
NiFi access denied

New Contributor

Hi, I have some issues after initial setup and securing NiFi.

I have setup a CentOS6 (including java) machine with hostname nifi.domeinbram.nl.

I downloaded NiFi and the TLS toolkit and extracted them to /opt. I ran nifi.sh install and started the nifi service. After the initial setup of NiFi 1.1.2 I can access the UI on port 8080 (/nifi) fine.

I then used the TLS toolkit to secure NiFi:

./tls-toolkit.sh standalone -n 'nifi.domeinbram.nl' -C 'CN=admin' -o keys/

I then copied the new nifi.properties, keystore.jks and truststore.jks to /opt/nifi/conf/.

I imported the CN=admin.p12 into my browser, pasted in the password from the CN=admin.password file, and it imported successfully.

In the authorizers.xml I added CN=admin as Initial Admin Identity and CN=nifi.domeinbram.nl as Node Identity 1.

I then restarted the nifi service but I get an access denied message.

---------------------------

authorizers.xml

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=admin</property>
        <property name="Legacy Authorized Users File"></property>

        <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
        <property name="Node Identity 1"></property>-->
        <property name="Node Identity 1">CN=nifi.domeinbram.nl</property>
        
    </authorizer>

---------------------------

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
    </users>
</tenants>

---------------------------

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="fae5e3fa-eadf-3a72-bf76-d41db5fe3466" resource="/flow" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="18ca28ba-fda1-307d-9933-3f9ba9df87c8" resource="/restricted-components" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="d16181ab-64b4-373d-962f-37ec6dfea690" resource="/tenants" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="e1c46fdb-3a7a-3bbc-b5c3-a5105b95f45a" resource="/tenants" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="efd80e78-a828-3db0-af33-ee4f6016cdcb" resource="/policies" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="adb5c9f4-46e7-3805-b928-2c9baeebaa4e" resource="/policies" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="2bd33257-04ce-36ac-b4d8-265e4e3802af" resource="/controller" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="168c06df-f12d-3c7f-94c6-ac5600837140" resource="/controller" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
    </policies>
</authorizations>

---------------------------

Hope someone can help me out... doing something wrong :).

Kind regards,

Bram

1 ACCEPTED SOLUTION

Master Mentor

@Bram Klinkenberg

The first thing that seems out of place to me is that in the following two lines the user DN is "CN=admin":

./tls-toolkit.sh standalone -n 'nifi.domeinbram.nl' -C 'CN=admin' -o keys/

and

<property name="Initial Admin Identity">CN=admin</property>

However, your users.xml file shows a DN of "cn=admin":

<user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>

They must match exactly or it is treated as a different identity.

If you tail the nifi-user.log while you try to access the UI, you will see lines output for authentication and authorization. You will see in that log the exact DN being passed to the authorizer. Is it mixed case or all lower case? The DN shown in the nifi-user.log must match exactly what is in the users.xml file.

NiFi only generates the users.xml and authorizations.xml files on first startup when NiFi is secured. Subsequent changes to the authorizers.xml file will not trigger any changes/updates to pre-existing users.xml and/or authorizations.xml files.

In your case since you are just getting started and you have no other users yet to worry about, you can simply delete these files and restart. NiFi will re-create them since they do not exist based on the current settings in the authorizers.xml file.

In your case, you could also just manually edit the users.xml file since it appears to be a very simple change.

Thanks,

Matt

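The accepted answer boils down to three checks: the identity configured in authorizers.xml must be byte-for-byte identical to the identity in users.xml, the DN NiFi logs in nifi-user.log tells you which string the authorizer actually received, and users.xml is only generated once, so a mismatch has to be fixed by deleting the generated files or editing users.xml. The script below is an added example, not code from the thread or from Apache NiFi; it parses the two config files as laid out on this page, flags case-only mismatches separately from missing identities, pulls the logged identities out of a nifi-user.log excerpt, and rewrites the identity attribute while keeping the identifier that authorizations.xml references. The sample XML is constructed to mirror the thread's files, and the log lines are an assumed approximation of the nifi-user.log format rather than output copied from a real instance.

```python
"""Check NiFi FileAuthorizer identities for exact (case-sensitive) matches.

Added example, not code from the original post or from Apache NiFi.
Assumes the NiFi 1.1.x file layouts shown in the thread; all sample data
below is constructed, and the log line format is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's authorizers.xml fragment.
AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=admin</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifi.domeinbram.nl</property>
    </authorizer>
</authorizers>
"""

# Constructed sample modelled on the thread's users.xml.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
    </users>
</tenants>
"""

# Constructed nifi-user.log excerpt; the line format is an assumption.
NIFI_USER_LOG = """\
2017-02-20 10:15:02,311 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin
2017-02-20 10:15:02,340 INFO [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin], groups[] does not have permission to access the requested resource. Returning Forbidden response.
"""


def configured_identities(authorizers_xml):
    """Return {property name: value} for Initial Admin Identity and Node Identity N."""
    wanted = {}
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        name = prop.get("name", "")
        if (name == "Initial Admin Identity" or name.startswith("Node Identity")) \
                and prop.text and prop.text.strip():
            wanted[name] = prop.text.strip()
    return wanted


def stored_identities(users_xml):
    """Return {identity: identifier} for every <user> in users.xml."""
    return {u.get("identity"): u.get("identifier")
            for u in ET.fromstring(users_xml).iter("user")}


def check_identities(authorizers_xml, users_xml):
    """List (property, identity, reason) for configured identities with no exact match.

    NiFi compares identities as plain strings, so "CN=admin" and "cn=admin"
    are two different users; a case-only difference is reported separately.
    """
    stored = stored_identities(users_xml)
    lowered = {k.lower(): k for k in stored}
    findings = []
    for prop, identity in configured_identities(authorizers_xml).items():
        if identity in stored:
            continue  # exact match, nothing to do
        if identity.lower() in lowered:
            findings.append((prop, identity, "case mismatch with %r" % lowered[identity.lower()]))
        else:
            findings.append((prop, identity, "absent from users.xml"))
    return findings


def identities_from_log(log_text):
    """Extract the identity strings NiFi logged (assumed patterns, see module docstring)."""
    pat = re.compile(r"Authentication success for (.+?)\s*$|identity\[([^\]]+)\]")
    return [m.group(1) or m.group(2)
            for m in (pat.search(line) for line in log_text.splitlines()) if m]


def fix_users_xml(users_xml, wrong, right):
    """Rewrite identity 'wrong' to 'right' in users.xml, keeping the identifier.

    authorizations.xml references users by identifier, so the existing
    policies stay attached; this is the manual-edit option from the answer.
    """
    root = ET.fromstring(users_xml)
    for u in root.iter("user"):
        if u.get("identity") == wrong:
            u.set("identity", right)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for prop, identity, why in check_identities(AUTHORIZERS_XML, USERS_XML):
        print("%s=%r: %s" % (prop, identity, why))
    print("identities seen in nifi-user.log:", identities_from_log(NIFI_USER_LOG))
    print(fix_users_xml(USERS_XML, "cn=admin", "CN=admin"))
```

Run against the sample data it reports the case mismatch between the configured CN=admin and the stored cn=admin, which is exactly what the accepted answer found. It also reports the Node Identity 1 value as absent from users.xml, which matches the users.xml shown on this page; the thread was resolved without that entry, so on a standalone instance treat that finding as informational. When many users already exist, patching the identity attribute with the last function is safer than deleting users.xml and authorizations.xml, because deletion discards every policy that was granted after first startup.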

3 REPLIES


New Contributor

Pfffffff... I've been staring and cursing at my monitor for 2 days hahaha... Thanks! It works fine now!

Master Mentor

@Bram Klinkenberg

Glad to hear it is resolved. If this answer provided what you needed to resolve your issue, please accept the answer.

Thank you, Matt