I'm trying to set up a NiFi cluster with external certificates (using tinycerts.org). After setting up SSL and LDAP authentication and adding my nodes' SSL CNs to authorizations.xml via Ambari, I get the following message when trying to access the NiFi console:
When I remove users.xml and authorizations.xml, NiFi is not able to create them from authorizers.xml and creates empty ones; after that the NiFi instances are unable to start and show this error:
```
2017-09-13 17:26:47,480 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setX509AuthenticationProvider(org.apache.nifi.web.security.x509.X509AuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Cannot provide an Initial Admin Identity and a Legacy Authorized Users File
2017-09-13 17:26:47,491 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...
```
SSL works fine with the certificates. My authorizers.xml is the following:
```xml
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!--
  This file lists the authority providers to use when running securely. In order
  to use a specific provider it must be configured here and its identifier
  must be specified in the nifi.properties file.

  The FileAuthorizer is NiFi's provided authorizer and has the following properties:

  - Authorizations File - The file where the FileAuthorizer will store policies.

  - Users File - The file where the FileAuthorizer will store users and groups.

  - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
    given the ability to create additional users, groups, and policies. The value of this property could be
    a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
    are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
    Users File can not be specified.

    NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
    so the value should be the unmapped identity.

  - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
    converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
    not be specified, and this property will only be used when there are no other users, groups, and policies defined.

  - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
    should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
    The name of each property must be unique, for example for a three node cluster:
    "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"

    NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
    so the values should be the unmapped identities (i.e. full DN from a certificate).
-->
<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
<property name="Users File">/var/lib/nifi/conf/users.xml</property>
<property name="Initial Admin Identity">cn=testuser,ou=Users,dc=nifi,dc=int</property>
<property name="Legacy Authorized Users File">/root/authorized-users.xml</property>
<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="Node Identity 1">CN=node01.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>
<property name="Node Identity 2">CN=node03.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>
<property name="Node Identity 3">CN=node04.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>
```
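The error quoted above is the FileAuthorizer refusing a config that sets both Initial Admin Identity and Legacy Authorized Users File, which the file's own comments say are mutually exclusive. The following added check (not NiFi's or the poster's code) parses an authorizers.xml and flags that combination before a restart; the sample document is constructed, and the `<authorizers>`/`<authorizer>` wrapper, identifier `file-provider` and class name are assumed to match the stock NiFi 1.x layout.

```python
"""Pre-flight check for the FileAuthorizer settings in a NiFi authorizers.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration in the question (DNs are placeholders).
SAMPLE_AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Users File">/var/lib/nifi/conf/users.xml</property>
    <property name="Initial Admin Identity">cn=admin,ou=Users,dc=example,dc=int</property>
    <property name="Legacy Authorized Users File">/root/authorized-users.xml</property>
    <property name="Node Identity 1">CN=node01.example.int, OU=Lab, O=Example, C=ES</property>
    <property name="Node Identity 2">CN=node02.example.int, OU=Lab, O=Example, C=ES</property>
  </authorizer>
</authorizers>
"""


def file_authorizer_properties(xml_text):
    """Return {name: value} for every <property> of the FileAuthorizer element."""
    root = ET.fromstring(xml_text)
    for authorizer in root.iter("authorizer"):
        if authorizer.findtext("class", default="").endswith("FileAuthorizer"):
            return {p.get("name"): (p.text or "").strip()
                    for p in authorizer.findall("property")}
    return {}


def check_file_authorizer(props):
    """Return a list of problems; an empty list means the FileAuthorizer can initialise."""
    problems = []
    # The two bootstrap sources are mutually exclusive (AuthorizerCreationException otherwise).
    if props.get("Initial Admin Identity") and props.get("Legacy Authorized Users File"):
        problems.append("Initial Admin Identity and Legacy Authorized Users File are both set; keep only one")
    # Node identities must be present and distinct so each node recognises the others.
    nodes = {k: v for k, v in props.items() if k.startswith("Node Identity")}
    for key, dn in nodes.items():
        if not dn:
            problems.append(f"{key} is empty")
    if len(set(nodes.values())) != len(nodes):
        problems.append("duplicate Node Identity values")
    return problems


if __name__ == "__main__":
    for line in check_file_authorizer(file_authorizer_properties(SAMPLE_AUTHORIZERS_XML)):
        print("PROBLEM:", line)
```

Clearing either of the two conflicting properties in the sample makes the check return no problems, which is the state the FileAuthorizer needs to generate fresh users.xml and authorizations.xml.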