question Re: NiFi Insufficient privileges post enabling SSL in Archives of Support Questions (Read Only)

NiFi Insufficient privileges post enabling SSL

sunile_manjee — Sat, 28 Jan 2017 03:23:52 GMT

I have enabled SSL and created cert

/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.1.0-2/bin/tls-toolkit.sh client -c xxxxx.field.hortonworks.com -D 'CN=nifiadmin, OU=FIELD.HORTONWORKS.COM' -p 10443 -t admin -T pkcs12

Add cert to my keychain. and loaded pem in chrome

I have my initial admin identity set to

CN=nifiadmin, OU=FIELD.HORTONWORKS.COM

This is in my users.xml

<tenants>
    <groups/>
    <users>
        <user identifier="92f3fcec-cd4d-347d-b750-c54eb8f7d04f" identity="CN=nifiadmin, OU=FIELD.HORTONWORKS.COM">
        <role name="ROLE_ADMIN"/>
        <user identifier="b7851c46-a903-34d5-928e-483bf61ddc17" identity="xxxxx.field.hortonworks.com">
        <role name="ROLE_ADMIN"/>
    </users>
</tenants>

When I hit the UI it says I have insufficient privileges. Any ideas?

I have deleted authorizations.xml and users.xml, restarted nifi and same issue. I have also updated the users.xml and set <role name="ROLE_ADMIN"/> for each user. I removed this spinet as well. same issue.

Re: NiFi Insufficient privileges post enabling SSL

alopresto — Sat, 28 Jan 2017 03:29:06 GMT

<role> elements are from NiFi 0.x. As you are on 1.x, you need to populate the authorizations.xml file with the appropriate mappings of the user (identified by the UUID) to the specific policies which will grant them access to perform the desired behavior. If you paste the contents of your authorizations.xml file here, we can correct any issues. Specifically, to view the UI, your user needs READ on the "view the UI" policy.

Re: NiFi Insufficient privileges post enabling SSL

bbende — Sat, 28 Jan 2017 03:29:40 GMT

There is no such thing as "roles" in Apache NiFi 1.x, I would expect that to fail start-up with those role elements.

When you receive the insufficient privileges message, what is shown in nifi-user.log? There should be a message with a user identity that was denied and we need to compare that identity to what you entered as your initial admin.

Re: NiFi Insufficient privileges post enabling SSL

sunile_manjee — Sat, 28 Jan 2017 03:32:10 GMT

@Andy LoPresto got it. but how am I suppose to provide read access to admin if i am not able to get into UI using admin cert.

Re: NiFi Insufficient privileges post enabling SSL

MattWho — Sat, 28 Jan 2017 03:39:46 GMT

@Sunile Manjee

The users.xml file you have above was not generated by NiFi. Did you manually create that?

You should not need to do that. On First start of NiFi after enabling https, NiFi will generate both the users.xml and authorizations.xml files from the configurations in the authorizers.xml file.

If the users.xml and authorizations.xml files already exist, NiFi will not modify them or re-create them during startup even if you change the configurations in the authorizers.xml file for "Initial Admin Identities" or "node identities".

In order to to have NiFi create those files over, you will need to remove or rename the current users.xml and authorizations.xml files before restarting NiFi.

Thanks,

Matt

Re: NiFi Insufficient privileges post enabling SSL

alopresto — Sat, 28 Jan 2017 03:42:46 GMT

When you set the Initial Admin Identity, NiFi does populate the roles for that user, including "view the UI", which allows you to then configure other users via the interface. Obviously there was an issue with generating your authorizations.xml, so that policy doesn't exist at this time. If you provide the authorizations.xml, we can fix it.

Re: NiFi Insufficient privileges post enabling SSL

sunile_manjee — Sat, 28 Jan 2017 03:44:14 GMT

Thank you all for responses. Great stuff. I was able to parse the nifi user log as suggested and found my cert was wrong user. I am getting proxy error now. will open another post. thank you again.