# NiFi Registry Ranger extension

This extension provides the `org.apache.nifi.registry.ranger.RangerAuthorizer` class, which lets NiFi Registry authorize user requests against access policies defined in [Apache Ranger](https://ranger.apache.org/).

## Prerequisites

* Apache Ranger 1.2.0 or later is needed.

## How to install

### Enable Ranger extension at NiFi Registry build

To enable the Ranger extension when you build NiFi Registry, specify the `include-ranger` profile with the Maven install command:

```
cd nifi-registry
mvn clean install -Pinclude-ranger
```

The extension will then be installed in the `${NIFI_REG_HOME}/ext/ranger` directory.

### Add Ranger extension to existing NiFi Registry

Alternatively, you can add the Ranger extension to an existing NiFi Registry. To do so, build the extension with the following command:

```
cd nifi-registry
mvn clean install -f nifi-registry-extensions/nifi-registry-ranger
```

The extension zip will be created as `nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip`.

Unzip the file into any directory that NiFi Registry can use, such as `${NIFI_REG_HOME}/ext/ranger`. For example:

```
mkdir -p ${NIFI_REG_HOME}/ext/ranger
unzip -d ${NIFI_REG_HOME}/ext/ranger nifi-registry-extensions/nifi-registry-ranger-extension/target/nifi-registry-ranger-extension-xxx-bin.zip
```

## NiFi Registry Configuration

To use this extension, the following NiFi Registry files need to be configured.

### nifi-registry.properties

```
# Specify Ranger extension dir
nifi.registry.extension.dir.ranger=./ext/ranger/lib

# Specify Ranger authorizer identifier, which is defined at authorizers.xml
nifi.registry.security.authorizer=ranger-authorizer
```

### authorizers.xml

Add the following `authorizer` element:

```
<authorizer>
    <identifier>ranger-authorizer</identifier>
    <class>org.apache.nifi.registry.ranger.RangerAuthorizer</class>
    <property name="Ranger Service Type">nifi-registry</property>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Ranger Application Id">nifi-registry-service-name</property>
    <property name="Ranger Security Config Path">./ext/ranger/conf/ranger-nifi-registry-security.xml</property>
    <property name="Ranger Audit Config Path">./ext/ranger/conf/ranger-nifi-registry-audit.xml</property>
    <property name="Ranger Admin Identity">ranger@NIFI</property>
    <property name="Ranger Kerberos Enabled">false</property>
</authorizer>
```

## Ranger Configuration

On the Ranger side, add a NiFi Registry service. The NiFi Registry service has the following configuration properties:

- NiFi Registry URL: Specify the corresponding NiFi Registry URL that will be managed by this Ranger service. E.g. `https://nifi-registry.example.com:18443/nifi-registry-api/policies/resources`
- Authentication Type: Should be `SSL`. Ranger authenticates itself to NiFi Registry with the X.509 client certificate in the configured Keystore.
- Keystore: Specify the Keystore file path to use for the X.509 client certificate.
- Keystore Type: Specify the type of Keystore. E.g. `JKS`
- Keystore Password: Specify the password of the Keystore.
- Truststore: Specify the Truststore file path used to verify the NiFi Registry server certificate.
- Truststore Type: Specify the type of Truststore. E.g. `JKS`
- Truststore Password: Specify the password of the Truststore.
- Add New Configurations:
  - `policy.download.auth.users`: Required if Ranger is Kerberized. Specify the NiFi Registry user that downloads policies. This is the principal configured by `nifi.registry.kerberos.service.principal` in nifi-registry.properties, and it is used when the NiFi Registry Ranger authorizer has `Ranger Kerberos Enabled` set to `true`.
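
The two NiFi Registry files described above have to agree with each other, and a Kerberized setup also needs the service principal. The following check is an added example, not part of the extension or the NiFi Registry project. It assumes the standard `authorizers.xml` layout (`authorizers` root, `identifier`, `class` and `property name="..."` elements); the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RANGER_CLASS = "org.apache.nifi.registry.ranger.RangerAuthorizer"
# Constructed sample inputs (not from a real deployment).
SAMPLE_PROPERTIES = """\
nifi.registry.extension.dir.ranger=./ext/ranger/lib
nifi.registry.security.authorizer=ranger-authorizer
"""
SAMPLE_AUTHORIZERS = """\
<authorizers><authorizer>
  <identifier>ranger-authorizer</identifier>
  <class>org.apache.nifi.registry.ranger.RangerAuthorizer</class>
  <property name="Ranger Kerberos Enabled">true</property>
</authorizer></authorizers>
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_ranger_config(properties_text, authorizers_xml):
    """Return a list of problems; an empty list means the two files agree."""
    props = parse_properties(properties_text)
    problems = []
    if not props.get("nifi.registry.extension.dir.ranger"):
        problems.append("nifi.registry.extension.dir.ranger is not set")
    # The authorizer named in the properties file must exist in authorizers.xml.
    wanted = props.get("nifi.registry.security.authorizer", "")
    root = ET.fromstring(authorizers_xml)
    match = next((a for a in root.iter("authorizer")
                  if (a.findtext("identifier") or "").strip() == wanted), None)
    if match is None:
        return problems + [f"no authorizer with identifier {wanted!r} in authorizers.xml"]
    if (match.findtext("class") or "").strip() != RANGER_CLASS:
        problems.append(f"authorizer {wanted!r} is not {RANGER_CLASS}")
    xml_props = {p.get("name"): (p.text or "").strip() for p in match.findall("property")}
    # A Kerberized Ranger needs the service principal from nifi-registry.properties.
    kerberized = xml_props.get("Ranger Kerberos Enabled", "false").lower() == "true"
    if kerberized and not props.get("nifi.registry.kerberos.service.principal"):
        problems.append("Ranger Kerberos Enabled is true but "
                        "nifi.registry.kerberos.service.principal is not set")
    return problems
```

Calling `check_ranger_config(SAMPLE_PROPERTIES, SAMPLE_AUTHORIZERS)` reports the missing Kerberos principal, because the sample enables Kerberos without defining one.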