NiFi Registry Authorisation - Use Username Only

Hi,

I have configured a NiFi Registry instance to use:

When I log onto the registry instance, I am prompted to add my client certificate (which I do), and I can then log in using username/password. I successfully log in using the Initial Admin User, defined in the Authorizer, and the respective password.

However, there are some issues - sometimes the login page does not show up (and instead shows an empty NiFi Registry page) and other times I am able to log in, but I am not able to access the administrator page.

Within the logs, I can see errors such as:

2019-06-28 18:18:06,942 INFO [NiFi Registry Web Server-16] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[DC=*****], groups[] does not have permission to access the requested resource. Unknown user with identity 'DC=*****'. Returning Forbidden response.

(where **** is the LDAP DN as defined by the SSL certificate)

I do not want to carry out authentication using the SSL certificates; instead, I expect that the user would always be prompted to enter the username/password, and be able to log in. The identity used would be as specified by the authorizers file. I have specified this using the following property within nifi-registry.properties:

nifi.registry.security.needClientAuth=false

This is my authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">username</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">username</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

How can I make sure that only the username/password is used for authentication/authorisation?
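
A small check for the mismatch the log line above shows, added here as an example and not part of the original post: it lists the identities that authorizers.xml seeds and flags denied requests whose identity is not one of them. The function names are hypothetical, the XML is a trimmed copy of the posted file, and the second log line is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the posted authorizers.xml (class elements omitted).
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">username</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <property name="Initial Admin Identity">username</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>
</authorizers>"""

LOG_LINES = [
    # Posted log line (DN masked by the poster).
    "2019-06-28 18:18:06,942 INFO [NiFi Registry Web Server-16] "
    "o.a.n.r.w.m.AccessDeniedExceptionMapper identity[DC=*****], groups[] "
    "does not have permission to access the requested resource.",
    # Constructed line, only to exercise the known-identity branch.
    "2019-06-28 18:19:00,000 INFO [NiFi Registry Web Server-17] "
    "o.a.n.r.w.m.AccessDeniedExceptionMapper identity[username], groups[] "
    "does not have permission to access the requested resource.",
]

DENIED = re.compile(r"AccessDeniedExceptionMapper identity\[(.*?)\], groups\[")

def configured_identities(xml_text):
    """Map each non-empty '... Identity' / '... Identity N' property to its value."""
    found = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        value = (prop.text or "").strip()
        if value and re.search(r"Identity( \d+)?$", prop.get("name", "")):
            found[prop.get("name")] = value
    return found

def unknown_denials(log_lines, identities):
    """Return denied identities that no authorizers.xml property seeds."""
    known = set(identities.values())
    hits = (DENIED.search(line) for line in log_lines)
    return [m.group(1) for m in hits if m and m.group(1) not in known]

if __name__ == "__main__":
    ids = configured_identities(AUTHORIZERS_XML)
    print("seeded identities:", ids)
    print("denied, not seeded:", unknown_denials(LOG_LINES, ids))
```
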