Support Questions

Find answers, ask questions, and share your expertise

NiFi Insufficient privileges post enabling SSL

avatar
Master Guru

I have enabled SSL and created cert

/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.1.0-2/bin/tls-toolkit.sh client -c xxxxx.field.hortonworks.com -D 'CN=nifiadmin, OU=FIELD.HORTONWORKS.COM' -p 10443 -t admin -T pkcs12

Add cert to my keychain. and loaded pem in chrome

I have my initial admin identity set to

CN=nifiadmin, OU=FIELD.HORTONWORKS.COM

This is in my users.xml

<tenants>
    <groups/>
    <users>
        <user identifier="92f3fcec-cd4d-347d-b750-c54eb8f7d04f" identity="CN=nifiadmin, OU=FIELD.HORTONWORKS.COM">
        <role name="ROLE_ADMIN"/>
        <user identifier="b7851c46-a903-34d5-928e-483bf61ddc17" identity="xxxxx.field.hortonworks.com">
        <role name="ROLE_ADMIN"/>
    </users>
</tenants>

When I hit the UI it says I have insufficient privileges. Any ideas?

I have deleted authorizations.xml and users.xml, restarted nifi and same issue. I have also updated the users.xml and set <role name="ROLE_ADMIN"/> for each user. I removed this spinet as well. same issue.

1 ACCEPTED SOLUTION

avatar
Master Guru

There is no such thing as "roles" in Apache NiFi 1.x, I would expect that to fail start-up with those role elements.

When you receive the insufficient privileges message, what is shown in nifi-user.log? There should be a message with a user identity that was denied and we need to compare that identity to what you entered as your initial admin.

View solution in original post

6 REPLIES 6

avatar

<role> elements are from NiFi 0.x. As you are on 1.x, you need to populate the authorizations.xml file with the appropriate mappings of the user (identified by the UUID) to the specific policies which will grant them access to perform the desired behavior. If you paste the contents of your authorizations.xml file here, we can correct any issues. Specifically, to view the UI, your user needs READ on the "view the UI" policy.

avatar
Master Guru

@Andy LoPresto got it. but how am I suppose to provide read access to admin if i am not able to get into UI using admin cert.

avatar

When you set the Initial Admin Identity, NiFi does populate the roles for that user, including "view the UI", which allows you to then configure other users via the interface. Obviously there was an issue with generating your authorizations.xml, so that policy doesn't exist at this time. If you provide the authorizations.xml, we can fix it.

avatar
Master Guru

There is no such thing as "roles" in Apache NiFi 1.x, I would expect that to fail start-up with those role elements.

When you receive the insufficient privileges message, what is shown in nifi-user.log? There should be a message with a user identity that was denied and we need to compare that identity to what you entered as your initial admin.

avatar
Master Guru

Thank you all for responses. Great stuff. I was able to parse the nifi user log as suggested and found my cert was wrong user. I am getting proxy error now. will open another post. thank you again.

avatar
Master Mentor

@Sunile Manjee

The users.xml file you have above was not generated by NiFi. Did you manually create that?

You should not need to do that. On First start of NiFi after enabling https, NiFi will generate both the users.xml and authorizations.xml files from the configurations in the authorizers.xml file.

If the users.xml and authorizations.xml files already exist, NiFi will not modify them or re-create them during startup even if you change the configurations in the authorizers.xml file for "Initial Admin Identities" or "node identities".

In order to to have NiFi create those files over, you will need to remove or rename the current users.xml and authorizations.xml files before restarting NiFi.

Thanks,

Matt