NIFI-4032: Managed Ranger Authorizer #2019
I've worked through 3 Ranger configuration scenarios that leveraged the ldap user group provider, or the composite configurable user group provider (pairing the ldap provider with the file provider):
All three scenarios worked well with an established cluster. I was able to go from one scenario to the next through changing configurations, updating policies and restarting without issue. However, a bug was encountered on the third test case when I wanted to add a new node to the cluster.
The process of adding a new node requires that no information that would seed the users.xml file be provided in configurations (e.g. Initial Admin, Node Identifiers, etc.). Therefore, the expectation is that once the node attempts to join the cluster, it would receive the necessary user information from the cluster to create its own local version of the file. When using the ManagedRangerAuthorizer along with the Configurable provider, it doesn't appear to have that functionality, since the users.xml generated was empty. This led to the node starting up fine; however, when attempting to access the UI from any node, a proxy error occurred. Given the users.xml file was empty, this error made sense because NiFi was unable to determine the users (node identities) or groups they should be mapped to, hence unable to apply the Ranger policy that allowed the nodes group to perform proxying.
In speaking with @mcgilman offline, this error was due to the ManagedRangerAuthorizer not extracting user group information for cases when it's paired with configurable user group providers.