Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Setting User Login for my Apache NiFi

avatar
Explorer

I'm just installing Apache Nifi on linux server with version 1.25 .

this is my nifi.properties :

#nifi.security=none
#nifi.security.autoreload.enabled=false
#nifi.security.autoreload.interval=10 secs
#nifi.security.keystore=
#nifi.security.keystoreType=PKCS12
#nifi.security.keystorePasswd=
#nifi.security.keyPasswd=
#nifi.security.truststore=
#nifi.security.truststoreType=PKCS12
#nifi.security.truststorePasswd=
#nifi.security.user.authorizer=
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=file-login-provider
#nifi.security.user.jws.key.rotation.period=PT1H
#nifi.security.ocsp.responder.url=
#nifi.security.ocsp.responder.certificate=

this is my users.xml :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <users>
        <!-- Add more users as needed -->
        <user identifier="ronald">
            <identity>ronald</identity>
            <!-- Replace CREDENTIAL_VALUE with the hashed password -->
            <credential>wyojiYY_R6FGaU-XZKg5K9Mai1NlZXizt_-KGyWsHBs=</credential>
        </user>
    </users>

    <groups>
        <!-- Define groups if needed -->
    </groups>

    <policies>
        <!-- Define access policies if needed -->
    </policies>
</tenants>

and this is my authorizers.xml :

    ...
    <policies>
        <!-- Define access policies -->
        <policy identifier="ronald_policy">
            <resource>/flow</resource>
            <action>read</action>
            <action>write</action>
            <action>delete</action>
            <user>ronald</user>
        </policy>
    </policies>
</authorizers>

I still got an error when starting the app :

Caused by: java.lang.Exception: The specified login identity provider 'file-login-provider' could not be found.
        at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.getObject(LoginIdentityProviderFactoryBean.java:131)
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169)
        ... 72 common frames omitted
2024-02-20 13:18:04,241 INFO [Thread-0] org.apache.nifi.NiFi Application Server shutdown started
1 ACCEPTED SOLUTION

avatar
Super Mentor

@MvZ 

The "file-login-provider" login identity-provider has never existed in any out-of-the-box release of Apache NiFi.

If you have created or downloaded some custom implementation of this provider. You would need to consult with that author in getting it to work.
Where did you obtain this provider from and what process did you follow to add it to your NiFi installation?

The exception you have shared simply tells you that during startup NiFi is loading the nifi.properties file and the property "nifi.security.user.login.identity.provider" is configured with "file-login-provider"; however, when NiFi parsed the login-identity-providers.xml configuration file, no provider with:

<identifier>file-login-provider</identifier>

was found in that configuration file.

I can't provide any guidance on this provider as I was unable to find anything online about what I am expecting is a custom add-on provider.

The out-of-the-box available authentication providers are found in the NiFi documentation here:
Apache NiFi 1.2x versions: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
Apache NiFi 2.x versions: https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#user_authenticati...

NiFi Authentication and Authorization are two different configurations and independent configurations.
Once you have chosen how you want to handle user authentication, you then move on to setting up user authorization:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization.

For file based authorization, NiFi offers two providers:
1. Older deprecated FileAuthorizer
2. The current StandardManagedAuthorizer

These providers are configured in the NiFi authorizers.xml file.  No direct useer policies get defined in the authorizers.xml file.  The FileAuthorizer or the FileAccessPolicyProvider referenced by the StandardManagedAuthorizer will generate the initial authorizations.xml file with the initial admin user configured in the provider chosen.  You would not typically manually generate or manipulate this file. Instead you would acces your NiFi's UI using that initial admin and define additional user authorizations directly via the NiFi UI.

Here is an example of what you would have in your authorizers.xml if using the StandardManagedAuthorizer:

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">ronald</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">ronald</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

 

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

3 REPLIES 3

avatar
Community Manager

@MvZ, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts @MattWho @SAMSAL @cotopaul @TimothySpann who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Master Guru

file-login-provider is no longer a thing, maybe do single user

 

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication

 

https://community.cloudera.com/t5/Support-Questions/Apache-NiFi-user-authentication-creation-of-mult...

nifi.security.user.login.identity.provider=single-user-provider

avatar
Super Mentor

@MvZ 

The "file-login-provider" login identity-provider has never existed in any out-of-the-box release of Apache NiFi.

If you have created or downloaded some custom implementation of this provider. You would need to consult with that author in getting it to work.
Where did you obtain this provider from and what process did you follow to add it to your NiFi installation?

The exception you have shared simply tells you that during startup NiFi is loading the nifi.properties file and the property "nifi.security.user.login.identity.provider" is configured with "file-login-provider"; however, when NiFi parsed the login-identity-providers.xml configuration file, no provider with:

<identifier>file-login-provider</identifier>

was found in that configuration file.

I can't provide any guidance on this provider as I was unable to find anything online about what I am expecting is a custom add-on provider.

The out-of-the-box available authentication providers are found in the NiFi documentation here:
Apache NiFi 1.2x versions: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
Apache NiFi 2.x versions: https://nifi.apache.org/documentation/nifi-2.0.0-M1/html/administration-guide.html#user_authenticati...

NiFi Authentication and Authorization are two different configurations and independent configurations.
Once you have chosen how you want to handle user authentication, you then move on to setting up user authorization:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization.

For file based authorization, NiFi offers two providers:
1. Older deprecated FileAuthorizer
2. The current StandardManagedAuthorizer

These providers are configured in the NiFi authorizers.xml file.  No direct useer policies get defined in the authorizers.xml file.  The FileAuthorizer or the FileAccessPolicyProvider referenced by the StandardManagedAuthorizer will generate the initial authorizations.xml file with the initial admin user configured in the provider chosen.  You would not typically manually generate or manipulate this file. Instead you would acces your NiFi's UI using that initial admin and define additional user authorizations directly via the NiFi UI.

Here is an example of what you would have in your authorizers.xml if using the StandardManagedAuthorizer:

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">ronald</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">ronald</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

 

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt