Support Questions

@GKHN_ 

Welcome to the Cloudera Community.

You shared numerous configurations and I see numerous configuration issues.

Lets start with Authentication and Authorization basics before diving in to the configuration issues.

Authentication and authorization are two separate processes.  First you need to successfully authenticate your user.   At the end of a successful authentication you will have a user identity string (case sensitive) that NiFi uses to identify your authenticated user and it is the user string that is passed to the NiFi authorizer to determine what policies have been granted to that specific user identity string. 

You appear to be using the ldap-provider (I assume your nifi.properties has been properly configured to use it and you are being presented with the NiFi login screen).   I see you have it configured to take your sAMAccountName value as your username at the login window; however; I also see that you have it configured to use the full DN (USE_DN) for your user that is returned by yoru ldap as your user identity string upon successful  authentication.  I don't think that is what you want here, so I recommend changing from "USE_DN" to "USE_USERNAME" which will pass your username entered in the login window to the authorizer upon successful authentication.

Now when we look at the authorizer you shared, you'll want to read it from the bottom up stating with the authorizer (managed-authorizer in your configuration).  Within the "managed-authorizer" authorizer, you are configured to used the "file-access-policy-provider", so you should scroll up until you find the "file-access-policy-provider".

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=NAME SURNAME,OU=CompanyUsers,OU=Company,DC=company,DC=entp</property>

<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>

I see you have configured what i assume is your user's full DN (hopefully matching case sensitive with what you see in the upper right corner of the NiFi UI and as seen in the nifi-user.log).   This provider will generate the authorizations.xml file ONLY if it does not already exist. So if you make any changes to this provider those changes will not be made to an existing authorizations.xml file. So you'll need to remove this file until you have your setup working for your initial admin to gain access to NiFi.  This provider's job is to seed initial policies for your admin user and the nifi nodes in NiFi cluster setup.  But in order to seed those policies NiFi needs to know about the configured user identity (DN you set currently).  To do that the file-access-policy-provider is configured with a "user-group-provider" which we can see you have set to the "file-access-policy-provider".

<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
</userGroupProvider>

We can see in this provider, you have not configured any initial user identities, So NiFi is not going to be able to find the user identity based on the DN set in the file-access-policy-provider in order to seed those initial admin needed policies.  The file-user-group-provider will ONLY generate a users.xml file if one does not already exist.  So modification to this provider will not make changes to an existing users.xml file.

I also see that you have added and configured the "ldap-user-group-provider" in your authorizers, but as you can see from above their is no configured dependency from the authorizer to this user group provider, so it is not being used even though it is configured in the authorizers.xml file.  In order for it to be used it must be called by another provider.  In your case this would mean adding maybe the "composite-configurable-user-group-provider". This provider allows you reference multiple provider (1 configurable provider like the file-user-group-provider and 1 or more non configurable providers like the ldap-user-group-provider".  ( A configurable provider is one that allows you to manually define additional user or group identities directly from within the NiFi UI).

Even though your "ldap-user-group-provider" is not being used by yoru authorizer currently, it has several configuration issues.

<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>

<property name="Manager DN">LDAP_USER</property>
<property name="Manager Password">Password1</property>

<property name="TLS - Keystore">/home/nifi/nifi/nifi-2.4.0/conf/srt.pfx</property>
<property name="TLS - Keystore Password">Password</property>
<property name="TLS - Keystore Type">JKS</property>
<property name="TLS - Truststore">/home/nifi/nifi/nifi-2.4.0/conf/gbkeystore.jks</property>
<property name="TLS - Truststore Password">Password</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1.2</property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://ldap.entp:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>

<property name="User Search Base">OU=CompanyUsers,OU=Company,DC=company,DC=entp</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter">(sAMAccountName={0})</property>
<property name="User Identity Attribute"></property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>

<property name="Identity Strategy">USE_USERNAME</property>
<property name="Group Search Base"></property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

Lets start with the face that the following is not even a property in this provider (It only exists in the ldap-provider found in the login-identity-providers.xml configuration file:

<property name="Identity Strategy">USE_USERNAME</property>

While the following property exist in both the ldap-user-group-provider aand teh ldap-provider, its configuration in the ldap-user-group-provider is incorrect:

<property name="User Search Filter">(sAMAccountName={0})</property>

The "{0}" when used in the ldap-provider with the login-identity-providers.xml  will substitute in the username provided at login.  The ldap-user-group-provider is syncing users without any external input so this would be treated as a literal a result in no ldap returns.  Typically you would use filters here just like you would with ldapsearch to limited the number of user returned (for example filter only user that are members of specific ldap groups).

I also see you have group search partial configured, but have no Group Search Base configured.  You also have no "user identity Attribute" configured which tells NiFi which ldap field contains the user identity NiFi will then use.  This might be where you put "sAMAccountName".

I recommend going back to the NiFi admin guide and looking at the example configuration found below the StandardManagedAuthorizer section.

The fact that you stated you added user and set policies via the NiFi UI, tells me at some point in time you had a different configuration then shared above that resulted in your initial admin gaining access.   Always remember that NiFi is case sensitive and the users identity (whether it is the username entered  in login window or the user's full DN) must match exactly with the user identity you are authorizing against the various policies.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

@GKHN_ 

As I described in my first response, Authentication and Authorization are two different processes.  

So it sounds like from your comment that authentication is working fine for both your users and authorization is failing for your non admin user.  So issue is within the authorization phase.

I assume both of your users are authenticating via ldap?
In your ldap-provider in the login-identity-providers.xml you have the "Identity Strategy" set to  "USE_DN".   With this setting you the users full ldap DN will be used as the user identity string after successful authentication.  This means that entire DN is being passed to the authorizer to lookup if that full dn has been authorized to the requested end-point NiFi policy.

I see you have your initial admin identity manually defined in the file-user-group-provider and the file-access-policy provider:
CN=NIFIUSER,OU=Userpro,OU=CUsers,OU=Company,DC=company,DC=entp

So when you login via ldap with this user's ldap username and ldap password, the user's entire DN is being passed to the authorizer and the file-access-policy provider has setup all admin related NiFi policies for this initial admin user identity.

I also see from the shared authorizers.xml that the only user-group-provider the "file-access-policy provider" is configured to use is the "file-user-group-provider".  The file-user-group-provider requires the admin user to manually add additional user identities manually from the with the NiFi UI (Remember that with your current ldap-provider login provider, all your ldap user identities are going to be full DNs).
As the admin user, go to the NiFi global menu and select "USERS":

From the NiFi Users UI, select the "+" to add a new user:

Then enter the full DN for your second user (Case sensitive).

unless you have added any groups, your list of groups will be blank.

Now that you have added this second user identity, you'll need to start authorizing that user identities for the various policy they need.  In order to access the NiFi UI, all users must be authorized to "view the user interface".  From the same NiFi Global menu mentioned above, select "Policies" this time.  Then from the "Access Policies" UI that appears, select "view the user interface" from the policy list pull-down.

Then click on the icon to the right that looks like a person with a "+".  Find the user identity you just added and check the box and click the "Add" button.

Now this user can access the NIFi UI.
There are other policies this user will need before they can start building dataflows on the UI.  NiFi allows for very granular authorizations.   But at the minimum the user will need to be authorized on the process group in which they will build their dataflows.  Not all policies are defined from  the "Access Policies" UI in the global menu. the component level policies are define directly via the individual component (keep an eye out for the "key" icon) 

From the "Operation" panel directly on the NiFi canvas you can set policies on the currently selected component:

Above I have selected my root Process Group (PG). If you click the key icon you will see all the access policies that users can be authorized for.  You'll need to select each one by one your user will need and add the user to them.

Above will allow you to setup access for your additional users using the file-user-group-provider you have configured in your authorizers.xml.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt