question Re: Nifi UI forbidden in Archives of Support Questions (Read Only)

Nifi UI forbidden

vnandigam — Mon, 03 Oct 2016 10:12:01 GMT

Hi,

Recently i enabled SSL for my nifi cluster, genearted certificates and then trying to access from browser. but am getting fallowing exception.capture.png

Re: Nifi UI forbidden

jpercivall — Mon, 03 Oct 2016 10:31:59 GMT

The user that corresponds to the cert you are using doesn't have access to the UI. An admin has to add the user to the "view the UI" policy first.

You can read more about the Multi-tenant authorization in the NiFi docs: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization

Re: Nifi UI forbidden

vnandigam — Mon, 03 Oct 2016 10:50:47 GMT

Hi@jpercivall

i already address intial admin in my authorizations.xml file as specified in document.

<authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.FileAuthorizer</class>

<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>

<property name="Users File">/var/lib/nifi/conf/users.xml</property>

<property name="Initial Admin Identity">CN=nifiadmin,OU=hortonworks</property>

but still facing same issue

Re: Nifi UI forbidden

vnandigam — Mon, 03 Oct 2016 19:02:20 GMT

any thoughts in this issue?

Re: Nifi UI forbidden

MattWho — Mon, 03 Oct 2016 19:18:25 GMT

@vnandigam

There are two parts to successfully accessing the NiFi UI, Authentication and Authorization. Since you are getting the insufficient permissions screen, you have successfully authenticated.

First you should confirm the DN pattern of this user that has successfully authenticated. If you tail the nifi-user.log while you access your NiFi's UI, you will see a line similar to the following:

2016-10-03 11:47:15,134 INFO [NiFi Web Server-65795] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin,OU=hortonworks

Examine the DN presented. Does it match exactly what you had in your "Initial Admin Identity" property you set?

Next you will want to confirm that this user was properly added to the users.xml file:

<user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa" identity="CN=nifiadmin,OU=hortonworks"/>

The user if it exists will be assigned a UUID (The above UUID is just an example and yours will be different.)

Next, verify this user was given the ability to "view the user interface" by examining the authorizations.xml file.

Within this file you would expect to see the user's UUID above assigned to one or more policies.

In order to even see the UI, users must have the "R" to the "/flow" policy:

<policy identifier="6a57bf03-2a93-39d0-87dd-e3aa30f0cd4d" resource="/flow" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

In order to be able to add users to additional access policies, the user would also need "R" and "W" to the "/policies" policy (You can think of this as the Global Admin policy):

<policy identifier="9a3a1c92-fa10-3f9d-b2f7-5cd56cd2ca00" resource="/policies" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>
<policy identifier="1ff611dd-1536-31f5-a610-64e192e4c43c" resource="/policies" action="W">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

If you user has both of the above, you should be able to access the UI and use the interface to grant additional users access and add additional levels of access for yourself and/or any user you added.

The following policies are what gives a user the ability to create, modify, and delete new users and/or groups:

<policy identifier="dee16f9e-1f09-37ee-806b-e372f1051816" resource="/tenants" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>
<policy identifier="69839728-eaf3-345d-849f-e2790cf236ab" resource="/tenants" action="W">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

If you find that your authorizations.xml file was empty (Had no policies set in it), it is likely your NiFi had been started previous to you setting the "Initial Admin Identity" property. This Property ONLY works the first time NiFi is started. If the authorizations.xml file was already generated, it will not be re-generated or updated on later starts of NiFi. To correct this, you can delete the authorizations.xml file and restart your NiFi. Since it does not exist this time, the "Initial Admin Identity" user will be created this time.

***Note, if other users already have granted authorizations in this file, those will be lost and will need to be re-created. Only delete the authorizations.xml file if wishing to start over from scratch.

Thanks,

Matt

Re: Nifi UI forbidden

vnandigam — Mon, 03 Oct 2016 20:35:08 GMT

thanks @mclark

As per i remember i already checked authorization,xml, that contains polices for UUID. but am not sure weather it has access R access to /polices ... will check that by tomorrow let u guys know.

Re: Nifi UI forbidden

vnandigam — Mon, 03 Oct 2016 22:18:27 GMT

@mclark

Hi, I have check all things you mentioned in the above, it has policies, users too.. but still facing authorization issue.

any thoughts on this?

Re: Nifi UI forbidden

brosander — Tue, 04 Oct 2016 00:38:26 GMT

There should probably be a space between the comma and OU of your initial admin identity.

E.g. CN=nifiadmin, OU=hortonworks

Re: Nifi UI forbidden

vnandigam — Tue, 04 Oct 2016 01:17:13 GMT

@brosander

. pleaswplease check fallowing immages am fallowing exactly same way including spaces too.c1.png

Re: Nifi UI forbidden

vnandigam — Tue, 04 Oct 2016 01:17:48 GMT

c2.png second immage

Re: Nifi UI forbidden

vnandigam — Tue, 04 Oct 2016 01:33:14 GMT

brosander.

thanks or your help brosander. its working now, isssue with white space as like u mentioned. thanks for help