Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Client cert authentication without admin privileges on Apache Nifi

Labels:
avatar
author-rank mkoszutowski
New Contributor

Created ‎07-05-2018 08:49 AM

I'm trying to configure Apache Nifi 1.6 with client site certificate to authenticate users. It works, a can log in but I don't have admin privileges.

How I generated cert:

docker run -v $PWD:/data apache/nifi-toolkit tls-toolkit standalone -o /data -n 'nifi.local' -C 'CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US'

How I started Nifi instance:

docker run --name nifi \
  -v /path/to/certs/:/opt/certs/ \
  -p 443:8443 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=tQAouUIDCe9k0+j4hBxTfJ4dHDgOw2LQbdfQpKmCKuQ \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=L8rTW2VUEoXQvAWbhf1JEkCKZ/B80ac21sRF5tFqfOg \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin, L=Bmore, ST=MD, O=Apache, OU=NiFi, C=US' \
  -e NIFI_WEB_PROXY_HOST=nifi.local \
  apache/nifi:latest

I can log in but I don't have admin privileges. Everything is inactive and I can't do anything as in the image below. What could be the reason?

Kindly have a look and advise.


nifi-without-admin-priv.png
3,047 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank alim author-rank
Guru

Created ‎07-05-2018 02:56 PM

Hi @Mateusz Koszutowski

It looks like you need to give your admin user permissions to modify the root process group.

You can see how this is done in the "Setup NiFi Access Policies for Sys_Admin" section of this HCC article:

https://community.hortonworks.com/content/kbentry/171173/setting-up-a-secure-nifi-to-integrate-with-...

More documentation on setting access policies can be found in the NiFi Administration Guide, specifically the section on Multi-Tenant Authorization:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization

View solution in original post

2,650 Views
3 REPLIES 3

avatar
author-rank alim author-rank
Guru

Created ‎07-05-2018 02:56 PM

Hi @Mateusz Koszutowski

It looks like you need to give your admin user permissions to modify the root process group.

You can see how this is done in the "Setup NiFi Access Policies for Sys_Admin" section of this HCC article:

https://community.hortonworks.com/content/kbentry/171173/setting-up-a-secure-nifi-to-integrate-with-...

More documentation on setting access policies can be found in the NiFi Administration Guide, specifically the section on Multi-Tenant Authorization:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization

2,651 Views

avatar
author-rank mkoszutowski
New Contributor

Created ‎07-06-2018 08:14 AM

Thanks for your quick answer it resolved my problem 🙂

2,650 Views
0 Kudos

avatar
author-rank alim author-rank
Guru

Created ‎07-06-2018 01:47 PM

@Mateusz Koszutowski

Glad your issue was resolved. To help others who run into the same problem, could you please select the Accept link for the answer that I provided? Thanks!

2,650 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements