question Re: Nifi Failed authorization in Support Questions

Nifi Failed authorization

wbivp — Tue, 21 Apr 2026 08:58:51 GMT

Hi All,

I get the following issue when logging in to nifi UI , user success login but UI not showing NIFI Menu :
2021-09-01 13:24:02,942 INFO [NiFi Web Server-1911] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cdpadmindev@DOMAIN], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I'm using cloudera private base with kerberos and AD

The NIFI configuration is still the default, is there anything that needs to be changed?

Thanks

Re: Nifi Failed authorization

Scharan — Wed, 01 Sep 2021 06:54:42 GMT

@wbivp You need to create /proxy policy for Nifi in ranger, Refer to below document for more info

https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/authorization-ranger/content/resource_policy_create_a_nifi_policy.html

Re: Nifi Failed authorization

wbivp — Wed, 01 Sep 2021 07:00:02 GMT

Hi @Scharan
thanks for your response, we already have the policy in ranger by default :

and i already assign our user and group to this policy , but still failed authorization

Re: Nifi Failed authorization

MattWho — Wed, 01 Sep 2021 19:04:42 GMT

@wbivp

The nifi-user.log output you shared indicates that the user string "cdpadmindev@DOMAIN" has not been authorized to against the NiFi /flow resource identifier (View the user interface).

The authorizers.xml configuration file controls how user and/or group based authorizations are setup and managed. So first things is what is configured in that file?

Is it using a file based authorizer or external Ranger based authorizer?
Is it using any user group providers?
Did you configure and initial admin identity? if so, does that initial admin identity string exactly match your user string from the nifi-user.log you shared?

If using the file based authorizer, you should have in the authorizers.xml both the "file-user-group-provider" and the "file-access-policy-provider". These providers are used to create the users.xml and authorizations.xml file on startup if they do NOT already exist. so even if you do have the initial admin set correctly, if NiFi was started previously before the user string was set, you would have existing users.xml and authorizations.xml files without this user and the required admin policies set. (remove these files and restart NiFi so they are generated again).

If using Ranger as your authorizer, you need to make sure that the user string exactly as you see in the nifi-user.log exists as a user in Ranger and the the NiFi service plugin in ranger is setup and has the correct NiFi resource identifier policies authorized for that user. Here is a reference article on those Ranger based NiFi policies:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

Re: Nifi Failed authorization

MattWho — Wed, 01 Sep 2021 19:07:19 GMT

@wbivp

Is the exact user string you see in the nifi-user.log the same (case sensitive) as what is set in Ranger?
is this user string authorized for the /flow policy?

Thank you,

Matt

Re: Nifi Failed authorization

wbivp — Thu, 02 Sep 2021 03:51:38 GMT

Hi @MattWho

We using ranger authorizer , user string exactly same with nifi-user.log and ranger user

below authorizers.xml content :

<authorizer>
<identifier>ranger-provider</identifier>
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
<classpath>/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/hadoop-conf</classpath>
<property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Ranger Admin Identity">rangerhostname</property>
<property name="Ranger Service Type">nifi</property>
<property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
<property name="Ranger Application Id">Cluster1_nifi</property>
<property name="Ranger Kerberos Enabled">true</property>
</authorizer>

Re: Nifi Failed authorization

wbivp — Thu, 02 Sep 2021 04:09:56 GMT

Hi @MattWho

Our Nifi using ranger authorizers , after we set ranger nifi policy (/flow , /proxies , etc) to my username, i can login and access web UI , the next question about group authorization, because other user with same group still cannot acces web UI

below the log :
2021-09-02 10:57:45,166 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifihostname:8443/nifi-api/flow/current-user (source ip: )
2021-09-02 10:57:45,169 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test.username
2021-09-02 10:57:45,172 INFO [NiFi Web Server-424] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

Thanks ,

WahyuB

Re: Nifi Failed authorization

MattWho — Thu, 02 Sep 2021 17:21:55 GMT

@wbivp

Within Ranger you can authorizer users and/or groups to the policies you define.
The Ranger plugin with the NiFi service runs in the background within NiFi that connects with Ranger to download the latest set of policies.

What is provided by Ranger is simply user(s) A, B, C strings and/or group(s) X, Y, Z strings are authorized read and/or write to NiFi Resource Identifier(s). There is nothin in what is downloaded from Ranger that will tell NiFi as the client what users belong to group(s) X, Y, or Z. This means that NiFi itself needs to be aware of these associations.

This is why in the nifi-user.log you see the following:

o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does ...

This log line tells us that NiFi is unaware of any groups the the authenticated user string "test.username" is a member. If NiFi was aware the "groups[]" in this log line would show a comma separated list of all these group strings.

NiFi offers numerous user-group-providers that can be added to the authorizers.xml that allow these associations between user and groups to be set. Your authorizers.xml file shared contains the "cm-user-group-provider" (only used to assign NiFi node hostnames to a group string "nifi") and the "file-user-group-provider" [1] which gives users a way of manually adding group strings and associating users to that group directly from the NiFi UI.

So with your current setup, you would login as your authorized user, go to the NiFi Global Menu, and then select "users". This will open the NiFi Users UI where you should see your initial admin user which you defined in your file-user-group-provider. You would need to click on the

icon to add additional users and groups manually. Adding users and groups here has nothing to do with authentication. You are using this Ui to establish user to group associations. So I would start by creating a new group. The Identity string used must match case sensitive the exact group string as seen in Ranger.
Then you can start adding your user strings (must match user strings case sensitive as seen in Ranger)
As you add users you will be able to select the group(s) you added as those that user should be associated with.

Using above as an example, NiFi would then associate user string "JoeSmith" with group string "admins".

To see what other user-group-providers exist within your NiFi version, you should look at the "Admin Guide" found under help within your NiFi's embedded documentation access via the UI.

A very commonly used user-group-provider is the "ldap-user-group-provider" [2] which can be used to sync user and groups strings from LDAP/AD and establish the associations between them based on what is in LDAP/AD.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

If you found these responses assisted with your query, please take a moment to login and click on "Accept as Solution" below each post.

Thank you,

Matt

Re: Nifi Failed authorization

wbivp — Sat, 04 Sep 2021 10:09:30 GMT

Hi @MattWho

I try your suggestion to setup "ldap-user-group-provider" , and now nifi service cannot start ,

this is the error message , do you have an example of the required parameters ?

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setAnonymousAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'anonymousAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

Re: Nifi Failed authorization

MattWho — Wed, 08 Sep 2021 18:16:48 GMT

@wbivp

When NiFi is configured to use the ldap-user-group-provider, it must be able to successfully execute that provider during startup to generate a list of users and groups within NiFi.

The exception points that that provider being unable to execute successfully.
The exception in the logs shows:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

This points at an authentication issue when trying to communicate with your ldap server.
(misconfiguration int the provider, bad Manager or Manager password provided)

From the NiFi host can you make run a ldapsearch query against your ldap server using all the same configured values from your provider?

Without your authorizers.xml file, it would be difficult for me to point out any other misconfigurations if present.

If you found the provided response(s) assisted with your query, please take a moment to login and click on "Accept as Solution" below each solution that helped you.

Thank you,

Matt

Re: Nifi Failed authorization

wbivp — Thu, 09 Sep 2021 14:23:25 GMT

hi @MattWho , this is my authorizer.xml , for now i still cannot get authorize within group

<userGroupProvider>
<identifier>cm-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CMUserGroupProvider</class>
<property name="Knox Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/knox-conf/knox-gateway.properties</property>
<property name="NiFi Registry Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/nifiregistry-conf/peer.properties</property>
<property name="NiFi Group">nifi</property>
<property name="Infer Unqualified Hostnames">false</property>
<property name="NiFi Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/nifinode-conf/peer.properties</property>
</userGroupProvider><userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
<property name="User Group Provider 1">ldap-user-group-provider</property>
<property name="User Group Provider 2">cm-user-group-provider</property>
</userGroupProvider><userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Connect Timeout">10 secs</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="User Identity Attribute">cn</property>
<property name="Group Name Attribute">cn</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="Group Object Class">group</property>
<property name="Url">ldap://msad.local.co:389</property>
<property name="TLS - Keystore Type"></property>
<property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Group Search Base"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="TLS - Keystore"></property>
<property name="TLS - Truststore"></property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property encryption="aes/gcm/256" name="Manager Password">Yf41</property>
<property name="User Group Name Attribute"></property>
<property name="TLS - Truststore Password"></property>
<property name="User Object Class">user</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Page Size"></property>
<property name="Read Timeout">10 secs</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Sync Interval">30 mins</property>
<property name="Manager DN">CN=CDP Admin,OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
<property name="User Search Filter"></property>
<property name="TLS - Truststore Type"></property>
<property name="Group Search Filter"></property>
</userGroupProvider>

<authorizer>
<identifier>ranger-provider</identifier>
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
<classpath>/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/hadoop-conf</classpath>
<property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Ranger Admin Identity">host_ranger</property>
<property name="Ranger Service Type">nifi</property>
<property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
<property name="Ranger Application Id">Cluster1_nifi</property>
<property name="Ranger Kerberos Enabled">true</property>
</authorizer>

</authorizers>

Re: Nifi Failed authorization

MattWho — Thu, 09 Sep 2021 18:53:45 GMT

@wbivp

The exception form the logs you shared is telling you that the ldap-user-group-provider is failing to connect to the configured ldap server using the manager DN and Manager password that has been configured. So first thing you need to do is validate, re-enter, and test your manager DN and password from command line to make sure they work from the NiFi host. Any need to engage with your ldap team.

Here is your ldap-user-group-provider (I re-order the properties to make it easier to read:

<userGroupProvider> <identifier>ldap-user-group-provider</identifier> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">CN=CDP Admin,OU=DEVELOPER,DC=msad,DC=local,DC=co</property> <property encryption="aes/gcm/256" name="Manager Password">Yf41</property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://msad.local.co:389</property> <property name="Page Size"></property> <property name="Sync Interval">30 mins</property> <property name="Group Membership - Enforce Case Sensitivity">false</property> <property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property> <property name="User Object Class">user</property> <property name="User Search Scope">ONE_LEVEL</property> <property name="User Search Filter"></property> <property name="User Identity Attribute">cn</property> <property name="User Group Name Attribute"></property> <property name="User Group Name Attribute - Referenced Group Attribute"></property> <property name="Group Search Base"></property> <property name="Group Object Class">group</property> <property name="Group Search Scope">ONE_LEVEL</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute">cn</property> <property name="Group Member Attribute"></property> <property name="Group Member Attribute - Referenced User Attribute"></property> </userGroupProvider>

Now unrelated to your Manager credentials issue, I see some other configuration issues:
1. "Page Size" <-- I aways recommend that users set this to 500 (this allows NiFi to request return in multiple pages of 500. If unset, NiFi expects a single return and for large returns the LDAP server likely has a max for how many returns it will provide in a single page).
2. Within the "User" properties I see:
- "User Search Scope" <-- Are all users being synced actually at same level as configured "Search Base"? Maybe use "SUBTREE" instead.
- "User Group Name Attribute" <-- With this unset, only users strings from the ldap "cn" attribute will be synced since there is no ldap attribute provided which identifies which groups this user belongs to. This property tells NiFi which ldap user entry attribute contains the groups that the returned user is a member of.
- "User Group Name Attribute - Referenced Group Attribute". <-- by default this uses ldap "DN" attribute
3. Within the "Group" properties I see:
- "Group Search Base" <-- With this set to blank a group based sync is not performed. So with out "User Group Name Attribute" set in the "User" section and no Group sync being executed, NiFi will not get any group strings returned.
- "Group Name Attribute" - Set to CN, which tells NiFi to use the value assigned to the ldap "cn" group entry attribute to as the group identity string in NiFi (but since other properties i mentioned are not set, none will be added to NiFi).
- "Group Member Attribute" <-- If you were to determine user/group associations via a group sync this would need to be set so that NiFi knows which ldap group entry attribute defines which user are a member to each group returned by the group sync.

So....
Step1 : Address the manager DN and/or Manager password issue blocking the provider from being able to successfully connect to your ldap.
Step 2: Fix the user and group sync sections so that NiFi can determine property what user and groups to sync and how to determine the associations between those groups. This requires knowledge of your LDAP/AD user and group entries in your LDAP/AD. I can't help you further here without an sample ldapsearch output for a user and a group from your ldap that you are trying to use for authorization in NiFi.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

Please be sure to login and click "Accept as Solution" on all responses the assisted you within this query.

Thank you,

Matt

Re: Nifi Failed authorization

VidyaSargur — Mon, 13 Sep 2021 06:02:50 GMT

@wbivp, Has any of the replies helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.

Re: Nifi Failed authorization

wbivp — Wed, 15 Sep 2021 14:49:07 GMT

Hi @MattWho

this is the sample from ldapsearch :
distinguishedName: CN=wbivp,OU=DEVELOPER,DC=msad,DC=local,DC=co
memberOf: CN=cdpconsultant,OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co

my username wbivp , with group cdpconsultant

from this information, please advise to fill in the configuration required by NIFI

Re: Nifi Failed authorization

wbivp — Sat, 18 Sep 2021 15:46:29 GMT

Hi All,

if there is an example for NIFI User Group with ranger configuration it is very helpful

Re: Nifi Failed authorization

MattWho — Wed, 22 Sep 2021 13:45:29 GMT

@wbivp

Without full ldapsearch output for a user and group, I'd have to make some guesses and assumption with regards to your specific setup, but it looks like you are using AD so here is a configuration you may want to try:

<property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property> <property name="User Object Class">user</property> <property name="User Search Scope">SUBTREE</property> <property name="User Search Filter"></property> <property name="User Identity Attribute">sAMAccountName</property> <property name="User Group Name Attribute">memberOf</property> <property name="User Group Name Attribute - Referenced Group Attribute">distinquishedName</property> <property name="Group Search Base">OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co</property> <property name="Group Object Class">group</property> <property name="Group Search Scope">SUBTREE</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute">cn</property> <property name="Group Member Attribute">member</property> <property name="Group Member Attribute - Referenced User Attribute">distinquishedName</property>

Another thing you should do is enable DEBUG on the ldap-user-group-provider class. With DEBUG, this provider will output to the nifi-app.log the list of user and groups strings that are being synced from your AD and also show the associations discovered between them.

Adding this logger involves editing the contents of the NiFi's logback.xml file. Scroll down in the logback.xml until you start seeing lines that start with "<logger..../>" and insert the following new line:

Those user and groups strings are absolute and case sensitive. So they must identically exist with Ranger when they get associated to policies you setup.

If the strings logged in the nifi-app.log do not match what you have in Ranger exactly, you'll need to adjust your configuration until they do. If the strings don't match but can be manipulated to match using java regular expressions, take a look at the user and group mapping pattern [1] capabilities that can be configured in the nifi.properties file (there are different properties for manipulting identity/user strings and group strings. These mappings are evaluated against the strings returned by the providers in the authorizers.xml and returned by the login providers before they are used to check authorization. What is output to the log would be post any mapping being applied.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Hope this helps,

Matt

Re: Nifi Failed authorization

MattWho — Wed, 22 Sep 2021 13:52:53 GMT

@wbivp

I created a community article long ago that details the Ranger based "NiFi Resource Identifier" policy strings you would use in Ranger to provide various levels of authorization within NiFi.

https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586

For example, it you want to grant access so that users can access and create components within a PG:

/process-groups/<uuid of PG> .
Grant Read and Write for your "group" and/or "user" to allow them to view configurations and added components (processors, controller services, child PGs, etc...) within this PG
/data/process-groups/<uuid of PG>
Granting Read and Write for your "group" and/or "user" to allow user to view and delete content (flowfiles) queued within connection within this PG.

Keep in mind that child PGs will inherit the access granted to the parent PG unless explicit policies have been set on the child PG.

Hope this helps,

Matt