Apache NIFI Integration with LDAP Issue

New Contributor

Hi,


I am having an issue with LDAP integration in NiFi version 1.15.3.

I can log in to the admin screen, and I added a policy for "modify component". But when I drag and drop a processor or process group onto the canvas, it appears read-only (with a dotted outline). The log says:

"Unable to find access policy for write on /process-groups/2740a80a-017f-1000-a4b3-70d6580cdb38. Returning Not Found response"


[Screenshot: Screen Shot 2022-02-23 at 10.08.39 PM.png]


My configuration is below:

login-identity-providers.xml

 <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=ae,dc=test,dc=com</property>
        <property name="Manager Password">a@psswd</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://ldapurl.com:389</property>
        <property name="User Search Base">dc=ae,dc=tt,dc=com</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_DN</property> 

        <property name="Authentication Expiration">12 hours</property>
    </provider>

authorizers.xml


<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
  
    </userGroupProvider>
     <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=ae,dc=test,dc=com</property>
        <property name="Manager Password">passwd</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://ldapurl.com:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">ou=users,dc=ae,dc=test,dc=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(uid=*)</property>
        <property name="User Identity Attribute">cn</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">posixGroup</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    <userGroupProvider>
       <identifier>composite-configurable-user-group-provider</identifier>
       <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
       <property name="Configurable User Group Provider">file-user-group-provider</property>
       <property name="User Group Provider 1">ldap-user-group-provider</property>
      
  </userGroupProvider> 
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
         <property name="User Group Provider">composite-configurable-user-group-provider</property>
         <property name="Authorizations File">./conf/authorizations.xml</property>
         <property name="Initial Admin Identity">admin</property>
         <property name="Legacy Authorized Users File"></property>
         <property name="Node Identity 1"></property>
         <property name="Node Group"></property>
    </accessPolicyProvider>
  

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

nifi.properties


# cluster node properties (only configure for cluster nodes) #
nifi.cluster.is.node=false
nifi.cluster.node.address=
nifi.cluster.node.protocol.port=
nifi.cluster.node.protocol.max.threads=50
nifi.cluster.node.event.history.size=25
nifi.cluster.node.connection.timeout=5 sec
nifi.cluster.node.read.timeout=5 sec
nifi.cluster.node.max.concurrent.requests=100
nifi.cluster.firewall.file=

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=0qIPg+dsdassfsff/alLIAP0KzS7Wug
nifi.security.keyPasswd=0qIPg+dfsdfsdds/alLIAP0KzS7Wug
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Vj1hmYot5b+adfsfdssdf/Ep+jVBH37O7E
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.jws.key.rotation.period=PT1H

nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=NONE

Not sure what is wrong here; I am not able to create a process group.
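As an added illustration (not part of the original post), the following Python snippet reproduces how NiFi applies the `nifi.security.identity.mapping.*` settings from the nifi.properties above to the DN that the LDAP provider returns under Identity Strategy USE_DN. The sample DNs are constructed for the `dc=ae,dc=test,dc=com` tree in the question; the mapping logic follows NiFi's documented behaviour (whole-identity match, `$n` substitution from the capture groups, optional case transform, and the raw identity kept unchanged when no pattern matches).

```python
import re

# Identity-mapping settings copied from the nifi.properties in the question.
PATTERN_DN = r"^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$"
VALUE_DN = "$1"
TRANSFORM_DN = "NONE"


def map_identity(raw_identity, pattern=PATTERN_DN, value=VALUE_DN, transform=TRANSFORM_DN):
    """Apply one NiFi identity mapping (pattern / value / transform).

    NiFi matches the pattern against the whole raw identity (here the bind DN,
    because the login provider uses Identity Strategy USE_DN), expands $1..$n
    in the value template from the capture groups, then applies the transform
    (NONE, LOWER or UPPER). If no pattern matches, the raw identity is used
    unchanged, which is the usual reason a user shows up as a full DN.
    """
    m = re.fullmatch(pattern, raw_identity)
    if not m:
        return raw_identity
    mapped = value
    for idx in range(len(m.groups()), 0, -1):   # substitute $10 before $1
        mapped = mapped.replace(f"${idx}", m.group(idx) or "")
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def identities_to_authorize(dns):
    """Map each DN and return {dn: identity NiFi will look up in users.xml}."""
    return {dn: map_identity(dn) for dn in dns}


# Constructed DNs for the directory layout in the question (dc=ae,dc=test,dc=com).
SAMPLE_DNS = [
    "cn=admin,ou=users,dc=ae,dc=test,dc=com",   # RDN is cn      -> "admin"
    "uid=admin,ou=users,dc=ae,dc=test,dc=com",  # RDN is uid     -> pattern misses
    "cn=Admin,ou=users,dc=ae,dc=test,dc=com",   # case differs   -> "Admin", not "admin"
    "cn=admin,ou=users,dc=test,dc=com",         # only two dc=   -> pattern misses
]

if __name__ == "__main__":
    for dn, ident in identities_to_authorize(SAMPLE_DNS).items():
        note = "" if ident != dn else "   <- unchanged, will not match Initial Admin Identity 'admin'"
        print(f"{dn} -> {ident}{note}")
```

The mapped identity is what must appear verbatim, and case-sensitively, as the Initial Admin Identity and in users.xml; a user whose RDN is `uid=` rather than `cn=` never matches this pattern and is authorized (or, more likely, denied) under the full DN. Separately, the posted provider binds with SIMPLE authentication over `ldap://ldapurl.com:389`, so the manager password and every user's login password cross the network unencrypted; switching the Authentication Strategy to LDAPS or START_TLS and filling in the TLS truststore properties is the usual fix.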


1 ACCEPTED SOLUTION

Super Guru

Hi @STK,

Your user probably has been granted two policies:

  • The global "view the user interface" policy, which you can access via the Policies menu:
    [Screenshot: araujo_0-1645695792143.png]
  • The "Modify component" policy that you configure for the root "NiFi Flow" process group component:
    [Screenshot: araujo_2-1645695938109.png]
    [Screenshot: araujo_3-1645695988398.png]

Your user is probably missing the "view the component" policy for the NiFi Flow process group:

[Screenshot: araujo_4-1645696068916.png]

Try granting this and see if it resolves your problem.

Regards,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
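To make the answer concrete, here is an added Python example (not from the original thread or from the NiFi project) that reads a users.xml and an authorizations.xml in the layout the file-based providers write, resolves group membership, and reports which of the three policies a user needs to view and edit the root canvas are missing: read on `/flow` ("view the user interface"), and read plus write on `/process-groups/<root id>` ("view the component" and "modify the component"). Both files are constructed for this example; the user and group identifiers in them are made up, and the root process-group id is the one from the log line in the question.

```python
import xml.etree.ElementTree as ET

# Root process-group id taken from the log line in the question.
ROOT_PG = "2740a80a-017f-1000-a4b3-70d6580cdb38"

# Constructed users.xml, in the layout FileUserGroupProvider writes.
# Identifiers (u-admin, u-stk, g-ops) are made up for this example.
USERS_XML = """
<tenants>
  <groups>
    <group identifier="g-ops" name="nifi-operators">
      <user identifier="u-stk"/>
    </group>
  </groups>
  <users>
    <user identifier="u-admin" identity="admin"/>
    <user identifier="u-stk" identity="stk"/>
  </users>
</tenants>
"""

# Constructed authorizations.xml, in the layout FileAccessPolicyProvider writes.
# "admin" holds the UI policy and W on the root group but no R on it, which is
# exactly the gap diagnosed in the accepted answer.
AUTHZ_XML = f"""
<authorizations>
  <policies>
    <policy identifier="p-flow-r" resource="/flow" action="R">
      <user identifier="u-admin"/>
      <group identifier="g-ops"/>
    </policy>
    <policy identifier="p-root-w" resource="/process-groups/{ROOT_PG}" action="W">
      <user identifier="u-admin"/>
    </policy>
    <policy identifier="p-root-r" resource="/process-groups/{ROOT_PG}" action="R">
      <group identifier="g-ops"/>
    </policy>
  </policies>
</authorizations>
"""


def load_tenants(users_xml):
    """Return (identity -> user identifier, user identifier -> set of group identifiers)."""
    root = ET.fromstring(users_xml)
    ident_to_id = {u.get("identity"): u.get("identifier")
                   for u in root.find("users").iter("user")}
    groups_of = {}
    for g in root.find("groups").iter("group"):
        for member in g.iter("user"):
            groups_of.setdefault(member.get("identifier"), set()).add(g.get("identifier"))
    return ident_to_id, groups_of


def load_policies(authz_xml):
    """Return a list of (resource, action, user identifiers, group identifiers)."""
    policies = []
    for p in ET.fromstring(authz_xml).iter("policy"):
        users = {u.get("identifier") for u in p.iter("user")}
        groups = {g.get("identifier") for g in p.iter("group")}
        policies.append((p.get("resource"), p.get("action"), users, groups))
    return policies


def effective_actions(identity, resource, users_xml, authz_xml):
    """Actions ('R'/'W') the identity holds on the exact resource, directly or via a group."""
    ident_to_id, groups_of = load_tenants(users_xml)
    uid = ident_to_id.get(identity)
    if uid is None:
        return set()           # identity absent from users.xml: no policy can match it
    my_groups = groups_of.get(uid, set())
    return {action for res, action, users, groups in load_policies(authz_xml)
            if res == resource and (uid in users or my_groups & groups)}


def missing_for_canvas_edit(identity, users_xml, authz_xml, root_pg=ROOT_PG):
    """(resource, action) pairs the identity still lacks to view and edit the root canvas.

    Child components inherit policies from their parent group when none is set on
    them directly, but the root group has no parent, so a gap here is a hard deny.
    """
    root = f"/process-groups/{root_pg}"
    required = [("/flow", "R"), (root, "R"), (root, "W")]
    return [(res, act) for res, act in required
            if act not in effective_actions(identity, res, users_xml, authz_xml)]


if __name__ == "__main__":
    for who in ("admin", "stk", "bob"):
        print(who, "missing:", missing_for_canvas_edit(who, USERS_XML, AUTHZ_XML) or "nothing")
```

Run against a real `./conf/users.xml` and `./conf/authorizations.xml`, the `admin` case prints the one missing pair, read on the root process group, which is what the "Unable to find access policy for write" log line turns into once the UI falls back to a read-only canvas; `stk` shows the mirror image (view but not modify), and an identity that is not in users.xml at all, which is what a mis-mapped DN looks like, is missing everything.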


2 REPLIES

New Contributor

Great, this works 🕺 Thank you @araujo