
NIFI - Unknown user with identity 'user'. Contact the system administrator.

Expert Contributor

I'm configuring LDAP access (AD) on Nifi 1.0.1.0 being managed by Cloudera Manager, but when trying to access nifi with AD credentials, the error is returned:

"Unknown user with identity 'user.bind'. Contact the system administrator."

In Nifi's "nifi.initial.admin.identity" settings it looks like this:

"cn=user.bind,ou=USERS,ou=CLOUDERA,dc=lab,dc=local"

What could be wrong for not being able to access?

Expert Contributor

Hi @yagoaparecidoti,

Seems due to the configs NiFi is just using the identity instead of the complete DN. Without having more information you could try the following:

1. Change the initial admin identity to "user.bind"

2. Save and stop nifi

3. Remove the current users.xml and authorizations.xml from /var/lib/nifi

4. Start NiFi. 

It should recreate the users.xml and authorizations.xml files, please note that any customizations will be lost and will need to be recreated.

Master Mentor

@yagoaparecidoti 

NiFi will treat the identity strings "user.bind" and "cn=user.bind,ou=USERS,ou=CLOUDERA,dc=lab,dc=local" as two different users.

The identity string being passed to NiFi's configured authorizer post successful authentication in your current configuration is "user.bind".  However, it appears you have configured your initial admin in the authorizers.xml configuration file as "cn=user.bind,ou=USERS,ou=CLOUDERA,dc=lab,dc=local", which resulted in admin policies being initially set up in the authorizations.xml and users.xml files as this string.

Now within the login-identity-providers.xml file you have your ldap-provider configured which is handling your authentication.  One of the configurable properties in that ldap-provider can be configured two ways:

<property name="Identity Strategy">USE_USERNAME</property>
<property name="Identity Strategy">USE_DN</property>

USE_USERNAME setting will pass whatever string was entered in the username login window to the authorizer if authentication was successful.
USE_DN setting will pass the user's DN (post any matching identity mapping pattern modification) to the authorizer.

So you are either using the USE_USERNAME option or you have an identity mapping pattern configured in your nifi.properties file that is matching on the full DN returned by USE_DN and trimming just the "user.bind" from that DN before it is passed to the Authorizer.

Example:
nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),ou=(.*?),dc=lab,dc=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=LOWER

Above PATTERN would match "cn=user.bind,ou=USERS,ou=CLOUDERA,dc=lab,dc=local"
and only capture group one ($1) "user.bind" VALUE would be returned in all LOWERCASE (TRANSFORM).

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

One other important thing to keep in mind here.  The file-access-policy and file-user-group-providers in the authorizers.xml file will ONLY build the authorizations.xml and users.xml files if they do NOT already exist.  So if you edit the configured initial admin string, what is already configured in those files will not get modified and that configuration change will have no effect.  If you remove the existing users.xml and authorizations.xml files before restarting your NiFi when you decide to change your Initial Admin identity string, then on restart a new users.xml and authorizations.xml will be created with your change.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt
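As an added illustration (not code from this thread or from NiFi itself), here is a small Python re-implementation of the identity-mapping step Matt describes: the constructed nifi.properties fragment reuses the pattern/value/transform trio from the post, and the file-based authorizer is mimicked as an exact string match, which is why a users.xml seeded with the full DN never matches the trimmed "user.bind" identity. The property names are the real NiFi ones; the sample DNs and the users.xml contents are constructed.

```python
import re

# Constructed nifi.properties fragment, using the pattern from the post.
# The ".dn" suffix ties the three properties together as one mapping.
NIFI_PROPERTIES = {
    "nifi.security.identity.mapping.pattern.dn": r"^cn=(.*?),ou=(.*?),ou=(.*?),dc=lab,dc=(.*?)$",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.transform.dn": "LOWER",
}

# Constructed stand-in for a users.xml that was generated with the FULL DN
# as the initial admin identity (the situation in the original question).
INITIAL_USERS_XML = {"cn=user.bind,ou=USERS,ou=CLOUDERA,dc=lab,dc=local"}


def load_mappings(props):
    """Group pattern/value/transform properties by their shared suffix (e.g. 'dn')."""
    prefix = "nifi.security.identity.mapping."
    grouped = {}
    for key, val in props.items():
        if key.startswith(prefix):
            kind, _, name = key[len(prefix):].partition(".")
            grouped.setdefault(name, {})[kind] = val
    # Only complete mappings (pattern + value) are usable; sort for a stable order.
    return [m for _, m in sorted(grouped.items()) if "pattern" in m and "value" in m]


def map_identity(identity, mappings):
    """Return the identity string the authorizer will see.

    The first matching pattern wins; if nothing matches, the string is passed
    through unchanged (which is what happens with USE_USERNAME and no mapping).
    """
    for m in mappings:
        match = re.match(m["pattern"], identity)
        if not match:
            continue
        # NiFi's $1..$n placeholders in the VALUE refer to the regex capture groups.
        mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), m["value"])
        transform = m.get("transform", "NONE").upper()   # NONE / LOWER / UPPER
        if transform == "LOWER":
            mapped = mapped.lower()
        elif transform == "UPPER":
            mapped = mapped.upper()
        return mapped
    return identity


def authorize(identity, known_users):
    """Mimic the file-based authorizer: an exact, case-sensitive string lookup."""
    if identity in known_users:
        return f"authorized: {identity}"
    return f"Unknown user with identity '{identity}'. Contact the system administrator."
```

Running `authorize(map_identity(full_dn, load_mappings(NIFI_PROPERTIES)), INITIAL_USERS_XML)` reproduces the "Unknown user" message from the question, while looking up the unmapped full DN succeeds.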

Expert Contributor

Hi, @bbahamondes / @MattWho

In the "nifi.initial.admin.identity" configuration in NiFi, I left only the user "user.bind", stopped NiFi, deleted the files "authorizations.xml" and "users.xml" and started NiFi.

I don't know if it worked, but it's not giving the permission error anymore; now it's giving a connection error on port 8080 when I try to log in.

PS: the "Login Identity Provider: Default LDAP Identity Strategy" setting in NiFi is configured as "USE_USERNAME".

PS: when I try to login with a different user it returns the permission error:

"Unknown user with identity 'user'. Contact the system administrator."

Expert Contributor

@MattWho / @bbahamondes 

I stopped the NiFi nodes one at a time, and with that I was able to access NiFi and configure the policies.

Thank you for your help.

Master Mentor

@yagoaparecidoti 
Authentication is one piece of being able to access NiFi's UI.
While the file-user-group-provider and file-access-policy-provider facilitate the automatic creation of the initial admin user identity and the setting of the Admin policies needed for that user, it is the responsibility of that admin to add additional users to NiFi and add those users to authorization policies.  The initial admin user would accomplish this directly from within the NiFi UI.

Global menu in upper right corner --> users (add additional user identities here for which you want to setup authorizations)
Global menu in upper right corner --> Policies (add users you have added to select NiFi controller policies)
From canvas --> operate panel on left side --> key icon to add policies for specific components added to canvas

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

Thank you,

Matt

Community Manager

@yagoaparecidoti Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks

Regards,

Diana Torres,
Community Moderator
