Created 05-22-2023 03:35 AM
Hello Team,
I have configured apache Nifi and integrated with LDAP, now when i try to login it gives below error.
-->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=***********,OU=Groups,OU=*********,OU=********,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="Manager Password">**********</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://****************:389</property>
<property name="User Search Base">OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
=======
my conf/authorizers.xml
=====
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
=======
ldapsearch shows this user
# filter: sAMAccountName=mohit.kumar
# requesting: ALL
#
# Mohit Kumar, FM-Users, Managed services, CORP.SA.ZAIN.COM
dn: CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM
Please help me to fix this issue.
Created on 05-23-2023 12:00 AM - edited 05-23-2023 12:02 AM
Hi @cotopaul @SAMSAL @MattWho @steven-matison
Kindly help me to fix the issue.
user logs are below.
2023-05-23 02:52:25,863 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Tue May 23 02:52:25 EDT 2023
2023-05-23 02:52:25,864 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /var/nifi/./conf/authorizations.xml
2023-05-23 02:52:26,254 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=mohit.kumar,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM
2023-05-23 02:52:26,260 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Tue May 23 02:52:26 EDT 2023
2023-05-23 02:52:26,263 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Tue May 23 02:52:26 EDT 2023
2023-05-23 02:52:26,268 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Tue May 23 02:52:26 EDT 2023
2023-05-23 02:52:43,772 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 192.168.32.206 [<anonymous>] GET https://10.*.*.*:9443/nifi-api/flow/current-user
2023-05-23 02:52:43,776 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [anonymous] 192.168.32.206 GET https://10.*.*.*:9443/nifi-api/flow/current-user
2023-05-23 02:52:43,891 INFO [NiFi Web Server-24] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
2023-05-23 02:53:37,220 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[mohit.kumar], groups[] does not have permission to access the requested resource. Unknown user with identity 'mohit.kumar'. Returning Forbidden response.
Created 05-23-2023 01:21 AM
@mks27,
To be really honest, when it comes to login and certificates, I am in no position to provide an input, as I never got to fully understand how they work 😞
While you are waiting for a better answer, from somebody with far more experience and knowledge as me, I would try the following:
- Assuming that you configured LDAP authentication, I assume that you have the User and Policies Menu in your NiFi Menu (top Right).
- Now, based on your error, I see that you are using the user mohit.kumar and you have no privileges to do anything.
- What I would suggest is to login with the user which was provided as Initial Admin Identity and provide your user (mohit.kumar) with all the necessary roles to perform the action you are trying to perform.
See: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
Have a look here as well: https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/
Created 09-14-2023 09:51 AM
@mks27
I am reading through this post and see multiple conflicting output shared from you which imply config changes were applied between updates added to this post.
First you need to understand that NiFi authentication and NiFi authorization are two totally separate processes. After successful authentication is successful the user identity string is evaluated against any configured Identity mapping patterns configured in the nifi.properties file. IF a java regex mapping pattern matches against the user identity string returned during authentication, the configured associated identity mapping value is applied. At this point the user identity string is passed off to the configured authorizer configured in NiFi to verify that the user is authorized for the request endpoint being accessed. The authorizer must be aware of all user identity strings and those user must be authorized to the resource before a user will be authorized. It is IMPORTANT to understand that NiFi is case sensitive (Identity bob and BOB would be treated as two different users).
Your initial query you stated that the NiFi UI shows successful authentication, but indicates that authorization was then not successful. We know this because it returned a user identity (determined during authentication) and then reported that user was not known to your NiFi during authorization verification.
Unknown user with identity 'cn=Mohit Kumar,ou=FM-Users,ou=Managed services,dc=CORP,dc=SA,dc=ZAIN,dc=COM'. Contact the system administrator.
In your same post you shared the DN from your ldapsearch response as:
CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM
As we can see these do not match. Regardless of above, what NiFi received in response to your authentication request from your ldap is what is displayed in the NiFiUI.
Now, in a later post you shared the nifi-user.log output below:
023-05-23 02:53:37,220 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[mohit.kumar], groups[] does not have permission to access the requested resource. Unknown user with identity 'mohit.kumar'. Returning Forbidden response.
This log line implies that a user was successfully authenticated with a user identity of "mohit.kumar". This is not same user as shared in the initial post. My guess here us that changed your ldap-provider from using:
<property name="Identity Strategy">USE_DN</property>
to:
<property name="Identity Strategy">USE_USERNAME</property>
The "USE_USERNAME" is more commonly used. Upon successful authentication, the username entered at the NiFi login prompt is used as the user identity rather than the DN returned by ldap.
Or you setup some Identity.mapping.pattern that matched in your full DN, extracted just the CN and set it to all lowercase?
NiFi authorization is handled by the authorizers.xml NiFi configuration file.
In your authorizers.xml you have the "Managed authorizer" which has a configured dependency on the "File-Access-Policy-Provider" which itself has a configured dependency on "File-User-Group-Provider".
The File-User-Group-Provider is responsible for building the users.xml file and populating it with a few initial entries. This provider will ONLY generate a users.xml file if it does NOT already exist. So any edits to this configuration after the users.xml file already exists will not be reflected in this file. I see you have configured this provider to create the following user identity:
<property name="Initial User Identity 1">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
This Identity matches neither Identity mentioned earlier that resulted from successful authentication (remember that NiFi is case sensitive).
I would recommend changing this to the following and deleting the users.xml so it gets recreated:
<property name="Initial User Identity 1">mohit.kumar</property>
Make sure you are also use "USE_USERNAME" in your ldap-provider.
The File-Access-Policy-Provider is responsible for building the authorizations.xml file only if it does not already exist. Within this provider you defined who your initial admin user identity should be. When building the authorizations.xml file for the first time, this initial admin user identity will be granted the authorization needed to act as an administrator.
<property name="Initial Admin Identity">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
This should be changed to below and current authorizations.xml (not authorizers.xml) must be deleted so it can be rebuild based on new initial admin:
<property name="Initial Admin Identity">mohit.kumar</property>
Now restart your NiFi and login using "mohit.kumar" in the NiFi login window. I should note that I am assuming here that "mohit.kumar" is your users sAMAccountName value in your LDAP entry.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 09-14-2023 06:53 AM
I am having a more fundamental issue on configuring LDAP in NiFi and it seems you are farther ahead.
1. How were you able to generated an encrypted password for this line
<property name="Manager Password">**********</property>
2. Why did you use "SIMPLE" option. By default, config file refers to "START_TLS"
3. Does this line have to use LDAP lingo as I merely put in my user name as the one administering the NiFi server.
I'll really appreciate your help on these questions
<property name="Manager DN">CN=***********,OU=Groups,OU=*********,OU=********,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
Created 09-14-2023 11:10 AM
@LKB
You would get better traction/feedback if you start your own community question. Your query is not very related to issue in this post.
As far as the one question related to this post about encrypted manager password, @mks27 simply masked it by using "***" in his post. NiFi does not replace actual password with * when encrypting sensitive passwords.
The NiFi Encrypt-Config Toolkit can be used to encrypt passwords used in various NiFi configuration files:
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#encrypt_config_tool
Thank you,
Matt
Created 09-14-2023 08:23 AM
You are authenticated as:
cn=Mohit Kumar,ou=FM-Users,ou=Managed services,dc=CORP,dc=SA,dc=ZAIN,dc=COM'
But your policies are for:
CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM
You can try to set the initial admin as the user that is authenticated (note the case sensitive):
cn=Mohit Kumar,ou=FM-Users,ou=Managed services,dc=CORP,dc=SA,dc=ZAIN,dc=COM
Stop Nifi, and delete users.xml and authorizations.xml files.
Start Nifi and share the results by trying to log in again.