Nifi not authorising the user

I have installed and built the latest version of Nifi from - https://www.apache.org/dyn/closer.lua?path=/nifi/1.1.2/nifi-1.1.2-source-release.zip

Here is my nifi.properties file (I am only including the lines which I have changed):

# web properties #
nifi.web.https.port=9090

# security properties #
nifi.security.keystore=D:/certs/admin.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=secret
nifi.security.keyPasswd=secret
nifi.security.truststore=D:/certs/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=password12345
nifi.security.needClientAuth=
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=ldap-provider

# Identity Mapping Properties #
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2

Here is my login-identity-providers.xml file -

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>

    <property name="Manager DN">cn=admin,dc=example,dc=com</property>
    <property name="Manager Password">secret</property>

    <property name="TLS - Keystore">D:/certs/admin.jks</property>
    <property name="TLS - Keystore Password">secret</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">D:/certs/truststore.jks</property>
    <property name="TLS - Truststore Password">password12345</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>

    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <property name="Url">ldap://localhost:10389</property>
    <property name="User Search Base">dc=example,dc=com</property>
    <property name="User Search Filter">(cn=*)</property>

    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

Here is my authorizers.xml file -

<authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">cn=admin,dc=example,dc=com</property>
        <property name="Legacy Authorized Users File"></property>

        <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
        <property name="Node Identity 1"></property>
        <property name="Node Identity 2"></property>
        -->
    </authorizer>

Here is my authorizations.xml file (which I think got created automatically):

<authorizations>
    <policies>
        <policy identifier="d6ac5ac9-ebba-39a4-9cf1-82512024f54e" resource="/flow" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="0491115d-1370-3150-bda1-b508f76cf46e" resource="/data/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="9d0e4654-f454-32de-beeb-87fe18b9b620" resource="/data/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="95c78216-6f30-3047-aa66-b257aab05585" resource="/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="c53bfe10-cfb0-38ac-a872-78804dfb9b37" resource="/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="2af89f82-dba7-32d3-8152-19b5cacb8990" resource="/restricted-components" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="9e3268eb-e878-3b65-a876-c5d04553dd57" resource="/tenants" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="76dbbe39-170c-3093-a722-2990fb518d7c" resource="/tenants" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="8718dde6-5b40-3caa-a890-63c870df2a9e" resource="/policies" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="c59895a4-abf8-3696-96ef-a5fce1f7412d" resource="/policies" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="b7aa3a14-7211-389b-9642-36007222cdae" resource="/controller" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="1d2c6d76-87f6-3650-ab79-8c8eb359c66e" resource="/controller" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
    </policies>
</authorizations>

Here is my users.xml file (which was created automatically as well):

<tenants>
    <groups/>
    <users>
        <user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>
    </users>
</tenants>

Here is my nifi-user.log file -

2017-05-09 15:40:46,110 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Tue May 09 15:40:46 IST 2017

2017-05-09 15:41:46,300 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IkxkYXBQcm92aWRlciIsImF1ZCI6IkxkYXBQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwia2lkIjoxLCJleHAiOjE0OTQzNjU0OTksImlhdCI6MTQ5NDMyMjI5OX0.ZdIEUokAW4eH6rAuo3aQyjGmhbzkUU4sr6Xp0TyBkKg) GET https://localhost:9090/nifi-api/flow/current-user (source ip: 127.0.0.1)

2017-05-09 15:41:46,967 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin

2017-05-09 15:41:47,024 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper admin does not have permission to access the requested resource. Returning Forbidden response.

2017-05-09 15:41:57,247 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1hZG1pbixkYz1leGFtcGxlLGRjPWNvbSIsImlzcyI6IkxkYXBQcm92aWRlciIsImF1ZCI6IkxkYXBQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwia2lkIjozMywiZXhwIjoxNDk0MzY3OTE1LCJpYXQiOjE0OTQzMjQ3MTZ9.4GhlxE7JQYJ31hbITmD9Hu4cXo9nCfmsBdlMM3HKimY) GET https://localhost:9090/nifi-api/flow/current-user (source ip: 127.0.0.1)

2017-05-09 15:41:57,249 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=admin,dc=example,dc=com

2017-05-09 15:41:57,250 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=admin,dc=example,dc=com does not have permission to access the requested resource. Returning Forbidden response.

I am using LDAP local server from Apache Directory Studio. Here is how I have configured the user on LDAP - (These are the contents of the LDIF file)

dn: cn=admin,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: dmin
cn: admin
sn: admin
userPassword:: e1NTSEF9elczck83ZFVhZHpyRzF1UTlrRHVGRkJ6Tm5sQTNPbzdpbnpqQkE9P
 Q==


I am facing a problem with the Authorization.

1 ACCEPTED SOLUTION

Master Mentor

@Sunil Neurgaonkar

It looks like you manually created your users.xml file rather than letting NiFi create it for you. Or you originally had the initial admin identity configured as "cn=admin,dc=example, dc=org". Once the users.xml and authorizations.xml files are created the first time, changes to NiFi config files will not trigger any updates to these files.

NiFi is trying to authorize your user "cn=admin,dc=example,dc=com"; however, this user does not exist in your users.xml file, so you are seeing the following error:

2017-05-09 15:41:57,250 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=admin,dc=example,dc=com does not have permission to access the requested resource. Returning Forbidden response.

A close look at your users.xml file provided above shows your user as:

<user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>

There is a mismatch between your LDAP user DN and the DN of the user in the users.xml file:

dc=com vs dc=org.

You can simply manually correct this mismatch in the users.xml file and restart NiFi to fix your authorization issue.

Thanks,

Matt

Master Mentor

@Sunil Neurgaonkar

As a side note: no need to configure any of the TLS properties in your login-identity-providers.xml file. Since your authentication strategy is set to "SIMPLE", those properties are all ignored and only the Manager DN and password are being used to connect to your LDAP.
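An added example to go with that side note (it is not code from this thread or from NiFi): a small Python audit of a `login-identity-providers.xml` provider element. It reports whether LDAP bind passwords travel in clear text (a SIMPLE or ANONYMOUS strategy over an `ldap://` URL) and lists any populated "TLS - *" properties that are dead configuration because the strategy is not LDAPS or START_TLS. `POSTED_PROVIDER` is a constructed copy of the configuration posted above; `HARDENED_PROVIDER` is a constructed variant that switches the strategy to START_TLS, which is when those keystore/truststore properties are actually used. The function and constant names (`audit_ldap_provider`, `TLS_USING_STRATEGIES`) are mine, not NiFi's.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the provider element posted in the thread (same placeholder secrets).
POSTED_PROVIDER = """<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">cn=admin,dc=example,dc=com</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Keystore">D:/certs/admin.jks</property>
    <property name="TLS - Keystore Password">secret</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">D:/certs/truststore.jks</property>
    <property name="TLS - Truststore Password">password12345</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="Url">ldap://localhost:10389</property>
    <property name="User Search Base">dc=example,dc=com</property>
    <property name="User Search Filter">(cn=*)</property>
    <property name="Identity Strategy">USE_DN</property>
</provider>"""

# Constructed hardened variant: START_TLS upgrades the ldap:// session, so the
# TLS - Truststore / Keystore properties above become meaningful.
HARDENED_PROVIDER = POSTED_PROVIDER.replace(
    '<property name="Authentication Strategy">SIMPLE</property>',
    '<property name="Authentication Strategy">START_TLS</property>',
)

# NiFi only builds a TLS context for these two strategies (assumption modelled here).
TLS_USING_STRATEGIES = {"LDAPS", "START_TLS"}


def audit_ldap_provider(xml_text):
    """Parse one <provider> element and explain what its TLS settings really do."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    strategy = props.get("Authentication Strategy", "").upper()
    url = props.get("Url", "")
    tls_effective = strategy in TLS_USING_STRATEGIES
    # Any populated "TLS - *" property is ignored under SIMPLE/ANONYMOUS.
    ignored = sorted(name for name, value in props.items()
                     if name.startswith("TLS - ") and value and not tls_effective)
    cleartext_bind = (not tls_effective) and url.lower().startswith("ldap://")

    findings = []
    if cleartext_bind:
        findings.append("bind passwords (Manager Password and every user's login password) "
                        "are sent in clear text to %s" % url)
    if ignored:
        findings.append("TLS properties set but ignored under %s: %s" % (strategy, ", ".join(ignored)))
    if strategy == "START_TLS" and not url.lower().startswith("ldap://"):
        findings.append("START_TLS expects an ldap:// URL; the session is upgraded after connect")
    if strategy == "LDAPS" and not url.lower().startswith("ldaps://"):
        findings.append("LDAPS expects an ldaps:// URL")
    return {"strategy": strategy, "url": url, "tls_effective": tls_effective,
            "cleartext_bind": cleartext_bind, "ignored_tls_properties": ignored,
            "findings": findings}


if __name__ == "__main__":
    for label, xml in (("posted", POSTED_PROVIDER), ("hardened", HARDENED_PROVIDER)):
        print(label, audit_ldap_provider(xml))
```

Run against the posted provider the audit flags seven ignored "TLS - *" properties (the empty "TLS - Client Auth" is not counted) and a clear-text bind on port 10389; the START_TLS variant produces no findings, because the same truststore now protects the connection the Manager DN binds over.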


@Matt Clarke Okay. I have solved it. My new users.xml looks like this -

<tenants>
    <groups/>
    <users>
        <user identifier="18ebdbd8-c906-390c-964c-ccda45bcee14" identity="cn=admin,dc=example,dc=com"/>
        <user identifier="ed31ca3a-015b-1000-bb81-15fa225ef185" identity="cn=guest1,dc=example,dc=com"/>
    </users>
</tenants>

Now I am getting another error. I logged into NiFi with the Initial Admin Identity (which is admin) and I created a new user and added the same user to the LDAP server. But when I am trying to log in via the new user, it's showing an error.

Master Mentor

@Sunil Neurgaonkar

You should avoid hand editing the users.xml file. Let NiFi do that for you to avoid typos.

Can you share what that new error is you are seeing?

Thanks,

Matt

Master Mentor

What policies did you authorize the new user for?

A user will not be able to load the canvas if they don't at least have the "view the user interface" global access policy assigned to them.

Thanks,

Matt
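An added example (my own code, not from this thread or from NiFi) that reproduces offline the two failures discussed so far: the identity-string mismatch from the accepted answer (`dc=com` vs `dc=org`) and a user who exists in `users.xml` but holds no policy on `/flow`, the resource behind the "view the user interface" policy Matt mentions. It also applies the `nifi.security.identity.mapping.pattern.dn` / `value.dn` pair from the posted `nifi.properties` in the documented way, which shows that an LDAP DN shaped like `cn=...,dc=...` does not match that pattern and passes through unchanged. The XML strings are constructed from the files posted above; the corrected `users.xml` keeps the original identifier because policies reference users by identifier, not by identity. `map_identity` and `check_access` are my names; exact case-sensitive identity comparison and ignoring `<group>` grants are modelling assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the users.xml originally posted (identity ends in dc=org).
USERS_XML_POSTED = """<tenants>
    <groups/>
    <users>
        <user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>
    </users>
</tenants>"""

# Constructed corrected file: same identifier (the policies below reference it),
# identity fixed to dc=com, plus a second user that has been granted no policies yet.
USERS_XML_FIXED = """<tenants>
    <groups/>
    <users>
        <user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=com"/>
        <user identifier="ed31ca3a-015b-1000-bb81-15fa225ef185" identity="cn=guest1,dc=example,dc=com"/>
    </users>
</tenants>"""

# Constructed subset of the posted authorizations.xml.
AUTHORIZATIONS_XML = """<authorizations>
    <policies>
        <policy identifier="d6ac5ac9-ebba-39a4-9cf1-82512024f54e" resource="/flow" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="b7aa3a14-7211-389b-9642-36007222cdae" resource="/controller" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
    </policies>
</authorizations>"""

# The identity mapping pair from the posted nifi.properties.
DN_PATTERN = r"^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$"
DN_VALUE = "$1@$2"


def map_identity(identity, pattern=DN_PATTERN, value=DN_VALUE):
    """Model nifi.security.identity.mapping.*: if the pattern matches, substitute
    $1..$n from the capture groups; otherwise the identity is passed through unchanged."""
    m = re.match(pattern, identity)
    if m is None:
        return identity
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)


def check_access(users_xml, authorizations_xml, authenticated_identity,
                 resource="/flow", action="R"):
    """Explain why an authenticated identity is or is not allowed `action` on `resource`.
    Only direct <user> grants are considered; group membership is ignored (assumption)."""
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    identity = map_identity(authenticated_identity)
    # Exact, case-sensitive string comparison (assumption): dc=com vs dc=org is enough to fail.
    user_id = users.get(identity)
    if user_id is None:
        first_rdn = identity.split(",")[0].strip().lower()
        similar = [u for u in users if u.split(",")[0].strip().lower() == first_rdn]
        return {"status": "unknown_user", "identity": identity, "similar": similar}
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        if policy.get("resource") == resource and policy.get("action") == action:
            if any(u.get("identifier") == user_id for u in policy.iter("user")):
                return {"status": "ok", "identity": identity, "user_id": user_id}
    return {"status": "no_policy", "identity": identity, "user_id": user_id,
            "resource": resource, "action": action}


if __name__ == "__main__":
    print(check_access(USERS_XML_POSTED, AUTHORIZATIONS_XML, "cn=admin,dc=example,dc=com"))
    print(check_access(USERS_XML_FIXED, AUTHORIZATIONS_XML, "cn=admin,dc=example,dc=com"))
    print(check_access(USERS_XML_FIXED, AUTHORIZATIONS_XML, "cn=guest1,dc=example,dc=com"))
```

With the posted `users.xml` the admin DN is reported as `unknown_user` with `cn=admin,dc=example,dc=org` listed as the near miss; with the corrected file it is `ok` on `/flow`, while `guest1` comes back `no_policy` on `/flow`, which is the canvas-will-not-load case from the reply above. Run the check with `resource="/controller", action="W"` and even the admin is `no_policy`, because the constructed sample only grants read there.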


@Matt Clarke That issue is solved as well. 😄

Now it's running error free! But I still wanted to ask one thing about the policies.

Is there a way we can give users limited access to the processors and process groups?

For example, there are 2 users

1) TEST1

2) TEST2

TEST1 should be able to view/modify only the Processor, Template and Label options from the top menu.

TEST2 should be able to view/modify only the Process Group, Remote Process Group, Template and Label options from the top menu.

Is there a way I can achieve it?

Master Mentor

@Sunil Neurgaonkar

There are Global access policies and Component level access policies.

The component level access policies are set against components (processors, input ports, output ports, Remote Process groups, etc...). There are no access policies for the icons in the tool bar used to create dataflows.

Component level access policies can be assigned to process groups and sub process groups, or they can be assigned to specific components (processors, labels, input ports, output ports, Remote Process groups, etc...)

If I am understanding you correctly, you want to control which dataflow building tools specific users have access to, correct? If so, that level of control does not exist.

The assumption is that the admin user assigns different users the ability to view/modify only those users' assigned process groups. Once they have modify on a process group, they will be able to use all the icons in the dataflow building tool bar to construct their dataflow. The only exception to that is components marked as restricted (this includes some processors and controller services), which would require the user to have been granted the global access policy to "access restricted components".

Such granular control would be challenging to implement without significant changes to NiFi.

Take the following template example: templates can contain process groups, sub-process groups, and controller services. What would the expected behavior be if a user tried to instantiate such a template on to the canvas? Fail altogether because it contains components user (TEST1) is not authorized to create?

Once a dataflow is created you can set component level access policies very granularly against specific components rather than against the process group they reside in. While this granular access control would limit a user to being able to view/modify the specific component, the user would not be able to add new components to the process group.

Thanks,

Matt

Master Mentor

@Sunil Neurgaonkar

As I explained, there are two levels of policies: global access policies (controlling global feature access such as controller settings, provenance queries, user management, etc.) and component level access policies (controlling the level of user access to components added to the canvas).

[screenshot: 15357-screen-shot-2017-05-12-at-81758-am.png]

Global policies include the following:

[screenshot: 15358-screen-shot-2017-05-12-at-83036-am.png]

Component level access policies include:

[screenshot: 15359-screen-shot-2017-05-12-at-83204-am.png]

By default components inherit the policies of the parent process group they are created in.

Thanks,

Matt

If you found this answer helpful to your original question, please accept the answer.


@Matt Clarke Okay. I understand. We are ready to make those significant changes. But can you guide us a little so that we are able to find a path and then follow it?

Also, do you have any inputs on this? https://community.hortonworks.com/questions/102567/multiple-nifi-flows-in-one-nifi.html