Created 01-27-2017 07:23 PM
I have enabled SSL and created cert
/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.1.0-2/bin/tls-toolkit.sh client -c xxxxx.field.hortonworks.com -D 'CN=nifiadmin, OU=FIELD.HORTONWORKS.COM' -p 10443 -t admin -T pkcs12
Added cert to my keychain and loaded pem in Chrome.
I have my initial admin identity set to
CN=nifiadmin, OU=FIELD.HORTONWORKS.COM
This is in my users.xml
<tenants>
  <groups/>
  <users>
    <user identifier="92f3fcec-cd4d-347d-b750-c54eb8f7d04f" identity="CN=nifiadmin, OU=FIELD.HORTONWORKS.COM">
      <role name="ROLE_ADMIN"/>
    </user>
    <user identifier="b7851c46-a903-34d5-928e-483bf61ddc17" identity="xxxxx.field.hortonworks.com">
      <role name="ROLE_ADMIN"/>
    </user>
  </users>
</tenants>
When I hit the UI it says I have insufficient privileges. Any ideas?
I have deleted authorizations.xml and users.xml, restarted NiFi, and have the same issue. I have also updated the users.xml and set <role name="ROLE_ADMIN"/> for each user. I removed this snippet as well. Same issue.
Created 01-27-2017 07:29 PM
There is no such thing as "roles" in Apache NiFi 1.x; I would expect that to fail start-up with those role elements.
When you receive the insufficient privileges message, what is shown in nifi-user.log? There should be a message with a user identity that was denied and we need to compare that identity to what you entered as your initial admin.
Created 01-27-2017 07:29 PM
<role> elements are from NiFi 0.x. As you are on 1.x, you need to populate the authorizations.xml file with the appropriate mappings of the user (identified by the UUID) to the specific policies which will grant them access to perform the desired behavior. If you paste the contents of your authorizations.xml file here, we can correct any issues. Specifically, to view the UI, your user needs READ on the "view the UI" policy.
Created 01-27-2017 07:32 PM
@Andy LoPresto Got it. But how am I supposed to provide read access to admin if I am not able to get into the UI using the admin cert?
Created 01-27-2017 07:42 PM
When you set the Initial Admin Identity, NiFi does populate the roles for that user, including "view the UI", which allows you to then configure other users via the interface. Obviously there was an issue with generating your authorizations.xml, so that policy doesn't exist at this time. If you provide the authorizations.xml, we can fix it.
Created 01-27-2017 07:44 PM
Thank you all for the responses. Great stuff. I was able to parse the NiFi user log as suggested and found my cert was the wrong user. I am getting a proxy error now. Will open another post. Thank you again.
Created 01-27-2017 07:39 PM
The users.xml file you have above was not generated by NiFi. Did you manually create that?
You should not need to do that. On first start of NiFi after enabling https, NiFi will generate both the users.xml and authorizations.xml files from the configurations in the authorizers.xml file.
If the users.xml and authorizations.xml files already exist, NiFi will not modify them or re-create them during startup even if you change the configurations in the authorizers.xml file for "Initial Admin Identities" or "node identities".
In order to have NiFi create those files over, you will need to remove or rename the current users.xml and authorizations.xml files before restarting NiFi.
Thanks,
Matt
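The two checks suggested in this thread (compare the identity denied in nifi-user.log with the configured one, then confirm that user is mapped to the "view the UI" policy) can be scripted as below. This is an added example, not code from any poster or from NiFi; the file layout, the `/flow` resource with action `R` for "view the UI", and the `u-1`/`p-1` identifiers are assumptions or constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample files in the layout assumed for NiFi 1.x's file-based
# authorizer; the identifiers u-1 and p-1 are made up for this example.
USERS_XML = """<tenants><groups/><users>
  <user identifier="u-1" identity="CN=nifiadmin, OU=FIELD.HORTONWORKS.COM"/>
</users></tenants>"""

AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R">
    <user identifier="u-1"/>
  </policy>
</policies></authorizations>"""


def normalize(dn):
    """Loose form used only to hint at near-misses; NiFi compares identities exactly."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_ui_access(presented, users_xml, authz_xml, resource="/flow", action="R"):
    """Return (status, detail) for the identity string NiFi logged as denied.

    Only direct user entries on a policy are checked; group membership is ignored.
    """
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    if presented not in users:
        # Same DN apart from case or spacing: the certificate and config disagree.
        near = [i for i in users if normalize(i) == normalize(presented)]
        return ("identity-mismatch", near[0]) if near else ("unknown-user", None)
    uid = users[presented]
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if policy.get("resource") == resource and policy.get("action") == action:
            if any(u.get("identifier") == uid for u in policy.findall("user")):
                return "allowed", policy.get("identifier")
    return "no-policy", uid


if __name__ == "__main__":
    for dn in ("CN=nifiadmin, OU=FIELD.HORTONWORKS.COM",
               "CN=nifiadmin,OU=field.hortonworks.com",
               "CN=someoneelse, OU=FIELD.HORTONWORKS.COM"):
        print(dn, "->", check_ui_access(dn, USERS_XML, AUTHZ_XML))
```

To use it on a real install, pass the contents of your own users.xml and authorizations.xml and the exact identity string from the denied message in nifi-user.log.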