
No available buckets after secure Nifi connected to secure Nifi registry

Explorer

[Attached screenshot: Capture d’écran du 2024-11-13 08-24-23.png]

Hello,

I have deployed Apache NiFi and NiFi Registry on a Kubernetes cluster, but I am unable to retrieve the buckets in the NiFi interface. However, when I set the buckets to "public", I can see them in the "Network" tab of the browser’s developer tools.

I have been troubleshooting this issue for over a month without success. If anyone has encountered a similar situation or has any suggestions on what might be causing this, I would greatly appreciate any help or advice.

Thank you in advance for your assistance!

@MattWho 


Explorer

Is there anyone who can help me, please?

Master Mentor

@Armel316 

You used the wrong composite provider, "composite-user-group-provider".
Since one of your providers is the "file-user-group-provider" (a configurable provider, meaning one you can add users and groups to via the UI), you need to use the "composite-configurable-user-group-provider".

I see in the Apache NiFi-Registry documentation that the example is wrong.  
https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#composite-implementat...


    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>


What do you see in the nifi-registry-app.log when you try to start version control?

What is the output from:
openssl s_client -connect <nifi-registry hostname>:<port> -v
openssl s_client -connect <nifi node hostname>:<port> -v

The above can be checked to verify that proper trust exists between NiFi and NiFi-Registry.

What is the exact case sensitive user identity displayed in the upper right corner of your NiFi UI for the user authenticated to NiFi that is attempting to start version control?

Does the same user identity (case sensitive) exist in your NiFi-Registry, and has it been assigned read, write, and delete on the bucket?

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt


Explorer

Hello,

I've used the composite configurable provider, and I don't remember what change I've made in the NiFi Registry, but now I'm getting this error:

"2024-11-22 10:59:12,704 ERROR [NiFi Registry Web Server-20] o.s.b.w.servlet.support.ErrorPageFilter Forwarding to error page from request [/access] due to exception [Multiple UserGroupProviders claim to provide user xxx]
java.lang.IllegalStateException: Multiple UserGroupProviders claim to provide user xxx"

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">ldap_manager_dn</property>
        <property name="Manager Password">ldap_manager_password</property>

        <property name="TLS - Keystore">/opt/certs/registry/keystore.jks</property>
        <property name="TLS - Keystore Password">supersecretkeystore</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/certs/registry/truststore.jks</property>
        <property name="TLS - Truststore Password">supersecrettruststore</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap_url</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">ldap_user_search_base</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">ldap_user_search_filter_authorizers</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberof</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Identity Strategy">USE_USERNAME</property>

        <property name="Group Search Base">ldap_group_search_base</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(objectClass=group)</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">sAMAccountName</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">initial_admin_identity</property>
        <property name="NiFi Group Name"></property>
        <property name="Node Identity 1">CN=nifi0, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi2, OU=NIFI</property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Master Mentor

@Armel316 

Since you only have two user group providers (ldap and file), that means that both are returning user "xxx". If the ldap-user-group-provider is returning user "xxx", you don't want to define that same user through the file-user-group-provider. What this means is that the users.xml file that the file-user-group-provider loads users from on startup contains user "xxx".

The file-user-group-provider will ONLY generate a users.xml file if one does not already exist. If one already exists, the file-user-group-provider will NOT make any modifications to the existing users.xml when you modify the provider configuration. Once a users.xml file exists, the expectation is that all future user/group modifications happen via the UI.

NOTE: The users.xml does not contain any users or groups loaded by other providers into NiFi memory.

So you have two options here:

  1. Rename the current users.xml file so a new one is created on startup with only the 3 defined node identities. (This is the preferred method.)
  2. Manually modify the users.xml to remove all users that are being synced by the ldap-user-group-provider.


Thank you,
Matt
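The two problems Matt describes above (a plain composite provider wrapping the configurable file provider, and an identity that both the file provider's users.xml and the LDAP sync return) can be caught before restarting the Registry. The checker below is an added example, not code from the thread or from the NiFi project; the authorizers.xml and users.xml snippets and the LDAP identity set are constructed stand-ins for what the Registry would load.

```python
import xml.etree.ElementTree as ET

FILE_UGP = "org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider"
COMPOSITE_UGP = "org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider"

def load_user_group_providers(authorizers_xml: str) -> dict:
    """Map each userGroupProvider identifier to (class, {property name: value})."""
    providers = {}
    for ugp in ET.fromstring(authorizers_xml).findall("userGroupProvider"):
        props = {p.get("name"): (p.text or "").strip() for p in ugp.findall("property")}
        providers[ugp.findtext("identifier").strip()] = (ugp.findtext("class").strip(), props)
    return providers

def check_composite_provider(providers: dict) -> list:
    """Flag a plain CompositeUserGroupProvider that wraps the configurable file provider."""
    findings = []
    for ident, (cls, props) in providers.items():
        if cls != COMPOSITE_UGP:
            continue
        for name, target in props.items():
            if name.startswith("User Group Provider") and providers.get(target, ("", {}))[0] == FILE_UGP:
                findings.append(f"{ident}: wraps configurable provider '{target}'; "
                                "use CompositeConfigurableUserGroupProvider")
    return findings

def check_duplicate_identities(users_xml: str, ldap_identities: set) -> list:
    """Identities in users.xml that LDAP also returns (exact, case-sensitive match) would trigger
    'Multiple UserGroupProviders claim to provide user'."""
    file_identities = {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}
    return sorted(file_identities & ldap_identities)

# Constructed sample inputs, not the thread author's files.
AUTHORIZERS = """<authorizers>
<userGroupProvider><identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property></userGroupProvider>
<userGroupProvider><identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class></userGroupProvider>
<userGroupProvider><identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
<property name="User Group Provider 1">file-user-group-provider</property>
<property name="User Group Provider 2">ldap-user-group-provider</property></userGroupProvider>
</authorizers>"""
USERS = """<tenants><groups/><users><user identifier="u1" identity="CN=nifi0, OU=NIFI"/>
<user identifier="u2" identity="xxx"/></users></tenants>"""
LDAP_IDENTITIES = {"xxx", "alice"}  # constructed stand-in for what the LDAP sync returns

if __name__ == "__main__":
    print(check_composite_provider(load_user_group_providers(AUTHORIZERS)))
    print(check_duplicate_identities(USERS, LDAP_IDENTITIES))
```

Point it at the real conf/authorizers.xml and conf/users.xml and feed it the identities your LDAP search filter actually returns; an empty result from both checks is what you want before removing or regenerating users.xml.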