question Re: LDAP authorization issue with NiFi cluster in Support Questions

LDAP authorization issue with NiFi cluster

dilnafathimath8 — Sun, 18 Aug 2019 02:14:12 GMT

Environment:

2 Node NiFi cluster running NiFi 1.5.0
Basic LDAP server for user authentication.

Issue background:

I am trying to secure NiFi using LDAP authentication. I have used `tls-toolkit` to generate security.keystore and `security.truststore` files and configured `nifi.properties` in both the nodes to access NiFi UI using HTTPS:

# tls-toolkit.sh standalone -n 'node[1-2]-nifi.jp.local' -C 'CN=admin,OU=NIFI'

I also configured 'login-identity-providers.xml' and 'authorizers.xml' but NiFi is not getting started due to LDAP configuration issue.

Error message:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies

        ... 95 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies

login-identity-providers.xml:

<loginIdentityProviders> <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>


        <property name="Manager DN">cn=admin,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Manager Password">secret</property>


        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>


        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>


        <property name="Url">ldap://192.168.2.1:389</property>
        <property name="User Search Base">ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="User Search Filter">uid={0}</property>


        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider></loginIdentityProviders>

authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>


        <property name="Initial User Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Initial User Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin,OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>


        <property name="Node Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Node Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

nifi.properties (security settings)

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xx
nifi.security.keyPasswd=xx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxx
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Refer attachment for LDAP configuration. I checked https://community.hortonworks.com/questions/131557/nifi-authorizercreationexception-unable-to-locate.html but it didn't worked. Please guide me to secure my NiFi cluster using LDAP authentication.

Re: LDAP authorization issue with NiFi cluster

bbende — Wed, 21 Feb 2018 21:31:13 GMT

In authorizers.xml you have "Initial User Identity 1" and "Initial User Identity 2" for your two node identities, you need to add another one for your initial admin.

You may need to delete users.xml and authorizations.xml before trying again, in case they are already created in a bad state.

Re: LDAP authorization issue with NiFi cluster

dilnafathimath8 — Thu, 22 Feb 2018 11:06:02 GMT

Thank you very much @Bryan Bende for your valuable inputs. I finally got it working by following your suggestion. Here is my working authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
        <property name="Initial User Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
        <property name="Node Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
        <property name="Node Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Apart from the above changes, I have modified identity mapping pattern in nifi.properties

nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1

Thanks again!