
I want to create a new user entry with multiple attributes like organization name, department name, role and person's name.


Using nifi 1.1.2

cn=neha+ou=business,dc=example,dc=com. This is my user entry string, which is working. But my requirements are not getting fulfilled, as I wish to add more information like organization details also.

I tried this one

cn=Bhushan+organizationName=IBM+organizationalUnitName=HR+employeeType=Business,dc=example,dc=com

by using this user I am getting this response,

Access Denied

Unable to perform the desired action due to insufficient permissions. Contact the system administrator.


I have created the same user in NiFi also and added the required policies for it.

I am looking for help to successfully log in the user with all these attributes. I am adding a few pages.

Thanks in advance.

Super Mentor

@Bhushan Babar

In order to access the UI of a secured NiFi instance/cluster two things must be successful:

1. A user must be successfully authenticated.

By default NiFi will always look for a user's certificate being presented in the connection to use for authentication. If a user certificate is not present, the connection will be closed unless an alternative authentication strategy has been configured in your NiFi. NiFi can be configured to also use LDAP or Kerberos for user authentication.

2. A user must be authorized to access the NiFi resource they are requesting.

Only after a user has been successfully authenticated, then the user will be looked up in the configured authorizer to see what NiFi resource that user has been granted access to.

In your case, you have a user (cn=neha+ou=business,dc=example,dc=com) that authenticates successfully. I am going to assume this is via user certificate. The full DN from the user certificate is then being passed to the NiFi file based authorizer to determine what resources that authenticated user has been granted. The user added to the authorizer must match this DN exactly.

When you changed the DN of the user in the authorizer, it no longer matched what was being presented in the user's certificate and authorized access was being denied.

You can always tail the nifi-user.log to see exactly what value is being passed to the authorizer after successful authentication. There will be two entries in this log when a user connects. First you will see a line that says user X successfully authenticated. The next line will say access denied if the user was not authorized for the resource.

If you want to change the DN in NiFi's authorizer, you must also issue your user a new certificate with a matching DN.

Thanks,

Matt




@Matt Clarke

Yes, I have checked the users log. My user is authenticated successfully but access is denied. I think my NiFi is not allowing access to the new DN value. I am using username and password for authentication. I am using LDAP. I also created the same entry in LDAP. But still it's not working.

Are there any extra changes needed in properties.xml or anything else to allow the use of the new DN value?

Super Mentor

@Bhushan Babar

When NiFi compares a user's authenticated DN against the file based authorizer, the entries must match exactly (case sensitive, and spaces count). Can you share the nifi-user.log entries you see when you try to log in with the new user?

Matt


Sure. I am sharing my nifi-user.log for my new user (with the new DN type).


Super Mentor
@Bhushan Babar

And you have created a new user in your authorizer that matches the following exactly:

cn=nifiuser+o=tp1+ou=business,dc=example,dc=com

Thanks,

Matt


Thank you @Matt Clarke I got it.

I created the user as

cn=nifiuser+ou=business+o=tpl,dc=example,dc=com

but I think NiFi is comparing it as

cn=nifiuser+o=tpl+ou=business,dc=example,dc=com.

Now I created my user as

cn=nifiuser+o=tpl+ou=business,dc=example,dc=com

and it is working.

Thanks for the hint.
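The exchange above boils down to one check: the identity string NiFi logs after authentication must equal an authorizer identity byte for byte, so a multi-valued RDN written in a different attribute order (cn=...+ou=...+o=... versus cn=...+o=...+ou=...) is simply a different user. The following diagnostic script is an added example, not code from the thread or from NiFi. It parses a constructed users.xml fragment (the identity attribute shape of NiFi's file-based authorizer) and constructed log lines modelled on the two entries Matt describes, reports whether the authenticated identity matches exactly, and flags near misses that differ only in case, whitespace or RDN attribute order. The log line format and the helper names are assumptions; the canonicalisation is for diagnosis only, NiFi itself does raw string comparison.

```python
"""Diagnose 'authenticated but access denied' in NiFi by comparing the identity
from nifi-user.log against the identities in the file-based authorizer."""
import re
import xml.etree.ElementTree as ET

# Constructed users.xml fragment in the shape of NiFi's file-based authorizer store.
USERS_XML = """<tenants>
  <users>
    <user identifier="u1" identity="cn=neha+ou=business,dc=example,dc=com"/>
    <user identifier="u2" identity="cn=nifiuser+ou=business+o=tpl,dc=example,dc=com"/>
  </users>
</tenants>"""

# Constructed log lines (authentication success, then access denied); the
# wording is an assumption, not real NiFi output.
USER_LOG = """\
INFO Authentication success for cn=nifiuser+o=tpl+ou=business,dc=example,dc=com
WARN identity[cn=nifiuser+o=tpl+ou=business,dc=example,dc=com] access denied"""

AUTH_RE = re.compile(r"Authentication success for (?P<identity>\S+)")


def authorizer_identities(users_xml):
    """Return every identity string the file-based authorizer knows."""
    return [u.get("identity") for u in ET.fromstring(users_xml).iter("user")]


def authenticated_identities(log_text):
    """Return the identity values logged after successful authentication."""
    return [m.group("identity") for m in AUTH_RE.finditer(log_text)]


def canonical_dn(dn):
    """Diagnostic-only canonical form: lowercase, trim, and sort the attributes
    inside each multi-valued RDN. NiFi does NOT do this; it compares raw strings.
    Splits naively on ',' and '+', so escaped separators are not handled."""
    rdns = []
    for rdn in dn.split(","):
        rdns.append("+".join(sorted(p.strip().lower() for p in rdn.split("+"))))
    return ",".join(rdns)


def diagnose(identity, known):
    """Explain why an authenticated identity would or would not be authorized."""
    if identity in known:
        return "exact match"
    near = [k for k in known if canonical_dn(k) == canonical_dn(identity)]
    if near:
        return f"near miss: authorizer has {near[0]!r}; make the strings identical"
    return "no matching user in authorizer"


if __name__ == "__main__":
    for ident in authenticated_identities(USER_LOG):
        print(ident, "->", diagnose(ident, authorizer_identities(USERS_XML)))
```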

Super Mentor

@Bhushan Babar

Glad I was able to help resolve your issue. Could you please click "accept" on the answer I provided to close out this question in the community?

Thank you, Matt