username format.
>> >
>> > I can type in my AD sAMAccountName and password at the NiFi login screen, and authentication is successful. Additionally, Ranger is set to sync users from AD using the sAMAccountName and that seems to work fine. However, authorization fails with an "Unable to perform the desired action due to insufficient permissions. Contact the system administrator." error. I decoded the JWT from the user log, and the payload looks like:
>> >
>> > {
>> >   "sub": "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com",
>> >   "iss": "LdapProvider",
>> >   "aud": "LdapProvider",
>> >   "preferred_username": "Nick Hughes",
>> >   "kid": 1,
>> >   "exp": 1479180675,
>> >   "iat": 1479137475
>> > }
>> >
>> > I suspect that authorization isn't working since the usernames in Ranger are the short sAMAccountName (nhughes for example) while the JWT has the CN and DN in the token. Totally guessing, so feel free to set me straight...
>> >
>> > Anyone have any experience here? I saw some posts on the Internet regarding Ranger with LDAP, but there may be some idiosyncrasies with AD.
>> >
>> > Thanks!
>> >
>> > -Nick
>> >
>>
>
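The case mismatch Nick describes (UserSync storing "CN=,OU=,DC=" while the token carries "cn=,ou=,dc=") is a string-comparison problem: two spellings of the same distinguished name that LDAP treats as equal but a byte-for-byte policy lookup does not. The example below is added here and is not code from NiFi, Ranger or anyone in the thread. It parses RFC 4514 DNs (honouring backslash-escaped commas), lowercases the attribute types so both spellings normalize to one key, and shows an exact lookup failing where the normalized lookup succeeds against a toy policy table. It also reads the `sub` claim out of an unsigned look-alike token the way Nick inspected the one in his log, without verifying it. The policy table, the user entries, the permission strings and the token are constructed sample data; the `PolicyStore` class is a hypothetical stand-in, not Ranger's data model. The comma-in-username URL-encoding problem from RANGER-1224 is not addressed here.

```python
"""Normalize LDAP DNs so identities from two systems compare equal.

Added example reproducing the mismatch in the thread above: one system
presents "cn=...,ou=...,dc=...", the other stores "CN=...,OU=...,DC=...",
and an exact string lookup finds no policy. All data here is constructed.
"""
import base64
import json
import re

# One RDN per RFC 4514: attribute type (descriptor or OID), '=', then a value in
# which ',' '+' '"' '\' '<' '>' ';' may appear only backslash-escaped.
# Multi-valued RDNs joined with '+' are not split here.
_RDN_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=((?:\\.|[^,\\])*)")


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes in values."""
    dn = dn.strip()
    rdns = []
    pos = 0
    while pos < len(dn):
        m = _RDN_RE.match(dn, pos)
        if not m:
            raise ValueError(f"malformed DN at offset {pos}: {dn!r}")
        rdns.append((m.group(1), m.group(2).strip()))
        pos = m.end()
        if pos < len(dn):
            if dn[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}: {dn!r}")
            pos += 1
            while pos < len(dn) and dn[pos] == " ":
                pos += 1  # tolerate "CN=a, OU=b" spacing
            if pos >= len(dn):
                raise ValueError(f"trailing separator in DN: {dn!r}")
    return rdns


def normalize_dn(dn, fold_values=False):
    """Canonical string: lowercase types, trimmed values, no space after commas.

    Value case is left alone by default: whether "Nick Hughes" equals "nick hughes"
    depends on the attribute's LDAP matching rule, so folding it is a policy choice.
    """
    return ",".join(f"{t.lower()}={v.lower() if fold_values else v}" for t, v in split_dn(dn))


def looks_like_dn(identity):
    """True for 'type=value[,type=value...]', False for a bare name such as 'nhughes'."""
    if "=" not in identity:
        return False
    try:
        return bool(split_dn(identity))
    except ValueError:
        return False


def identities_match(a, b):
    """Compare two identities, normalizing both when both are DNs."""
    if looks_like_dn(a) and looks_like_dn(b):
        return normalize_dn(a) == normalize_dn(b)
    return a == b


class PolicyStore:
    """Toy policy table keyed by user name (hypothetical stand-in, not Ranger's model)."""

    def __init__(self, policies):
        self._exact = {user: set(perms) for user, perms in policies.items()}
        self._normalized = {}
        for user, perms in policies.items():
            key = normalize_dn(user) if looks_like_dn(user) else user
            self._normalized.setdefault(key, set()).update(perms)

    def lookup_exact(self, identity):
        """Byte-for-byte match: what fails in the thread when 'CN=' meets 'cn='."""
        return self._exact.get(identity, set())

    def lookup(self, identity):
        """Match on the normalized DN, so attribute-type case no longer matters."""
        key = normalize_dn(identity) if looks_like_dn(identity) else identity
        return self._normalized.get(key, set())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_subject(token):
    """Read the 'sub' claim out of a JWT WITHOUT verifying it (inspection only, as when
    reading a token out of a log). Never authorize on an unverified claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


# Constructed sample data mirroring the thread.
RANGER_USERS = {
    "CN=Nick Hughes,OU=Users,OU=Accounts,DC=example,DC=com": {"/flow:READ", "/flow:WRITE"},  # as UserSync stored it
    "nhughes": {"/provenance:READ"},  # the short sAMAccountName form
}
NIFI_IDENTITY = "cn=Nick Hughes,ou=Users,ou=Accounts,dc=example,dc=com"  # as the token carries it


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Unsigned look-alike token; the third segment is a placeholder, not a signature.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": NIFI_IDENTITY, "iss": "LdapProvider",
                        "preferred_username": "Nick Hughes"}).encode()),
    "bm90LWEtcmVhbC1zaWduYXR1cmU",
])

if __name__ == "__main__":
    store = PolicyStore(RANGER_USERS)
    subject = jwt_subject(SAMPLE_JWT)
    print("exact lookup:     ", sorted(store.lookup_exact(subject)))  # []
    print("normalized lookup:", sorted(store.lookup(subject)))  # ['/flow:READ', '/flow:WRITE']
```

Normalizing at lookup time is the durable fix for the first problem; rewriting case in the backing database, as Nick did, works until the next sync rewrites it back. Whether to fold value case too should follow the directory's matching rules for the attributes involved rather than being applied blindly.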
