NiFi AuthorizerCreationException: Unable to locate initial admin to seed policies

Hi guys,

When I secured a three-node NiFi cluster, I got the errors below during startup.

I use the TLS tool to create certificates, and use client certificates for authentication.

The setting in my authorizers.xml is below:

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=nifiadmin, OU=NIFI.COM</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=nifi-0, OU=NIFI.COM</property>
    <property name="Node Identity 2">CN=nifi-1, OU=NIFI.COM</property>
    <property name="Node Identity 3">CN=nifi-2, OU=NIFI.COM</property>
</accessPolicyProvider>

From the nifi-user.log output, it seems NiFi can locate the DN set in authorizers.xml.

However, I don't understand why nifi-bootstrap.log says NiFi can't locate the initial admin.

Are users.xml and authorizations.xml auto-created and populated by NiFi?

After checking, it seems "Initial Admin Identity" user and administrative policies are NOT added to the users.xml and authorizations.xml files.

$ cat nifi-user.log

2017-08-31 18:54:28,424 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /opt/nifi/nifi-1.4.0-SNAPSHOT/./conf/users.xml

2017-08-31 18:54:28,453 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Aug 31 18:54:28 UTC 2017

2017-08-31 18:54:28,458 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /opt/nifi/nifi-1.4.0-SNAPSHOT/./conf/authorizations.xml

2017-08-31 18:54:28,475 WARN [main] org.apache.nifi.authorization.FlowParser Flow Configuration does not exist or was empty

2017-08-31 18:54:28,475 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=nifiadmin, OU=NIFI.COM


$ cat nifi-bootstrap.log

2017-08-31 18:54:13,151 INFO [NiFi Bootstrap Command Listener] org.apache.nifi.bootstrap.RunNiFi Apache NiFi now running and listening for Bootstrap requests on port 41600

2017-08-31 18:54:29,443 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException:

Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]:

Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException:

org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=nifiadmin, OU=NIFI.COM to seed policies

2017-08-31 18:54:29,444 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...

2017-08-31 18:54:30,576 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi never started. Will not restart NiFi

1 ACCEPTED SOLUTION

@Alvin Jin

That authorizers.xml file looks a little off.

This is what it should look like:

<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=nifiadmin, OU=NIFI.COM</property>
        <property name="Legacy Authorized Users File"></property>

        <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity. -->
        <property name="Node Identity 1">CN=nifi-0, OU=NIFI.COM</property>
        <property name="Node Identity 2">CN=nifi-1, OU=NIFI.COM</property>
        <property name="Node Identity 3">CN=nifi-2, OU=NIFI.COM</property>
    </authorizer>
</authorizers>

You will have to remove the current users.xml and authorizations.xml file so NiFi will recreate them on restart.


Hi @Wynner,

Thanks for your comments. You are right, it's the authorizers.xml format issue.

Actually, I am using nifi-1.4-snapshot. That's why my authorizers.xml is different from the 1.3 one.

When I switched to the 1.3 version authorizers.xml with nifi-1.4-snapshot, the above issue was gone. This confuses me.

Then, when I have the below in the authorizers.xml file

<property name="Node Identity 1">CN=nifi-0, OU= NIFI.COM</property>

I saw errors from nifi-app.log, it seems the default OU of node identity is "NIFI".

2017-09-01 14:09:08,854 DEBUG [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi. at org.apache.nifi.web.api.AccessResource.createAccessTokenFromTicket(AccessResource.java:349)

2017-09-01 14:09:09,045 INFO [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifiadmin, OU=NIFI.COM><CN=nifi-0, OU=NIFI>) GET https://nifi-0:9443/nifi-api/flow/current-user (source ip: 10.244.1.95)

2017-09-01 14:09:09,048 WARN [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi-0, OU=NIFI

2017-09-01 14:09:09,048 WARN [NiFi Web Server-127] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi-0, OU=NIFI

But if I set it as "CN=nifi-0, OU= NIFI" in the above file, it works.

@Alvin Jin

Remove the space between "OU =NIFI" so it looks like "OU=NIFI".

Also, don't forget to remove the old users.xml and authorizations.xml files before restarting NiFi.

You should stick with released versions, instead of using the snapshot version.
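
Added example (not part of the original thread and not NiFi's own code): a small linter for authorizers.xml that catches the problems seen in this thread before NiFi is restarted, namely a repeated property name, a stray space around "=" in a DN, and an admin or node identity that the referenced user group provider does not seed. The `lint_authorizers` function and the sample file are constructed for illustration; the third check assumes the 1.4-style layout, in which FileUserGroupProvider seeds users through `Initial User Identity N` properties and FileAccessPolicyProvider must find its identities there.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the 1.4-style layout (not the poster's full file):
# the admin is missing from the user group provider, one node DN has a
# stray space after "OU=", and "Node Identity 2" appears twice.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=nifi-0, OU=NIFI.COM</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=nifiadmin, OU=NIFI.COM</property>
    <property name="Node Identity 1">CN=nifi-0, OU= NIFI.COM</property>
    <property name="Node Identity 2">CN=nifi-1, OU=NIFI.COM</property>
    <property name="Node Identity 2">CN=nifi-2, OU=NIFI.COM</property>
  </accessPolicyProvider>
</authorizers>"""

def lint_authorizers(xml_text):
    """Return a list of findings for an authorizers.xml document."""
    root, findings, seeded = ET.fromstring(xml_text), [], {}
    # Assumption: 1.4-style providers seed users via 'Initial User Identity N'.
    for ugp in root.iter("userGroupProvider"):
        ids = {(p.text or "").strip() for p in ugp.iter("property")
               if p.get("name", "").startswith("Initial User Identity")}
        seeded[ugp.findtext("identifier", "").strip()] = ids
    for provider in root:
        pid = provider.findtext("identifier", "").strip()
        names = [p.get("name", "") for p in provider.iter("property")]
        for n in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"{pid}: duplicate property '{n}'")
        known = None  # stays None for the 1.3-style FileAuthorizer layout
        for p in provider.iter("property"):
            if p.get("name") == "User Group Provider":
                known = seeded.get((p.text or "").strip(), set())
        for p in provider.iter("property"):
            name, dn = p.get("name", ""), (p.text or "").strip()
            if not dn or not (name == "Initial Admin Identity"
                              or name.startswith("Node Identity")):
                continue
            if re.search(r"\s=|=\s", dn):
                findings.append(f"{pid}: space around '=' in {name}: '{dn}'")
            if known is not None and dn not in known:
                findings.append(f"{pid}: {name} '{dn}' not seeded in user group provider")
    return findings
```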