Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NIFI Insufficient Permissions for LDAP User Group

Labels:
avatar
author-rank ajignacio
Explorer

Created ‎09-09-2022 04:17 AM

Hello Nifi Community,

 

We have integrated our Nifi 1.16.2 with LDAP AD server.
We have created an Initial Local Admin (nifi_ldap) and used "composite-configurable-user-group-provider" as user group provider. We also restricted to one particular group of LDAP server (namely "EDH_ML"). But none of the users of this group ("EDH_ML") is able to access the Nifi and getting "Insufficient Permission Error".

 

Could someone can help us to resolve this error? -- Sharing nifi screenshot and configuration settings/logs

 

Nifi Users

ajignacio_1-1662721667073.png

 

Nifi Login Error

ajignacio_2-1662721848127.png

 

Nifi User Policies

ajignacio_3-1662721920829.png

 

Authorizer.xml


<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>

<property name="Manager DN">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Manager Password">pass321</property>

<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://ldap.dev:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>

<property name="User Search Base">dc=dev,dc=coorporate</property>
<property name="User Object Class">user</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(|(memberof=cn=EDH_ML,ou=Groups - Applications,ou=Groups,ou=Xyz Dev,dc=dev,dc=coorporate))</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>

<property name="Group Search Base">ou=Groups - Applications,ou=Groups,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">SUBTREE</property>
<property name="Group Search Filter">(|(cn=EDH_ML))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
 <userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>

 <accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-configurable-user-group-provider</property> 
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property> 
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider> 

 <authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

 <authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property> 
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</authorizer>

 <authorizer>
<identifier>single-user-authorizer</identifier>
<class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
</authorizer>

 

login-identity-providers.xml

 

<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=Service Account\, nifi_ldap,ou=Service Accounts,ou=Xyz Dev,dc=dev,dc=coorporate</property>
<property name="Manager Password">pass321</property>

<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://ldap.dev:389</property> 
<property name="User Search Base">dc=dev,dc=coorporate</property>
<property name="User Search Filter">sAMAccountName={0}</property>

<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>

 

nifi-user.log

 

2022-09-08 14:17:25,082 INFO [NiFi Web Server-19] org.apache.nifi.web.api.AccessResource Logout Started [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:25,102 INFO [NiFi Web Server-186] org.apache.nifi.web.api.AccessResource Logout Request [97418afe-fd34-4cee-b788-0b9ade8a7fb4] Completed [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:28,208 INFO [NiFi Web Server-145] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 127.0.0.1 [<anonymous>] GET https://localhost:8080/nifi-api/flow/current-user
2022-09-08 14:17:28,208 WARN [NiFi Web Server-145] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 127.0.0.1 GET https://localhost:8080/nifi-api/flow/current-user [Anonymous authentication has not been configured.]
2022-09-08 14:17:37,864 INFO [NiFi Web Server-194] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate'. Returning Forbidden response.
2022-09-08 14:17:42,240 INFO [NiFi Web Server-145] org.apache.nifi.web.api.AccessResource Logout Started [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:42,253 INFO [NiFi Web Server-153] org.apache.nifi.web.api.AccessResource Logout Request [b3ebfab9-4149-4d02-a65d-4b59907a0a67] Completed [cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate]
2022-09-08 14:17:44,325 INFO [NiFi Web Server-194] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 127.0.0.1 [<anonymous>] GET https://localhost:8080/nifi-api/flow/current-user
2022-09-08 14:17:44,325 WARN [NiFi Web Server-194] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 127.0.0.1 GET https://localhost:8080/nifi-api/flow/current-user [Anonymous authentication has not been configured.]
2022-09-08 14:18:19,841 INFO [NiFi Web Server-153] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=User_LN\, User_FN,ou=abcde,ou=Users,ou=coorporate,dc=dev,dc=coorporate'. Returning Forbidden response.

 

 

Thanks,

Alvin

 

 

 

1,174 Views
0 Kudos
1 REPLY 1

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎09-12-2022 01:52 PM

@ajignacio 

User and group identity strings much match identically.
Your ldap-user-group-provider is syncing users and groups by the identity string found in the CN AD attribute.  This is why you are seeing only the CN username and CN groupname strings in the users UI within NiFi.

However, when you are logging in to NiFi to authenticate you user via the ldap-provider, the resulting user identity sting is the users full AD Distinguished Name (DN).  NiFi treats different strings as different users.
The  ldap-provider can be changed to use the user identity string typed in the username field instead of using the full DN.  This is done by changing the following property:

<property name="Identity Strategy">USE_DN</property>

change it to :

<property name="Identity Strategy">USE_USERNAME</property>


Upon successful authentication the resulting user identity is evaluated against any identity mapping patterns that may be configured in the nifi.properties file.  The resulting mapped value is then passed to the configured authorizer (managed-authorizer in your setup).  There the authorizers is looking up that user identity string (case sensitive) against the user strings synced by your configured users group providers.  If an exact match is found both the user string and the now learned group string(s) are checked against the configured NiFi policies to determine authorization.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

 

Thank you,

Matt

 

 

1,117 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements