Can't log in with the Admin user that is configured in Initial Admin Identity. I am not sure if I configured it correctly for the user to have the correct permission to access the UI.

New Contributor

Here is what I put in the Initial Admin Identity.

<property name="Initial Admin Identity">cn=Mark Nguyen, ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com</property>

Here is the log from nifi-user.log:

2016-10-27 20:51:17,166 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-27 20:51:17,166 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-27 20:51:17,166 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-27 20:51:17,166 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1NYXJrIE5ndXllbixvdT1FTVBMT1lFRVMsb3U9UGF5b2ZmX1VzZXJzLGRjPWludCxkYz1wYXlvZmYsZGM9Y29tIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTWFyayBOZ3V5ZW4iLCJraWQiOjEsImV4cCI6MTQ3NzY0NDY3NSwiaWF0IjoxNDc3NjAxNDc1fQ.xKt2GsxiJFcpSWZhmHUit5OCt7vXd2LOtibn63UzfQM) GET https://dbr-lncn-01:9443/nifi-api/flow/current-user (source ip: 10.10.4.23)
2016-10-27 20:51:17,170 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-27 20:51:17,170 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-27 20:51:17,170 DEBUG [NiFi Web Server-20] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com'
2016-10-27 20:51:17,172 INFO [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com does not have permission to access the requested resource. Returning Forbidden response.
2016-10-27 20:51:17,174 DEBUG [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper
org.apache.nifi.authorization.AccessDeniedException: Unknown user with identity 'cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com'.
    at org.apache.nifi.web.api.FlowResource.authorizeFlow(FlowResource.java:226) ~[classes/:na]
    at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:312) ~[classes/:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_102]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_102]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_102]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_102]
    at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) ~[jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) [jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) [jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.jar:1.19]
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.jar:1.19]
    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.jar:1.19]
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.jar:1.19]
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.jar:1.19]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1689) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:51) [jetty-servlets-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1676) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66) [classes/:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1676) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:59) [nifi-web-security-1.0.0.jar:1.0.0]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:83) [nifi-web-security-1.0.0.jar:1.0.0]
    at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:57) [nifi-web-security-1.0.0.jar:1.0.0]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:83) [nifi-web-security-1.0.0.jar:1.0.0]
    at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:57) [nifi-web-security-1.0.0.jar:1.0.0]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1676) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51) [classes/:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1174) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511) [jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1106) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.Server.handle(Server.java:524) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:186) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_102]

9 REPLIES

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

In your property config you have a space after the "cn=Mark Nguyen" before "ou=EMPLOYEES". This property is whitespace sensitive and is probably causing your problems.

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

Looks like a whitespace issue...

The value in Initial Admin is "cn=Mark Nguyen, ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"

The value returned from LDAP in the log is "cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"

Try making the Initial Admin exactly what was in the log, delete users.xml and authorizations.xml, and restart NiFi.
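Both replies above come down to the same point: the Initial Admin Identity is compared with the identity NiFi logs at authentication time as a literal string, so a stray space is enough to turn the admin into an unknown user. The Python below is an added example, not part of the original thread and not NiFi's own code. It pulls the Initial Admin Identity out of an authorizers.xml fragment, pulls the identity out of an "Authentication success for ..." line from nifi-user.log, and reports whether the two strings are identical and, if not, whether they differ only in whitespace, only in case, or substantively. The XML fragment and the log line are constructed from the values in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <property> from the question, including the stray
# space after "cn=Mark Nguyen,", wrapped in an <authorizer> element so it parses.
AUTHORIZERS_FRAGMENT = """<authorizer>
  <identifier>file-provider</identifier>
  <property name="Initial Admin Identity">cn=Mark Nguyen, ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com</property>
</authorizer>"""

# Constructed sample nifi-user.log line, modelled on the "Authentication success" entry above.
LOG_LINE = ("2016-10-27 20:51:17,170 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter "
            "Authentication success for cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com")

AUTH_SUCCESS = re.compile(r"Authentication success for (\S.*)$")


def configured_admin_identity(authorizers_xml):
    """Return the Initial Admin Identity exactly as written in the XML (no trimming)."""
    root = ET.fromstring(authorizers_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return prop.text or ""
    raise ValueError("no Initial Admin Identity property found")


def authenticated_identity(log_line):
    """Return the identity NiFi reported in an 'Authentication success' log line, or None."""
    m = AUTH_SUCCESS.search(log_line)
    return m.group(1) if m else None


def rdns(identity):
    """Split an identity string on commas and trim each component."""
    return [part.strip() for part in identity.split(",")]


def first_difference(a, b):
    """Index of the first character at which a and b differ, or -1 if they are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def diagnose(configured, observed):
    """Classify a mismatch between the configured admin identity and the one NiFi saw.

    The comparison NiFi performs is a plain string comparison (as the replies above
    note, it is whitespace sensitive), so anything other than "match" means the
    configured admin will not be recognised."""
    if configured == observed:
        return "match"
    if rdns(configured) == rdns(observed):
        return "whitespace"
    if configured.lower() == observed.lower():
        return "case"
    return "different"


def report(authorizers_xml, log_line):
    """Human-readable summary with a caret under the first differing character."""
    configured = configured_admin_identity(authorizers_xml)
    observed = authenticated_identity(log_line)
    verdict = diagnose(configured, observed)
    lines = [f"configured: {configured}", f"observed:   {observed}", f"verdict:    {verdict}"]
    pos = first_difference(configured, observed)
    if pos >= 0:
        lines.insert(2, "            " + " " * pos + "^")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AUTHORIZERS_FRAGMENT, LOG_LINE))
```

Run against the thread's values the verdict is "whitespace" with the caret at position 15, the space after the first comma. The same script is useful after the fix: once the verdict is "match", deleting users.xml and authorizations.xml and restarting, as suggested above, regenerates the admin user with the right identity.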

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

New Contributor

@jpercivall and @Bryan Bende

I have made the change and I still see the error, but a slightly different error.

This is what I have configured in authorizers.xml right now.

<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=dbr-lncn-01.int.payoff.com, OU=NIFI</property>
<property name="Node Identity 2">CN=dbr-lncn-02.int.payoff.com, OU=NIFI</property>

Here is an error from nifi-user.log:

2016-10-27 21:07:44,370 DEBUG [NiFi Web Server-22] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-27 21:07:45,780 DEBUG [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-27 21:07:45,780 DEBUG [NiFi Web Server-19] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-27 21:07:45,780 DEBUG [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-27 21:07:45,780 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1NYXJrIE5ndXllbixvdT1FTVBMT1lFRVMsb3U9UGF5b2ZmX1VzZXJzLGRjPWludCxkYz1wYXlvZmYsZGM9Y29tIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTWFyayBOZ3V5ZW4iLCJraWQiOjEsImV4cCI6MTQ3NzY0NTY2NCwiaWF0IjoxNDc3NjAyNDY0fQ.kCvBWM7_Qf5oVYxXt3PfhX7JMgCTixLRXDXpo-uxTa8) GET https://dbr-lncn-01:9443/nifi-api/flow/current-user (source ip: 10.10.4.23)
2016-10-27 21:07:45,781 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-27 21:07:45,781 DEBUG [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-27 21:07:45,781 DEBUG [NiFi Web Server-19] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com'

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

@Mark Nguyen can you check the $NIFI_HOME/conf/users.xml document to determine the UUID associated with cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com and then check $NIFI_HOME/conf/authorizations.xml to see which policies are associated with that user? It appears that you can successfully authenticate, but the access control policies are preventing you from accessing the canvas. I had the same problem adding an LDAP user when I had only configured the Initial Admin Identity for a client certificate user today.
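The check described in this reply (resolve the identity to its UUID in users.xml, then find every policy in authorizations.xml that references that UUID) can be scripted so it is repeatable across nodes. The Python below is an added example and not NiFi's code. It embeds trimmed copies of the users.xml and authorizations.xml posted later in this thread as constructed sample input, resolves an identity to its granted (resource, action) pairs, and reports which of the policies the initial admin was granted in that dump are missing. EXPECTED_FOR_ADMIN is taken from that dump, not from NiFi documentation, and the root process group policies are left out because their id is installation specific.

```python
import xml.etree.ElementTree as ET

ADMIN = "cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"
NODE1 = "CN=dbr-lncn-01.int.payoff.com, OU=NIFI"

# Constructed sample: trimmed copy of the users.xml from this thread.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271" identity="cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"/>
    <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862" identity="CN=dbr-lncn-01.int.payoff.com, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample: trimmed copy of the authorizations.xml from this thread.
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="7d9b57ab-8ebf-3542-988b-a32b1da355df" resource="/flow" action="R">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="9767035e-7434-3740-98ba-3be1fa3f3065" resource="/tenants" action="R">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="a8de6af2-bca6-364c-96b0-ade39356e07f" resource="/tenants" action="W">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="7e1bf2cd-1984-32c4-9e3f-5c79500c510f" resource="/policies" action="R">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="ed1cbec1-dfcf-365c-800a-fa74dfa9331d" resource="/policies" action="W">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="d107ea0f-6add-3f6f-81af-66f32a568df6" resource="/controller" action="R">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="2a4681ac-f34c-351d-a23c-4146fb2a0493" resource="/controller" action="W">
      <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
    </policy>
    <policy identifier="65515573-d9f6-34e0-b063-78629cab88c5" resource="/proxy" action="R">
      <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862"/>
    </policy>
  </policies>
</authorizations>"""

# Policies the initial admin holds in the thread's authorizations.xml, minus the
# root process group ones (their id differs per installation).
EXPECTED_FOR_ADMIN = {("/flow", "R"), ("/tenants", "R"), ("/tenants", "W"),
                      ("/policies", "R"), ("/policies", "W"),
                      ("/controller", "R"), ("/controller", "W")}


def user_id_for(users_xml, identity):
    """UUID of the <user> whose identity attribute equals identity exactly, or None."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def policies_for(authorizations_xml, user_id):
    """Sorted (resource, action) pairs of every policy that lists user_id directly."""
    granted = set()
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        if any(u.get("identifier") == user_id for u in policy.findall("user")):
            granted.add((policy.get("resource"), policy.get("action")))
    return sorted(granted)


def missing_admin_policies(granted):
    """Expected admin policies that are absent from the granted list."""
    return sorted(EXPECTED_FOR_ADMIN - set(granted))


def audit(identity, users_xml=USERS_XML, authorizations_xml=AUTHORIZATIONS_XML):
    """Resolve identity -> UUID -> policies and summarise what is missing."""
    user_id = user_id_for(users_xml, identity)
    if user_id is None:
        # This is the state behind "Unknown user with identity ..." in the first log.
        return {"identity": identity, "user_id": None, "granted": [],
                "missing": sorted(EXPECTED_FOR_ADMIN)}
    granted = policies_for(authorizations_xml, user_id)
    return {"identity": identity, "user_id": user_id, "granted": granted,
            "missing": missing_admin_policies(granted)}


if __name__ == "__main__":
    for who in (ADMIN, NODE1, "cn=Mark Nguyen, ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"):
        print(audit(who))
```

The third identity in the usage loop is the whitespace variant from the original question; it resolves to no UUID at all, which is exactly the "Unknown user" outcome. A node certificate identity resolves but only holds /proxy, so it reports /flow R as missing, which is correct for a node and would be the thing to look at if a human user showed the same result.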

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

New Contributor

@Andy LoPresto

I can see or tell that LDAP authentication is working, but access to the UI is not working. I can show you the users.xml and authorizations.xml files.

cat users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271" identity="cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"/>
        <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862" identity="CN=dbr-lncn-01.int.payoff.com, OU=NIFI"/>
        <user identifier="7a6460a6-2944-388c-a947-1f098e13c112" identity="CN=dbr-lncn-02.int.payoff.com, OU=NIFI"/>
    </users>
</tenants>

cat authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="7d9b57ab-8ebf-3542-988b-a32b1da355df" resource="/flow" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="507ffc62-7e44-313d-bcec-e002640e175c" resource="/data/process-groups/0ea38e78-0158-1000-a83f-fe4d3c688026" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
            <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862"/>
            <user identifier="7a6460a6-2944-388c-a947-1f098e13c112"/>
        </policy>
        <policy identifier="3c2e612c-b5fe-3da7-b557-b985a43bc782" resource="/data/process-groups/0ea38e78-0158-1000-a83f-fe4d3c688026" action="W">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
            <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862"/>
            <user identifier="7a6460a6-2944-388c-a947-1f098e13c112"/>
        </policy>
        <policy identifier="da73a3b0-8df9-3209-85b9-18b727361619" resource="/process-groups/0ea38e78-0158-1000-a83f-fe4d3c688026" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="3830354b-3830-33e7-b892-e66ff3d35b86" resource="/process-groups/0ea38e78-0158-1000-a83f-fe4d3c688026" action="W">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="9767035e-7434-3740-98ba-3be1fa3f3065" resource="/tenants" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="a8de6af2-bca6-364c-96b0-ade39356e07f" resource="/tenants" action="W">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="7e1bf2cd-1984-32c4-9e3f-5c79500c510f" resource="/policies" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="ed1cbec1-dfcf-365c-800a-fa74dfa9331d" resource="/policies" action="W">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="d107ea0f-6add-3f6f-81af-66f32a568df6" resource="/controller" action="R">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="2a4681ac-f34c-351d-a23c-4146fb2a0493" resource="/controller" action="W">
            <user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271"/>
        </policy>
        <policy identifier="65515573-d9f6-34e0-b063-78629cab88c5" resource="/proxy" action="R">
            <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862"/>
            <user identifier="7a6460a6-2944-388c-a947-1f098e13c112"/>
        </policy>
        <policy identifier="86612edf-e53a-3e5a-aa55-f09842c9971f" resource="/proxy" action="W">
            <user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862"/>
            <user identifier="7a6460a6-2944-388c-a947-1f098e13c112"/>
        </policy>
    </policies>
</authorizations>

When I log in, I see the error below from the UI.

An unexpected error has occurred

  • log out
  • home

Please check the logs.

And here is what I see in nifi-user.log:

2016-10-29 05:59:46,822 DEBUG [NiFi Web Server-18] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-29 06:00:16,425 DEBUG [NiFi Web Server-16] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-29 06:00:17,353 DEBUG [NiFi Web Server-101] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-29 06:00:17,354 DEBUG [NiFi Web Server-101] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2016-10-29 06:00:17,354 DEBUG [NiFi Web Server-101] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2016-10-29 06:00:17,354 INFO [NiFi Web Server-101] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1NYXJrIE5ndXllbixvdT1FTVBMT1lFRVMsb3U9UGF5b2ZmX1VzZXJzLGRjPWludCxkYz1wYXlvZmYsZGM9Y29tIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTWFyayBOZ3V5ZW4iLCJraWQiOjEsImV4cCI6MTQ3Nzc2NDAxNiwiaWF0IjoxNDc3NzIwODE2fQ.C8e4gXybyTRmEftjZoaPw2XyRJ6ZP1L0Wp3895gtEx4) GET https://dbr-lncn-01.int.payoff.com:9443/nifi-api/flow/current-user (source ip: 10.10.180.37)
2016-10-29 06:00:17,357 INFO [NiFi Web Server-101] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-29 06:00:17,357 DEBUG [NiFi Web Server-101] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com
2016-10-29 06:00:17,357 DEBUG [NiFi Web Server-101] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com'

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

Mark, it appears the $NIFI_HOME/conf/users.xml is malformed. The section below should be fixed:
<users>
<user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271" identity="cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"/>
dbr-lncn-01.int.payoff.com, OU=NIFI"/>
dbr-lncn-02.int.payoff.com, OU=NIFI"/>
</users>

should be:

<users>
<user identifier="e55f1fc3-2eaa-33bd-ad25-6ec6f1a3d271" identity="cn=Mark Nguyen,ou=EMPLOYEES,ou=Payoff_Users,dc=int,dc=payoff,dc=com"/>
<user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862" identity="dbr-lncn-01.int.payoff.com, OU=NIFI"/>
<user identifier="7a6460a6-2944-388c-a947-1f098e13c112" identity="dbr-lncn-02.int.payoff.com, OU=NIFI"/>
</users>

It appears that at some point the user definition elements for your nodes were corrupted.

You can also enable more detailed logging by modifying $NIFI_HOME/conf/logback.xml to change the severity level to DEBUG and add an additional appender:

    <!--
        Logger for capturing user events. We do not want to propagate these
        log events to the root logger. These messages are only sent to the
        user-log appender.
    -->
    <logger name="org.apache.nifi.web.security" level="DEBUG" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>
    <logger name="org.apache.nifi.web.api.config" level="INFO" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>
    <logger name="org.apache.nifi.authorization" level="DEBUG" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>
    <logger name="org.apache.nifi.cluster.authorization" level="INFO" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>
    <logger name="org.apache.nifi.web.filter.RequestLogger" level="INFO" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>
    <logger name="org.springframework.security.ldap.authentication" level="DEBUG" additivity="false">
        <appender-ref ref="USER_FILE"/>
    </logger>

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

New Contributor

@Andy LoPresto

Hello Andy,

I'm also getting a similar problem. Can you please suggest how to make the changes in users.xml for the user identifiers below? In which section do the node details need to be defined?

<users>
<user identifier="eef8e5ba-348e-3bc3-877f-7d48d870a862" identity="dbr-lncn-01.int.payoff.com, OU=NIFI"/>
<user identifier="7a6460a6-2944-388c-a947-1f098e13c112" identity="dbr-lncn-02.int.payoff.com, OU=NIFI"/>
</users>

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

Hi Suraj,

This isn't sufficient information to diagnose your issue. Please ask a new question and provide a description of your installation, the problem you are encountering and the expected behavior, and the complete content of your users.xml, authorizations.xml, and nifi-app.log and nifi-user.log.

Re: Can't log in with the Admin user that is configured in Initial Admin Identity.

New Contributor

Thank you @Andy LoPresto

I found the solution. Issue is fixed now.

In my case, one of the LDAP usernames is 'dvteam', but in the LDAP database there was a full description of the username as 'architecture dev team, locations, team details, etc.'.

The error messages I found in nifi-user.log showed that the 'architecture dev team' user was trying to authenticate with the NiFi nodes. Authentication was successful, but authorization was not happening.

The username which I had mentioned in Initial Admin Identity was 'dvteam' (cn=dvteam,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com). Then, as per the logs, I changed it to (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

Also, there was some mismatch about host names in the Node Identities section. 'hostname -f' shows a hostname ip-zz-xx-ec2-internal. So I had given 'ip-zz-xx-ec2-internal' in the Node Identities section, but that was not working. Then I changed the hostnames to 'nifi1.abc.local' and mentioned them in Node Identities.

In 'Template for login-identity-providers.xml' I've made some changes. Earlier I had set 'use_username' in this section: '<property name="Identity Strategy">USE_DN</property>'.

Later I changed it to use_dn, because as per nifi-user.log authentication is happening with the LDAP user 'architecture dev team'.

So in my case use_username was not working for authentication.

With every configuration change, I removed the authorizations.xml and users.xml files from all my NiFi nodes.

Also, there was confusion about 'OU' in the Node Identities section.

What does OU mean in the Node Identities section? I don't know yet.

Later I mentioned 'OU=nifi' and also gave the host names as 'nifi1.abc.local', 'nifi2.abc.local', etc.

I have added the AD/LDAP user in Initial Admin Identity (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

After setting all of the above, I was facing an error about setting nifi.security.identity.mapping.pattern.dn.

There was a challenge about the pattern definition.

There were 4 'ou' components I had defined in Initial Admin Identity and login-identity-providers.xml.

So I used the pattern below and it worked well.

^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$

Thanks,

Suraj
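What nifi.security.identity.mapping.pattern.dn does to a DN like the one in the post above is easy to see by emulating it. The Python below is an added example and a re-implementation for illustration, not NiFi's code. It assumes the behaviour NiFi documents for identity mappings: when the pattern matches the whole DN, the mapped identity is the value template with $1, $2, ... replaced by the capture groups, and that mapped string is what Initial Admin Identity and the Node Identity properties must then contain; when the pattern does not match, the DN passes through unchanged. The pattern follows the shape of the one in the post, with each of the seven groups written as (.*?); the DNs and the value template "$1" are constructed samples and not from the page.

```python
import re

# Constructed sample values for nifi.properties. The value template is assumed;
# "$1" keeps only the cn component as the identity.
MAPPING_PATTERN_DN = r"^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$"
MAPPING_VALUE_DN = "$1"

# Constructed sample DNs: the four-ou one matches the pattern, the three-ou one does not.
FOUR_OU_DN = "cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com"
THREE_OU_DN = "cn=architecture dev team,ou=xx,ou=xx,ou=xx,dc=abc,dc=com"
NODE_DN = "CN=nifi1.abc.local, OU=nifi"

_GROUP_REF = re.compile(r"\$(\d+)")


def map_identity(raw_identity, pattern, value):
    """Apply one NiFi-style identity mapping (emulation, not NiFi code).

    A full match is required (the documented patterns are anchored with ^ and $
    anyway). On a match, every $n in value is replaced by capture group n; on no
    match the identity is returned exactly as received."""
    m = re.fullmatch(pattern, raw_identity)
    if m is None:
        return raw_identity
    for ref in _GROUP_REF.findall(value):
        if int(ref) > len(m.groups()):
            raise ValueError(f"value template references group {ref}, "
                             f"but the pattern captures only {len(m.groups())}")
    return _GROUP_REF.sub(lambda ref: m.group(int(ref.group(1))), value)


def mapping_applies(raw_identity, pattern=MAPPING_PATTERN_DN):
    """True when the pattern matches the whole identity, i.e. the mapping will fire."""
    return re.fullmatch(pattern, raw_identity) is not None


def required_admin_identity(raw_dn, pattern=MAPPING_PATTERN_DN, value=MAPPING_VALUE_DN):
    """The string Initial Admin Identity must contain for raw_dn to be the admin."""
    return map_identity(raw_dn, pattern, value)


def explain(raw_dn, pattern=MAPPING_PATTERN_DN, value=MAPPING_VALUE_DN):
    """One-line account of what the mapping did to raw_dn."""
    mapped = map_identity(raw_dn, pattern, value)
    status = "mapped" if mapping_applies(raw_dn, pattern) else "unchanged (pattern did not match)"
    return f"{raw_dn}\n  -> {mapped}  [{status}]"


if __name__ == "__main__":
    for dn in (FOUR_OU_DN, THREE_OU_DN, NODE_DN):
        print(explain(dn))
```

The two non-matching cases are the ones that bite in practice: a DN with a different number of ou components, or a node certificate DN with a different shape, is not mapped at all, so the identity NiFi compares is the raw DN and that raw DN is what has to appear in the authorizer configuration. Whether the pattern fired is visible in nifi-user.log as the identity in the "Authentication success for" line, which is the same place the earlier replies in this thread took the admin identity from.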
