Created 03-13-2017 06:09 PM
getting this exception on UI:
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
As I have configured nifi.properties.
initial-user.identity.
ldap settings even then not able to login.
Created 03-14-2017 02:46 PM
Any time you see the following:
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
You are having an authorization issue and not an authentication issue.
If you tail your nifi-app.log while you try to login again, you will see two lines output. One will state successful authentication.
2017-03-14 14:36:43,402 INFO [NiFi Web Server-5418] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<cn=Matt,ou=People,dc=sme,dc=nifi><CN=nifi-11.openstacklocal, OU=SME, O=NIFI, L=Baltimore, ST=MD, C=US><CN=nifi-13.openstacklocal, OU=SME, O=HWX, L=Baltimore, ST=MD, C=US>) GET https://nifi-11.openstacklocal:9091/nifi-api/flow/config (source ip: x.x.x.x)
2017-03-14 14:36:43,402 INFO [NiFi Web Server-5418] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Matt,ou=People,dc=sme,dc=nifi
Then you will see a line that contains the above response.
You need to make sure that the DN shown in this log matches exactly with what you had configured for your "Initial Admin Identity". Your entry in LDAP may have uppercase CN, OU, ..., but in your nifi user log you may see lower case cn=, ou, ...
It must match what is in the user.log.
You can also take a look in the users.xml file that NiFi generates to make sure your user exists. It will have a UUID assigned to your user.
Take that UUID and check which resources that UUID has been granted access to in the authorizations.xml file.
For an ADMIN user, you will need at a minimum:
/flow /controller /policies /tenants
Thanks,
Matt
Created on 03-13-2017 06:32 PM - edited 08-18-2019 05:29 AM
Accessing the NiFi UI requires two things to be successful:
1. User Authentication: You appear to be using LDAP to handle this part.
2. User Authorization: By default NiFi uses its internal file based authorizer (Configured in authorizers.xml)
If an authenticated user lacks sufficient authorization to access a NiFi resource, you will see the "Unable to perform the desired action due to insufficient permissions. Contact the system administrator." response from NiFi.
In order for an authenticated user to see the NiFi UI, they must at a minimum be granted the "view the user interface" access policy. Whichever user was configured as your "Initial admin Identity" will need to access the UI and add additional users and access policies for those users.
Also keep in mind that NiFi generates the users.xml and authorizations.xml files only once the first time your NiFi is started securely. If you update who your initial admin identity is later, it will not get updated if these files already exist. If this is the first time setting up a new system, simply delete the users.xml and authorizations.xml files and restart NiFi. They will then be created again based on the current configurations in the authorizers.xml.
Before updating your initial admin identity in the authorizers.xml file, I suggest looking in your nifi-user.log to verify the exact string being passed to the authorizer. It must match exactly since it is case sensitive and spaces also count as valid characters. (for example: CN= is not the same as cn=) The string you see output in the nifi-user.log is what will be passed to the authorizer.
Thanks,
Matt
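The check described in the two answers above (exact, case- and space-sensitive identity match, then the UUID's policies on /flow, /controller, /policies and /tenants), as an added example that is not part of the original posts and not NiFi's own code. The log line, UUID and file contents are constructed samples, and the users.xml layout (tenants/users/user with identifier and identity attributes) is an assumption about the file-based authorizer's format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real system).
LOG_LINE = ("2017-03-14 14:36:43,402 INFO [NiFi Web Server-5418] "
            "o.a.n.w.s.NiFiAuthenticationFilter Authentication success for "
            "cn=Matt,ou=People,dc=sme,dc=nifi")
UUID = "00000000-0000-0000-0000-000000000001"  # constructed
USERS_XML = f"""<tenants><groups/><users>
  <user identifier="{UUID}" identity="CN=Matt, OU=People, DC=sme, DC=nifi"/>
</users></tenants>"""
AUTHZ_XML = f"""<authorizations><policies>
  <policy identifier="p1" resource="/flow" action="R"><user identifier="{UUID}"/></policy>
  <policy identifier="p2" resource="/tenants" action="R"><user identifier="{UUID}"/></policy>
</policies></authorizations>"""
ADMIN_RESOURCES = ("/flow", "/controller", "/policies", "/tenants")

def identity_from_log(line):
    """Return the identity string exactly as logged, or None."""
    m = re.search(r"Authentication success for (.+)", line.rstrip("\r\n"))
    return m.group(1) if m else None

def loose(dn):
    """Case- and whitespace-insensitive form, used only to spot near misses."""
    return re.sub(r"\s+", "", dn).lower()

def diagnose(log_line, users_xml, authz_xml):
    identity = identity_from_log(log_line)
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user") if u.get("identity")}
    report = {"identity": identity, "uuid": users.get(identity),
              "near_matches": [], "missing": list(ADMIN_RESOURCES)}
    if identity is None:
        return report
    if report["uuid"] is None:
        # No exact match: list entries that differ only by case or spaces.
        report["near_matches"] = [i for i in users if loose(i) == loose(identity)]
        return report
    granted = {p.get("resource")
               for p in ET.fromstring(authz_xml).iter("policy")
               if any(u.get("identifier") == report["uuid"] for u in p.iter("user"))}
    report["missing"] = [r for r in ADMIN_RESOURCES if r not in granted]
    return report

if __name__ == "__main__":
    print(diagnose(LOG_LINE, USERS_XML, AUTHZ_XML))
```

A non-empty near_matches list means the user exists in users.xml only under a differently cased or spaced DN, which the authorizer treats as a different identity.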
Created 03-14-2017 11:23 AM
Hi Matt C,
Now getting login prompt but not able to login and it gives me a message mentioned below
Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
Thanks
Matt N
Created 03-14-2017 12:21 PM
Hi Matt,
Just want to update you on the below issue as we are getting exception in the logs that
Unknown user with identity 'employeenumber= ....
So it seems like it is not picking the user provided in the authorised.xml, as we are following the suggested way by deleting the user.xml and authorizations.xml before starting nifi.
I would appreciate any further advice.
Thanks
Matt
Created 03-14-2017 10:18 AM
Thanks for the reply Matt.
But the issue is we have different CN, OU parameters for LDAP, and the certificate we are using has different CN and OU etc. entries.
So I have installed the certificate in the browser and got the parameters of my certificate in my user.logs, but I have tried working with those parameters as suggested by you and am still getting the same exception on the UI.
Unable to perform the desired action due to insufficient permissions. Contact the system administrator
Not sure where i am wrong now.
Please suggest.
Thanks
Matt
Created 03-14-2017 11:08 AM
Hi Matt C,
Now getting login prompt but not able to login and it gives me a message mentioned below
Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
Thanks
Matt N
Created 09-15-2021 03:11 PM
Hello Matt- really appreciate how active you are in this community, I see your helpful answers everywhere.
I'm getting the same error as the OP, I was wondering if you could help.
When I cat users.xml my user is there (CN,DC are capitalized in the cert itself and in the log, but lowercase in the file)
When I check authorizations.xml, my user id is given access to everything I need I believe:
<policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
    <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
        <user identifier="b54195a2-7067-3bf3-a33b-f09e6c3caafe"/>
    </policy>
</policies>
So I don't know what else may be causing this. Let me know if you see anything.
Created 09-15-2021 11:15 PM
@Ronman as this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.
Regards,
Vidya Sargur,