Support Questions

double_z · ‎09-16-2022

Hi. Could somebody help me please with composite group provider settings in authorizers.

I'm not sure what should I put in "Initial admin identity" and "Initial user identity 1".

1) When I write just username (like nifi-admin) I cannot login to NiFi since I don't undertand where I can get a password.

2) When I write a full LDAP name (like uid=freeipa,cn=users,cn=accounts,dc=foo,dc=bar) I successfully log in but I cannot access a NiFi interface.

3) When I use name of user who already exists in LDAP, I get an error, that user presents in both file and LDAP provider settings. This case is configured below in my authorizers.xml file:

<authorizers>

<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">freeipa</property>
<property name="Initial User Identity A">CN=nifi1.foo.bar, OU=NIFI</property>
</userGroupProvider>

<authorizers>

<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">freeipa</property>
<property name="Initial User Identity A">CN=nifi1.foo.bar, OU=NIFI</property>
</userGroupProvider>

<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>

<property name="Manager DN">uid=freeipa,cn=users,cn=accounts,dc=foo,dc=bar</property>
<property name="Manager Password">********</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://192.168.1.1:389</property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>

<property name="User Search Base">cn=users,cn=accounts,dc=foo,dc=bar</property>
<property name="User Object Class">posixaccount</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>

<property name="Group Search Base">cn=groups,cn=accounts,dc=foo,dc=bar</property>
<property name="Group Object Class">posixgroup</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">freeipa</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=nifi1.foo.bar, OU=NIFI</property>
<property name="Node Group"></property>
</accessPolicyProvider>

<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

</authorizers>

Thank you.

MattWho · ‎09-16-2022

@double_z
NiFi does not allow users to create locally managed user accounts (meaning creating a username and password directly in NiFi.

NOTE: The latest versions of NiFi provide a single user login provider just so that NiFi can by default be launched securely. This single user would have complete access to do everything and you cannot create additional users. Ideally while this provides some security, it is not a proper recommended deployment method.

The good news here is it sounds like you have successfully setup a ldap-provider in your login-identity.providers.xml. This provider provides a method by which a user can be authenticated via LDAP. Authentication via ldap does not control authorization which is handled within NiFi via the authorizers.xml.

When you login to NiFi, the resulting user identity string (case sensitive) resulting from your login is evaluated against any identity mapping patterns you may have configured in your nifi.properties file. After that the resulting identity string (if pattern match was found) or unmodified identity string from login provider is passed to the NiFi authorization process.

While NiFi loads the providers from the authorizers.xml from the top down, it is easer for a user to read it from bottom up.
- Your are using the "managed-authorizer" which is calling the "file-access-policy-provider"
- The "File-access-policy-provider" is responsible for authorizations.xml file and seeding it with an initial set of authorization policies needed for your NiFi nodes (multi-node nifi cluster) and an initial admin user. You need an initial admin so that the admin user can set additional authorization from with in the NiFi UI.
- In your "file-access-policy-provider" you have told the provider to create the authorization policies for a user identity string "freeipa". So the file-access-policy-provider" must first check to see if that user is known to this NiFi. For that is is configured to use the "composite-configurable-user-group-provider".
- The "composite-configurable-user-group-provider" is then configured to get users and associated groups from the "file-user-group-provider" and "ldap-user-group-provider". You can NOT have to user-group-provider return the exact same user identity string.
- Your "ldap-user-group-provider" has ben configured to sync user and group identity strings from your LDAP. One of those user being returned is "freeipa".
- Your "file-user-group-provider" has been configured to create a local user identity that has the same user identity string of "freeipa". So now you have two user-group-provider returning the same user identity string, so NiFi has not idea which is correct to use and throws the exception you see about two providers providing same user identity.
- What you have shared above also shows the "file-user-group-provider" twice. You can't have same provider defined twice in this file.

- Steps to move forward.
1. The file-user-group-provider and the file-access-policy-provider will only create the users.xml file and authorizations.xml file if they do NOT already exist. So if these two files exist, delete them (authorizers.xml and authorizations.xml are two different files, make sure you delete the correct one)
2. Make sure you ldap-provider is configured to USE_USERNAME and not USE_DN if not already set this way.
3. Unset the "Initial User Identity 1" in the file-user-group-provider. We don't want this provider creating the freeipa user in the users.xml since your ldap-user-group-provider will be providing this user identity.
4. Leave the initial admin "freeipa" set in the file-access-policy-provider.
5. start your NiFi, it will create a new users.xml and authorizations.xml during startup.

At login UI, provide your ldap "freeipa" username and password.
Once in the UI, your freeipa user will have all the authorization policies needed to act as and admin. This does not mean this user has all authorizations, but does have ability to grant additional authorizations to itself or other users.

NiFi global menu (upper right corner) --> users (will allow you to see all users and groups long with their associations to one another synced from LDAP). It will also show any local users identities you may define (locally defined identifies will show an edit and delete icon next to them). local user and group identities are only used to set authorizations, they are not able to be used to authenticate in to NiFi.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

MattWho · ‎09-16-2022

@double_z
NiFi does not allow users to create locally managed user accounts (meaning creating a username and password directly in NiFi.

NOTE: The latest versions of NiFi provide a single user login provider just so that NiFi can by default be launched securely. This single user would have complete access to do everything and you cannot create additional users. Ideally while this provides some security, it is not a proper recommended deployment method.

The good news here is it sounds like you have successfully setup a ldap-provider in your login-identity.providers.xml. This provider provides a method by which a user can be authenticated via LDAP. Authentication via ldap does not control authorization which is handled within NiFi via the authorizers.xml.

When you login to NiFi, the resulting user identity string (case sensitive) resulting from your login is evaluated against any identity mapping patterns you may have configured in your nifi.properties file. After that the resulting identity string (if pattern match was found) or unmodified identity string from login provider is passed to the NiFi authorization process.

While NiFi loads the providers from the authorizers.xml from the top down, it is easer for a user to read it from bottom up.
- Your are using the "managed-authorizer" which is calling the "file-access-policy-provider"
- The "File-access-policy-provider" is responsible for authorizations.xml file and seeding it with an initial set of authorization policies needed for your NiFi nodes (multi-node nifi cluster) and an initial admin user. You need an initial admin so that the admin user can set additional authorization from with in the NiFi UI.
- In your "file-access-policy-provider" you have told the provider to create the authorization policies for a user identity string "freeipa". So the file-access-policy-provider" must first check to see if that user is known to this NiFi. For that is is configured to use the "composite-configurable-user-group-provider".
- The "composite-configurable-user-group-provider" is then configured to get users and associated groups from the "file-user-group-provider" and "ldap-user-group-provider". You can NOT have to user-group-provider return the exact same user identity string.
- Your "ldap-user-group-provider" has ben configured to sync user and group identity strings from your LDAP. One of those user being returned is "freeipa".
- Your "file-user-group-provider" has been configured to create a local user identity that has the same user identity string of "freeipa". So now you have two user-group-provider returning the same user identity string, so NiFi has not idea which is correct to use and throws the exception you see about two providers providing same user identity.
- What you have shared above also shows the "file-user-group-provider" twice. You can't have same provider defined twice in this file.

- Steps to move forward.
1. The file-user-group-provider and the file-access-policy-provider will only create the users.xml file and authorizations.xml file if they do NOT already exist. So if these two files exist, delete them (authorizers.xml and authorizations.xml are two different files, make sure you delete the correct one)
2. Make sure you ldap-provider is configured to USE_USERNAME and not USE_DN if not already set this way.
3. Unset the "Initial User Identity 1" in the file-user-group-provider. We don't want this provider creating the freeipa user in the users.xml since your ldap-user-group-provider will be providing this user identity.
4. Leave the initial admin "freeipa" set in the file-access-policy-provider.
5. start your NiFi, it will create a new users.xml and authorizations.xml during startup.

At login UI, provide your ldap "freeipa" username and password.
Once in the UI, your freeipa user will have all the authorization policies needed to act as and admin. This does not mean this user has all authorizations, but does have ability to grant additional authorizations to itself or other users.

NiFi global menu (upper right corner) --> users (will allow you to see all users and groups long with their associations to one another synced from LDAP). It will also show any local users identities you may define (locally defined identifies will show an edit and delete icon next to them). local user and group identities are only used to set authorizations, they are not able to be used to authenticate in to NiFi.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

double_z · ‎09-19-2022

Thank you, Matt. Everything works fine now.

Cloudera Community

Support Questions

First login to nifi