
LDAP authorization issue with NiFi cluster


[Attachment: 62464-ldap.png (screenshot of the LDAP configuration)]

Environment:

  • 2 Node NiFi cluster running NiFi 1.5.0
  • Basic LDAP server for user authentication.

Issue background:

I am trying to secure NiFi using LDAP authentication. I have used `tls-toolkit` to generate the `security.keystore` and `security.truststore` files and configured `nifi.properties` on both nodes to access the NiFi UI over HTTPS:

# tls-toolkit.sh standalone -n 'node[1-2]-nifi.jp.local' -C 'CN=admin,OU=NIFI'

I also configured `login-identity-providers.xml` and `authorizers.xml`, but NiFi does not start due to an LDAP configuration issue.

Error message:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies

        ... 95 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=NIFI to seed policies

login-identity-providers.xml:

<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Manager Password">secret</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://192.168.2.1:389</property>
        <property name="User Search Base">ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Initial User Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin,OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">cn=node1-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Node Identity 2">cn=node2-nifi.jp.local,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

nifi.properties (security settings):

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xx
nifi.security.keyPasswd=xx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxx
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Refer to the attachment for the LDAP configuration. I checked https://community.hortonworks.com/questions/131557/nifi-authorizercreationexception-unable-to-locate... but it didn't work. Please guide me to secure my NiFi cluster using LDAP authentication.

Accepted solution:

In authorizers.xml you have "Initial User Identity 1" and "Initial User Identity 2" for your two node identities; you need to add another one for your initial admin.

You may need to delete users.xml and authorizations.xml before trying again, in case they are already created in a bad state.


Re: LDAP authorization issue with NiFi cluster (original poster)

Thank you very much @Bryan Bende for your valuable inputs. I finally got it working by following your suggestion. Here is my working authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
        <property name="Initial User Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
        <property name="Node Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
        <property name="Node Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Apart from the above changes, I have modified the identity mapping pattern in nifi.properties:

nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1

Thanks again!
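As an added example (not code from this thread or from the NiFi project), a Python pre-flight check for the rule behind the accepted answer and the original error: the Initial Admin Identity and every Node Identity in authorizers.xml must resolve, after any nifi.properties identity mapping, to one of the Initial User Identities, otherwise NiFi fails with "Unable to locate initial admin ... to seed policies". It assumes NiFi's first-match, whole-string mapping semantics with Java `$1` references, that mappings are applied to the configured identities as well as to logins, and does not model the optional transform setting; the embedded config is the working authorizers.xml from the thread.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the thread's working authorizers.xml, trimmed to the properties this check reads.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <property name="Initial User Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
    <property name="Initial User Identity 3">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Initial Admin Identity">cn=admin,ou=users,dc=nifi,dc=ldap,dc=jp</property>
    <property name="Node Identity 1">CN=node1-nifi.jp.local, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2-nifi.jp.local, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""
# Constructed sample: the identity mapping the thread adds to nifi.properties.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1
"""

def load_mappings(props_text):
    """Pair each mapping's pattern with its value, keyed by mapping name (dn, kerb, ...)."""
    pats, vals = {}, {}
    for line in props_text.splitlines():
        m = re.match(r'nifi\.security\.identity\.mapping\.(pattern|value)\.([^=]+)=(.*)$', line.strip())
        if m:
            (pats if m.group(1) == 'pattern' else vals)[m.group(2)] = m.group(3)
    return [(re.compile(pats[k]), vals[k]) for k in sorted(pats) if k in vals]

def map_identity(identity, mappings):
    """First mapping whose pattern matches the whole identity wins (assumed NiFi semantics);
    Java-style $1 group references are rewritten to Python's \\1 before substituting."""
    for pattern, value in mappings:
        if pattern.fullmatch(identity):
            return pattern.sub(re.sub(r'\$(\d+)', r'\\\1', value), identity)
    return identity

def provider_props(root, tag):
    """Return the <property name=...> entries of one provider element as a dict."""
    return {p.get('name'): (p.text or '').strip() for p in root.find(tag).findall('property')}

def check_authorizers(xml_text, props_text):
    """List the admin/node identities NiFi cannot seed: after mapping, no Initial User Identity matches."""
    mappings = load_mappings(props_text)
    root = ET.fromstring(xml_text)
    users, policy = (provider_props(root, t) for t in ('userGroupProvider', 'accessPolicyProvider'))
    known = {map_identity(v, mappings) for k, v in users.items() if k.startswith('Initial User Identity')}
    seeded = [v for k, v in policy.items() if k == 'Initial Admin Identity' or k.startswith('Node Identity')]
    return [s for s in seeded if map_identity(s, mappings) not in known]
```

An empty result means every seeded identity is present in the user group provider; a non-empty one lists exactly the identities that would trigger the startup error.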
