Created 09-09-2022 04:17 AM
Hello Nifi Community,
We have integrated our Nifi 1.16.2 with LDAP AD server.
We have created an Initial Local Admin (nifi_ldap) and used "composite-configurable-user-group-provider" as the user group provider. We also restricted access to one particular group of the LDAP server (namely "EDH_ML"). But none of the users of this group ("EDH_ML") is able to access Nifi; they get an "Insufficient Permission" error.
Could someone help us resolve this error? Sharing the Nifi screenshots and configuration settings/logs below.
Nifi Users
Nifi Login Error
Nifi User Policies
Authorizer.xml
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Manager Password">pass321</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://ldap.dev:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="User Search Base">dc=dev,dc=coorporate</property>
<property name="User Object Class">user</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(|(memberof=cn=EDH_ML,ou=Groups - Applications,ou=Groups,ou=Xyz Dev,dc=dev,dc=coorporate))</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">ou=Groups - Applications,ou=Groups,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">SUBTREE</property>
<property name="Group Search Filter">(|(cn=EDH_ML))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</authorizer>
<authorizer>
<identifier>single-user-authorizer</identifier>
<class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
</authorizer>
login-identity-providers.xml
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Manager Password">pass321</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://ldap.dev:389</property>
<property name="User Search Base">dc=dev,dc=coorporate</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
nifi-user.log
2022-09-08 14:17:25,082 INFO [NiFi Web Server-19] org.apache.nifi.web.api.AccessResource Logout Started [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:25,102 INFO [NiFi Web Server-186] org.apache.nifi.web.api.AccessResource Logout Request [97418afe-fd34-4cee-b788-0b9ade8a7fb4] Completed [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:28,208 INFO [NiFi Web Server-145] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 127.0.0.1 [<anonymous>] GET https://localhost:8080/nifi-api/flow/current-user
2022-09-08 14:17:28,208 WARN [NiFi Web Server-145] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 127.0.0.1 GET https://localhost:8080/nifi-api/flow/current-user [Anonymous authentication has not been configured.]
2022-09-08 14:17:37,864 INFO [NiFi Web Server-194] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate'. Returning Forbidden response.
2022-09-08 14:17:42,240 INFO [NiFi Web Server-145] org.apache.nifi.web.api.AccessResource Logout Started [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:42,253 INFO [NiFi Web Server-153] org.apache.nifi.web.api.AccessResource Logout Request [b3ebfab9-4149-4d02-a65d-4b59907a0a67] Completed [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:44,325 INFO [NiFi Web Server-194] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 127.0.0.1 [<anonymous>] GET https://localhost:8080/nifi-api/flow/current-user
2022-09-08 14:17:44,325 WARN [NiFi Web Server-194] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 127.0.0.1 GET https://localhost:8080/nifi-api/flow/current-user [Anonymous authentication has not been configured.]
2022-09-08 14:18:19,841 INFO [NiFi Web Server-153] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate'. Returning Forbidden response.
Thanks,
Alvin
Created 09-12-2022 01:52 PM
@ajignacio
User and group identity strings must match identically.
Your ldap-user-group-provider is syncing users and groups by the identity string found in the CN AD attribute. This is why you are seeing only the CN username and CN group name strings in the users UI within NiFi.
However, when you log in to NiFi to authenticate your user via the ldap-provider, the resulting user identity string is the user's full AD Distinguished Name (DN). NiFi treats different strings as different users.
The ldap-provider can be changed to use the user identity string typed in the username field instead of using the full DN. This is done by changing the following property:
<property name="Identity Strategy">USE_DN</property>
change it to:
<property name="Identity Strategy">USE_USERNAME</property>
Upon successful authentication, the resulting user identity is evaluated against any identity mapping patterns that may be configured in the nifi.properties file. The resulting mapped value is then passed to the configured authorizer (managed-authorizer in your setup). There the authorizer looks up that user identity string (case sensitive) against the user strings synced by your configured user group providers. If an exact match is found, both the user string and the now-learned group string(s) are checked against the configured NiFi policies to determine authorization.
If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.
Thank you,
Matt
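The two steps described in the reply above (identity mapping patterns from nifi.properties, then the authorizer's exact, case-sensitive lookup against the synced identities) simulated in Python. This is an added example, not NiFi's own code; the DN follows the shape logged in nifi-user.log, while the synced users and the mapping triple are constructed for illustration. It goes one step beyond the thread by showing that even a mapping pattern that extracts the CN from the DN keeps the DN-escaped comma (`\,`), so the string still does not equal the plain cn attribute value the user group provider synced.

```python
import re

# Constructed sample data (not from the thread's real directory). The login
# identity has the DN shape seen in nifi-user.log above; the synced users are
# what a user group provider keyed on the cn attribute would hold (attribute
# values are plain strings, not DN-escaped, so the comma has no backslash).
LOGIN_DN = r"cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate"
SYNCED_USERS = {
    "User_LN, User_FN": {"EDH_ML"},
    "jdoe": {"EDH_ML"},
}

# (pattern, value, transform) triples, mirroring the
# nifi.security.identity.mapping.pattern.X / .value.X / .transform.X keys in
# nifi.properties. This constructed mapping keeps only the first RDN value.
MAPPINGS = [
    (r"^cn=(.*?),ou=.*$", "$1", "NONE"),
]


def apply_identity_mapping(identity, mappings=MAPPINGS):
    """First pattern matching the whole identity wins; $1..$n in the value are
    replaced by the capture groups, then NONE/LOWER/UPPER is applied.
    No matching pattern leaves the identity unchanged."""
    for pattern, value, transform in mappings:
        m = re.fullmatch(pattern, identity)
        if m is None:
            continue
        mapped = value
        for i, group in enumerate(m.groups(), start=1):
            mapped = mapped.replace(f"${i}", group or "")
        if transform == "LOWER":
            return mapped.lower()
        if transform == "UPPER":
            return mapped.upper()
        return mapped
    return identity


def resolve_groups(login_identity, synced_users=SYNCED_USERS, mappings=MAPPINGS):
    """Mimic the authorizer lookup: exact, case-sensitive comparison of the
    mapped identity with the synced identities. Returns (mapped, groups|None)."""
    mapped = apply_identity_mapping(login_identity, mappings)
    return mapped, synced_users.get(mapped)


if __name__ == "__main__":
    for dn in (LOGIN_DN, r"cn=jdoe,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate"):
        mapped, groups = resolve_groups(dn)
        state = "unknown user" if groups is None else sorted(groups)
        print(f"{dn!r} -> {mapped!r}: {state}")
```

The first DN still resolves to an unknown user because the mapped string carries the backslash; the second, whose CN has no escaped character, matches its synced entry and its groups are found.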