Insufficient Permissions for UI when using SSL certificates

Hello,

I have set up a NiFi instance running in Azure Kubernetes. I mostly used the Helm cetic/nifi package, although it is slightly modified (removed mounted volumes for the config files, included those files in my NiFi image).

I have the server up and running, with no errors in any of the logs. I had a little trouble bringing up the UI, but I am now using `kubectl port-forward` and accessing the UI at `localhost:<nifi https port>/nifi` and it is almost working.

I load my certificate into my macOS keychain, and then visit the site, and I get:

```
Insufficient Permissions
Unknown user with identity 'CN=admin, DC=example, DC=be'. Contact the system administrator.
```

When I check the users.xml file, that user is listed there. The capitalization varies though: in users.xml "CN" and "DC" are lowercase, but in the certificate and in the users.log they are capitalized. users.xml:

```xml
<users>
  <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe" identity="cn=admin,dc=example,dc=be"/>
</users>
```

In the authorizations.xml I have a policy entry for everything that I need, I believe.

```xml
<policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
</policies>
```

So, I'm not really sure why I'm not authorized. Any help is greatly appreciated.
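
An added diagnostic example, not part of the original post and not NiFi's own code: assuming the authorizer compares the client-certificate DN to the `identity` attribute as an exact, case- and whitespace-sensitive string, this Python check runs the DN from the error message against the users.xml and authorizations.xml entries shown in the post. The function names `normalize_dn` and `diagnose` are hypothetical, and the XML is copied inline (policies abridged to two entries).

```python
import re
import xml.etree.ElementTree as ET

# Sample input copied from the post (authorizations.xml abridged to two policies).
USERS_XML = """<users>
  <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe" identity="cn=admin,dc=example,dc=be"/>
</users>"""
POLICIES_XML = """<policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
  <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
    <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
  </policy>
</policies>"""

def normalize_dn(dn):
    """Diagnostic only: lowercase and drop whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def diagnose(presented_dn, users_xml, policies_xml):
    """Classify how presented_dn relates to the identities stored in users.xml."""
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    # Assumption: identity lookup is an exact string comparison.
    if presented_dn in users:
        status, identity = "exact", presented_dn
    else:
        near = [i for i in users if normalize_dn(i) == normalize_dn(presented_dn)]
        if not near:
            return {"status": "absent", "stored_identity": None, "policies": []}
        status, identity = "differs-in-case-or-spacing", near[0]
    uid = users[identity]
    # Policies bound to the stored user's identifier, not to the presented DN.
    policies = [(p.get("resource"), p.get("action"))
                for p in ET.fromstring(policies_xml).iter("policy")
                if any(u.get("identifier") == uid for u in p.iter("user"))]
    return {"status": status, "stored_identity": identity, "policies": policies}

if __name__ == "__main__":
    # DN quoted in the "Insufficient Permissions" message in the post.
    print(diagnose("CN=admin, DC=example, DC=be", USERS_XML, POLICIES_XML))
```

A `differs-in-case-or-spacing` result means that, under the exact-match assumption, the stored identity and the certificate DN are different strings, so the policies listed for the stored user are not reached by the presented DN.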