question Re: NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies in Archives of Support Questions (Read Only)

NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies

alvinuw — Fri, 01 Sep 2017 02:52:48 GMT

Hi guys,

When I secure a three nodes nifi cluster, I got below errors during start up.

I use TLS tool to create certificates, and use client-certificate for authentication.

The setting in my authorizers.xml is below:

<identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>

<property name="User Group Provider">file-user-group-provider</property>

<property name="Authorizations File">./conf/authorizations.xml</property>

<property name="Initial Admin Identity">CN=nifiadmin, OU=NIFI.COM</property>

</accessPolicyProvider>

From nifi-user.log ouput, it seems NiFi can locate the DN set in authorizers.xml.

However, I don't understand why nifi-bootstrap.log says NiFi can't initial admin.

Are users.xml and authorizations.xml auto-created and populated by NiFi?

After checking, it seems "Initial Admin Identity" user and administrative policies are NOT added to the users.xml and authorizations.xml files.

$ cat nifi-user.log

2017-08-31 18:54:28,424 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /opt/nifi/nifi-1.4.0-SNAPSHOT/./conf/users.xml

2017-08-31 18:54:28,453 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Aug 31 18:54:28 UTC 2017

2017-08-31 18:54:28,458 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /opt/nifi/nifi-1.4.0-SNAPSHOT/./conf/authorizations.xml

2017-08-31 18:54:28,475 WARN [main] org.apache.nifi.authorization.FlowParser Flow Configuration does not exist or was empty

2017-08-31 18:54:28,475 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=nifiadmin, OU=NIFI.COM

$ cat nifi-bootstrap.log

2017-08-31 18:54:13,151 INFO [NiFi Bootstrap Command Listener] org.apache.nifi.bootstrap.RunNiFi Apache NiFi now running and listening for Bootstrap requests on port 41600

2017-08-31 18:54:29,443 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException:

Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]:

Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException:

org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=nifiadmin, OU=NIFI.COM to seed policies

2017-08-31 18:54:29,444 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...

2017-08-31 18:54:30,576 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi never started. Will not restart NiFi

Re: NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies

Wynner — Fri, 01 Sep 2017 03:55:15 GMT

@Alvin Jin

That authorizers.xml file looks a little off.

This is what it should look like:

<authorizers>
   <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=nifiadmin, OU= NIFI.COM</property>
        <property name="Legacy Authorized Users File"></property>


        <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity. -->
        <property name="Node Identity 1">CN=nifi-0, OU=NIFI.COM</property>
        <property name="Node Identity 2">CN=nifi-1, OU=NIFI.COM</property>
        <property name="Node Identity 2">CN=nifi-2, OU=NIFI.COM</property>
    </authorizer>
</authorizers>

You will have to remove the current users.xml and authorizations.xml file so NiFi will recreate them on restart.

Re: NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies

alvinuw — Fri, 01 Sep 2017 21:56:47 GMT

Hi @Wynner,

Thanks for your comments. You are right, it's the authorizers.xml format issue.

Actually, I am using nifi-1.4-snapshot. That's why my authorizers.xml is different from the 1.3 one.

When I switched to the 1.3 version authorizers.xml with nifi-1.4-snapshot, the above issue was gone.This confuses me.

Then, when I have below in authorizers.xml file

<propertyname="Node Identity 1">CN=nifi-0, OU= NIFI.COM</property>

I saw errors from nifi-app.log, it seems the default OU of node identity is "NIFI".

2017-09-01 14:09:08,854 DEBUG [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi. at org.apache.nifi.web.api.AccessResource.createAccessTokenFromTicket(AccessResource.java:349)

2017-09-01 14:09:09,045 INFO [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifiadmin, OU=NIFI.COM><CN=nifi-0, OU=NIFI>) GET https://nifi-0:9443/nifi-api/flow/current-user (source ip: 10.244.1.95) 2017-09-01 14:09:09,048 WARN [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi-0, OU=NIFI

2017-09-01 14:09:09,048 WARN [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi-0, OU=NIFI

But whenIf I set it as "CN=nifi-0, OU= NIFI" in above file, it works.

Re: NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies

Wynner — Sat, 02 Sep 2017 00:17:55 GMT

@Alvin Jin

Remove the space between "OU =NIFI" so it looks like "OU=NIFI".

Also, don't forget to remove the old users.xml and authorizations.xml files before restarting NiFi.

You should stick with released versions, instead of using the snapshot version.