Support Questions

sha257 · ‎11-27-2024

Hello ,

I am trying to access Nifi in a way that all users in the AD group

memberof=CN=AG-Y-DEF-LJKGH,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net can have access to it, since it is getting quite tedious for the admin to keep adding the users one by one and assigning them policies.

My authorizers.xml looks like :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./auth-conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 0">CN=my-nifi-0.my-nifi-headless.nifi-test.svc.cluster.local, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Initial User Identity 2">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
        <property name="Initial User Identity admin">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Manager Password">xxxxxxx</property>
        <property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless..svc.cluster.local/keystore.jks</property>
        <property name="TLS - Keystore Password">xxxxx</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless..svc.cluster.local/truststore.jks</property>
        <property name="TLS - Truststore Password">xxxxx</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">false</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
        <property name="Page Size">100</property>
        <property name="Sync Interval">30 mins</property>
        <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="User Object Class">user</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(memberof=CN=AG-Y-DEF-LJKGH,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
        <property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./auth-conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 0">CN=my-nifi-0.my-nifi-headless.nifi-test.svc.cluster.local, OU=NIFI</property>
        <property name="Node Identity 1">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Node Identity 2">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>

    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./auth-conf/authorizations.xml</property>
        <property name="Users File">./auth-conf/users.xml</property>
        <property name="Initial Admin Identity">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Legacy Authorized Users File"></property>

    </authorizer>
</authorizers>

and my login-identity-providers-ldap.xml is

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<loginIdentityProviders>

    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="Manager Password">xxxx</property>
        <property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-test.svc.cluster.local/keystore.jks</property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-test.svc.cluster.local/truststore.jks</property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">false</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
        <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
        <property name="User Search Filter">(cn={0})</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

What am I missing in my setup?

Any help or input would be gretaly appreciated !

Thanks

sha257 · ‎11-27-2024

@MattWho : Could you please suggest on what could be missing ?

Thanks in advance!

Cloudera Community

Support Questions

Unable to login to Nifi UI via AD group