
Unable to access Nifi Registry UI


Hello.

I get the error message saying:

 

nifi-registry 2024-10-02 08:08:58,582 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-10-02 08:08:58,581 INFO [NiFi Registry Web Server-37] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[cef567], groups[] does not have permission to access the requested resource. Unable to view users/user groups. Returning Forbidden response.
nifi-registry 2024-10-02 08:08:58,651 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-10-02 08:08:58,650 INFO [NiFi Registry Web Server-52] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[cef567], groups[] does not have permission to access the requested resource. Unable to view users/user groups. Returning Forbidden response.
nifi-registry 2024-10-02 08:09:01,545 INFO [NiFi logging handler] org.apache.nifi.registry.

 

after I set up the LDAP functionality for my NiFi Registry.

Below are the details of my current setup:

authorizers.xml:

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!--
    This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
    to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
    If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
    This file allows for configuration of them, but they must be configured in order:

    ...
    all userGroupProviders
    all accessPolicyProviders
    all Authorizers
    ...
-->
<authorizers>
  <!--
        The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
        on the local file system.

        - Users File - The file where the FileUserGroupProvider will store users and groups.

        - Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
            each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
            "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"

            NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate).
    -->
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Initial User Identity admin">cn=CEF567,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
  </userGroupProvider>
  <!--
        The DatabaseUserGroupProvider will provide support for managing users and groups in a relational database. The framework
        will provide a database connection to this provider using the same database information from nifi-registry.properties.

        - Initial User Identity [unique key] - Same as the Initial User Identity in the FileUserGroupProvider
    -->
  <!-- To enable the database-user-group-provider remove 2 lines. This is 1 of 2.
    <userGroupProvider>
        <identifier>database-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.database.DatabaseUserGroupProvider</class>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    To enable the database-user-group-provider remove 2 lines. This is 2 of 2. -->
  <!--
        The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
        are not configurable.

        'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
            values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.

        'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
        'Manager Password' - The password of the manager that is used to bind to the LDAP server to
            search for users.

        'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
            using LDAPS or START_TLS.
        'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
            LDAP using LDAPS or START_TLS.
        'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
            Possible values are REQUIRED, WANT, NONE.
        'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
            TLSv1.1, TLSv1.2, etc).
        'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
            before the target context is closed. Defaults to false.

        'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
        'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
        'Read Timeout' - Duration of read timeout. (i.e. 10 secs).

        'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
        'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
        'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins).
        'Group Membership - Enforce Case Sensitivity' - Sets whether group membership decisions are case sensitive. When a user or group
            is inferred (by not specifying or user or group search base or user identity attribute or group name attribute) case sensitivity
            is enforced since the value to use for the user identity or group name would be ambiguous. Defaults to false.

        'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
        'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
        'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
        'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
        'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
        'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
            group membership will not be calculated through the users. Will rely on group membership being defined
            through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
            associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
            is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
        'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
            is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
            the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
            'Group Search Base' is also configured.

        'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
        'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
        'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
        'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
        'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
        'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
            group membership will not be calculated through the groups. Will rely on group membership being defined
            through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
            associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
            is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi-registry vs. memberUid: user1)
        'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
            is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
            the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
            'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi-registry vs. memberUid: user1)

        NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities.
            Group names are not mapped.
    -->
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Manager Password">xxx</property>
    <property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/keystore.jks</property>
    <property name="TLS - Keystore Password">xxx</property>
    <property name="TLS - Keystore Type">jks</property>
    <property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/truststore.jks</property>
    <property name="TLS - Truststore Password">xxx</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully">false</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldaps://example-v3-prd.corp1.ad1.xyz.net:636</property>
    <property name="Page Size"/>
    <property name="Sync Interval">30 mins</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberof=CN=AB-C-DEF-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
    <property name="User Identity Attribute"/>
    <property name="User Group Name Attribute"/>
    <property name="User Group Name Attribute - Referenced Group Attribute"/>
    <property name="Group Search Base"/>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter"/>
    <property name="Group Name Attribute"/>
    <property name="Group Member Attribute"/>
    <property name="Group Member Attribute - Referenced User Attribute"/>
  </userGroupProvider>
  <!--
        The ShellUserGroupProvider provides support for retrieving users and groups by way of shell commands
        on systems that support `sh`.  Implementations available for Linux and Mac OS, and are selected by the
        provider based on the system property `os.name`.

        'Refresh Delay' - duration to wait between subsequent refreshes.  Default is '5 mins'.
        'Exclude Groups' - regular expression used to exclude groups.  Default is '', which means no groups are excluded.
        'Exclude Users' - regular expression used to exclude users.  Default is '', which means no users are excluded.
        'Command Timeout' - amount of time to wait while executing a command before timing out
    -->
  <!-- To enable the shell-user-group-provider remove 2 lines. This is 1 of 2.
    <userGroupProvider>
        <identifier>shell-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.shell.ShellUserGroupProvider</class>
        <property name="Refresh Delay">5 mins</property>
        <property name="Exclude Groups"></property>
        <property name="Exclude Users"></property>
        <property name="Command Timeout">60 seconds</property>
    </userGroupProvider>
    To enable the shell-user-group-provider remove 2 lines. This is 2 of 2. -->
  <!--
        The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.

        - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
            each property must be unique, for example: "User Group Provider A", "User Group Provider B",
            "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"

            NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
            behavior would need to be applied by the base implementation.
    -->
  <userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <!--
        The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
        Additionally, a single configurable user group provider is required. Users from the configurable user group provider
        are configurable, however users loaded from one of the User Group Provider [unique key] will not be.

        - Configurable User Group Provider - A configurable user group provider.

        - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
            each property must be unique, for example: "User Group Provider A", "User Group Provider B",
            "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"

            NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
            behavior would need to be applied by the base implementation.
    -->
  <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1"></property>
    </userGroupProvider>
    To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
  <!--
        The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
        on the local file system.

        - User Group Provider - The identifier for an User Group Provider defined above that will be used to access
            users and groups for use in the managed access policies.

        - Authorizations File - The file where the FileAccessPolicyProvider will store policies.

        - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
            given the ability to create additional users, groups, and policies. The value of this property could be
            a DN when using certificates or LDAP. This property will only be used when there
            are no other policies defined.

            NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
            so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.

        - NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
            to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
            node that needs to access this NiFi Registry. The name of each property must be unique, for example for three
            NiFi clients:
            "NiFi Identity A", "NiFi Identity B", "NiFi Identity C" or "NiFi Identity 1", "NiFi Identity 2", "NiFi Identity 3"

            NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
            in the configured User Group Provider.

        - NiFi Group Name - The name of the group, whose members are NiFi instance/node identities,
            that will have access to this NiFi Registry and will be able to act as a proxy on behalf of a NiFi Registry end user.
            The members of this group will be granted permission to proxy user requests, as well as read any bucket to perform synchronization checks.
    -->
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Nifi Identity 1">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Nifi Identity">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="NiFi Group Name"/>
    <!--<property name="NiFi Identity 1"></property>-->
  </accessPolicyProvider>
  <!--
        The DatabaseAccessPolicyProvider will provide support for managing access policies in a relational database. The
        framework will provide a database connection to this provider using the same database information from nifi-registry.properties.

        - User Group Provider - Same as User Group Provider in the FileAccessPolicyProvider

        - Initial Admin Identity - Same as Initial Admin Identity in the FileAccessPolicyProvider

        - NiFi Identity [unique key] - Same as NiFi Identity in the FileAccessPolicyProvider

        - NiFi Group Name - Same as NiFi Group Name in the FileAccessPolicyProvider
    -->
  <!-- To enable the database-access-policy-provider remove 2 lines. This is 1 of 2.
    <accessPolicyProvider>
        <identifier>database-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.database.DatabaseAccessPolicyProvider</class>
        <property name="User Group Provider">database-user-group-provider</property>
        <property name="Initial Admin Identity"></property>
        <property name="NiFi Identity 1"></property>
        <property name="NiFi Group Name"></property>
    </accessPolicyProvider>
    To enable the database-access-policy-provider remove 2 lines. This is 2 of 2. -->
  <!--
        The StandardManagedAuthorizer. This authorizer implementation must be configured with the
        Access Policy Provider which it will use to access and manage users, groups, and policies.
        These users, groups, and policies will be used to make all access decisions during authorization
        requests.

        - Access Policy Provider - The identifier for an Access Policy Provider defined above.
    -->
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

 

users.xml:

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="71b266f5-7764-3ff5-a812-80112278b50c" identity="cef567"/>
        <user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7" identity="CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"/>
    </users>
</tenants>

 

identity-providers.xml:

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one or more
  ~ contributor license agreements.  See the NOTICE file distributed with
  ~ this work for additional information regarding copyright ownership.
  ~ The ASF licenses this file to You under the Apache License, Version 2.0
  ~ (the "License"); you may not use this file except in compliance with
  ~ the License.  You may obtain a copy of the License at
  ~
  ~     http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
<!--
    This file lists the identity providers to use when running securely. In order
    to use a specific provider it must be configured here and its identifier
    must be specified in the nifi-registry.properties file.
-->
<identityProviders>
    <!--
        Identity Provider for users logging in with username/password against an LDAP server.

        'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
            values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.

        'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
        'Manager Password' - The password of the manager that is used to bind to the LDAP server to
            search for users.

        'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
            using LDAPS or START_TLS.
        'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
            LDAP using LDAPS or START_TLS.
        'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
            LDAPS or START_TLS (i.e. JKS or PKCS12).
        'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
            Possible values are REQUIRED, WANT, NONE.
        'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
            TLSv1.1, TLSv1.2, etc).
        'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
            before the target context is closed. Defaults to false.

        'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
        'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
        'Read Timeout' - Duration of read timeout. (i.e. 10 secs).

        'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
        'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
        'User Search Filter' - Filter for searching for users against the 'User Search Base'.
            (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.

        'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
            The default functionality if this property is missing is USE_DN in order to retain
            backward compatibility. USE_DN will use the full DN of the user entry if possible.
            USE_USERNAME will use the username the user logged in with.
        'Authentication Expiration' - The duration of how long the user authentication is valid
            for. If the user never logs out, they will be required to log back in following
            this duration.
    -->
    <provider>
        <identifier>ldap-identity-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">LDAPS</property>

        <property name="Manager DN">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Manager Password">xxxx</property>

        <property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/keystore.jks</property>
        <property name="TLS - Keystore Password">xxx</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/truststore.jks</property>
        <property name="TLS - Truststore Password">xxxx</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">false</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://example-v3-prd.corp1.ad1.xyz.net:636</property>
        <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="User Search Filter">(cn={0})</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

    <!--
        Identity Provider for users logging in with username/password against a Kerberos KDC server.

        'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
        'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
    -->
    <!-- To enable the kerberos-identity-provider remove 2 lines. This is 1 of 2.
    <provider>
        <identifier>kerberos-identity-provider</identifier>
        <class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
        <property name="Enable Debug">false</property>
    </provider>
    To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</identityProviders>

 

and my nifi-registry.properties:

 

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=localhost
nifi.registry.web.https.port=18443
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true

# security properties #

nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxx
nifi.registry.security.keyPasswd=xxx
nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=xxx
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider

# sensitive property protection properties #
# nifi.registry.sensitive.props.additional.keys=

# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml

# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml

# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions

# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=

# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false

# extension directories #
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2

nifi.registry.extension.dir.aws=./ext/aws/lib

# Identity Mapping Properties #
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE

# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER

# Group Mapping Properties #
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER


# kerberos properties #
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours

# OIDC #
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=

# revision management #
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
nifi.registry.security.identity.mapping.pattern.dn=^cn=(.*?),ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net$
nifi.registry.security.identity.mapping.transform.dn=LOWER
nifi.registry.security.identity.mapping.value.dn=$1

This is the first time I am accessing the UI, so I am not sure whether there is any additional permission I would need to grant.

Any help would be appreciated. 

Thanks in advance!

2 ACCEPTED SOLUTIONS

avatar
Master Mentor

@sha257 

There is a lot shared here and I see numerous configuration issues and have some questions.

---->  authorizers.xml  <----

It is easiest to read the authorizers.xml from the bottom up (the bottom of the config file will have the authorizer):

  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

You can see the authorizer above is loading policies from the "file-access-policy-provider", so we scroll up to find that:

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Nifi Identity 1">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Nifi Identity">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="NiFi Group Name"/>
    <!--<property name="NiFi Identity 1"></property>-->
  </accessPolicyProvider>

*** This provider will create the authorizations.xml file ONLY if it does not already exist. ***
Here we see you have configured your "Initial Admin Identity" with the full DN for your user.  This full DN string will be used for setting up the required authorizations for this user Identity to be able to access NiFi and perform administrative tasks (setup new user authorizations, remove access, setup admin level configurations, etc.). Keep in mind that user identities are case sensitive in NiFi.   We can also see what provider is being used to provide the current list of user and group identities upon which policies can be set.
Here we see it is configured to use "file-user-group-provider".
Question: Why do you have the same NiFi host certificate DN configured twice in NiFi Identity and NiFi Identity 1?

Now we scroll up to the file-user-group-provider:

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Initial User Identity admin">cn=CEF567,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
  </userGroupProvider>

*** This provider will create the users.xml file ONLY if it does not already exist. ***
This is one of several providers that can provide initial user identity strings and group identity strings to the configured policy provider for setting up access policies.  Here we also see that you used the DN for your "initial user identity admin".  

While your authorizers.xml has a composite-user-group-provider and ldap-user-group-provider also configured, they are not being used since there is no configuration path to them from the authorizer.

Question:  Does your LDAP contain entries for your NiFi hosts (not common)?  If it does not you will still need the file-user-group-provider to provide those host user identities.

Let's assume you need both "file-user-group-provider" and "ldap-user-group-provider".
Your authorizers.xml would need to have this structure:

Managed-authorizer (configured to use file-access-policy-provider) ---> file-access-policy-provider (configured to use composite-configurable-user-group-provider) ---> composite-configurable-user-group-provider (configured to use both configurable provider: file-user-group-provider and user group provider: ldap-user-group-provider).   Then you need both file-user-group-provider and ldap-user-group-provider configured.

*** Note: You can NOT have multiple user group providers return the same user-identity or group identity strings.  So you'll need to remove the initial admin user from the file-user-group-provider if that admin identity is now going to be returned by the ldap-user-group-provider.

Now when it comes to the configuration of your ldap-user-group-provider, that is difficult for me to help with without sample ldap entries for a user and group.  But I'll try to comment on what you shared:

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="Manager Password">xxx</property>
    <property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/keystore.jks</property>
    <property name="TLS - Keystore Password">xxx</property>
    <property name="TLS - Keystore Type">jks</property>
    <property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/truststore.jks</property>
    <property name="TLS - Truststore Password">xxx</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully">false</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldaps://example-v3-prd.corp1.ad1.xyz.net:636</property>
    <property name="Page Size"/>
    <property name="Sync Interval">30 mins</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberof=CN=AB-C-DEF-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
    <property name="User Identity Attribute"/>
    <property name="User Group Name Attribute"/>
    <property name="User Group Name Attribute - Referenced Group Attribute"/>
    <property name="Group Search Base"/>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter"/>
    <property name="Group Name Attribute"/>
    <property name="Group Member Attribute"/>
    <property name="Group Member Attribute - Referenced User Attribute"/>
  </userGroupProvider>

Based on the full DN you configured in the file-user-group-provider, your configuration above is not going to return this user:

cn=CEF567,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net

This is because you have "User Search Base = OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net" and "User Search Scope = ONE_LEVEL".  Your user resides at a SUBTREE level under "OU=Solid Users", so the User Search Scope needs to be SUBTREE instead.

I see that you did not set the User Identity Attribute: this is typically set to the user identity you want to use for the returned user ldap entries.   For AD this is typically "sAMAccountName" and for LDAP, it is commonly "cn".

Based on your configuration, you are trying to return all AD/LDAP users that are a memberOf one specific group DN.  I would recommend also setting the "Group Name Attribute" to "cn", so that that string is used as the group identity in NiFi rather than the full group DN.

I'll stop here since this is a lot just related to the authorizers.xml file configuration.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt


avatar
Master Mentor

@sha257 

In your ldap-identity-provider located in the login-providers.xml file:

    <provider>
        <identifier>ldap-identity-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">LDAPS</property>

        <property name="Manager DN">CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Manager Password">xxxx</property>

        <property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/keystore.jks</property>
        <property name="TLS - Keystore Password">xxx</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/truststore.jks</property>
        <property name="TLS - Truststore Password">xxxx</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">false</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://example-v3-prd.corp1.ad1.xyz.net:636</property>
        <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="User Search Filter">(cn={0})</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

I would change "Identity Strategy" from "USE_DN" to "USE_USERNAME".  

At the NiFi login you are logging in with your ldap CN user string.  That user string gets substituted in place of the "{0}" in the "User Search Filter".
So you'll want that same string entered at login to be your user identity.  This will allow your user to map correctly with the user identity returned by your ldap-user-group-provider.

In the file-access-policy-provider you'll want to set the "Initial Admin Identity" to the username you login with rather than the full DN.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

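As an added illustration of the two answers above (example code written for this page, not the poster's configuration or NiFi Registry's own code), the Python below models the two mismatches Matt describes: a ONE_LEVEL search from "OU=User Accounts" that cannot see a user one OU deeper, and the identity mapping triple from the poster's nifi-registry.properties, which turns the user's DN into the lowercased "cef567" seen in the Forbidden log lines, a string the configured Initial Admin Identity never equals. The DN parser is simplified (no escaped commas), and it is assumed that the Initial Admin Identity passes through the same mapping as a login identity.

```python
"""Added example (not from the thread or the NiFi Registry project): models two
of the mismatches discussed above using the poster's own configuration values."""
import re

# Values copied from the question and answers above
USER_DN = "cn=CEF567,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net"
SEARCH_BASE = "OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"
INITIAL_ADMIN = "CN=ABC1234,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"

# The identity mapping triple from the poster's nifi-registry.properties
MAPPING = {
    "pattern": r"^cn=(.*?),ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net$",
    "value": "$1",
    "transform": "LOWER",
}


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, most specific first, lowercased so
    DNs that differ only in case compare equal (LDAP DNs are case-insensitive,
    NiFi identity strings are not). Simplified: no escaped commas or
    multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_search_scope(entry_dn, base_dn, scope):
    """True if an LDAP search with this base and scope would return entry_dn.
    OBJECT returns only the base entry, ONE_LEVEL only its direct children,
    SUBTREE the base and everything below it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the search base at all
    depth = len(entry) - len(base)
    if scope == "OBJECT":
        return depth == 0
    if scope == "ONE_LEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return True
    raise ValueError("unknown scope: " + scope)


def apply_identity_mapping(identity, pattern, value, transform):
    """Mimic one nifi.registry.security.identity.mapping.* triple: when the
    regex matches the whole identity, expand the Java-style $n references in
    `value` from the captured groups and apply the transform (NONE, LOWER,
    UPPER). An identity that no pattern matches is left unchanged."""
    m = re.fullmatch(pattern, identity)
    if not m:
        return identity
    mapped = re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))), value)
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def admin_matches_login(login_identity, initial_admin, mapping):
    """NiFi compares identity strings exactly and case-sensitively, so the
    Initial Admin Identity only grants access if, after mapping (assumed here
    to apply to it as well), it is byte-for-byte the login identity."""
    return apply_identity_mapping(initial_admin, **mapping) == login_identity


if __name__ == "__main__":
    # ONE_LEVEL from OU=User Accounts never reaches cn=CEF567 under OU=Solid Users
    print(in_search_scope(USER_DN, SEARCH_BASE, "ONE_LEVEL"))  # False
    print(in_search_scope(USER_DN, SEARCH_BASE, "SUBTREE"))    # True
    # The mapping yields "cef567", the identity in the Forbidden log lines, and
    # the Initial Admin Identity (the service account DN) never equals it
    login = apply_identity_mapping(USER_DN, **MAPPING)
    print(login)                                                # cef567
    print(admin_matches_login(login, INITIAL_ADMIN, MAPPING))   # False
```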

5 REPLIES 5

avatar
Explorer

Hey @MattWho : Could you please guide me on this ?
thanks in advance!

avatar
Explorer

Thank you very much @MattWho 🙂

avatar
Explorer

@MattWho: Sorry that I missed replying to your questions earlier. I have made sure to fix the authorizers.xml and now I am able to access the registry UI.

Thanks for all your detailed responses and suggestions.