Support Questions

Find answers, ask questions, and share your expertise

NIFI Unable to locate initial admin CN=admin,OU=people to seed policies

avatar
New Contributor

Hello!

I installed Nifi, Nifi toolkit.

I have an error "Unknown user with identity 'CN=admin, OU=people, DC=nifi, DC=com'. Contact the system administrator." or

"Unable to locate initial admin CN=admin,OU=people,DC=nifi,DC=com to seed policies".

96729-ldap.png

Ldap config -> ldap.png

nifi.properties:

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=C952nQSnvjyqA38F4Z5WHB80qzzCGPjB8qCrfIUTXWs
nifi.security.keyPasswd=C952nQSnvjyqA38F4Z5WHB80qzzCGPjB8qCrfIUTXWs
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=0f9v05dN9t15lVRklQ3B6jGphb5fbtfYuEKjefQyb7A
nifi.security.needClientAuth=yes
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>    
 <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=admin,OU=people,DC=nifi,DC=com</property>
        <property name="Legacy Authorized Users File"></property>


        <property name="Node Identity 1">CN=admin,OU=people,DC=nifi,DC=com</property>
    </authorizer>


</authorizers>

login-identity-providers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<loginIdentityProviders>
 
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">LDAPS</property>


        <property name="Manager DN">CN=admin,OU=people,DC=nifi,DC=com</property>
        <property name="Manager Password">password</property>


        <property name="TLS - Keystore">./conf/keystore.jks</property>
        <property name="TLS - Keystore Password">C952nQSnvjyqA38F4Z5WHB80qzzCGPjB8qCrfIUTXWs</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">./conf/truststore.jks</property>
        <property name="TLS - Truststore Password">0f9v05dN9t15lVRklQ3B6jGphb5fbtfYuEKjefQyb7A</property>
        <property name="TLS - Truststore Type">jks</property>
        <property name="TLS - Client Auth">WANT</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">true</property>
        
        <property name="Referral Strategy">IGNORE</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>


        <property name="Url">ldap://localhost:10389</property>
        <property name="User Search Base">OU=PEOPLE,DC=NIFI,DC=COM</property>
        <property name="User Search Filter">cn={0}</property>


        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>


</loginIdentityProviders>
C:\nifi-toolkit\bin>tls-toolkit.bat standalone -n "localhost" -C "cn=admin,ou=people,dc=nifi,dc=com"
As I did not change the file "authorizers.xml", I always got an error "Unable to locate initial admin.." 😞
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=people,DC=nifi,DC=com to seed policies
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1634)
 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
 ... 91 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=people,DC=nifi,DC=com to seed policies
 at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:234)
 at org.apache.nifi.authorization.FileAuthorizer.doOnConfigured(FileAuthorizer.java:137)
 at org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer.onConfigured(AbstractPolicyBasedAuthorizer.java:67)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.apache.nifi.authorization.AuthorizerInvocationHandler.invoke(AuthorizerInvocationHandler.java:55)
 at com.sun.proxy.$Proxy77.onConfigured(Unknown Source)
 at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:166)
 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
 ... 96 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin,OU=people,DC=nifi,DC=com to seed policies
 at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:569)
 at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:512)
 at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:225)
 ... 106 common frames omitted
2019-01-16 10:58:25,580 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
2019-01-16 10:58:25,585 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@7a7bb083{SSL,[ssl, http/1.1]}{localhost:9443}
2019-01-16 10:58:25,585 INFO [Thread-1] org.eclipse.jetty.server.session Stopped scavenging
Can anyone please help? Thank!
1 ACCEPTED SOLUTION

avatar
Master Mentor
@Michael Vikulin

-

Your nifi.properties file is configured to look for an Authoriuzer with the identifier Managed-authorizer.

nifi.security.user.authorizer=managed-authorizer

The shared authorizers.xml does not contain a "managed-authorizer".

If you want to use the "file-provider" you need to update your nifi.properties file.

-

I also see that you are using ldap-provider for logging in to your NiFi. It is configured with:

<propertyname="Identity Strategy">USE_USERNAME</property>

This means that whatever string the user enters in the username login box will be parsed by any configured Identity.mapping.pattens configured in nifi.properties file and then resulting value string passed to authorizer.

-

So even once you fix your auithorizer.xml or nifi.properties file, You are likely going to send "admin" to your authorizer rather then the admin user's full DN.

-

Thanks,

Matt

-

If you found this answer addressed your question, please take a moment to login in and click the "ACCEPT" link.

View solution in original post

2 REPLIES 2

avatar
Master Mentor
@Michael Vikulin

-

Your nifi.properties file is configured to look for an Authoriuzer with the identifier Managed-authorizer.

nifi.security.user.authorizer=managed-authorizer

The shared authorizers.xml does not contain a "managed-authorizer".

If you want to use the "file-provider" you need to update your nifi.properties file.

-

I also see that you are using ldap-provider for logging in to your NiFi. It is configured with:

<propertyname="Identity Strategy">USE_USERNAME</property>

This means that whatever string the user enters in the username login box will be parsed by any configured Identity.mapping.pattens configured in nifi.properties file and then resulting value string passed to authorizer.

-

So even once you fix your auithorizer.xml or nifi.properties file, You are likely going to send "admin" to your authorizer rather then the admin user's full DN.

-

Thanks,

Matt

-

If you found this answer addressed your question, please take a moment to login in and click the "ACCEPT" link.

avatar
Rising Star

@wikulinme  where you able to solve this?