Apache NIFI secure cluster, Unable to locate node CN=nifi, OU=NIFI to seed policies

I need help with Apache NiFi secure cluster configuration.

My goal is to create a NiFi secure cluster and use LDAP to manage login accounts and policies.

At first I only used ldap-user-group-provider, but it did not work. The error message in the web UI is

Insufficient Permissions
Untrusted proxy CN=nifi, OU=NIFI

Then I modified my authorizers.xml to use composite-user-group-provider, following posts referenced on web blogs. The error message changed to

Unable to locate node CN=nifi, OU=NIFI to seed policies

My deployment steps are:

I used nifi-toolkit.sh to generate certificates, with the command:

./nifi-toolkit-1.15.3/bin/tls-toolkit.sh standalone -C "CN=nifi, OU=NIFI" -n 'nifi' -o /root/target

My authorizers.xml

<authorizers>
   <userGroupProvider>
      <identifier>file-user-group-provider</identifier>
      <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
      <property name="Users File">./conf/users.xml</property>
      <property name="Legacy Authorized Users File"/>
      <property name="Initial User Identity 1">CN=nifi, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
      <identifier>ldap-user-group-provider</identifier>
      <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
      <property name="Authentication Strategy">SIMPLE</property>
      <property name="Manager DN">cn=Manager,dc=nifi,dc=data</property>
      <property name="Manager Password">xxxx</property>
      <property name="TLS - Keystore"/>
      <property name="TLS - Keystore Password"/>
      <property name="TLS - Keystore Type"/>
      <property name="TLS - Truststore"/>
      <property name="TLS - Truststore Password"/>
      <property name="TLS - Truststore Type"/>
      <property name="TLS - Client Auth"/>
      <property name="TLS - Protocol"/>
      <property name="TLS - Shutdown Gracefully"/>
      <property name="Referral Strategy">FOLLOW</property>
      <property name="Connect Timeout">10 secs</property>
      <property name="Read Timeout">10 secs</property>
      <property name="Url">ldap://ldap:789</property>
      <property name="Page Size"/>
      <property name="Sync Interval">1 mins</property>
      <property name="Group Membership - Enforce Case Sensitivity">false</property>
      <property name="User Search Base">ou=users,dc=nifi,dc=data</property>
      <property name="User Object Class">person</property>
      <property name="User Search Scope">ONE_LEVEL</property>
      <property name="User Search Filter"/>
      <property name="User Identity Attribute">uid</property>
      <property name="User Group Name Attribute"/>
      <property name="User Group Name Attribute - Referenced Group Attribute"/>
      <property name="Group Search Base"/>
      <property name="Group Object Class">group</property>
      <property name="Group Search Scope">ONE_LEVEL</property>
      <property name="Group Search Filter"/>
      <property name="Group Name Attribute"/>
      <property name="Group Member Attribute"/>
     <property name="Group Member Attribute - Referenced User Attribute"/>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">nifi</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=nifi, OU=NIFI</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

Before restarting the NiFi service, I had already deleted the authorizations.xml and users.xml files.

During the restart, I found that users.xml was generated, and its content is

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="59486998-e3ac-3150-a4bc-c00e5a9959ba" identity="CN=nifi, OU=NIFI"/>
    </users>
</tenants>

But NiFi failed to start; the error message is

Unable to locate node CN=nifi, OU=NIFI to seed policies

The NiFi version is 1.15.3.

Please, can anyone tell me what's wrong?

Thanks.

1 REPLY

I tried changing the composite-user-group-provider to file-user-group-provider, and it worked!

authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=nifi, OU=NIFI</property>
        <property name="Initial User Identity 2">nifi</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">nifi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifi, OU=NIFI</property>
        <property name="Node Identity 2">nifi</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

But I still have a question: can ldap-user-group-provider or composite-user-group-provider not be used for a secure cluster?
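
Added example, not part of the original thread and not NiFi project code: a static check of an authorizers.xml that lists the Node Identity and Initial Admin Identity values which no reachable FileUserGroupProvider seeds. It assumes, per the NiFi Administration Guide, that CompositeUserGroupProvider reads only "User Group Provider N" properties while CompositeConfigurableUserGroupProvider also reads "Configurable User Group Provider"; SAMPLE, props, file_seeded and not_file_seeded are names made up here.

```python
import re
import xml.etree.ElementTree as ET

FILE_UGP = "org.apache.nifi.authorization.FileUserGroupProvider"
COMPOSITE = "org.apache.nifi.authorization.CompositeUserGroupProvider"
COMPOSITE_CONF = "org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider"

# Constructed sample: the thread's authorizers.xml trimmed to the relevant properties.
SAMPLE = """<authorizers>
  <userGroupProvider><identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=nifi, OU=NIFI</property></userGroupProvider>
  <userGroupProvider><identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class></userGroupProvider>
  <userGroupProvider><identifier>composite-user-group-provider</identifier>
    <class>{composite}</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property></userGroupProvider>
  <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">composite-user-group-provider</property>
    <property name="Initial Admin Identity">nifi</property>
    <property name="Node Identity 1">CN=nifi, OU=NIFI</property></accessPolicyProvider>
</authorizers>"""

def props(elem):
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def file_seeded(providers, ident, seen=()):
    """Initial User Identity values that provider `ident` can actually reach."""
    cls, pr = providers.get(ident, (None, {}))
    if ident in seen or cls not in (FILE_UGP, COMPOSITE, COMPOSITE_CONF):
        return set()  # unknown or directory-backed (LDAP): nothing seeded from this file
    if cls == FILE_UGP:
        return {v for k, v in pr.items() if k.startswith("Initial User Identity") and v}
    # Assumption (NiFi Admin Guide): only the Configurable composite reads the extra property.
    kids = [v for k, v in pr.items() if re.fullmatch(r"User Group Provider \S+", k)]
    kids += [pr.get("Configurable User Group Provider")] if cls == COMPOSITE_CONF else []
    return set().union(*(file_seeded(providers, k, seen + (ident,)) for k in kids))

def not_file_seeded(xml_text):
    """(property, identity) pairs of the policy provider with no reachable file seed."""
    root = ET.fromstring(xml_text)
    providers = {u.findtext("identifier"): (u.findtext("class"), props(u))
                 for u in root.findall("userGroupProvider")}
    pr = props(root.find("accessPolicyProvider"))
    known = file_seeded(providers, pr.get("User Group Provider"))
    return [(k, v) for k, v in pr.items() if v and v not in known
            and (k == "Initial Admin Identity" or k.startswith("Node Identity"))]

print(not_file_seeded(SAMPLE.format(composite=COMPOSITE)))
```

Any identity the check returns has to be supplied by the directory-backed provider instead, since the file seed does not cover it.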