Nifi Failed authorization

Contributor

Hi All,

I get the following issue when logging in to the NiFi UI: the user logs in successfully, but the UI does not show the NiFi menu:
2021-09-01 13:24:02,942 INFO [NiFi Web Server-1911] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cdpadmindev@DOMAIN], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I'm using Cloudera Private Base with Kerberos and AD.

The NiFi configuration is still the default; is there anything that needs to be changed?

Thanks

WB


Master Collaborator

Contributor

Hi @Scharan,
Thanks for your response. We already have the policy in Ranger by default:

[screenshot: wbivp_0-1630479549445.png]

and I have already assigned our user and group to this policy, but authorization still fails.

Master Mentor

@wbivp 

Is the exact user string you see in the nifi-user.log the same (case-sensitive) as what is set in Ranger?
Is this user string authorized for the /flow policy?

Thank you,

Matt

Master Mentor

@wbivp 

The nifi-user.log output you shared indicates that the user string "cdpadmindev@DOMAIN" has not been authorized against the NiFi /flow resource identifier (View the user interface).

The authorizers.xml configuration file controls how user and/or group based authorizations are set up and managed. So the first thing is: what is configured in that file?

Is it using a file-based authorizer or an external Ranger-based authorizer?
Is it using any user group providers?
Did you configure an initial admin identity? If so, does that initial admin identity string exactly match your user string from the nifi-user.log you shared?

If using the file-based authorizer, you should have in the authorizers.xml both the "file-user-group-provider" and the "file-access-policy-provider". These providers are used to create the users.xml and authorizations.xml files on startup if they do NOT already exist. So even if you do have the initial admin set correctly, if NiFi was started previously before the user string was set, you would have existing users.xml and authorizations.xml files without this user and the required admin policies set. (Remove these files and restart NiFi so they are generated again.)

If using Ranger as your authorizer, you need to make sure that the user string, exactly as you see it in the nifi-user.log, exists as a user in Ranger and that the NiFi service plugin in Ranger is set up and has the correct NiFi resource identifier policies authorized for that user. Here is a reference article on those Ranger-based NiFi policies:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

Contributor

Hi @MattWho 

We are using the Ranger authorizer; the user string is exactly the same in nifi-user.log and in the Ranger user.

Below is the authorizers.xml content:

<authorizers>
  <userGroupProvider>
    <identifier>cm-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CMUserGroupProvider</class>
    <property name="Knox Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/knox-conf/knox-gateway.properties</property>
    <property name="NiFi Registry Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/nifiregistry-conf/peer.properties</property>
    <property name="NiFi Group">nifi</property>
    <property name="Infer Unqualified Hostnames">false</property>
    <property name="NiFi Nodes Properties Location">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/nifinode-conf/peer.properties</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="User Group Provider 1">cm-user-group-provider</property>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">wahyu.budiman</property>
    <property name="Users File">/var/lib/nifi/users.xml</property>
  </userGroupProvider>

  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <classpath>/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/hadoop-conf</classpath>
    <property name="Ranger Security Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-security.xml</property>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Ranger Admin Identity">rangerhostname</property>
    <property name="Ranger Service Type">nifi</property>
    <property name="Ranger Audit Config Path">/var/run/cloudera-scm-agent/process/1546339122-nifi-NIFI_NODE/ranger-nifi-audit.xml</property>
    <property name="Ranger Application Id">Cluster1_nifi</property>
    <property name="Ranger Kerberos Enabled">true</property>
  </authorizer>
</authorizers>
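To work through Matt's checklist (which authorizer is active, which user-group-providers feed it, which initial identities are seeded, and whether those identities match the identity string from nifi-user.log character for character) against a configuration like the one just posted, here is an added Python example. It is not code from the thread, from NiFi or from Cloudera: the embedded XML is a constructed copy of the posted structure with placeholder paths, and the function names (parse_authorizers, provider_chain, diagnose, etc.) are the example's own.

```python
"""Added example: read an authorizers.xml and report what the authorization
chain looks like, plus whether a configured initial identity matches the
identity string taken from nifi-user.log (exact, case-sensitive comparison).
The XML below is a constructed copy of the posted structure with placeholder
paths; the functions also work on the text of a real authorizers.xml."""
import re
import xml.etree.ElementTree as ET

SAMPLE_AUTHORIZERS_XML = """\
<authorizers>
  <userGroupProvider>
    <identifier>cm-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CMUserGroupProvider</class>
    <property name="NiFi Group">nifi</property>
    <property name="NiFi Nodes Properties Location">/PLACEHOLDER/nifinode-conf/peer.properties</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="User Group Provider 1">cm-user-group-provider</property>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">wahyu.budiman</property>
    <property name="Users File">/var/lib/nifi/users.xml</property>
  </userGroupProvider>
  <authorizer>
    <identifier>ranger-provider</identifier>
    <class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Ranger Service Type">nifi</property>
  </authorizer>
</authorizers>
"""


def parse_authorizers(xml_text):
    """Return (user_group_providers, authorizers), each identifier -> {class, properties}."""
    root = ET.fromstring(xml_text)

    def collect(tag):
        out = {}
        for el in root.iter(tag):
            out[el.findtext("identifier")] = {
                "class": el.findtext("class"),
                "properties": {p.get("name"): (p.text or "").strip()
                               for p in el.findall("property")},
            }
        return out

    return collect("userGroupProvider"), collect("authorizer")


def provider_chain(providers, start):
    """Follow 'User Group Provider N' and 'Configurable User Group Provider'
    references from `start`; return every provider reached, in document order."""
    seen, order, queue = set(), [], [start]
    while queue:
        ident = queue.pop(0)
        if ident in seen or ident not in providers:
            continue
        seen.add(ident)
        order.append(ident)
        for name, value in providers[ident]["properties"].items():
            if name == "Configurable User Group Provider" or re.fullmatch(r"User Group Provider \d+", name):
                queue.append(value)
    return order


def initial_identities(providers, authorizers):
    """Identity strings seeded on first start (only honoured while users.xml /
    authorizations.xml do not exist yet, as the reply above explains)."""
    found = []
    for section in (providers, authorizers):
        for ident, spec in section.items():
            for name, value in spec["properties"].items():
                if name.startswith("Initial User Identity") or name == "Initial Admin Identity":
                    found.append((ident, name, value))
    return found


def match_identity(configured, log_identity):
    """'exact' if byte-for-byte equal, 'case' if they differ only by case
    (a frequent cause of a Forbidden response), otherwise 'none'."""
    if configured == log_identity:
        return "exact"
    if configured.casefold() == log_identity.casefold():
        return "case"
    return "none"


def diagnose(xml_text, log_identity):
    """Summarise the authorizer setup and compare seeded identities with the log identity."""
    providers, authorizers = parse_authorizers(xml_text)
    report = {"authorizers": {}, "identity_matches": {}}
    for ident, spec in authorizers.items():
        kind = "ranger" if "ranger" in (spec["class"] or "").lower() else "file-or-other"
        chain = provider_chain(providers, spec["properties"].get("User Group Provider", ""))
        report["authorizers"][ident] = {"kind": kind, "provider_chain": chain}
    for ident, name, value in initial_identities(providers, authorizers):
        report["identity_matches"][f"{ident}/{name}"] = match_identity(value, log_identity)
    return report


if __name__ == "__main__":
    # Identity string copied from the AccessDenied line in the first post.
    print(diagnose(SAMPLE_AUTHORIZERS_XML, "cdpadmindev@DOMAIN"))
```

Run it with the identity string from the `identity[...]` field of the AccessDenied log line; a result of `case` is the mismatch to look for first, and `none` with a Ranger authorizer means the seeded file identities are irrelevant and the Ranger user and policies are where the check continues.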

Contributor

Hi @MattWho,

Our NiFi is using the Ranger authorizer. After we set the Ranger NiFi policies (/flow, /proxies, etc.) for my username, I can log in and access the web UI. The next question is about group authorization, because other users in the same group still cannot access the web UI.

Below is the log:
2021-09-02 10:57:45,166 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifihostname:8443/nifi-api/flow/current-user (source ip: )
2021-09-02 10:57:45,169 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test.username
2021-09-02 10:57:45,172 INFO [NiFi Web Server-424] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

Thanks ,

WahyuB

Master Mentor

@wbivp 

Within Ranger you can authorize users and/or groups to the policies you define.
The Ranger plugin for the NiFi service runs in the background within NiFi and connects with Ranger to download the latest set of policies.

What is provided by Ranger is simply that user(s) A, B, C strings and/or group(s) X, Y, Z strings are authorized to read and/or write NiFi Resource Identifier(s). There is nothing in what is downloaded from Ranger that will tell NiFi, as the client, what users belong to group(s) X, Y, or Z. This means that NiFi itself needs to be aware of these associations.

This is why in the nifi-user.log you see the following:

o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does ...

This log line tells us that NiFi is unaware of any groups of which the authenticated user string "test.username" is a member. If NiFi was aware, the "groups[]" in this log line would show a comma-separated list of all those group strings.

NiFi offers numerous user-group-providers that can be added to the authorizers.xml that allow these associations between user and groups to be set.  Your authorizers.xml file shared contains the "cm-user-group-provider" (only used to assign NiFi node hostnames to a group string "nifi") and the "file-user-group-provider" [1] which gives users a way of manually adding group strings and associating users to that group directly from the NiFi UI.

So with your current setup, you would log in as your authorized user, go to the NiFi Global Menu, and then select "Users". This will open the NiFi Users UI, where you should see the initial admin user you defined in your file-user-group-provider. You would need to click on the icon (screenshot: MattWho_0-1630601184771.png) to add additional users and groups manually. Adding users and groups here has nothing to do with authentication; you are using this UI to establish user-to-group associations. So I would start by creating a new group. The identity string used must match, case-sensitively, the exact group string as seen in Ranger.
Then you can start adding your user strings (these must match the user strings, case-sensitively, as seen in Ranger).
As you add users you will be able to select the group(s) you added that the user should be associated with.

[screenshot: MattWho_1-1630601469834.png]

Using the above as an example, NiFi would then associate user string "JoeSmith" with group string "admins".

To see what other user-group-providers exist within your NiFi version, you should look at the "Admin Guide" found under Help within your NiFi's embedded documentation, accessed via the UI.

A very commonly used user-group-provider is the "ldap-user-group-provider" [2], which can be used to sync user and group strings from LDAP/AD and establish the associations between them based on what is in LDAP/AD.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#fileusergroupprovider
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

If you found these responses assisted with your query, please take a moment to login and click on "Accept as Solution" below each post.

Thank you,

Matt
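The point of the reply above, that Ranger delivers only "user/group string X may access resource R" and NiFi itself must know which groups a user belongs to, can be shown with a small model. The following Python is an added example, not code from the thread, from NiFi or from Ranger: it parses AccessDenied lines in the format of the nifi-user.log excerpts in this thread (the lines and the /flow policy below are constructed), then evaluates /flow read first with no user-to-group knowledge and then with a mapping such as the file-user-group-provider or ldap-user-group-provider would supply. The function names are the example's own.

```python
"""Added example: why an empty groups[] in nifi-user.log leads to Forbidden
even when the user's group is authorized in Ranger. The log lines and the
policy table below are constructed for illustration."""
import re

# Constructed log lines in the format of the nifi-user.log excerpts in this thread.
SAMPLE_NIFI_USER_LOG = """\
2021-09-02 10:57:45,169 INFO [NiFi Web Server-424] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for test.username
2021-09-02 10:57:45,172 INFO [NiFi Web Server-424] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[test.username], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
2021-09-02 11:03:12,001 INFO [NiFi Web Server-430] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[JoeSmith], groups[operators] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
"""

DENIED_RE = re.compile(
    r"AccessDeniedExceptionMapper identity\[(?P<identity>[^\]]*)\], groups\[(?P<groups>[^\]]*)\]"
)


def parse_denials(log_text):
    """Extract identity and the group list NiFi knew about from every AccessDenied line."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            groups = [g.strip() for g in m.group("groups").split(",") if g.strip()]
            denials.append({"identity": m.group("identity"), "groups": groups})
    return denials


# Model of what the Ranger plugin downloads: per resource identifier and action,
# the user strings and group strings that are authorized. Constructed; the group
# "admins" echoes the screenshot example in the reply above.
RANGER_POLICIES = {
    "/flow": {"read": {"users": {"wahyu.budiman"}, "groups": {"admins"}}},
}


def groups_known_to_nifi(user_group_map, identity):
    """Group strings NiFi's user-group-providers associate with `identity`.
    The lookup is exact and case-sensitive, matching NiFi's string comparison."""
    return sorted(user_group_map.get(identity, ()))


def is_authorized(policies, resource, action, identity, groups):
    """Ranger-style decision: allowed if the user string or any of its group strings is listed."""
    policy = policies.get(resource, {}).get(action)
    if policy is None:
        return False
    return identity in policy["users"] or any(g in policy["groups"] for g in groups)


def evaluate(log_text, user_group_map):
    """For each denied identity in the log, decide /flow read with the given user->groups map."""
    results = {}
    for d in parse_denials(log_text):
        groups = groups_known_to_nifi(user_group_map, d["identity"])
        results[d["identity"]] = {
            "groups": groups,
            "allowed": is_authorized(RANGER_POLICIES, "/flow", "read", d["identity"], groups),
        }
    return results


if __name__ == "__main__":
    # Without any user-group-provider data NiFi has groups[] and the group policy never applies.
    print(evaluate(SAMPLE_NIFI_USER_LOG, {}))
    # Once NiFi knows test.username is in "admins", the same Ranger policy grants access.
    print(evaluate(SAMPLE_NIFI_USER_LOG, {"test.username": ["admins"]}))
```

The third evaluation in the test (a map keyed on "Test.Username") shows the case-sensitivity caveat from the reply: a user-to-group entry whose identity differs only in case from the log identity contributes nothing, and the request is still denied.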

Contributor

Hi @MattWho,

I tried your suggestion to set up the "ldap-user-group-provider", and now the NiFi service cannot start.

This is the error message; do you have an example of the required parameters?

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setAnonymousAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'anonymousAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

Master Mentor

@wbivp 

When NiFi is configured to use the ldap-user-group-provider, it must be able to successfully execute that provider during startup to generate a list of users and groups within NiFi.

The exception points to that provider being unable to execute successfully.
The exception in the logs shows:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

This points at an authentication issue when trying to communicate with your LDAP server
(misconfiguration in the provider, or a bad Manager or Manager password provided).

From the NiFi host, can you run an ldapsearch query against your LDAP server using all the same configured values from your provider?

Without your authorizers.xml file, it would be difficult for me to point out any other misconfigurations if present.

If you found the provided response(s) assisted with your query, please take a moment to login and click on "Accept as Solution" below each solution that helped you.

Thank you,

Matt
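The startup exception quoted above carries more detail than "error code 49": Active Directory appends a "data" subcode that says why the bind was rejected. The following Python is an added example, not code from the thread, from NiFi or from Spring LDAP: it pulls the innermost cause out of a Spring "nested exception" chain, parses the AD error string, and maps the subcode using Microsoft's documented AD bind-failure values. The exception text is a constructed copy of the one posted, and the function names are the example's own.

```python
"""Added example: decode the AD bind failure behind a NiFi ldap-user-group-provider
startup error. The provider binds as the configured Manager DN at startup, so the
credentials being rejected here are the provider's own, not an end user's."""
import re

# Microsoft AD subcodes that accompany LDAP result code 49 (documented values).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (the bind DN exists but the password was rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)"
)

# Constructed copy of the exception text posted in this thread.
SAMPLE_EXCEPTION = (
    "Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean "
    "with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration'; nested exception is "
    "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': "
    "FactoryBean threw exception on object creation; nested exception is "
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]; nested exception is "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, "
    "comment: AcceptSecurityContext error, data 52e, v4563]"
)


def root_cause(message):
    """Innermost cause of a Spring exception chain: the text after the last 'nested exception is'."""
    return message.split("nested exception is ")[-1].strip()


def explain_ldap_error(message):
    """Parse an AD-style LDAP error out of `message`; None if no such error is present."""
    m = LDAP_ERR_RE.search(root_cause(message))
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown subcode"),
        # Code 49 is invalidCredentials: the bind itself failed, before any search ran.
        "bind_failed": m.group("code") == "49",
    }


if __name__ == "__main__":
    print(explain_ldap_error(SAMPLE_EXCEPTION))
```

For the posted error this yields data 52e, i.e. the directory found the bind account but rejected its password, which matches the reply's advice to re-check the provider's manager credentials and to reproduce the bind with ldapsearch from the NiFi host using the same values. A different subcode (533, 775, 532) would point at the account itself rather than at the configured password.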