
NiFi Registry: policies aren't inherited from group to user


New Contributor

Greetings, and thanks for great work!

 

We're trying to set up the secured NiFi Registry. Logins are synchronized from AD, while policies are stored in authorizers.xml. We've created a bunch of users in NiFi and added them to the "Administration" group, then copied users.xml to NiFi Registry and (from the initial admin identity) activated all policies on this group, including user management. However, members of this group still aren't able to add users themselves. Is this a bug, or some misconfiguration on our side?

 

upd: looks like the problem is deeper. We've added another user (through the initial admin identity) with explicitly added "user access". However, he is still not able to create new users and/or manage existing ones. What should we check, then?

 

upd2: after writing the previous text, I refreshed the NiFi Registry page, and the "Add user" button became active. Magic...


Re: NiFi Registry: policies aren't inherited from group to user

Master Guru

@kv_bagrov 

 

NiFi and NiFi-Registry user authorization is case sensitive. User authentication is handled first, and upon successful authentication the resulting user string returned during authentication is evaluated against any identity mappings configured in the nifi-registry.properties file. If a mapping pattern matches, the subsequent configured mapping value and transform are applied, and that result is what is passed on for user authorization.

So if authentication results in user string "bob", that would be treated as a different user if the authorizer contains "Bob".

 

Not having access to nifi-registry.properties, identity-providers.xml, and authorizers.xml files makes diagnosing the exact issue difficult.

 

Other important things to understand:
1. The only configuration file that is reprocessed regularly while NiFi or NiFi-Registry is already running is the logback.xml. So if you modify the users.xml or authorizations.xml files and do not restart the service, those changes will not take effect.
2. The users.xml and authorizations.xml files are only created by the authorizers.xml providers if they do NOT already exist. The authorizers.xml providers will not update/modify pre-existing files on startup. This is by design to prevent unintentionally adding users back into the service on restart that may have been removed through the UI. The expectation is that once set up initially, all future local user additions are handled via the UI. So changing the configured "initial admin identity" in either the file-user-group-provider or file-access-providers will have no effect on your preexisting files.

3. If you have been accessing multiple NiFi-Registries from the same browser or have multiple tabs open connecting to the same NiFi-Registry within your browser, try clearing your browser cache and logging in again.

 

 

Hope this helps,

Matt
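
The case-sensitivity check described in the reply above can be run offline against copies of the configuration. This is an added example, not part of the original reply and not NiFi Registry code: the properties text and users.xml content are constructed samples, and `map_identity` is a simplified model of identity mapping (first matching pattern wins, names tried in sorted order).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
PROPS = """\
nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.registry.security.identity.mapping.value.dn=$1
nifi.registry.security.identity.mapping.transform.dn=LOWER
"""
USERS_XML = """<tenants>
  <groups><group identifier="g1" name="Administration"><user identifier="u1"/></group></groups>
  <users><user identifier="u1" identity="Bob"/><user identifier="u2" identity="alice"/></users>
</tenants>"""

PREFIX = "nifi.registry.security.identity.mapping."

def load_mappings(props_text):
    """Collect {name: {pattern, value, transform}} from properties text."""
    mappings = {}
    for line in props_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.startswith(PREFIX):
            kind, _, name = key[len(PREFIX):].partition(".")
            mappings.setdefault(name, {})[kind] = val
    return mappings

def map_identity(identity, mappings):
    """Apply the first mapping whose pattern matches the whole string (assumed model)."""
    for name in sorted(mappings):
        m = mappings[name]
        match = re.fullmatch(m["pattern"], identity)
        if match:
            # Convert Java-style $1 group references to Python's \g<1> form.
            out = match.expand(re.sub(r"\$(\d)", r"\\g<\1>", m.get("value", "")))
            t = m.get("transform", "NONE")
            return out.upper() if t == "UPPER" else out.lower() if t == "LOWER" else out
    return identity  # no mapping matched: identity is passed on unchanged

def check(authenticated, props_text=PROPS, users_xml=USERS_XML):
    """Return (mapped identity, verdict) using an exact, case-sensitive comparison."""
    mapped = map_identity(authenticated, load_mappings(props_text))
    known = [u.get("identity") for u in ET.fromstring(users_xml).iter("user") if u.get("identity")]
    if mapped in known:
        return mapped, "match"
    near = [k for k in known if k.lower() == mapped.lower()]
    return mapped, f"case mismatch with {near[0]!r}" if near else "unknown user"
```

With the sample data, `check("CN=Bob, OU=Staff")` reports a case mismatch: the LOWER transform produces `bob`, while users.xml holds `Bob`.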


Re: NiFi Registry: policies aren't inherited from group to user

Community Manager

@kv_bagrov Can you confirm that this issue is resolved? If so please respond with the solution. You can then use the Accept as Solution button to mark that reply appropriately. This will assist others who may face a similar situation. 

Cy Jervis, Community Manager
