Created on 05-23-2017 06:57 AM - edited 08-18-2019 01:49 AM
Using nifi 1.1.2
cn=neha+ou=business,dc=example,dc=com is my user entry string, which is working. But my requirements are not being fulfilled, as I wish to add more information, like organization details, as well.
I tried this one
cn=Bhushan+organizationName=IBM+organizationalUnitName=HR+employeeType=Business,dc=example,dc=com
by using this user I am getting this response,
Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
I have created the same user in NiFi also and added the required policies for it.
I am looking for help to successfully log in the user with all these attributes. I am adding a few pages.
Thanks in advance.
Created 05-23-2017 11:59 AM
In order to access the UI of a secured NiFi instance/cluster two things must be successful:
1. A user must be successfully authenticated.
By default NiFi will always look for a user's certificate being presented in the connection to use for authentication. If a user certificate is not present, the connection will be closed unless an alternative authentication strategy has been configured in your NiFi. NiFi can be configured to also use LDAP or Kerberos for user authentication.
2. A user must be authorized to access the NiFi resource they are requesting.
Only after a user has been successfully authenticated will the user be looked up in the configured authorizer to see what NiFi resources that user has been granted access to.
In your case, you have a user (cn=neha+ou=business,dc=example,dc=com) that authenticates successfully. I am going to assume this is via user certificate. The full DN from the user certificate is then being passed to the NiFi file-based authorizer to determine what resources that authenticated user has been granted. The user added to the authorizer must match this DN exactly.
When you changed the DN of the user in the authorizer, it no longer matched what was being presented in the user's certificate and authorized access was being denied.
You can always tail the nifi-user.log to see exactly what value is being passed to the authorizer after successful authentication. There will be two entries in this log when a user connects. First you will see a line that says user X successfully authenticated. The next line will say access denied if user was not authorized for the resource.
If you want to change the DN in NiFi's authorizer, you must also issue your user a new certificate with a matching DN.
Thanks,
Matt
Created 05-24-2017 07:24 AM
Yes, I have checked the user log. My user is authenticated successfully, but access is denied. I think my NiFi is not permitting access to the new DN value. I am using username and password for authentication. I am using LDAP. I also created the same entry in LDAP. But it still is not working.
Are there any extra changes needed in properties.xml or anything else to allow the use of the new DN value?
Created 05-24-2017 12:02 PM
When NiFi compares a user's authenticated DN against the file-based authorizer, the entries must match exactly (case sensitive, and spaces count). Can you share the nifi-user.log entries you see when you try to log in with the new user?
Matt
Created on 05-24-2017 12:43 PM - edited 08-18-2019 01:49 AM
Sure. I am sharing my nifi-user.log for my new user (with the new DN type).
Created 05-24-2017 12:57 PM
And you have created a new user in your authorizer that matches the following exactly:
cn=nifiuser+o=tp1+ou=business,dc=example,dc=com
Thanks,
Matt
Created 05-24-2017 01:29 PM
Thank you @Matt Clarke I got it.
I created the user as
cn=nifiuser+ou=business+o=tpl,dc=example,dc=com
but I think NiFi is comparing it by
cn=nifiuser+o=tpl+ou=business,dc=example,dc=com.
Now I created my user as
cn=nifiuser+o=tpl+ou=business,dc=example,dc=com
and it is working.
Thanks for the hint.
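The two points made in this thread, that NiFi's file-based authorizer does an exact string comparison on the identity it is handed after authentication, and that a multi-valued RDN written with its attributes in a different "+" order therefore fails that comparison, can be demonstrated with a small script. The following is an added example, not code from this thread or from NiFi itself. The authorizer entries and the two nifi-user.log lines are constructed to mirror the thread; the DN parser assumes values contain no escaped "," or "+" characters; and the order-insensitive comparison is a diagnostic heuristic for spotting this particular mismatch, not a claim about how NiFi normalizes DNs.

```python
import re

# Constructed authorizer entries, standing in for the users an admin added to
# NiFi's file-based authorizer (not the thread's real configuration).
AUTHORIZER_USERS = {
    "cn=neha+ou=business,dc=example,dc=com",
    # the attribute order the asker first used, which did not match
    "cn=nifiuser+ou=business+o=tpl,dc=example,dc=com",
}

# Constructed nifi-user.log lines in the shape Matt describes: one line for the
# successful authentication, one for the authorization decision that follows it.
SAMPLE_LOG = (
    "2017-05-24 12:30:01,001 INFO [NiFi Web Server-21] AuthenticationFilter "
    "Authentication success for cn=nifiuser+o=tpl+ou=business,dc=example,dc=com\n"
    "2017-05-24 12:30:01,002 INFO [NiFi Web Server-21] AccessDeniedExceptionMapper "
    "identity[cn=nifiuser+o=tpl+ou=business,dc=example,dc=com], groups[] does not "
    "have permission to access the requested resource. Unknown user with identity "
    "'cn=nifiuser+o=tpl+ou=business,dc=example,dc=com'.\n"
)

AUTH_OK = re.compile(r"Authentication success for (\S+)")
AUTH_DENIED = re.compile(r"Unknown user with identity '([^']+)'")


def identities_from_log(log_text):
    """Pull the identity strings out of the log: the DN reported as
    authenticated, and the DN the authorizer rejected. Returns two lists."""
    authenticated, denied = [], []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authenticated.append(m.group(1))
        m = AUTH_DENIED.search(line)
        if m:
            denied.append(m.group(1))
    return authenticated, denied


def parse_dn(dn):
    """Split a DN into RDNs, each a list of (attribute, value) pairs in the
    order written. Assumption: no escaped ',' or '+' inside values."""
    return [[tuple(ava.split("=", 1)) for ava in rdn.split("+")]
            for rdn in dn.split(",")]


def is_authorized(identity, users):
    """The check the thread describes: the authenticated identity must equal an
    authorizer entry exactly (case-sensitive, whitespace significant)."""
    return identity in users


def same_dn_ignoring_rdn_order(a, b):
    """True when two DNs differ only in the order of attributes inside a
    multi-valued RDN (the '+'-joined parts), which is the asker's situation."""
    return ([sorted(rdn) for rdn in parse_dn(a)]
            == [sorted(rdn) for rdn in parse_dn(b)])


def explain_denial(identity, users):
    """Classify an identity against the authorizer:
    ('authorized', None), ('rdn_order', nearest_entry) or ('missing', None)."""
    if is_authorized(identity, users):
        return ("authorized", None)
    for entry in users:
        if same_dn_ignoring_rdn_order(identity, entry):
            return ("rdn_order", entry)
    return ("missing", None)


if __name__ == "__main__":
    authed, denied = identities_from_log(SAMPLE_LOG)
    for dn in denied:
        print(dn, "->", explain_denial(dn, AUTHORIZER_USERS))
```

Running the script against the constructed log reports the rejected DN as an `rdn_order` mismatch and names the authorizer entry it nearly matched, which is the hint the asker needed; a capitalization difference (for example `cn=Neha`) is reported as `missing`, because the exact comparison treats it as a different user.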
Created 05-24-2017 01:52 PM
Glad I was able to help resolve your issue. Could you please click "accept" on the answer I provided to close out this question in the community?
Thank you, Matt