Support Questions

Find answers, ask questions, and share your expertise

Nifi UI forbidden

avatar
Rising Star

Hi,

Recently i enabled SSL for my nifi cluster, genearted certificates and then trying to access from browser. but am getting fallowing exception.capture.png

1 ACCEPTED SOLUTION

avatar
Rising Star

Hi@jpercivall

i already address intial admin in my authorizations.xml file as specified in document.

<authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.FileAuthorizer</class>

<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>

<property name="Users File">/var/lib/nifi/conf/users.xml</property>

<property name="Initial Admin Identity">CN=nifiadmin,OU=hortonworks</property>

<property name="Legacy Authorized Users File"></property>

but still facing same issue

View solution in original post

10 REPLIES 10

avatar

The user that corresponds to the cert you are using doesn't have access to the UI. An admin has to add the user to the "view the UI" policy first.

You can read more about the Multi-tenant authorization in the NiFi docs: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization

avatar
Rising Star

Hi@jpercivall

i already address intial admin in my authorizations.xml file as specified in document.

<authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.FileAuthorizer</class>

<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>

<property name="Users File">/var/lib/nifi/conf/users.xml</property>

<property name="Initial Admin Identity">CN=nifiadmin,OU=hortonworks</property>

<property name="Legacy Authorized Users File"></property>

but still facing same issue

avatar
Rising Star

any thoughts in this issue?

avatar
Rising Star

thanks @mclark

As per i remember i already checked authorization,xml, that contains polices for UUID. but am not sure weather it has access R access to /polices ... will check that by tomorrow let u guys know.

avatar
Rising Star

There should probably be a space between the comma and OU of your initial admin identity.

E.g. CN=nifiadmin, OU=hortonworks

avatar
Rising Star

@brosander

. pleaswplease check fallowing immages am fallowing exactly same way including spaces too.c1.png

avatar
Rising Star

c2.png second immage

avatar
Rising Star

brosander.

thanks or your help brosander. its working now, isssue with white space as like u mentioned. thanks for help

avatar
Master Mentor

@vnandigam

There are two parts to successfully accessing the NiFi UI, Authentication and Authorization. Since you are getting the insufficient permissions screen, you have successfully authenticated.

First you should confirm the DN pattern of this user that has successfully authenticated. If you tail the nifi-user.log while you access your NiFi's UI, you will see a line similar to the following:

2016-10-03 11:47:15,134 INFO [NiFi Web Server-65795] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin,OU=hortonworks

Examine the DN presented. Does it match exactly what you had in your "Initial Admin Identity" property you set?

Next you will want to confirm that this user was properly added to the users.xml file:

<user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa" identity="CN=nifiadmin,OU=hortonworks"/>

The user if it exists will be assigned a UUID (The above UUID is just an example and yours will be different.)

Next, verify this user was given the ability to "view the user interface" by examining the authorizations.xml file.

Within this file you would expect to see the user's UUID above assigned to one or more policies.

In order to even see the UI, users must have the "R" to the "/flow" policy:

<policy identifier="6a57bf03-2a93-39d0-87dd-e3aa30f0cd4d" resource="/flow" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

In order to be able to add users to additional access policies, the user would also need "R" and "W" to the "/policies" policy (You can think of this as the Global Admin policy):

<policy identifier="9a3a1c92-fa10-3f9d-b2f7-5cd56cd2ca00" resource="/policies" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>
<policy identifier="1ff611dd-1536-31f5-a610-64e192e4c43c" resource="/policies" action="W">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

If you user has both of the above, you should be able to access the UI and use the interface to grant additional users access and add additional levels of access for yourself and/or any user you added.

The following policies are what gives a user the ability to create, modify, and delete new users and/or groups:

<policy identifier="dee16f9e-1f09-37ee-806b-e372f1051816" resource="/tenants" action="R">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>
<policy identifier="69839728-eaf3-345d-849f-e2790cf236ab" resource="/tenants" action="W">
            <user identifier="9d7b4fe2-8e8b-30a5-8e2a-f6a6a18addfa"/>
</policy>

If you find that your authorizations.xml file was empty (Had no policies set in it), it is likely your NiFi had been started previous to you setting the "Initial Admin Identity" property. This Property ONLY works the first time NiFi is started. If the authorizations.xml file was already generated, it will not be re-generated or updated on later starts of NiFi. To correct this, you can delete the authorizations.xml file and restart your NiFi. Since it does not exist this time, the "Initial Admin Identity" user will be created this time.

***Note, if other users already have granted authorizations in this file, those will be lost and will need to be re-created. Only delete the authorizations.xml file if wishing to start over from scratch.

Thanks,

Matt