
Nifi Failed authorization

Contributor

Hi All,

I get the following issue when logging in to the NiFi UI: the user logs in successfully, but the UI does not show the NiFi menu:

2021-09-01 13:24:02,942 INFO [NiFi Web Server-1911] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cdpadmindev@DOMAIN], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I'm using Cloudera private base with Kerberos and AD.

The NiFi configuration is still the default; is there anything that needs to be changed?

Thanks

WB


Contributor

Hi @MattWho, this is my authorizers.xml; for now I still cannot get authorized via a group.

<authorizers>

  <userGroupProvider>
    <identifier>cm-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CMUserGroupProvider</class>
    <property name="Knox Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/knox-conf/knox-gateway.properties</property>
    <property name="NiFi Registry Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/nifiregistry-conf/peer.properties</property>
    <property name="NiFi Group">nifi</property>
    <property name="Infer Unqualified Hostnames">false</property>
    <property name="NiFi Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/nifinode-conf/peer.properties</property>
  </userGroupProvider>

  <userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
    <property name="User Group Provider 2">cm-user-group-provider</property>
  </userGroupProvider>

  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Connect Timeout">10 secs</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="User Identity Attribute">cn</property>
    <property name="Group Name Attribute">cn</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="Group Object Class">group</property>
    <property name="Url">ldap://msad.local.co:389</property>
    <property name="TLS - Keystore Type"></property>
    <property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Group Search Base"></property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
    <property name="Group Member Attribute"></property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Truststore"></property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property encryption="aes/gcm/256" name="Manager Password">Yf41</property>
    <property name="User Group Name Attribute"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="User Object Class">user</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Page Size"></property>
    <property name="Read Timeout">10 secs</property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Sync Interval">30 mins</property>
    <property name="Manager DN">CN=CDP Admin,OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
    <property name="User Search Filter"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="Group Search Filter"></property>
  </userGroupProvider>

  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <classpath>/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/hadoop-conf</classpath>
    <property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
    <property name="User Group Provider">composite-user-group-provider</property>
    <property name="Ranger Admin Identity">host_ranger</property>
    <property name="Ranger Service Type">nifi</property>
    <property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/1546339525-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
    <property name="Ranger Application Id">Cluster1_nifi</property>
    <property name="Ranger Kerberos Enabled">true</property>
  </authorizer>

</authorizers>

Super Mentor

@wbivp 

The exception from the logs you shared is telling you that the ldap-user-group-provider is failing to connect to the configured LDAP server using the Manager DN and Manager Password that have been configured. So the first thing you need to do is validate, re-enter, and test your Manager DN and password from the command line to make sure they work from the NiFi host. You may need to engage with your LDAP team.

Here is your ldap-user-group-provider (I re-ordered the properties to make it easier to read):

<userGroupProvider>

	<identifier>ldap-user-group-provider</identifier>
	<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
	<property name="Authentication Strategy">SIMPLE</property>

	<property name="Manager DN">CN=CDP Admin,OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
	<property encryption="aes/gcm/256" name="Manager Password">Yf41</property>

	<property name="TLS - Keystore"></property>
	<property name="TLS - Keystore Password"></property>
	<property name="TLS - Keystore Type"></property>
	<property name="TLS - Truststore"></property>
	<property name="TLS - Truststore Password"></property>
	<property name="TLS - Truststore Type"></property>
	<property name="TLS - Client Auth"></property>
	<property name="TLS - Protocol"></property>
	<property name="TLS - Shutdown Gracefully"></property>

	<property name="Referral Strategy">FOLLOW</property>
	<property name="Connect Timeout">10 secs</property>
	<property name="Read Timeout">10 secs</property>

	<property name="Url">ldap://msad.local.co:389</property>
	<property name="Page Size"></property>
	<property name="Sync Interval">30 mins</property>
	<property name="Group Membership - Enforce Case Sensitivity">false</property>

	<property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
	<property name="User Object Class">user</property>
	<property name="User Search Scope">ONE_LEVEL</property>
	<property name="User Search Filter"></property>
	<property name="User Identity Attribute">cn</property>
	<property name="User Group Name Attribute"></property>
	<property name="User Group Name Attribute - Referenced Group Attribute"></property>

	<property name="Group Search Base"></property>
	<property name="Group Object Class">group</property>
	<property name="Group Search Scope">ONE_LEVEL</property>
	<property name="Group Search Filter"></property>
	<property name="Group Name Attribute">cn</property>
	<property name="Group Member Attribute"></property>
	<property name="Group Member Attribute - Referenced User Attribute"></property>

</userGroupProvider>

Now, unrelated to your Manager credentials issue, I see some other configuration issues:
1. "Page Size" <-- I always recommend that users set this to 500 (this allows NiFi to request the result in multiple pages of 500. If unset, NiFi expects a single return, and for large results the LDAP server likely has a maximum for how many entries it will provide in a single page).
2. Within the "User" properties I see:
- "User Search Scope" <-- Are all users being synced actually at the same level as the configured "Search Base"? Maybe use "SUBTREE" instead.
- "User Group Name Attribute" <-- With this unset, only user strings from the LDAP "cn" attribute will be synced, since there is no LDAP attribute provided which identifies which groups this user belongs to. This property tells NiFi which LDAP user entry attribute contains the groups that the returned user is a member of.
- "User Group Name Attribute - Referenced Group Attribute" <-- by default this uses the LDAP "DN" attribute.
3. Within the "Group" properties I see:
- "Group Search Base" <-- With this set to blank, a group-based sync is not performed. So without "User Group Name Attribute" set in the "User" section and no group sync being executed, NiFi will not get any group strings returned.
- "Group Name Attribute" <-- Set to CN, which tells NiFi to use the value assigned to the LDAP "cn" group entry attribute as the group identity string in NiFi (but since the other properties I mentioned are not set, none will be added to NiFi).
- "Group Member Attribute" <-- If you were to determine user/group associations via a group sync, this would need to be set so that NiFi knows which LDAP group entry attribute defines which users are members of each group returned by the group sync.

So....
Step 1: Address the Manager DN and/or Manager Password issue blocking the provider from being able to successfully connect to your LDAP.
Step 2: Fix the user and group sync sections so that NiFi can properly determine which users and groups to sync and how to determine the associations between them. This requires knowledge of the user and group entries in your LDAP/AD. I can't help you further here without sample ldapsearch output for a user and a group from the LDAP that you are trying to use for authorization in NiFi.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider


Please be sure to log in and click "Accept as Solution" on all responses that assisted you within this query.

Thank you,

Matt

Community Manager

@wbivp, Has any of the replies helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.



Regards,

Vidya Sargur,
Community Manager

Contributor

Hi @MattWho 

This is the sample from ldapsearch:

distinguishedName: CN=wbivp,OU=DEVELOPER,DC=msad,DC=local,DC=co
memberOf: CN=cdpconsultant,OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co

My username is wbivp, with group cdpconsultant.

From this information, please advise on how to fill in the configuration required by NiFi.

Contributor

Hi All,

If there is an example of a NiFi user group provider with Ranger configuration, it would be very helpful.

Super Mentor

@wbivp 

I created a community article long ago that details the Ranger-based "NiFi Resource Identifier" policy strings you would use in Ranger to provide various levels of authorization within NiFi.

https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

For example, if you want to grant access so that users can access and create components within a PG:

/process-groups/<uuid of PG>
Grant Read and Write for your "group" and/or "user" to allow them to view configurations and add components (processors, controller services, child PGs, etc.) within this PG.
/data/process-groups/<uuid of PG>
Grant Read and Write for your "group" and/or "user" to allow them to view and delete content (FlowFiles) queued within connections within this PG.

Keep in mind that child PGs will inherit the access granted to the parent PG unless explicit policies have been set on the child PG.

Hope this helps,

Matt

Super Mentor

@wbivp 

Without full ldapsearch output for a user and a group, I'd have to make some guesses and assumptions with regards to your specific setup, but it looks like you are using AD, so here is a configuration you may want to try:

	<property name="User Search Base">OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
	<property name="User Object Class">user</property>
	<property name="User Search Scope">SUBTREE</property>
	<property name="User Search Filter"></property>
	<property name="User Identity Attribute">sAMAccountName</property>
	<property name="User Group Name Attribute">memberOf</property>
	<property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>

	<property name="Group Search Base">OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co</property>
	<property name="Group Object Class">group</property>
	<property name="Group Search Scope">SUBTREE</property>
	<property name="Group Search Filter"></property>
	<property name="Group Name Attribute">cn</property>
	<property name="Group Member Attribute">member</property>
	<property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>

Another thing you should do is enable DEBUG on the ldap-user-group-provider class. With DEBUG, this provider will output to the nifi-app.log the list of user and group strings that are being synced from your AD, and also show the associations discovered between them.

Adding this logger involves editing the contents of NiFi's logback.xml file. Scroll down in the logback.xml until you start seeing lines that start with "<logger..../>" and insert the following new line:

<logger name="org.apache.nifi.ldap.tenants.LdapUserGroupProvider" level="DEBUG"/>

Those user and group strings are absolute and case sensitive. So they must exist identically in Ranger when they get associated with the policies you set up.

If the strings logged in the nifi-app.log do not match what you have in Ranger exactly, you'll need to adjust your configuration until they do. If the strings don't match but can be manipulated to match using Java regular expressions, take a look at the user and group mapping pattern [1] capabilities that can be configured in the nifi.properties file (there are different properties for manipulating identity/user strings and group strings). These mappings are evaluated against the strings returned by the providers in the authorizers.xml and returned by the login providers before they are used to check authorization. What is output to the log is post any mapping being applied.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Hope this helps,

Matt
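The two syncs Matt describes (user-side via "User Group Name Attribute", group-side via "Group Member Attribute"), the effect of ONE_LEVEL versus SUBTREE, and the nifi.properties mapping patterns that rewrite identity strings before Ranger sees them can be tried out offline. The following is an added illustration for this thread, not NiFi's or Cloudera's code: it is a simplified Python model of the LdapUserGroupProvider behaviour (no paging, no escaped commas in DNs, exact attribute matching) run over a constructed directory shaped after the ldapsearch output posted above. The `cdpadmindev` entry in a sub-OU and every attribute value not shown in the thread are hypothetical.

```python
"""Simplified model of NiFi's LdapUserGroupProvider sync and of the
nifi.properties identity/group mapping step. Added example, not NiFi's code:
DN handling, paging and attribute matching are simplified."""
import re

# Constructed directory shaped after the ldapsearch output posted in the thread.
# The cdpadmindev entry (in a sub-OU) and unshown attribute values are hypothetical.
DIRECTORY = [
    {"distinguishedName": "CN=wbivp,OU=DEVELOPER,DC=msad,DC=local,DC=co",
     "objectClass": ["user"], "cn": "wbivp", "sAMAccountName": "wbivp",
     "memberOf": ["CN=cdpconsultant,OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co"]},
    {"distinguishedName": "CN=cdpadmindev,OU=Admins,OU=DEVELOPER,DC=msad,DC=local,DC=co",
     "objectClass": ["user"], "cn": "cdpadmindev", "sAMAccountName": "cdpadmindev",
     "memberOf": ["CN=cdpconsultant,OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co"]},
    {"distinguishedName": "CN=cdpconsultant,OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co",
     "objectClass": ["group"], "cn": "cdpconsultant",
     "member": ["CN=wbivp,OU=DEVELOPER,DC=msad,DC=local,DC=co",
                "CN=cdpadmindev,OU=Admins,OU=DEVELOPER,DC=msad,DC=local,DC=co"]},
]

# Provider properties as posted in the thread: no group search, no user-side group attribute.
CONFIG_POSTED = {
    "User Search Base": "OU=DEVELOPER,DC=msad,DC=local,DC=co",
    "User Object Class": "user", "User Search Scope": "ONE_LEVEL",
    "User Identity Attribute": "cn", "User Group Name Attribute": "",
    "User Group Name Attribute - Referenced Group Attribute": "",
    "Group Search Base": "", "Group Object Class": "group",
    "Group Search Scope": "ONE_LEVEL", "Group Name Attribute": "cn",
    "Group Member Attribute": "", "Group Member Attribute - Referenced User Attribute": "",
}
# The AD-oriented values suggested later in the thread.
CONFIG_SUGGESTED = {**CONFIG_POSTED,
    "User Search Scope": "SUBTREE", "User Identity Attribute": "sAMAccountName",
    "User Group Name Attribute": "memberOf",
    "User Group Name Attribute - Referenced Group Attribute": "distinguishedName",
    "Group Search Base": "OU=Groups,OU=DEVELOPER,DC=msad,DC=local,DC=co",
    "Group Search Scope": "SUBTREE", "Group Member Attribute": "member",
    "Group Member Attribute - Referenced User Attribute": "distinguishedName",
}

def in_scope(dn, base, scope):
    """True if dn sits under base; ONE_LEVEL allows exactly one RDN below base."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if len(dn_parts) <= len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    return scope == "SUBTREE" or len(dn_parts) - len(base_parts) == 1

def search(directory, base, scope, object_class):
    """Entries of the given objectClass within base/scope; a blank base means no search."""
    if not base:
        return []
    return [e for e in directory
            if object_class in e["objectClass"] and in_scope(e["distinguishedName"], base, scope)]

def lookup(entries, attr, value):
    # Entry whose attribute equals value (AD compares DNs case-insensitively).
    return next((e for e in entries if str(e.get(attr, "")).lower() == value.lower()), None)

def sync(cfg, directory):
    """Return (user identities, {group name: member identities}) for a provider config."""
    ident_attr = cfg["User Identity Attribute"] or "distinguishedName"
    name_attr = cfg["Group Name Attribute"] or "distinguishedName"
    user_entries = search(directory, cfg["User Search Base"], cfg["User Search Scope"], cfg["User Object Class"])
    group_entries = search(directory, cfg["Group Search Base"], cfg["Group Search Scope"], cfg["Group Object Class"])
    users = {e[ident_attr] for e in user_entries}
    groups = {}
    # Group-side sync: each group entry lists its members.
    member_attr, user_ref = cfg["Group Member Attribute"], cfg["Group Member Attribute - Referenced User Attribute"]
    for g in group_entries:
        members = groups.setdefault(g[name_attr], set())
        for value in (g.get(member_attr, []) if member_attr else []):
            if user_ref:                      # value references an attribute of a synced user entry
                u = lookup(user_entries, user_ref, value)
                if u:
                    members.add(u[ident_attr])
            elif value in users:              # value is the identity string itself
                members.add(value)
    # User-side sync: each user entry lists the groups it belongs to.
    group_attr, group_ref = cfg["User Group Name Attribute"], cfg["User Group Name Attribute - Referenced Group Attribute"]
    for e in user_entries:
        for value in (e.get(group_attr, []) if group_attr else []):
            if group_ref:                     # value must resolve to a group found by the group search
                g = lookup(group_entries, group_ref, value)
                if g:
                    groups.setdefault(g[name_attr], set()).add(e[ident_attr])
            else:                             # value is used verbatim as the group name
                groups.setdefault(value, set()).add(e[ident_attr])
    return users, groups

def map_identity(identity, pattern, value):
    """nifi.security.identity.mapping.pattern.X / .value.X (and the group.mapping
    equivalents): when the whole string matches the regex, rebuild it from the
    value template, substituting $1, $2, ... with the capture groups."""
    m = re.fullmatch(pattern, identity)
    if not m:
        return identity
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)

if __name__ == "__main__":
    for label, cfg in (("posted", CONFIG_POSTED), ("suggested", CONFIG_SUGGESTED)):
        users, groups = sync(cfg, DIRECTORY)
        print(label, "users:", sorted(users), "groups:", {k: sorted(v) for k, v in groups.items()})
    # Kerberos login identity vs. sAMAccountName: strip the realm so both strings agree.
    print(map_identity("cdpadmindev@DOMAIN", r"^(.*?)@(.*?)$", "$1"))
```

With the posted configuration the model yields the user `wbivp` and no groups at all, which is exactly the `groups[]` in the AccessDenied log line; the sub-OU user is also missed because of ONE_LEVEL. With the suggested configuration both users land in `cdpconsultant`, and the two syncs agree with each other. The realm-stripping pattern is the `kerb` example from the NiFi admin guide (`nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$`, `.value.kerb=$1`); it is what makes the Kerberos login identity `cdpadmindev@DOMAIN` equal the `sAMAccountName` string the provider syncs, so Ranger sees one identity. If instead you leave "Group Search Base" blank and use `memberOf` values directly, the group names come through as full DNs and a `nifi.security.group.mapping.pattern.*` entry such as `^CN=(.*?),(.*)$` with value `$1` is needed to reduce them to the `cn`. The DEBUG logger Matt mentions shows the real provider's post-mapping strings, so compare its output against this model rather than trusting the model alone.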