Support Questions

Find answers, ask questions, and share your expertise

NiFi Authorization Problem

avatar
Contributor

I have a fresh install of NiFi and am trying to enable TLS certificate based security for initial admin login and am getting the following error after successful authentication (see nifi-user.log snippet below)

"Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

Here if snippets of relevant configuration defined in the nifi-properties file:

# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200

# security properties #

nifi.security.keystore=/apps/nifi/certs/server.pfx
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=Test
nifi.security.keyPasswd=
nifi.security.truststore=/apps/nifi/certs/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=Test
nifi.security.needClientAuth=true
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Here is the configuration of the authorizers.xml file:

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=Browser Client,OU=GUI,O="Test Inc "</property>
        <property name="Legacy Authorized Users File"></property>
    </authorizer>

Here is the output from the nifi-user.log file:

2016-10-26 21:19:38,469 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Wed Oct 26 21:19:38 UTC 2016
2016-10-26 21:20:35,238 INFO [NiFi Web Server-18] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2016-10-26 21:20:35,252 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=Browser Client, OU=GUI, O="Test Inc ") GET https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2016-10-26 21:20:35,253 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=Browser Client, OU=GUI, O="Test Inc "
2016-10-26 21:20:35,266 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=Browser Client, OU=GUI, O="Test Inc " does not have permission to access the requested resource. Returning Forbidden response.
1 ACCEPTED SOLUTION

avatar
Master Guru

The problem is a whitespace issue...

If you look at your log you can see "CN=BrowserClient, OU=GUI, O="Test Inc "" with a space before the OU.

If you look at the Initial Admin and users.xml there is no space "CN=Browser Client,OU=GUI,O="Test Inc " so its not lining up.

You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the exact value from the logs, and then deleting users.xml and authorizations.xml, and restart.

View solution in original post

8 REPLIES 8

avatar

Hi, the setup looks ok at first glance. If you made some changes over several NiFi restarts, can you try deleting users.xml and authorizations.xml files and start up NiFi again? These should get regenerated and Initial Admin user added.

avatar
Contributor

Hello Andrew, thanks for your suggestion, followed your suggestion but no luck, still the same problem.

avatar
Master Guru

what version of NIFI are you running? Can you update to a newer one?

I recommend you use http://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.1/index.html

What user are you running as?

avatar
Contributor

users.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade" identity="CN=Browser Client,OU=GUI,O="Test Inc ""/>
    </users>
</tenants>

authorizations.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="73374e81-e8b7-3b0c-969a-613a4075be39" resource="/flow" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="8aec400c-8546-3cba-a2a5-c0ae267f7ba4" resource="/data/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="a32dd30f-8225-37fb-805f-c57feb9b845e" resource="/data/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="132721c5-fdd0-330c-a3ab-3f2d6b17fa88" resource="/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="657eb4e4-91ca-3f88-97a3-6454dd3fc9d6" resource="/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="7a28fc07-3e1c-3cd0-bf07-aaac0bf33c0a" resource="/tenants" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="71444cf0-a0e8-3efe-8669-6a49e9524d61" resource="/tenants" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="cc8f957c-8248-35bb-ac24-a399b544ea53" resource="/policies" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="fe68321a-85cb-3fd9-86e0-32a6684d9101" resource="/policies" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="7781460d-3a59-3bf3-88d4-78ac4e839e7e" resource="/controller" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="4b0b79aa-db0f-3672-b38b-27b4b7c07f59" resource="/controller" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
    </policies>
</authorizations>

avatar
Master Guru

Does the user running NIFI have permissions to those files?

From the source code:

// If Kerberos Service Principal and keytab location not configured, throws exception
if (!properties.isKerberosSpnegoSupportEnabled() || kerberosService == null) {
throw new IllegalStateException("Kerberos ticket login not supported by this NiFi.");

https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nif...

See:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#kerberos_login_identity_provid...

Initial Admin Identity (New NiFi Instance)

If you are setting up a secured NiFi instance for the first time, you must manually designate an “Initial Admin Identity” in the authorizers.xml file. This initial admin user is granted access to the UI and given the ability to create additional users, groups, and policies. The value of this property could be a DN (when using certificates or LDAP) or a Kerberos principal. If you are the NiFi administrator, add yourself as the “Initial Admin Identity”.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup

Do you have Kerberos?

avatar
Contributor

Tim, thanks for your feedback, I'm using the latest version of NiFi and no, I am not using Kerberos

avatar
Master Guru

The problem is a whitespace issue...

If you look at your log you can see "CN=BrowserClient, OU=GUI, O="Test Inc "" with a space before the OU.

If you look at the Initial Admin and users.xml there is no space "CN=Browser Client,OU=GUI,O="Test Inc " so its not lining up.

You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the exact value from the logs, and then deleting users.xml and authorizations.xml, and restart.

avatar
Contributor

Yay, it works Bryan, nice catch. Thanks for your help. Thanks Andrew and Tim as well. Smacking myself in the back of the head as well 🙂