Unknown user with identity 'CN=chakri, OU=NIFI'. Contact the system administrator.

New Contributor

I have configured a 3-node NiFi cluster, and my authorizers.xml file is as below on all 3 nodes:

```

<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity">CN=chakri, OU=NIFI</property>
<property name="Legacy Authorized Users File"></property>

<property name="Node Identity 1">CN=nifi-1,OU=NIFI</property>
<property name="Node Identity 2">CN=nifi-2,OU=NIFI</property>
<property name="Node Identity 3">CN=nifi-3,OU=NIFI</property>
</authorizer>
</authorizers>

```

 

```

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=chakri, OU=NIFI</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=nifi-1,OU=NIFI</property>
<property name="Node Identity 2">CN=nifi-2,OU=NIFI</property>
<property name="Node Identity 3">CN=nifi-3,OU=NIFI</property>
<property name="Node Group"></property>
</accessPolicyProvider>

```

 

```

<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>

<property name="Initial User Identity 1">CN=chakri, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nifi-1,OU=NIFI</property>
<property name="Initial User Identity 3">CN=nifi-2,OU=NIFI</property>
<property name="Initial User Identity 4">CN=nifi-3,OU=NIFI</property>
</userGroupProvider>

```

If I try to access the UI, a message is displayed as below:

```
Unknown user with identity 'CN=chakri, OU=NIFI'. Contact the system administrator.
```

I also found a log from nifi-user.log as below:

```
2021-05-25 09:33:08,980 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=chakri, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=chakri, OU=NIFI'. Returning Forbidden response.
```

1 REPLY

Master Mentor

@Chakr 

So the first thing to check is proper configuration of your authorizers.xml file.

The order in which the sections are added is very important.
The file is loaded from the top down, so you can NOT have a section refer to another section that is not yet loaded. And your users need to be loaded/created before the authorizations can be loaded/created.

So your authorizers.xml file structure should look like this:

 

```
<authorizers>
     <userGroupProvider>
          <identifier>file-user-group-provider</identifier>
          <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
          <property name="Users File">./conf/users.xml</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Initial User Identity 1">CN=chakri, OU=NIFI</property>
          <property name="Initial User Identity 2">CN=nifi-1,OU=NIFI</property>
          <property name="Initial User Identity 3">CN=nifi-2,OU=NIFI</property>
          <property name="Initial User Identity 4">CN=nifi-3,OU=NIFI</property>
     </userGroupProvider>

     <accessPolicyProvider>
          <identifier>file-access-policy-provider</identifier>
          <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
          <property name="User Group Provider">file-user-group-provider</property>
          <property name="Authorizations File">./conf/authorizations.xml</property>
          <property name="Initial Admin Identity">CN=chakri, OU=NIFI</property>
          <property name="Legacy Authorized Users File"></property>
          <property name="Node Identity 1">CN=nifi-1,OU=NIFI</property>
          <property name="Node Identity 2">CN=nifi-2,OU=NIFI</property>
          <property name="Node Identity 3">CN=nifi-3,OU=NIFI</property>
          <property name="Node Group"></property>
     </accessPolicyProvider>

     <authorizer>
          <identifier>managed-authorizer</identifier>
          <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
          <property name="Access Policy Provider">file-access-policy-provider</property>
     </authorizer>
</authorizers>
```

 

Note: Changed your authorizer to the newer "StandardManagedAuthorizer".

On NiFi startup the "file-user-group-provider" will create the users.xml file only if it does NOT already exist and seed it with all four configured "Initial User Identity" strings.  These strings (case sensitive) will each be assigned a UUID.

On NiFi startup the "file-access-policy-provider" will create the authorizations.xml file only if it does NOT already exist and seed it with relevant policies needed initially for your admin user and your nodes based off the UUIDs created for each user identity generated by the first provider.

Then the Authorizer is loaded, which reads in the users and authorizations from the users.xml and authorizations.xml files that are now created.

You should do the following:
1. Edit your authorizers.xml to match the structure above.
2. In your nifi.properties file, make sure the following property is set correctly as:

```
nifi.security.user.authorizer=managed-authorizer
```

3. Remove/rename the current users.xml and authorizations.xml files.

4. Start NiFi.

 

You should now be able to successfully access your NiFi's UI.

If you find this addresses your query, please take a moment to login and click "Accept" on this solution.
Thank you,
Matt
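
The ordering and identity rules from the answer above, written as a standalone checker you can run against an authorizers.xml before restarting NiFi (an added example, not part of the original reply and not NiFi's own code). The function name `check_authorizers`, the shortened sample sections, and the exact-string identity comparison are assumptions based on the answer's description.

```python
import xml.etree.ElementTree as ET

def check_authorizers(xml_text, configured_authorizer):
    """Return a list of findings for an authorizers.xml document (empty list = consistent)."""
    findings, seen, users, authorizers = [], {}, set(), set()
    for el in ET.fromstring(xml_text):  # children in file order, top down
        ident = el.findtext("identifier", "").strip()
        props = {p.get("name"): (p.text or "") for p in el.findall("property")}
        if el.tag == "userGroupProvider":
            users |= {v for k, v in props.items() if k.startswith("Initial User Identity") and v}
        elif el.tag == "accessPolicyProvider":
            ref = props.get("User Group Provider", "")
            if seen.get(ref) != "userGroupProvider":
                findings.append(f"{ident}: User Group Provider '{ref}' is not defined above it")
            for k, v in props.items():
                # Assumption: identities are compared as exact, case-sensitive strings.
                if (k == "Initial Admin Identity" or k.startswith("Node Identity")) and v and v not in users:
                    findings.append(f"{ident}: {k} '{v}' is not a known user at this point")
        elif el.tag == "authorizer":
            authorizers.add(ident)
            ref = props.get("Access Policy Provider")
            if ref is not None and seen.get(ref) != "accessPolicyProvider":
                findings.append(f"{ident}: Access Policy Provider '{ref}' is not defined above it")
        seen[ident] = el.tag
    # nifi.properties: nifi.security.user.authorizer must name an <authorizer> identifier.
    if configured_authorizer not in authorizers:
        findings.append(f"nifi.security.user.authorizer '{configured_authorizer}' matches no <authorizer>")
    return findings

# Constructed samples: shortened versions of the sections shown in the answer above.
UGP = """<userGroupProvider><identifier>file-user-group-provider</identifier>
<property name="Initial User Identity 1">CN=chakri, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nifi-1,OU=NIFI</property></userGroupProvider>"""
APP = """<accessPolicyProvider><identifier>file-access-policy-provider</identifier>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Initial Admin Identity">CN=chakri, OU=NIFI</property>
<property name="Node Identity 1">CN=nifi-1,OU=NIFI</property></accessPolicyProvider>"""
AUTH = """<authorizer><identifier>managed-authorizer</identifier>
<property name="Access Policy Provider">file-access-policy-provider</property></authorizer>"""
ORDERED = f"<authorizers>{UGP}{APP}{AUTH}</authorizers>"
REVERSED = f"<authorizers>{AUTH}{APP}{UGP}</authorizers>"

if __name__ == "__main__":
    for name, doc in (("ordered", ORDERED), ("reversed", REVERSED)):
        print(name, check_authorizers(doc, "managed-authorizer") or "OK")
```

An empty result only means the file is internally consistent; existing users.xml and authorizations.xml files are not regenerated, so they still need to be removed or renamed as described in step 3.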