Support Questions
Find answers, ask questions, and share your expertise

Nifi Server dont starts after going secure.

Nifi Server dont starts after going secure.

New Contributor

We use Nifi 1.5.0 with 'nifi-toolkit-1.5.0.3.1.0.0-564' on Windows, standalone (no cluster, we are at the beginning of the nifi-way)

After reconfiguring for SSL, following div. instruction, an testing a lot of different configs, restarting with 'clean' installation etc.; I am stalled:

  • Certs etc. are made with nifi toolkit, standalone:
    tls-toolkit.bat standalone -n localhost -C "CN=admin,OU=NIFI"
  • authorizers.xml is like this (only change):
    ...
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    ...
  • keystore and truststore are in ./conf (I also tested with absolute path)
  • client cert is imported

Any Configuration like this start up and stops with some exceptions. Without "Initial Admin Identity" attribute in authorizers.xml the server starts normaly, but no one can login due to permission issues.

The nifi-user.log and nifi-bootstrap.log looks ok, but not nifi-app.log:
more or less all exceptions ends up with something like:

2018-02-07 17:06:28,110 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@776a7ec6{SSL,[ssl, http/1.1]}{localhost:9443}
2018-02-07 17:06:28,110 INFO [main] org.eclipse.jetty.server.Server Started @31471ms
2018-02-07 17:06:28,111 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setX509AuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin, OU=NIFI to seed policies
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:667)
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
....
Caused by: ... AuthorizerCreationException: Unable to locate initial admin CN=admin, OU=NIFI to seed policies
....
....
2018-02-07 17:06:28,122 INFO [Thread-1] org.eclipse.jetty.server.session Stopped scavenging

Any hints?

Thanks a lot; .m.

4 REPLIES 4

Re: Nifi Server dont starts after going secure.

It appears that you are specifying a different DN string in your command-line invocation of the TLS Toolkit and your initial admin identity:

tls-toolkit.bat standalone -n localhost -C "CN=admin,OU=NIFI"

<property name="Initial Admin Identity">CN=admin, OU=NIFI</property>

There is a space between "admin," and "OU=NIFI" in the IAI property definition, but not in the certificate generation command. These strings need to match for NiFi to authenticate the user via client certificate/LDAP/Kerberos.

Re: Nifi Server dont starts after going secure.

New Contributor

Thanks for replying.

I tested different strings; I found a lot of issues about different writings; but it didnt solved our problems.

Other Hints?

Re: Nifi Server dont starts after going secure.

Try removing the users.xml and authorizations.xml files (back these up if you have made other changes prior to securing the application). These files are generated and populated if they are not present at application startup, which means they will be auto-generated the first time the application is run, but not re-generated automatically once they exist. Ensure your files look something like the following:

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c" identity="CN=alopresto, OU=Apache NiFi"/>
    </users>
</tenants>

authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=alopresto, OU=Apache NiFi</property>
        <property name="Legacy Authorized Users File"></property>
    </authorizer>
</authorizers>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="0f4d2dd0-7c8b-39ce-8292-0e459a8dd69f" resource="/flow" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="9f665453-1e5f-36b4-8f4c-e125491c1fd2" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="38e2a10c-a75f-3b48-8954-6e5af69c837b" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="67684272-2833-32e6-954a-d33b7dfc80b2" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="ce02741b-adb1-37cf-a818-7d5476e49805" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="2148640b-305c-3c53-8a92-5111159729a1" resource="/restricted-components" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="cc00676b-e0bb-34be-8ae5-89a35dd3ebcb" resource="/tenants" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="2bf2a497-4045-37d6-8a7f-e8b2753da197" resource="/tenants" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="9abc4f3b-008c-3ad2-81d3-85410b435c2e" resource="/policies" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="f4d3b871-7144-3d22-b93d-67110a369647" resource="/policies" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="e6cdf807-d293-3c5c-8123-0b42c4370a7e" resource="/controller" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="03947efb-1e7c-3c42-90ac-ba0ebd1e64fd" resource="/controller" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="015a1025-3be1-13fc-af08-0f6bf4e9285a" resource="/provenance" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
    </policies>
</authorizations>

Re: Nifi Server dont starts after going secure.

New Contributor

thanks for your detailed answer.

It looks better know, users.xml and authorizations.xml seems to be correct (what they did not before).

Actually I have to go through 2 steps:

First I replace in nifi.properties then line "nifi.security.user.authorizer=managed-authorizer" wicth "nifi.security.user.authorizer=file-provider" and clean authorizers.xml, leaving only file-provider and userGroupProvider. After 'cleaning' Nifi (deleting then(empty) users.xml and authorizations.xml and keystore etc.) and rebuilding with nifi-toolkit, Nifi starts and populates users.xml and authorizations.xml with reasonable entries, but stops again.

Second, I undo the changes in nifi.properties and authorizers.xml and restart Nifi. It runs now stable. puh.