Support Questions

Find answers, ask questions, and share your expertise

Nifi error when integrating authen with ldap

avatar
Explorer
<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">nifi</property>
        <property name="Initial Group Identity 1"></property>
</userGroupProvider>
<accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">nifi</property>
        <property name="Initial Admin Group"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
</accessPolicyProvider>
 <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
 </authorizer>

As the title says, I'm getting an unexpected error when logging into nifi with the same ldap account even though I configured that account as admin in the authorizers.xml file. Bellow this my setting:

nifi.properties

nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider

login-identity-providers.xml

 <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=nifi,dc=com</property>
        <property name="Manager Password">adminpassword</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://10.29.144.58:389</property>
        <property name="User Search Base">ou=users,dc=nifi,dc=local</property>
        <property name="User Search Filter">(uid={0})</property>

        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

authorizers.xml

<userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=nifi,dc=local</property>
        <property name="Manager Password">adminpassword</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://10.29.144.58:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">ou=users,dc=nifi,dc=local</property>
        <property name="User Object Class">inetOrgPerson</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(uid={0})</property>
        <property name="User Identity Attribute">uid</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">nifi</property>
        <property name="Initial Admin Group"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
</accessPolicyProvider>
 <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
 </authorizer>

Error in nifi-app.log

Spoiler

2025-08-26 10:50:30,548 INFO [main] o.a.nifi.controller.StandardFlowService Setting Flow Controller's Node ID: 10.29.144.58:8443
2025-08-26 10:50:30,551 INFO [main] org.apache.nifi.nar.StandardNarManager Synchronizing NARs with cluster coordinator
2025-08-26 10:50:30,793 ERROR [main] org.apache.nifi.nar.StandardNarManager Failed to synchronize NARs from cluster coordinator [10.29.144.56] no local NARs found
java.lang.IllegalStateException: Error calling https://10.29.144.56:8443/nifi-api/controller/nar-manager/nars - 403 - Unable to view the controller. Contact the system administrator.
at org.apache.nifi.client.NiFiRestApiClient.getResponseBody(NiFiRestApiClient.java:111)
at org.apache.nifi.client.NiFiRestApiClient.executeEntityRequest(NiFiRestApiClient.java:81)
at org.apache.nifi.nar.NarRestApiClient.listNarSummaries(NarRestApiClient.java:70)
at org.apache.nifi.nar.StandardNarManager.listNarSummaries(StandardNarManager.java:329)
at org.apache.nifi.nar.StandardNarManager.getNarSummariesFromCoordinator(StandardNarManager.java:317)
at org.apache.nifi.nar.StandardNarManager.syncWithClusterCoordinator(StandardNarManager.java:267)
at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:909)
at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:465)
at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:855)
at org.apache.nifi.runtime.Application.startServer(Application.java:131)
at org.apache.nifi.runtime.Application.run(Application.java:78)
at org.apache.nifi.runtime.Application.run(Application.java:60)
at org.apache.nifi.NiFi.main(NiFi.java:42)


nifi-user.log

Spoiler
2025-08-26 16:53:20,896 ERROR [NiFi Web Server-32] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response.
java.io.UncheckedIOException: Read Current User Entity failed
at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:446)
at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:421)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1622)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:125)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:60)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:96)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.ServletRequestPathFilter.doFilter(ServletRequestPathFilter.java:52)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebSecurityConfiguration.java:319)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1555)
at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:823)
at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:440)
at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:470)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1071)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:151)
at org.eclipse.jetty.server.Handler$Sequence.handle(Handler.java:805)
at org.eclipse.jetty.server.Server.handle(Server.java:182)
at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:678)
at org.eclipse.jetty.util.thread.Invocable$ReadyTask.run(Invocable.java:177)
at org.eclipse.jetty.http2.server.internal.HttpStreamOverHTTP2$1.run(HttpStreamOverHTTP2.java:136)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:195)
at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:210)
at org.eclipse.jetty.http2.HTTP2Connection.onFillable(HTTP2Connection.java:157)
at org.eclipse.jetty.http2.HTTP2Connection$FillableCallback.succeeded(HTTP2Connection.java:462)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:612)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:413)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:155)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:981)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1211)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1166)
at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2596)
at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2622)
at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2630)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:830)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3662)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2749)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:867)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:753)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:5058)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4961)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3948)
at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:444)
... 121 common frames omitted

 

2 ACCEPTED SOLUTIONS

avatar
Master Mentor

@yoonli 

That issue is unrelated to the issue here with getting your NiFi authorizer setup correctly.  Glad you were able to get that resolved. If the feedback helped you resolve that issue, please accept that solution to help others in the community.

What you are describing now is a missing authorization policy for your admin user.  When NiFi's authorizer seeds the initial policies for the "admin" user, that does not mean the admin user has been given all access.  It seeds the policies the admin user would need to access the UI and manage/modify authorizations for all users.  

The dataflow construction icon along the top of the UI are only visible to users who have been authorized on the Process Group (PG) being displayed.  When NiFi is started for the first time it has no flow.json.gz file to load, so it generates one.  That flow.json.gz will contain the root PG (NiFi default names the root PG "NiFi Flow").  Since your admin user is not authorized yet on this root PG, all the icons are greyed out.   You'll also notice in the lower left corner or the UI and in the "Operation" panel on left side of canvas that the PG displays a UUID instead of the name "NiFi Flow".

Now your admin user would have the authorization set to global manage authorization policies, so in that "Operations" panel you should see a key icon that is not greyed out.

MattWho_0-1756385972984.png

Clicking on that key will allow you admin to authorize users (including the admin user) to the authorizations  polices specific to that PG:

MattWho_1-1756386116216.png

Select the Policy from the drop down you want to modify and you'll see a list of users and/or groups already authorized (I expect your's will be blank).  After selecting the policy, you'll see an "Add users/groups to this policy" icon to the far right.

MattWho_2-1756386310990.png

Click on that and locate your admin user identity from the displayed list and click apply.

View the component - will allow and authorized user to view details and configuration of a component.  If that component is a process group, this authorization will be inherited by all components (processors, controller services, child process groups, etc) added to the canvas of that process group.  But you have the ability to set authorizations explicitly on any component directly.  So after setting this  one you should start seeing "NiFi flow" PG name.
Modify the component - will allow you to make changes.   For a PG this means making all the construct icon to become available to you along the top of the UI.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

 



View solution in original post

avatar
Master Mentor

@yoonli 

Did you setup your authorizers.xml with cluster recommended structure i outlined earlier:

MattWho_0-1756473491412.png

From the log shared you can see following cause for your issue:

Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN to seed policies.

What this exception tells me is that you added your node's certificate DN to the file-access-policy-provider only.   So on startup the file-access-policy-provider is attempting to seed NiFi nodes policies for that user identity, but it could not find that user identity because none of the configured user-group providers in the authorizers.xml created it.

Since this user identity derived from your node's certificate DN is not being returned by your ldap-user-group-provider,  it would need to be returned by the file-user-group-provider.

For clarity, you are logging in just fine with your user.  What is happening is your are logging into just one of yoru NiFi cluster nodes. So upon successful authentication the request to see the UI is sent to the elected cluster coordinator and replicated to all nodes in the cluster on your behalf.   This is where the node is the proxy doing this for your successfully authenticated user.   So you node is not authorized to proxy user requests.  Replicating the user requests is required so changes are made all nodes in the cluster and so one node's UI can show data from all connected nodes.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue(s) or answering your question(s), please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

11 REPLIES 11

avatar
Community Manager

@yoonli, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts, @MattWho and @vafs, who may be able to assist you further.

Please feel free to provide any additional information or details about your query. We hope that you will find a satisfactory solution to your question.



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Contributor

Hello @yoonli

I was checking the configuration and comparing it with other threads and it looks fine to me. 

Now, I was checking that users.xml and authorizations.xml cannot already exist to be created. 

You will need to stop the NiFi and then rename those files: 

cp conf/authorizations.xml conf/authorizations.xml.backup
cp conf/users.xml conf/users.xml.backup

Then you can retry. 
Also, it will worth to check this thread as well, that contains a lot of information on this same issue: 
https://community.cloudera.com/t5/Support-Questions/Untrusted-proxy-error-Authentication-Failed-o-a-...


Regards,
Andrés Fallas
--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs-up button.

avatar
Explorer

Hi @vafs,
Before, I delete 2 files users.xml and authorization.xml. When starting nifi, it recreate. I read content file and saw that It got the nifi user and permission. But I loged in again and got the error. 

avatar
Master Mentor

@vafs 

You shared two different authorizers.xml configurations (one that uses file-user-group-provider and another that uses the ldap-user-group-provider). 

  • Which one are you using when you experience your error?
  • What version of Apache NiFi are you using?
  • Is this a multi-node NiFi cluster or Single NiFi instance?
  • Do you have an external load balance in front of your NiFi or are you accessing your NiFi instance(s) directly using the NiFi hosts assigned IP? 

While the configuration of the "ldap-provider" in the login-identity-providers.xml looks valid, the configuration in your "ldap-user-group-provider" in the authorizers.xml is not valid and is not going to return any user identities.

The ldap-user-group-provider executes every 30 mins to resync users and maybe groups (depending on configuration).  It executes independent of any outside input.  So the following configuration line is not valid:

<property name="User Search Filter">(uid={0})</property>

The above is only valid in the "ldap-provider".  The ldap-provider is triggered when a user supplies their username and password in the NiFi login prompt. "{0}" is then replaced with the username supplied at login.  No such external input is passed to the ldap-user-group-provider, thus treating this search string as a literal value.

In the ldap-user-group-provider you can leave the "User Search Filter" blank if your goal is to sync all users at ONE_LEVEL from your user search base:

ou=users,dc=nifi,dc=local

While the app.log does reveal some unauthorized request to the endpoint: https://10.29.144.56:8443/nifi-api/controller/nar-manager/nars, it it does not show the user identity that made the request.  The nifi-user.log should include that information.  The snippet you shared  from both the nifi-app.log and nifi-user.log are not from the same time window.  Additionally the snippet shared from the nifi-user.log is incomplete (often the very last "Caused by:" section in the full stack trace tells you what they initial failure was.

keep in mind that the file-access-policy-provider is responsible for creating the authorizations.xml file ONLY when it does not already exist.  When it needs to be created, it uses the file-access-policy-provider configuration to seed authorizations for an Initial Admin user identity and for your node identities (commonly retrieved from the file-user-group-provider, if a NiFi cluster setup is being used).  Post existence of the authorizations.xml file, modifications are made to this file via admin user actions from directly in the NiFi UI.

In a NiFi cluster setup the authorizer would common include the following providers:

  1. file-user-group-provider (contains only node identities derived from node certificates)
  2. ldap-user-group-provider (sync users and possibly groups)
  3. composite-configurable-user-group-provider (used to call both above providers)
  4. file-access-policy-provider (configured to use composite-configurable-user-group-provider)
  5. managed-authorizer 

There is not much other insights I can provide from the information provided.  Hopefully this guidance will lead you to the useful log output and help you correct you configuration issue.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

avatar
Contributor

Hi @MattWho

I think you tagged the wrong person. 
@yoonli, take a look on @MattWho update. 


Regards,
Andrés Fallas
--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs-up button.

avatar
Explorer

@MattWho I fixed the error and connect successful to nifi UI. However I have got the problem with nifi ui when login by admin user. I similar this post https://community.cloudera.com/t5/Supp

ort-Questions/Nifi-Process-Groups-and-Processors-not-authorized-after/m-p/327745
I can't select processor. Please help me. 

avatar
Master Mentor

@yoonli 

That issue is unrelated to the issue here with getting your NiFi authorizer setup correctly.  Glad you were able to get that resolved. If the feedback helped you resolve that issue, please accept that solution to help others in the community.

What you are describing now is a missing authorization policy for your admin user.  When NiFi's authorizer seeds the initial policies for the "admin" user, that does not mean the admin user has been given all access.  It seeds the policies the admin user would need to access the UI and manage/modify authorizations for all users.  

The dataflow construction icon along the top of the UI are only visible to users who have been authorized on the Process Group (PG) being displayed.  When NiFi is started for the first time it has no flow.json.gz file to load, so it generates one.  That flow.json.gz will contain the root PG (NiFi default names the root PG "NiFi Flow").  Since your admin user is not authorized yet on this root PG, all the icons are greyed out.   You'll also notice in the lower left corner or the UI and in the "Operation" panel on left side of canvas that the PG displays a UUID instead of the name "NiFi Flow".

Now your admin user would have the authorization set to global manage authorization policies, so in that "Operations" panel you should see a key icon that is not greyed out.

MattWho_0-1756385972984.png

Clicking on that key will allow you admin to authorize users (including the admin user) to the authorizations  polices specific to that PG:

MattWho_1-1756386116216.png

Select the Policy from the drop down you want to modify and you'll see a list of users and/or groups already authorized (I expect your's will be blank).  After selecting the policy, you'll see an "Add users/groups to this policy" icon to the far right.

MattWho_2-1756386310990.png

Click on that and locate your admin user identity from the displayed list and click apply.

View the component - will allow and authorized user to view details and configuration of a component.  If that component is a process group, this authorization will be inherited by all components (processors, controller services, child process groups, etc) added to the canvas of that process group.  But you have the ability to set authorizations explicitly on any component directly.  So after setting this  one you should start seeing "NiFi flow" PG name.
Modify the component - will allow you to make changes.   For a PG this means making all the construct icon to become available to you along the top of the UI.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

 



avatar
Explorer

thank you so much @MattWho 

avatar
Explorer

@MattWho I want to ask one more question. I applied above config for my cluster 3 node. and can't log in due to untrust proxy error. 

2025-08-29 10:38:45,421 INFO [NiFi Web Server-33] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.29.144.58 [<cn=nifi,ou=users,dc=baoviet,dc=local><CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN>] GET https://10.29.144.56:8443/nifi-api/flow/current-user
2025-08-29 10:38:45,422 WARN [NiFi Web Server-33] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.29.144.58 GET https://10.29.144.56:8443/nifi-api/flow/current-user [Untrusted proxy CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN]

I added <property name="Node Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> to authorizes.xml and delete file user.xml and authorization.xml. When restart nifi, I got the error: 

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:206)
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:133)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1896)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1316)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:349)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
        at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1745)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1628)
        at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:888)
        ... 75 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN to seed policies.
        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
        at jdk.proxy3/jdk.proxy3.$Proxy62.onConfigured(Unknown Source)
        at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:189)
        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:159)
        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:63)
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:200)
        ... 84 common frames omitted