Support Questions

Find answers, ask questions, and share your expertise

Nifi authorization error for initial admin

avatar
New Contributor

I have completed the ldap set up for Nifi. After restarting I am able to authenticate with the initial admin but rather than being directed to the canvas, I am taking back to the /nifi/login page. The page says "Success" with a logout and home link and a message below that says "You are already logged in". Clicking the Home link takes me back to the same page.

After enabling debugging here is the messages I see in the nifi-users.log file:

2018-01-25 15:50:56,006 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null

2018-01-25 15:50:56,007 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.

2018-01-25 15:50:56,007 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null

2018-01-25 15:50:56,007 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1lNzgzMTV0LG91PVVzZXJzLG91PUFjY291bnRzLGRjPWludGVybmFsLGRjPXNsbWJhbmssZGM9bmV0IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZTc4MzE1dCIsImtpZCI6NCwiZXhwIjoxNTE2OTU2NjU0LCJpYXQiOjE1MTY5MTM0NTR9.a8f8h-Jv2_2qo-0kr9KTCTGFKW3SMeuN772RcUPLZLM) GET https://s617985dc2vl485.internal.redacted.net:9091/nifi-api/flow/current-user (source ip: 10.0.108.100)

2018-01-25 15:50:56,010 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net

2018-01-25 15:50:56,013 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net

2018-01-25 15:50:56,013 DEBUG [NiFi Web Server-20] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net'

2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null

2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.

2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null

2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null

2018-01-25 15:50:56,139 DEBUG [NiFi Web Server-21] o.a.n.w.s.a.NiFiAnonymousUserFilter Populated SecurityContextHolder with anonymous token: 'anonymous'

2018-01-25 15:50:56,141 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.

2018-01-25 15:50:56,145 DEBUG [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper 

org.apache.nifi.authorization.AccessDeniedException: Unknown user with identity 'anonymous'.

	at org.apache.nifi.web.api.FlowResource.authorizeFlow(FlowResource.java:229)

	at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:315)

	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

I have validated this specific dn as valid in the users.xml and authorizations.xml file. Does anyone have any idea where I need to look?

Thanks

6 REPLIES 6

avatar
Master Mentor
@Chad Ewing

Is this a NiFi Cluster?

Do you have an external load-balancer sitting in front of your NiFi URL? If so you need to make sure you have enable sticky sessions. A Token is only good for the node from which it was issued. So If subsequent requests to a load-balanced URL go to a different node the token your browser presents will not be known to that node.

Thank you,

Matt

avatar
New Contributor

@Matt Clarke

Thank you for your response. No this is not a cluster and and there is no load balancer. Is there a way to debug if the token is having problems being generated?

Thanks again,

Chad

avatar
Master Mentor
@Chad Ewing

You could use curl to verify that the access token nifi rest-api end-point is returning a token to you.

# curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k

This should return a long string of characters which is your token.

Once you know above works, you can use the following to store a retrieved token in to a variable for easier use in subsequent curl rest-api calls:

# token="$(curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k)"

That token can then be used in subsequent calls to the rest-api as follows:

# curl 'https://<nifihostname>:<port>/nifi-api/flow/current-user' -H "Authorization: Bearer $token" -k

The above for example would return JSON output like:

{"identity":"<username or DN>","anonymous":false,"provenancePermissions":{"canRead":false,"canWrite":false},"countersPermissions":{"canRead":false,"canWrite":false},"tenantsPermissions":{"canRead":true,"canWrite":true},"controllerPermissions":{"canRead":true,"canWrite":true},"policiesPermissions":{"canRead":true,"canWrite":true},"systemPermissions":{"canRead":false,"canWrite":false},"restrictedComponentsPermissions":{"canRead":false,"canWrite":true}}

With your browser, the exchange is not much different.

When you login, you are hitting that same endpoint to get a JWT token.

Your browser stores that token for subsequent requests sent to the same NiFi (such as loading the flow/canvas).

When the token arrives in the subsequent requests it is checked against the server side equivalent for that token which will be stores in the "nifi-user-keys.h2.db". This can be found in the NiFi database repository directory.

So make sure this file exists, is owned by same user running NiFi process, and you have not run out of disk space.

If the token looks good and user authentication is valid for the resource being requested, you'll get a response.

The login-identity-providers.xml file configuration for your ldap-provider dictates how long these tokens remain good for. Default expiration is 12 hours at which time the client will need to get a new token.

Thank you,

Matt

avatar
New Contributor

@Matt Clarke You nailed it! I was having a permissions problem with the nifi-user-keys-h2.db file. I corrected that and it working perfectly! Thank you so much!

avatar
Master Mentor

@Chad Ewing

Awesome, Glad to hear I was able to help. Please Take a moment to click "accept" below the answer to close out this thread.

avatar

Hi Matt,

@Matt Clarke


I am facing similar issue in my ambari cluster, which has only one node for now.

This is a kerberos enabled cluster with realm name MASTER, and I have added a principal for nifi as nifiadmin@MASTER.

I am enabling SSL and I am able to login to the SSL enabled nifi. But there I am facing the below issue

"

An unexpected error has occurred

javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: certificate: sha256/OeYwuYhOAaTVnMMLvGSCJZU= DN: CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []

"

So I have tried the above steps mentioned by you here,


1. curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k

Gave me string of characters as mentioned by you.

2. token="$(curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k)"

This was also successful.

3. curl 'https://<nifihostname>:<port>/nifi-api/flow/current-user' -H "Authorization: Bearer $token" -k

Here it failed saying the below:

javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: certificate: sha256/OeYwuYhOAaTVnMMLvGSCJZU= DN: CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []


Could you please help me to sort this out...


Thanks in advance,

Sarath.