Client cert authentication without admin privileges on Apache Nifi

New Contributor

I'm trying to configure Apache Nifi 1.6 with a client-side certificate to authenticate users. It works, I can log in, but I don't have admin privileges.

How I generated cert:

docker run -v $PWD:/data apache/nifi-toolkit tls-toolkit standalone -o /data -n 'nifi.local' -C 'CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US'

How I started Nifi instance:

docker run --name nifi \
  -v /path/to/certs/:/opt/certs/ \
  -p 443:8443 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=tQAouUIDCe9k0+j4hBxTfJ4dHDgOw2LQbdfQpKmCKuQ \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=L8rTW2VUEoXQvAWbhf1JEkCKZ/B80ac21sRF5tFqfOg \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US' \
  -e NIFI_WEB_PROXY_HOST=nifi.local \
  apache/nifi:latest

I can log in but I don't have admin privileges. Everything is inactive and I can't do anything as in the image below. What could be the reason?

Kindly have a look and advise.


nifi-without-admin-priv.png
Accepted Solutions

Re: Client cert authentication without admin privileges on Apache Nifi

Guru

Hi @Mateusz Koszutowski

It looks like you need to give your admin user permissions to modify the root process group.

You can see how this is done in the "Setup NiFi Access Policies for Sys_Admin" section of this HCC article:

https://community.hortonworks.com/content/kbentry/171173/setting-up-a-secure-nifi-to-integrate-with-...

More documentation on setting access policies can be found in the NiFi Administration Guide, specifically the section on Multi-Tenant Authorization:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
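
An offline check for the situation described in this answer, added here as an example and not part of the original answer or of NiFi itself: it reads the file-based users and authorizations files and reports which root process group policies an identity lacks. The XML layout, the identifiers and the root group id are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample data in the layout assumed for NiFi 1.x file-based
# providers (users.xml / authorizations.xml); identifiers are made up.
USERS_XML = """<tenants><groups/><users>
  <user identifier="u-1" identity="CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US"/>
</users></tenants>"""

AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R"><user identifier="u-1"/></policy>
  <policy identifier="p-2" resource="/policies" action="R"><user identifier="u-1"/></policy>
  <policy identifier="p-3" resource="/policies" action="W"><user identifier="u-1"/></policy>
  <policy identifier="p-4" resource="/tenants" action="W"><user identifier="u-1"/></policy>
</policies></authorizations>"""

ROOT_GROUP_ID = "root-group-id-placeholder"  # constructed; the real id comes from the flow


def granted_policies(users_xml, authz_xml, identity):
    """Return the set of (resource, action) pairs granted directly to identity."""
    users = ET.fromstring(users_xml)
    # Identities are compared as exact strings: spacing and RDN order in the DN matter.
    ids = {u.get("identifier") for u in users.iter("user") if u.get("identity") == identity}
    if not ids:
        raise LookupError(f"identity not found in users file: {identity!r}")
    granted = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if any(u.get("identifier") in ids for u in policy.findall("user")):
            granted.add((policy.get("resource"), policy.get("action")))
    return granted


def missing_root_group_policies(users_xml, authz_xml, identity, root_group_id):
    """List the root process group policies (view/modify) the identity lacks."""
    resource = f"/process-groups/{root_group_id}"
    wanted = [(resource, "R"), (resource, "W")]
    have = granted_policies(users_xml, authz_xml, identity)
    return [p for p in wanted if p not in have]


if __name__ == "__main__":
    admin = "CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US"
    for resource, action in missing_root_group_policies(
            USERS_XML, AUTHORIZATIONS_XML, admin, ROOT_GROUP_ID):
        print(f"missing: {action} on {resource}")
```

Policies granted through group membership are not resolved by this check; it only looks at policies that list the user directly.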

Re: Client cert authentication without admin privileges on Apache Nifi

New Contributor

Thanks for your quick answer, it resolved my problem :)

Re: Client cert authentication without admin privileges on Apache Nifi

Guru

@Mateusz Koszutowski

Glad your issue was resolved. To help others who run into the same problem, could you please select the Accept link for the answer that I provided? Thanks!
