
NiFi-HDF3.0 Untrusted proxy

Expert Contributor

Hi,

I followed the following post :

https://community.hortonworks.com/questions/61159/getting-untrusted-proxy-message-while-trying-to-se...

I have a question: is the policy in the authorizations.xml file right? If not, how should it be?

authorizers.xml:

<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
        <property name="Users File">/var/lib/nifi/conf/users.xml</property>
        <property name="Initial Admin Identity">CN=TTTTT, OU=TTT</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=XXXXXX OU=XXXXX</property>
    </authorizer>
</authorizers>

users.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
    </users>
</tenants>

authorizations.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
</authorizations>

1 ACCEPTED SOLUTION

Super Mentor

@Sanaz Janbakhsh

The users.xml and authorizations.xml files are generated on initial startup of a secured NiFi instance using the configurations specified in the authorizers.xml file. Once these two files exist, any changes made in the authorizers.xml file will not be made to these existing files. The expectation is that the NiFi UI is used at that point to add additional users and set additional authorizations.

So if the initial authorizers.xml file had incorrect entries, the users.xml and authorizations.xml files created will not be correct. You will need to remove these two files and restart so that new users.xml and authorizations.xml files are created based on a correct configuration in the authorizers.xml.

The users.xml and authorizations.xml files outputs you shared above are not correct.

Neither is your authorizers.xml.

Your authorizers.xml file should look something like this:

<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
        <property name="Users File">/var/lib/nifi/conf/users.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifinode1, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifinode2, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifinode3, OU=NIFI</property>
    </authorizer>
</authorizers>

Each node in your cluster must have its own entry. You must specify an Initial Admin Identity. This will be the only user who can access your NiFi initially. They will be given the authorizations needed to add additional users and assign policies for those new users.

Using the above example, the users.xml file that is generated should look like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="38e35829-435d-3be4-83b6-784cb560e855" identity="CN=admin, OU=NIFI"/>
        <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686" identity="CN=nifinode1, OU=NIFI"/>
        <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1" identity="CN=nifinode2, OU=NIFI"/>
        <user identifier="e63552bb-6e32-346d-8b9d-d82ef1616ce9" identity="CN=nifinode3, OU=NIFI"/>
    </users>
</tenants>

And your authorizations.xml that is generated should look like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="ba421219-28f1-3918-bc27-bf5533cb847e" resource="/flow" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="b56e3b5c-a458-3088-a4a6-30c9ad7ea69d" resource="/data/process-groups/f459ab3e-015c-1000-6a96-d0fd4c9da94c" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
            <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686"/>
            <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1"/>
            <user identifier="e63552bb-6e32-346d-8b9d-d82ef1616ce9"/>
        </policy>
        <policy identifier="78c6edfa-7c8a-398e-8ffa-716820b5040b" resource="/data/process-groups/f459ab3e-015c-1000-6a96-d0fd4c9da94c" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
            <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686"/>
            <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1"/>
            <user identifier="e63552bb-6e32-346d-8b9d-d82ef1616ce9"/>
        </policy>
        <policy identifier="b817348f-f27b-3b42-8b8c-040977436b45" resource="/process-groups/f459ab3e-015c-1000-6a96-d0fd4c9da94c" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="dd8ad42a-4266-3646-a804-f612245edbe3" resource="/process-groups/f459ab3e-015c-1000-6a96-d0fd4c9da94c" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="efd76cc8-fd81-3cd1-bf21-3065661848bd" resource="/restricted-components" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="c2f680ff-bec3-336b-8ed2-512321cc7162" resource="/tenants" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="d3840ff8-f56e-3d2c-8361-bab5cf498107" resource="/tenants" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="ff398473-528d-3393-85bc-cd6810f47d72" resource="/policies" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="a55e48e9-691f-3052-ae92-77fffb2858d6" resource="/policies" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="56f51845-8783-3a14-b22c-9971bf232b17" resource="/controller" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="ef41b898-79b8-3782-b01a-e54e5bf20661" resource="/controller" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>
        <policy identifier="19b83f2b-967e-35d5-8091-f4abc877877b" resource="/proxy" action="W">
            <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686"/>
            <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1"/>
            <user identifier="e63552bb-6e32-346d-8b9d-d82ef1616ce9"/>
        </policy>
    </policies>
</authorizations>

Of course all the UUIDs that are generated will be different.

Thanks,

Matt

*** If you found this answer addressed your question please mark it as accepted.
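The answer above hinges on three files agreeing with each other: every Node Identity in authorizers.xml must have a user entry in users.xml, and that user must hold W on the /proxy resource in authorizations.xml, otherwise the node's proxied request is rejected as an untrusted proxy. The following script is an added example, not code from the thread or from the NiFi project: it parses the three files and reports the identities that are missing or unauthorized. The sample files embedded in it are constructed (UUIDs and hostnames are illustrative); they model the situation Matt describes, where users.xml and authorizations.xml were generated before a third node identity was added to authorizers.xml and so never picked it up. The DN check is a heuristic added here: NiFi matches identity strings exactly, so a DN without its comma separators will never equal the DN presented by the node's certificate.

```python
"""Cross-check NiFi authorizers.xml, users.xml and authorizations.xml for the
cluster identities that the 'Untrusted proxy' error depends on."""
import re
import xml.etree.ElementTree as ET

# Constructed sample files (illustrative UUIDs/hosts, not the thread's files).
# Node Identity 3 was added after users.xml/authorizations.xml were generated.
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Users File">/var/lib/nifi/conf/users.xml</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="Node Identity 1">CN=nifinode1, OU=NIFI</property>
    <property name="Node Identity 2">CN=nifinode2, OU=NIFI</property>
    <property name="Node Identity 3">CN=nifinode3, OU=NIFI</property>
  </authorizer>
</authorizers>"""

USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="38e35829-435d-3be4-83b6-784cb560e855" identity="CN=admin, OU=NIFI"/>
    <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686" identity="CN=nifinode1, OU=NIFI"/>
    <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1" identity="CN=nifinode2, OU=NIFI"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="ba421219-28f1-3918-bc27-bf5533cb847e" resource="/flow" action="R">
      <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
    </policy>
    <policy identifier="19b83f2b-967e-35d5-8091-f4abc877877b" resource="/proxy" action="W">
      <user identifier="22f1b808-a02d-3344-93c1-c944af6b5686"/>
      <user identifier="ea71911e-b2f3-3975-a459-50c9f8e905d1"/>
    </policy>
  </policies>
</authorizations>"""


def configured_identities(authorizers_xml):
    """Return (initial admin identity, [node identities]) from authorizers.xml."""
    root = ET.fromstring(authorizers_xml.encode("utf-8"))
    admin, nodes = None, []
    for prop in root.iter("property"):
        name, value = prop.get("name", ""), (prop.text or "").strip()
        if name == "Initial Admin Identity":
            admin = value
        elif name.startswith("Node Identity") and value:
            nodes.append(value)
    return admin, nodes


def users_by_identity(users_xml):
    """Map identity string -> user UUID from users.xml."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def proxy_writers(authorizations_xml):
    """Set of user UUIDs granted W on /proxy (the 'proxy user requests' policy)."""
    root = ET.fromstring(authorizations_xml.encode("utf-8"))
    ids = set()
    for policy in root.iter("policy"):
        if policy.get("resource") == "/proxy" and policy.get("action") == "W":
            ids.update(u.get("identifier") for u in policy.iter("user"))
    return ids


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^=]+$")


def dn_looks_malformed(dn):
    """Heuristic: each comma-separated RDN must be exactly one key=value pair.
    'CN=host OU=X' (comma missing) leaves two '=' in one RDN and is flagged."""
    return not all(_RDN.match(part.strip()) for part in dn.split(","))


def check_cluster_identities(authorizers_xml, users_xml, authorizations_xml):
    """Return a list of findings; an empty list means the three files agree."""
    admin, nodes = configured_identities(authorizers_xml)
    users = users_by_identity(users_xml)
    writers = proxy_writers(authorizations_xml)
    findings = []
    if not admin:
        findings.append("no Initial Admin Identity configured")
    elif admin not in users:
        findings.append(f"initial admin {admin!r} has no entry in users.xml")
    for dn in ([admin] if admin else []) + nodes:
        if dn_looks_malformed(dn):
            findings.append(f"identity {dn!r} does not look like a comma-separated DN")
    for node in nodes:
        uid = users.get(node)
        if uid is None:
            findings.append(f"node identity {node!r} has no entry in users.xml")
        elif uid not in writers:
            findings.append(f"node identity {node!r} is not granted W on /proxy")
    return findings


if __name__ == "__main__":
    for line in check_cluster_identities(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML):
        print("FINDING:", line)
```

Run against the embedded samples it reports that nifinode3 has no entry in users.xml; the remedy is the one Matt gives, remove the two generated files and restart so they are regenerated from a corrected authorizers.xml, or add the node and its /proxy policy through the UI. Point the three constants at the real files under /var/lib/nifi/conf to check a live instance.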


6 REPLIES 6


Super Mentor

@Sanaz Janbakhsh

We should try to avoid creating a new "Answer" for every correspondence here.

I am not clear on what you mean by "blank page"?

Have you tried clearing your browser cache?

What do you see in your NiFi's nifi-user.log when you try to access the https web address for your NiFi instance? https://<nifinodename><secureport>/nifi

Thanks,

Matt

Expert Contributor

Hi Matt,

I deleted users.xml and authorizations.xml and stopped and started NiFi again; the files have been generated.

The error is gone but I get a blank page now. No errors in the logs either.

SJ.

Expert Contributor

Matt,

For your reference, I attached the new files.

SJ

Expert Contributor

Hi Matt,

It was a browser issue 🙂 Thanks, it is fixed now.

Sanaz

Super Mentor
@Sanaz Janbakhsh

Good to hear, can you mark the original answer I posted as accepted to close out this thread?

Thanks,

Matt