Insufficient Permissions Untrusted proxy CN=Node_name, OU=NIFI

New Contributor

I face the mentioned error while logging in to NiFi, although no error is found in the log files and, according to the logs, my LDAP user logged in successfully, as below:

2024-07-10 11:12:19,489 INFO [NiFi Web Server-33] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for AMOHAMED279
2024-07-10 11:20:07,893 INFO [NiFi Web Server-71] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://node_name:9443/nifi-api/flow/current-user (source ip: 10.230.237.150)
2024-07-10 11:20:07,895 INFO [NiFi Web Server-71] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for AMOHAMED279

 


Community Manager

@3ebs, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @SAMSAL @MattWho who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.



Regards,

Vidya Sargur,
Community Manager



Master Mentor

@3ebs 

The "Insufficient Permissions Untrusted proxy CN=Node_name,OU=NIFI" shown in the web UI when you try to log in is not an error. It is an authorization issue.

It tells me that you have a multi-node NiFi cluster setup. You are accessing the UI of one of the NiFi cluster nodes where you are successfully authenticating your user, resulting in a user identity of "AMOHAMED279". At this point your user is only successfully authenticated to the one node. What that node does next is to load the NiFi canvas. In order to display that canvas, information that the user is authorized to see (PG, stats, etc.) must be collected from all nodes. That request is forwarded to the elected cluster coordinator node, which then replicates that request to all nodes to get those details. So the node itself acts as a proxy in this process, making these requests on the authenticated user's behalf. In order for this to be successful, the NiFi nodes in your cluster must be authorized to proxy user requests. This message is telling you that one or more of your node identities has not been authorized to proxy user requests.

To help here more, I would need to know what you have configured in the authorizers.xml for user identity authorization. The most common NiFi cluster setup utilizes the standardManagedAuthorizer, which calls the file-access-policy-provider (builds the authorizations.xml if it does not already exist), which calls one of the user-group-providers (there are multiple options: Composite-Configurable-User-Group-Provider, Composite-User-group-Provider, Ldap-User-Group-Provider, File-User-Group-Provider, etc.). The user-group-providers are responsible for generating user identities (case sensitive) for the purpose of setting up authorization policies. The file-user-group-provider is most commonly used to add the node user identities by creating the users.xml (if it does not already exist).

So somewhere in your authorizers.xml setup, your node user identities have not been added and/or authorized for various policies to include the very important "proxy user requests" which would have been automatically handled on initial startup and first creation of the authorizations.xml and users.xml files assuming a proper setup in the authorizers.xml.


Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
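
A check for the condition described in the answer above, as an added example (not from the thread and not NiFi's own code): it reads the contents of users.xml and authorizations.xml and reports whether each node DN exists as a user by exact, case-sensitive match and holds the proxy policy. The node DNs and the sample XML are constructed, and the file layout and the storage of "proxy user requests" as resource `/proxy` with action `W` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the layout assumed for the file-based providers
# (<tenants>/<users> in users.xml, <authorizations>/<policies> in authorizations.xml).
USERS_XML = """<tenants><groups/><users>
  <user identifier="u-1" identity="AMOHAMED279"/>
  <user identifier="u-2" identity="CN=node1, OU=NIFI"/>
  <user identifier="u-3" identity="cn=node2,ou=nifi"/>
</users></tenants>"""

AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R">
    <user identifier="u-1"/><user identifier="u-2"/><user identifier="u-3"/>
  </policy>
  <policy identifier="p-2" resource="/proxy" action="W">
    <user identifier="u-3"/>
  </policy>
</policies></authorizations>"""


def _loose(dn):
    # Key that ignores case and whitespace; used only to spot near-misses.
    return "".join(dn.split()).lower()


def check_proxy(node_dns, users_xml, authorizations_xml):
    """Return {dn: status} for each node identity (group-granted policies not checked)."""
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    proxy_ids = set()
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        # Assumption: "proxy user requests" is resource /proxy, action W.
        if pol.get("resource") == "/proxy" and pol.get("action") == "W":
            proxy_ids.update(u.get("identifier") for u in pol.iter("user"))
    result = {}
    for dn in node_dns:
        if dn in users:  # exact match: identities are case sensitive
            result[dn] = "ok" if users[dn] in proxy_ids else "no-proxy-policy"
        else:
            near = [i for i in users if _loose(i) == _loose(dn)]
            result[dn] = "near-match: " + near[0] if near else "missing-user"
    return result


if __name__ == "__main__":
    nodes = ["CN=node1, OU=NIFI", "CN=node2, OU=NIFI", "CN=node3, OU=NIFI"]
    for dn, status in check_proxy(nodes, USERS_XML, AUTHORIZATIONS_XML).items():
        print(f"{dn!r}: {status}")
```

To run it against a real cluster, pass the text of the files named by the Users File and Authorizations File properties in authorizers.xml, together with the DN exactly as it appears in the "Untrusted proxy" message.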