
How to enable User Authentication with Kerberos in nifi 1.x

Rising Star

There is a page to enable User Authentication with Kerberos step by step for nifi 0.x

https://community.hortonworks.com/articles/34147/nifi-security-user-authentication-with-kerberos.htm...

But NiFi 1.x changed the conf. I followed parts of the steps above and then logged in with username/password, but I get the following message:

"Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

(It seems that the username/password has been authenticated by Kerberos.)

How can I resolve this? Thanks for your reply.

@Jobin George: please update your article. Thanks very much.


Master Guru

In NiFi 1.0 the configuration was separated into a principal/keytab that NiFi uses to talk to other services vs. a principal/keytab used for authenticating users. For authenticating users you would need to populate these two properties:

nifi.kerberos.spnego.principal: The name of the NiFi Kerberos service principal, if used. It is blank by default. Note that this property is used to authenticate NiFi users. Example: HTTP/nifi.example.com or HTTP/nifi.example.com@EXAMPLE.COM

nifi.kerberos.spnego.keytab.location: The file path of the NiFi Kerberos keytab, if used. It is blank by default. Note that this property is used to authenticate NiFi users. Example: /etc/http-nifi.keytab

In step 5 of that article, there is no more authorized-users.xml... you should put the identity of the initial admin user into conf/authorizers.xml. The identity would be the Kerberos principal you are going to log in as. When NiFi starts and sees the initial admin, it will generate permissions for that user giving access to the UI.

Rising Star

Thank you very much. It works.

Explorer

Hi, Bryan

I changed the two properties in conf/nifi.properties and put the identity of the initial admin user into conf/authorizers.xml, but I still got the same issue as @David DN; the ‘Demo’ user is NiFi Administrator, got nothing.


Rising Star

Thank you very much. It works.

Explorer

I have added a new user as @Matt said, but I don't know how to log in with the new user.

Super Mentor

@pholien feng

I need more detail on what you are seeing. There are two parts to accessing a secured NiFi installation: authentication and authorization.

Authentication by default expects users to authenticate using SSL. A user would need to present a valid certificate via their browser to NiFi for authentication. NiFi can also be configured via the login-identity-providers.xml file to support either LDAP or Kerberos for user authentication.

After a user successfully authenticates, the authorization piece occurs. The above answer deals with the authorization piece only.

Check your nifi-user.log to see if authentication is successful. Make sure the DN shown in the nifi-user.log matches exactly (case sensitive and whitespace issues?) what is configured in the "Initial Admin Identity" property in your authorizers.xml file.

When NiFi is started for the first time after enabling https, the users.xml and authorizations.xml files are generated based on the user-supplied configurations in the authorizers.xml file. Should the configurations in the authorizers.xml get edited at a later time, those changes will not be made to the existing users.xml or authorizations.xml files. They are only ever created once; subsequent edits to these files are expected to be done via the NiFi application.

If you made a mistake in these files when setting up https access for the first time, you can remove these two files and they will be re-created next time you start NiFi.

Thanks,

Matt

Explorer

@Matt

Thanks, Matt!

This page is to enable User Authentication with Kerberos step by step for NiFi 0.x:

https://community.hortonworks.com/articles/34147/nifi-security-user-authentication-with-kerberos.htm...#

But NiFi 1.x changed the conf. I followed parts of the steps above and then logged in with username/password, but I get the following message:

"Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

Then I added the username (the same as created in Kerberos) in NiFi as you said and gave the rights to the users added earlier. After that, I still get the same problem: "Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

Super Mentor

@pholien feng

Before a user can access the UI, that user must have the "view the interface" policy granted to them. This policy is added through the global policies UI found under the hamburger menu located in the upper right corner. I see that step is missing in the above answer. Sorry about that.

Matt
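
The checks from the two replies above (the identity in nifi-user.log matching "Initial Admin Identity" exactly, users.xml and authorizations.xml being generated only once, and the "view the interface" policy), as an added example that is not part of the thread or of NiFi itself. The XML samples are constructed, the element layout is assumed to follow the NiFi 1.x file-based authorizer, and the authenticated identity is passed in by hand as read from nifi-user.log.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread); layout assumed to match the NiFi 1.x file authorizer.
AUTHORIZERS_XML = """<authorizers><authorizer>
  <property name="Initial Admin Identity">demo@EXAMPLE.COM</property>
</authorizer></authorizers>"""
USERS_XML = """<tenants><groups/><users>
  <user identifier="u-1" identity="demo@EXAMPLE.COM"/>
  <user identifier="u-2" identity="alice@EXAMPLE.COM"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R"><user identifier="u-1"/></policy>
</policies></authorizations>"""

def initial_admin(authorizers_xml):
    """Raw 'Initial Admin Identity' value; whitespace is kept on purpose."""
    props = ET.fromstring(authorizers_xml).iter("property")
    return next((p.text or "" for p in props if p.get("name") == "Initial Admin Identity"), "")

def compare(configured, authenticated):
    """Classify how a configured identity differs from the one in nifi-user.log."""
    a, b = configured.strip(), authenticated.strip()
    if configured == authenticated:
        return "exact"
    if a == b:
        return "whitespace"
    return "case" if a.lower() == b.lower() else "different"

def diagnose(authenticated, authorizers_xml, users_xml, authorizations_xml):
    """Return reasons an authenticated identity would still be refused the UI."""
    findings = []
    admin = initial_admin(authorizers_xml)
    kind = compare(admin, authenticated)
    if kind in ("whitespace", "case"):  # near miss with the configured admin
        findings.append("admin-mismatch:" + kind)
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).findall("./users/user")}
    if admin and admin not in users:  # authorizers.xml edited after generation
        findings.append("stale-users-xml")
    uid = users.get(authenticated)
    if uid is None:
        return findings + ["unknown-user"]
    # '/flow' read is the policy behind "view the interface"; groups are not checked.
    granted = {u.get("identifier")
               for p in ET.fromstring(authorizations_xml).iter("policy")
               if p.get("resource") == "/flow" and p.get("action") == "R"
               for u in p.iter("user")}
    if uid not in granted:
        findings.append("no-view-ui-policy")
    return findings
```

An empty list means the identity matches a known user who holds the policy; `stale-users-xml` is the case where removing users.xml and authorizations.xml and restarting, as described above, regenerates them from authorizers.xml.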