Created 05-09-2017 10:34 AM
I have installed and built the latest version of Nifi from - https://www.apache.org/dyn/closer.lua?path=/nifi/1.1.2/nifi-1.1.2-source-release.zip
Here is my nifi.properties file - ( I am only including the lines of code which I have changed)
# web properties #
nifi.web.https.port=9090

# security properties #
nifi.security.keystore=D:/certs/admin.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=secret
nifi.security.keyPasswd=secret
nifi.security.truststore=D:/certs/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=password12345
nifi.security.needClientAuth=
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=ldap-provider

# Identity Mapping Properties #
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
Here is my login-identity-providers.xml file -
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">cn=admin,dc=example,dc=com</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Keystore">D:/certs/admin.jks</property>
    <property name="TLS - Keystore Password">secret</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">D:/certs/truststore.jks</property>
    <property name="TLS - Truststore Password">password12345</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://localhost:10389</property>
    <property name="User Search Base">dc=example,dc=com</property>
    <property name="User Search Filter">(cn=*)</property>
    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
Here is my authorizers.xml file -
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">cn=admin,dc=example,dc=com</property>
    <property name="Legacy Authorized Users File"></property>
    <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
    <property name="Node Identity 1"></property>
    <property name="Node Identity 2"></property>
    -->
</authorizer>
Here is my authorizations.xml file - ( which I think got created automatically )
<authorizations>
    <policies>
        <policy identifier="d6ac5ac9-ebba-39a4-9cf1-82512024f54e" resource="/flow" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="0491115d-1370-3150-bda1-b508f76cf46e" resource="/data/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="9d0e4654-f454-32de-beeb-87fe18b9b620" resource="/data/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="95c78216-6f30-3047-aa66-b257aab05585" resource="/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="c53bfe10-cfb0-38ac-a872-78804dfb9b37" resource="/process-groups/235cdab7-015b-1000-230b-5ddc1ccd163a" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="2af89f82-dba7-32d3-8152-19b5cacb8990" resource="/restricted-components" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="9e3268eb-e878-3b65-a876-c5d04553dd57" resource="/tenants" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="76dbbe39-170c-3093-a722-2990fb518d7c" resource="/tenants" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="8718dde6-5b40-3caa-a890-63c870df2a9e" resource="/policies" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="c59895a4-abf8-3696-96ef-a5fce1f7412d" resource="/policies" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="b7aa3a14-7211-389b-9642-36007222cdae" resource="/controller" action="R">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
        <policy identifier="1d2c6d76-87f6-3650-ab79-8c8eb359c66e" resource="/controller" action="W">
            <user identifier="99412284-acd9-3945-931b-362691f189ff"/>
        </policy>
    </policies>
</authorizations>
Here is my users.xml file - ( which was created automatically as well )
<tenants>
    <groups/>
    <users>
        <user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>
    </users>
</tenants>
Here is my nifi-user.log file -
2017-05-09 15:40:46,110 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Tue May 09 15:40:46 IST 2017
2017-05-09 15:41:46,300 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IkxkYXBQcm92aWRlciIsImF1ZCI6IkxkYXBQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwia2lkIjoxLCJleHAiOjE0OTQzNjU0OTksImlhdCI6MTQ5NDMyMjI5OX0.ZdIEUokAW4eH6rAuo3aQyjGmhbzkUU4sr6Xp0TyBkKg) GET https://localhost:9090/nifi-api/flow/current-user (source ip: 127.0.0.1)
2017-05-09 15:41:46,967 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin
2017-05-09 15:41:47,024 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper admin does not have permission to access the requested resource. Returning Forbidden response.
2017-05-09 15:41:57,247 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1hZG1pbixkYz1leGFtcGxlLGRjPWNvbSIsImlzcyI6IkxkYXBQcm92aWRlciIsImF1ZCI6IkxkYXBQcm92aWRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwia2lkIjozMywiZXhwIjoxNDk0MzY3OTE1LCJpYXQiOjE0OTQzMjQ3MTZ9.4GhlxE7JQYJ31hbITmD9Hu4cXo9nCfmsBdlMM3HKimY) GET https://localhost:9090/nifi-api/flow/current-user (source ip: 127.0.0.1)
2017-05-09 15:41:57,249 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=admin,dc=example,dc=com
2017-05-09 15:41:57,250 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=admin,dc=example,dc=com does not have permission to access the requested resource. Returning Forbidden response.
I am using LDAP local server from Apache Directory Studio. Here is how I have configured the user on LDAP - (These are the contents of the LDIF file)
dn: cn=admin,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: dmin
cn: admin
sn: admin
userPassword:: e1NTSEF9elczck83ZFVhZHpyRzF1UTlrRHVGRkJ6Tm5sQTNPbzdpbnpqQkE9PQ==
I am facing a problem with the Authorization.
Created 05-09-2017 12:17 PM
It looks like you manually created your users.xml file rather than letting NiFi create it for you, or you originally had the initial admin identity configured as "cn=admin,dc=example, dc=org". Once the users.xml and authorizations.xml files are created the first time, changes to NiFi config files will not trigger any updates to these files.
NiFi is trying to authorize your user "cn=admin,dc=example,dc=com"; however, this user does not exist in your users.xml file, so you are seeing the following error:
2017-05-09 15:41:57,250 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=admin,dc=example,dc=com does not have permission to access the requested resource. Returning Forbidden response.
A close look at your users.xml file provided above shows your user as:
<user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>
There is a mismatch between your LDAP user DN and the DN of the user in the users.xml file: dc=com vs dc=org.
You can simply manually correct this mismatch in the users.xml file and restart NiFi to fix your authorization issue.
Thanks,
Matt
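To make the diagnosis above repeatable, here is an added example (not part of the original thread and not NiFi's own code) that reproduces what the thread describes: it applies the nifi.properties identity-mapping pattern to the DN the LDAP provider returns under USE_DN, then checks whether the resulting identity string is present in users.xml and reports the differing RDN when it is not. The property parsing, the `$1`-style substitution and the RDN comparison are my own reconstruction of the documented behaviour, and the sample files are constructed from the values posted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs taken from the thread: the identity-mapping lines from
# nifi.properties and the users.xml NiFi generated on first start.
NIFI_PROPERTIES = """\
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
"""

USERS_XML = """\
<tenants>
  <groups/>
  <users>
    <user identifier="99412284-acd9-3945-931b-362691f189ff" identity="cn=admin,dc=example,dc=org"/>
  </users>
</tenants>
"""

# The DN the LDAP provider hands to the authorizer (Identity Strategy = USE_DN).
LDAP_DN = "cn=admin,dc=example,dc=com"

MAPPING_PREFIX = "nifi.security.identity.mapping."


def load_identity_mappings(properties_text):
    """Pair up pattern.<key> / value.<key> entries from nifi.properties."""
    patterns, values = {}, {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip()
        if key.startswith(MAPPING_PREFIX + "pattern."):
            patterns[key[len(MAPPING_PREFIX + "pattern."):]] = val.strip()
        elif key.startswith(MAPPING_PREFIX + "value."):
            values[key[len(MAPPING_PREFIX + "value."):]] = val.strip()
    return [(patterns[k], values[k]) for k in sorted(patterns) if k in values]


def map_identity(raw_identity, mappings):
    """Apply the first pattern that matches the whole identity and expand $1..$n.

    If no pattern matches, the raw identity is used unchanged. That is the case in
    the thread: the pattern expects 'CN=..., OU=..., ...' and the short lowercase
    DN falls through, so the authorizer sees the DN itself.
    """
    for pattern, template in mappings:
        m = re.fullmatch(pattern, raw_identity)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)
    return raw_identity


def known_identities(users_xml_text):
    """Identity strings present in users.xml (exact strings, as NiFi compares them)."""
    root = ET.fromstring(users_xml_text)
    return {u.get("identity") for u in root.iter("user")}


def _rdns(dn):
    return [part.strip().lower() for part in dn.split(",")]


def diagnose(raw_identity, properties_text, users_xml_text):
    """Return (mapped_identity, problem) where problem is None when the user exists."""
    mapped = map_identity(raw_identity, load_identity_mappings(properties_text))
    known = known_identities(users_xml_text)
    if mapped in known:
        return mapped, None
    for k in known:
        if _rdns(k) == _rdns(mapped):
            return mapped, f"case/whitespace mismatch with users.xml entry {k!r}"
    for k in known:
        a, b = _rdns(mapped), _rdns(k)
        diff = [(x, y) for x, y in zip(a, b) if x != y]
        if len(a) == len(b) and len(diff) == 1:
            return mapped, f"RDN mismatch with users.xml entry {k!r}: {diff[0][0]} vs {diff[0][1]}"
    return mapped, "identity not present in users.xml"


if __name__ == "__main__":
    identity, problem = diagnose(LDAP_DN, NIFI_PROPERTIES, USERS_XML)
    print(identity, "->", problem or "OK")
```

Running it against the thread's files reports the dc=com vs dc=org mismatch; after editing users.xml to dc=com (or deleting users.xml and authorizations.xml so NiFi regenerates them from the Initial Admin Identity) the same check returns no problem. The `map_identity` function also shows why the posted mapping pattern has no effect here: it only rewrites full "CN=..., OU=..., O=..., L=..., ST=..., C=..." subjects, such as a client-certificate DN, into "user@ou".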
Created 05-24-2017 12:20 PM
Were the details I provided able to assist you in getting your authorization set up for your users?
Can you please mark the answer accepted if it addressed your original question.
Thanks,
Matt