NiFi: Unknown user with identity 'admin'. Contact the system administrator.

Explorer

I get the error "Unknown user with identity 'admin'. Contact the system administrator." on login.

I installed nifi 1.7.1 and nifi-toolkit 1.7.1...

But an error message occurs.

nifi-user.log is:

2018-08-02 01:17:44,001 INFO [NiFi Web Server-22] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[admin], groups[] does not have permission to access the requested resource. Unknown user with identity 'admin'. Returning Forbidden response.


2018-08-02 01:19:13,176 INFO [NiFi Web Server-70] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:9443/nifi-api/flow/current-user (source ip: xxx.xxx.xx.xx)


2018-08-02 01:19:13,178 INFO [NiFi Web Server-70] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin


authorizers.xml:

<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">admin</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=admin,OU=NIFI</property>
</authorizer>

login-identity-providers.xml:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=admin,OU=NIFI,DC=evidnet,DC=com</property>
    <property name="Manager Password">evidnet</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">IGNORE</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://localhost:389</property>
    <property name="User Search Base">OU=NIFI,DC=evidnet,DC=com</property>
    <property name="User Search Filter">cn={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">2 hours</property>
</provider>

4 REPLIES

Expert Contributor
@Seongmin Park

It looks like you are trying to enable LDAP auth in NiFi.

Were you able to access the NiFi UI with certificates before enabling LDAP authentication?

Could you update the values of the below properties from the nifi.properties file:

nifi.login.identity.provider.configuration.file
nifi.security.user.login.identity.provider

Also, are you using AD or OpenLDAP as your LDAP implementation?

Master Mentor
@Seongmin Park

-

The log is telling you that authentication for your login user "admin" was successful; however, the authorization for that user was not.

-

There is nothing that stands out to me in your basic authorizers.xml file configuration. So my thought here is that this is not the original configuration of the authorizers.xml file.

The file-provider is used to initially generate the users.xml and authorizations.xml files. Once these files exist they will not be re-generated or modified if you later make changes to this configuration xml. Basically if the users.xml and authorizations.xml files already exist, the file-provider will do nothing.

-

I suggest taking a look at what is currently in your users.xml and authorizations.xml files. My guess here is that you will find that a user entry does not exist for "admin" in the users.xml file.

-

If you remove or rename these two files and restart your NiFi instance, the authorization will build new versions of these files based on the current configuration in your authorizers.xml file.

-

Thank you,

Matt

-

If you found this answer addressed your original question, please take a moment to log in and click "Accept" below the answer.

Rising Star

Hi @krajguru

I have the same issue. I was able to log in through the certificate "CN=Adminstrator, OU=NIFI", but when I switched to LDAP I got the error "Unknown user with identity 'CN=Adminstrator, OU=NIFI'. Contact the system administrator."

Note that I created a user on NiFi called admin to use with LDAP, and changed the configuration of "Initial User Identity" to admin and the login identity provider as attached.

Can you help?

Thanks

screenshot-2018-12-26-at-132734.png

Master Mentor

@Yahya Najjar

Changing the value for "Initial Admin Identity" in your authorizers.xml after NiFi had already been started previously with a different value will not work.

-

On NiFi startup, the authorizer looks to see if the following files defined in your authorizers.xml already exist:

<property name="Authorizations File">/<some path>/authorizations.xml</property>
<property name="Users File">/<some path>/users.xml</property>

If they do exist, they will be used for authorization and new versions of these files will not be generated.

-

Even though you changed the "Initial Admin Identity" property value, it will result in any change being made to the above files.

Since your existing setup already works with your original user certificate, I would suggest authenticating to your NiFi with that certificate and then adding your new user "admin" via the users UI from within the NiFi interface.

-

You can always delete/rename the existing "users.xml" and "authorizations.xml" files so that new copies are generated on startup, but keep in mind that you will lose any authorizations you may have manually added through the NiFi interface.

Another option is to manually edit the "users.xml" file and change the original user based on your user certificate value to the new "admin" value. A restart would be needed for this change to be read in by NiFi.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
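
The check suggested in both answers above (look in users.xml for the identity that authenticated, then see what authorizations.xml grants it) can be scripted. This is an added example, not part of the original thread or of NiFi itself; the embedded files are constructed samples, and the `tenants`/`users`/`user` and `policies`/`policy` layout is assumed to match what the FileAuthorizer writes in NiFi 1.x.

```python
import xml.etree.ElementTree as ET

# Constructed samples: authorizers.xml was edited to "admin" after users.xml
# had already been generated for a certificate identity.
AUTHORIZERS_XML = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <property name="Initial Admin Identity">admin</property>
</authorizer></authorizers>"""

USERS_XML = """<tenants><groups/><users>
  <user identifier="11111111-aaaa" identity="CN=admin, OU=NIFI"/>
</users></tenants>"""

AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/flow" action="R"><user identifier="11111111-aaaa"/></policy>
  <policy identifier="p2" resource="/tenants" action="W"><user identifier="11111111-aaaa"/></policy>
</policies></authorizations>"""


def initial_admin(authorizers_xml):
    """Return the configured Initial Admin Identity, or '' if unset."""
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return (prop.text or "").strip()
    return ""


def audit_identity(identity, users_xml, authorizations_xml):
    """Return (known, policies) for an identity, using exact string comparison."""
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).findall("./users/user")}
    uid = users.get(identity)
    if uid is None:
        return False, []          # this is the "Unknown user with identity" case
    policies = [(p.get("resource"), p.get("action"))
                for p in ET.fromstring(authorizations_xml).iter("policy")
                if any(u.get("identifier") == uid for u in p.findall("user"))]
    return True, sorted(policies)


def stale_files(authorizers_xml, users_xml, authorizations_xml):
    """True when the configured initial admin is missing from users.xml,
    i.e. the files predate the current authorizers.xml."""
    known, _ = audit_identity(initial_admin(authorizers_xml), users_xml, authorizations_xml)
    return not known


if __name__ == "__main__":
    for ident in ("admin", "CN=admin, OU=NIFI"):
        print(ident, audit_identity(ident, USERS_XML, AUTHORIZATIONS_XML))
    print("stale:", stale_files(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML))
```

Pass it the identity exactly as it appears in `identity[...]` in nifi-user.log, since that string is what the authorizer looks up.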