I have configured a NiFi Registry instance to use:
When I log onto the registry instance, I am prompted to add my client certificate (which I do), and I can then log in using username/password. I successfully log in using the Initial Admin User, defined in the authorizer, and the respective password.
However, there are some issues - sometimes the login page does not show up (and instead shows an empty NiFi Registry page) and other times I am able to log in, but I am not able to access the administrator page.
Within the logs, I can see errors such as:
2019-06-28 18:18:06,942 INFO [NiFi Registry Web Server-16] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[DC=*****], groups does not have permission to access the requested resource. Unknown user with identity 'DC=*****'. Returning Forbidden response.
(where **** is the LDAP DN as defined by the SSL certificate)
I do not want to carry out authentication using the SSL certificates; instead, I expect that the user would always be prompted to enter the username/password, and be able to log in. The identity used would be as specified by the authorizers file. I have specified this using the following property within nifi-registry.properties:
This is my authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">username</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">username</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
How can I make sure that only the username/password is used for authentication/authorisation?