
Apache NiFi Authentication Using an Azure AD Token Generated by Another Application


I have deployed an Apache NiFi instance (v2.1.0) and configured Azure AD authentication by following this guide:
NiFi Authentication with Azure AD.

Authentication is working correctly—I can log in, configure multiple users, and assign policies.

Now, I have another application that also uses Azure AD authentication. I am trying to implement a scenario where a user first logs into my application, then gets redirected to NiFi using the same token generated for my application. However, this approach is failing, and I am encountering an error.

I have attached the log below. Can anyone help me troubleshoot this issue?


2025-02-21 06:26:47,841 INFO [NiFi Web Server-117] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[kLM-4Eld2dZnX_dD3iB0df2fTvXQxa1J2ffdLoK-ozas], groups[] does not have permission to access the requested resource. Unable to view Process Group with ID fa3a74d9-0194-1000-85b2-d20263f3e54b. Returning Forbidden response.
2025-02-21 06:26:47,841 DEBUG [NiFi Web Server-117] o.a.n.w.a.c.AccessDeniedExceptionMapper
org.apache.nifi.authorization.AccessDeniedException: Unable to view Process Group with ID fa3a74d9-0194-1000-85b2-d20263f3e54b.
        at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:285)
        at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:298)
        at org.apache.nifi.web.api.ProcessGroupResource.lambda$getProcessGroup$0(ProcessGroupResource.java:269)
        at org.apache.nifi.web.StandardNiFiServiceFacade.authorizeAccess(StandardNiFiServiceFacade.java:517)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
        at org.apache.nifi.web.StandardNiFiServiceFacade$$SpringCGLIB$$0.authorizeAccess(<generated>)
        at org.apache.nifi.web.api.ProcessGroupResource.getProcessGroup(ProcessGroupResource.java:267)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)


Here, kLM-4Eld2dZnX_dD3iB0df2fTvXQxa1J2ffdLoK-ozas is said to be a unique ID from Azure AD. If I use the NiFi token, there is no issue: application login works fine. But when I use the token generated from my application, this error occurs for the same user.
When I analyze the tokens, this ID is in the sub field of my token, but for the NiFi token the sub field is the email ID. I am assuming NiFi is taking the sub field of the token to authorize a user. For the NiFi token the sub is the email ID, so it works fine. In my token the sub field is this ID, and NiFi cannot authorize the user. Is there a way for me to use my token?
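The comparison described above (the same person, two tokens, a different value in the claim the authorizer looks up) can be reproduced offline. The following is an added example, not code from the post or from Apache NiFi: it builds two constructed, unsigned JWT-shaped tokens, decodes their payloads without verifying them, and reports whether a chosen identifying claim yields the same identity string from both. The claim name is a parameter because the poster assumes `sub`; in NiFi the claim used for the OIDC identity is set by `nifi.security.user.oidc.claim.identifying.user` in nifi.properties (default `email`). The issuer URLs, e-mail address and expiry are constructed; the `sub` value of the app token is the identifier quoted in the post's log.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding removed (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # restore the padding that JWT encoding strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo only.
    The third segment is a placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.

    Inspection only: NiFi verifies the signature against the issuer's published
    keys before it looks at the claims. Never make an authorization decision
    from claims read out of an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def identity_from_token(token: str, identifying_claim: str) -> str:
    """The string an authorizer would look up, taken from the chosen claim."""
    claims = decode_claims(token)
    if identifying_claim not in claims:
        raise KeyError(f"token carries no '{identifying_claim}' claim")
    return claims[identifying_claim]


def explain_mismatch(nifi_token: str, app_token: str, identifying_claim: str) -> dict:
    """Compare the identity each token yields for the same human user."""
    nifi_identity = identity_from_token(nifi_token, identifying_claim)
    app_identity = identity_from_token(app_token, identifying_claim)
    return {
        "claim": identifying_claim,
        "nifi_identity": nifi_identity,
        "app_identity": app_identity,
        "same_identity": nifi_identity == app_identity,
    }


# Constructed sample claims, shaped like the two tokens described in the post.
NIFI_TOKEN = make_demo_token({
    "iss": "https://nifi.example.invalid",          # constructed issuer
    "sub": "alice@example.invalid",                 # NiFi token: sub is the e-mail identity
    "exp": 1740100000,
})
APP_TOKEN = make_demo_token({
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "sub": "kLM-4Eld2dZnX_dD3iB0df2fTvXQxa1J2ffdLoK-ozas",  # app token: sub is the opaque unique id (from the post's log)
    "email": "alice@example.invalid",               # same person, carried in a different claim
    "exp": 1740100000,
})

if __name__ == "__main__":
    # With 'sub' the two identities differ, which is the mismatch the post describes.
    print(explain_mismatch(NIFI_TOKEN, APP_TOKEN, "sub"))
    # The app token does carry the e-mail, just not in 'sub'.
    print(identity_from_token(APP_TOKEN, "email"))
```

Running the script shows `same_identity` false for `sub` while `email` on the app token gives the address the NiFi policies were written for; that is the quickest way to confirm which claim each issuer populates before changing either the application or the NiFi authorizer.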


Master Mentor

@AlokVenugopal 

Welcome to the community.

What you are encountering is an authorization issue and not an authentication issue. NiFi is accepting your token issued through your application login, but then authorization does not exist for the user identity derived from your token.

In NiFi, after successful authentication, the user identity is passed to the NiFi authorizer to determine what NiFi policies have been authorized for that user identity. When using your application's token, this results in no authorization found, because neither the user identity nor any known groups that user identity belongs to are authorized for the required policy.

identity[kLM-4Eld2dZnX_dD3iB0df2fTvXQxa1J2ffdLoK-ozas], groups[]

Supporting the user "unique id" would require that NiFi's authorizer contained that unique ID and that it was authorized to the necessary NiFi policies. Authorizing users based on these unique IDs does not make much sense in NiFi, as it would be error-prone and make authorization difficult to manage. An admin would need to know which user these unique IDs map to in order to set up authorization successfully.

The first option would be modifying your app so that the returned token contains an ID that matches the user identity, similar to what NiFi does.

Assuming this "unique id" does not change and is always the same for the specific user, perhaps you can work around this creatively within NiFi through group based authorization.

This would require using the file-user-group-provider within the NiFi authorizers.xml. This will allow you to manually add user identities and group identities.

So you create a new group such as "username" via the NiFi UI. You then add your existing user (the one that successfully gets authorized when you authenticate through NiFi) to this new group. You then add a new user identity for that "unique id" and make that new user a member of that same group via the NiFi UI. Now authorize the group to whichever policies are necessary. Now, whether your user authenticates via NiFi to get a token or through your app to get a token, the user will successfully be authorized via the shared group membership.

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
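The group-based workaround in the answer above can be checked as a model before touching a live authorizer. The following is an added example, not code from the answer or from Apache NiFi: it models users and groups the way the file-based user/group provider stores them (user identity strings, groups as sets of member identities) and policies the way the file-based access policy provider does (a resource path, an action `R` or `W`, and the users and groups granted), then evaluates the view request from the post's log with and without the shared group. The e-mail identity and group name are constructed; the unique ID and the process-group ID come from the post's log.

```python
from dataclasses import dataclass, field


@dataclass
class Tenants:
    """Users and groups as a file-based user/group provider keeps them:
    each user is an identity string, each group is a set of member identities."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)   # group name -> set of user identities

    def add_user(self, identity: str) -> None:
        self.users.add(identity)

    def add_to_group(self, group: str, identity: str) -> None:
        # NiFi only lets you add known users to a group, so enforce that here too
        if identity not in self.users:
            raise ValueError(f"unknown user identity: {identity}")
        self.groups.setdefault(group, set()).add(identity)

    def groups_of(self, identity: str) -> set:
        return {name for name, members in self.groups.items() if identity in members}


@dataclass
class Policy:
    resource: str                               # e.g. "/process-groups/<uuid>"
    action: str                                 # "R" (view) or "W" (modify)
    users: set = field(default_factory=set)     # identities granted directly
    groups: set = field(default_factory=set)    # group names granted


def is_authorized(tenants: Tenants, policies: list, identity: str,
                  resource: str, action: str) -> bool:
    """Grant if a matching policy names the identity directly or any group it belongs to.
    An identity the provider has never seen has no groups, so only a direct grant could match;
    that is the 'identity[...], groups[]' line in the post's log."""
    member_of = tenants.groups_of(identity)
    for policy in policies:
        if policy.resource != resource or policy.action != action:
            continue
        if identity in policy.users or member_of & policy.groups:
            return True
    return False


EMAIL_IDENTITY = "alice@example.invalid"                             # constructed
UNIQUE_ID_IDENTITY = "kLM-4Eld2dZnX_dD3iB0df2fTvXQxa1J2ffdLoK-ozas"   # from the post's log
PROCESS_GROUP = "/process-groups/fa3a74d9-0194-1000-85b2-d20263f3e54b"  # from the post's log
SHARED_GROUP = "alice"                                               # constructed group name


def build_scenario(with_shared_group: bool) -> dict:
    """Start from the working state (e-mail identity granted view on the process group),
    optionally apply the answer's fix, and evaluate both identities."""
    tenants = Tenants()
    tenants.add_user(EMAIL_IDENTITY)
    policies = [Policy(PROCESS_GROUP, "R", users={EMAIL_IDENTITY})]

    if with_shared_group:
        # The answer's steps: new user for the unique id, one group holding both
        # identities, and the policy granted to the group rather than to one user.
        tenants.add_user(UNIQUE_ID_IDENTITY)
        tenants.add_to_group(SHARED_GROUP, EMAIL_IDENTITY)
        tenants.add_to_group(SHARED_GROUP, UNIQUE_ID_IDENTITY)
        policies.append(Policy(PROCESS_GROUP, "R", groups={SHARED_GROUP}))

    return {
        "email_authorized": is_authorized(tenants, policies, EMAIL_IDENTITY, PROCESS_GROUP, "R"),
        "unique_id_authorized": is_authorized(tenants, policies, UNIQUE_ID_IDENTITY, PROCESS_GROUP, "R"),
    }


if __name__ == "__main__":
    print("before fix:", build_scenario(with_shared_group=False))
    print("after fix: ", build_scenario(with_shared_group=True))
```

Before the fix the unique-ID identity is denied exactly as in the log (no direct grant, no groups); after it both identities resolve to the same group and the group carries the grant. The model also makes the answer's caveat visible: the mapping only holds while the unique ID stays stable for that user, and every additional user needs the same pair of identities added by an admin who knows which person the ID belongs to.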