Support Questions

Matt, I found this ticket:  NIFI 1.14: User policy is not showing on the GUI.  This is exactly the issue I am having.

I see that you recommended that he:  verify the configuration in the authorizers.xml file, remove the existing users.xml and authorizations.xml file and restart NiFi.

I took these steps several times and still the "Users" option does not appear in the menu.

An update:  So, after starting NiFi, i reviewed the logs in the nifi-user.log file.  

This is what was output:

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/oidc/exchange

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/oidc/exchange

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/token/expiration

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/token/expiration

WARN [NiFi Web Server-37] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:  Access token not found.  Returning Conflict responmse...

Another update:

I looked in the authorizations.xml file and see that the user ec2-user has the following authorizations:

flow  action "R"

data/process-groups/ action "R"

data/process-groups action "W"

process-groups action "R"

process-groups action "W"

restricted-components "W"

tenants actions "R" and "W"

policies actions "R" and "W"

controller actions "R" and "W"

I changed the name of the nifi user from ec2-user to nifi thinking that perhaps the - was causing an issue.

Specifically, I generated the client certificate keystore from the client certificate and key using the following command:

openssl pkcs12 -export -out CN=nifi.p12 -inkey client.key -in client.pem

I then logged into the nifi gui and selected the certificate i.e., CN=nifi.p12.  And no luck, the users option is not available on the global menu.

Here is output from the nifi-users.log

2023-04-12 07:08:50,575 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Initializing Authorizer
2023-04-12 07:08:50,644 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/ec2-user/nifi/./conf/users.xml
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Apr 12 07:08:50 UTC 2023
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /home/ec2-user/nifi/./conf/authorizations.xml
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi1, OU=NIFI (raw node identity CN=nifi1, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi3, OU=NIFI (raw node identity CN=nifi3, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi2, OU=NIFI (raw node identity CN=nifi2, OU=NIFI)
2023-04-12 07:08:51,201 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US
2023-04-12 07:08:51,211 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Apr 12 07:08:51 UTC 2023
2023-04-12 07:08:51,213 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Configuring Authorizer
2023-04-12 07:13:20,075 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,083 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,440 WARN [NiFi Web Server-9579] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Access Token not found. Returning Conflict response.
java.lang.IllegalStateException: Access Token not found
at org.apache.nifi.web.api.AccessResource.getAccessTokenExpiration(AccessResource.java:459)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:134)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:177)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:81)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:132)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487)
at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
at java.lang.Thread.run(Thread.java:750)
2023-04-12 07:13:20,453 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:20,454 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,189 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.10 [<CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US><CN=nifi1, OU=HR, O=snyderinc, L=Ashburn, ST=Virginia, C=US>] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,193 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.10 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/client-id
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/client-id