Support Questions

Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Want to Use SSL i.e., Organization Provided Certs for New NiFi Cluster Users

Contributor

Hello, I have a 3 node NiFi Cluster up and running.  The Initial Admin User is able now to successfully log into the NiFi cluster.  

 

I would now like to add new users to the NiFi cluster and SSL i.e., signed PKI certs for each user as the basis for these users to gain access to NiFi.

 

I do not want to use LDAP, I am in an environment that will require use of PKI certs for access to NiFi.

 

Can someone provide a prescriptive set of steps I can follow to successfully use PKI certs/SSL as a means of providing access to new NiFi cluster users and specifically, how do I add new users?

 

I would think the process of creating new users and using SSL would be explained explicitly.  

 

Can someone help me with this?

 

VR,

 

Dave

3 ACCEPTED SOLUTIONS

Mentor

@davehkd 

Your corporate PKI certs are just certs signed by your corporate signing authority.  So really nothing needs to change in the configuration of your NiFi.  However, you will need to add your corporate signing authorities public certificate to the truststore.jks used by your NiFi.

When you access the NiFi UI a mutual TLS exchange occurs.  You client (browser) initiates the connection with a client Hello to which the server will respond with a server Hello.  In that server hello a list of certificate authorities (comes from CAs in the NiFi truststore) will be provided to back to the client.   This tells the client that it will only accept a client certificate signed by one of those authorities.  If the client (your browser) has a pki certificate loaded that was signed by one of those trusted authorities, that client certificate can be used to complete the mutual TLS exchange.  Much more happens in the Mutual TLS client server handshake, but i'll just stick to the certificate specifics here.

NiFi does nothing out of spec when it comes to certificates and NiFi has nothing to do with creating users.  You can create your own self signed certificates created via command line tools, use a public signing authority to create signed certificates, or in your case use your corporate signing authority to create certificates.  A java keystore is nothing more than a container that can hold 1 too many certificates.

Only requirement NiFi has with regards to the keystore it that it contains only 1 PrivateKeyEntry (private cert).  The truststore (just another keystore) can contain 1 too many trustedCertEntries (public certs) and often contains many public intermediate and root CAs.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

Mentor

@davehkd  It is difficult for me t say where your configuration has gone wrong with what has been shared
I would need to see your authorizers.xml.  

I see in your output mention of the SingleUserAuthorizer.  This authorizer does not support defining additional user for assigning policies.

What do you have configured in your nifi.properties for these configuration lines:

nifi.security.user.authorizer
nifi.security.user.login.identity.provider

If either of these is using the "single-user-provider/authorizer", it is expected that you will not see users in the UI.

You'll need to use an authorizer that supports multi user setup like the https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer.


since you are using user certificates for handling your user authentication. the nifi.security.user.login.identity.provider configuration property should be blank.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

Mentor

@davehkd 

1. You can't have multiple providers in the authorizers.xml.  You'll ned to comment out the "singleUserAuthorizer".
2. Your "managed authorizer is not correct, you are missing the class:

 

<authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

 

3. Your file-access-policy-providers configuration looks good here.
4. Your file-user-group-provider configuration is not correct, you are missing the line that defines where the users.xml file is to be created:

 

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=ec2-user</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
</userGroupProvider>

 

 

Make sure that in your nifi.properties file, you have configured NiFi to use the managed authorizer:

nifi.security.user.authorizer=managed-authorizer


Make sure that in your nifi.properties, you do NOT have the following property configured to use the single-user-provider:

nifi.security.user.login.identity.provider=

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

 



 

View solution in original post

20 REPLIES 20

Mentor

@davehkd 

Your corporate PKI certs are just certs signed by your corporate signing authority.  So really nothing needs to change in the configuration of your NiFi.  However, you will need to add your corporate signing authorities public certificate to the truststore.jks used by your NiFi.

When you access the NiFi UI a mutual TLS exchange occurs.  You client (browser) initiates the connection with a client Hello to which the server will respond with a server Hello.  In that server hello a list of certificate authorities (comes from CAs in the NiFi truststore) will be provided to back to the client.   This tells the client that it will only accept a client certificate signed by one of those authorities.  If the client (your browser) has a pki certificate loaded that was signed by one of those trusted authorities, that client certificate can be used to complete the mutual TLS exchange.  Much more happens in the Mutual TLS client server handshake, but i'll just stick to the certificate specifics here.

NiFi does nothing out of spec when it comes to certificates and NiFi has nothing to do with creating users.  You can create your own self signed certificates created via command line tools, use a public signing authority to create signed certificates, or in your case use your corporate signing authority to create certificates.  A java keystore is nothing more than a container that can hold 1 too many certificates.

Only requirement NiFi has with regards to the keystore it that it contains only 1 PrivateKeyEntry (private cert).  The truststore (just another keystore) can contain 1 too many trustedCertEntries (public certs) and often contains many public intermediate and root CAs.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Contributor

Thanks for the reply Matt.

 

I followed the instructions per:  https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificat...

 

Specifically, I followed the instructions for:  Creating and Securing a NiFi Cluster with the TLS Toolkit.

Per Step 1, I ran the optional command to execute all steps together using the the toolkit pattern syntax:

./bin/tls-toolkit.sh standalone - n 'node[1-3].nifi' -C 'CN=ec2-user' -c 'ca.nifi'

 

Per step 9, I updated the authorizers.xml file, in the <userGroupProvider> section, I added the line 

<property name="Initial User Identity 1">CN=ec2-user</property>

In the <accessPolicyProvider> section, I updated the file as described.  Regarding the Initial Admin Identity, I updated the file as follows:

<property name="Initial Admin Identity">CN=ec2-user</property>

 

I copied the authorizers.xml file to all 3 nodes.

 

After starting nifi on all 3 nodes, I then access the GUI and select the imported certificate i.e., CN=ec2-user.p12 which I successfully imported, and I can successfully access the GUI.  

 

I see that on the upper right of the GUI screen, the the user is indicated as CN=ec2-user.  But, when I access the menu on the upper right of the screen, I do not receive the users option.

 

Can you help me determine why this option isn't available?   I am unclear, having followed the instructions per the walkthrough, why this 

 

 

Contributor

To add:  At step 13, per the walkthrough i.e., NiFi Cluster Using NiFi CA, as described, I stopped each of the nifi instances, i then deleted the authorizations.xml and users.xml file from each node in the nifi/conf directory, and then restarted each node.

 

And, then I logged onto the NiFi GUI, and still I do not see the users option in the menu...

 

i.e., I apparently do not have a a running cluster with permisisons....

 

Please help

Contributor

Matt, I found this ticket:  NIFI 1.14: User policy is not showing on the GUI.  This is exactly the issue I am having.

I see that you recommended that he:  verify the configuration in the authorizers.xml file, remove the existing users.xml and authorizations.xml file and restart NiFi.

 

I took these steps several times and still the "Users" option does not appear in the menu.

Contributor

An update:  So, after starting NiFi, i reviewed the logs in the nifi-user.log file.  

This is what was output:

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/oidc/exchange

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/oidc/exchange

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/token/expiration

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/token/expiration

 

WARN [NiFi Web Server-37] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:  Access token not found.  Returning Conflict responmse...

 

 

 

Contributor

Another update:

 

I looked in the authorizations.xml file and see that the user ec2-user has the following authorizations:

 

flow  action "R"

data/process-groups/ action "R"

data/process-groups action "W"

process-groups action "R"

process-groups action "W"

restricted-components "W"

tenants actions "R" and "W"

policies actions "R" and "W"

controller actions "R" and "W"

 

 

 

Contributor

I changed the name of the nifi user from ec2-user to nifi thinking that perhaps the - was causing an issue.

 

Specifically, I generated the client certificate keystore from the client certificate and key using the following command:

openssl pkcs12 -export -out CN=nifi.p12 -inkey client.key -in client.pem

 

I then logged into the nifi gui and selected the certificate i.e., CN=nifi.p12.  And no luck, the users option is not available on the global menu.

 

Here is output from the nifi-users.log

 

2023-04-12 07:08:50,575 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Initializing Authorizer
2023-04-12 07:08:50,644 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/ec2-user/nifi/./conf/users.xml
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Apr 12 07:08:50 UTC 2023
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /home/ec2-user/nifi/./conf/authorizations.xml
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi1, OU=NIFI (raw node identity CN=nifi1, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi3, OU=NIFI (raw node identity CN=nifi3, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi2, OU=NIFI (raw node identity CN=nifi2, OU=NIFI)
2023-04-12 07:08:51,201 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US
2023-04-12 07:08:51,211 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Apr 12 07:08:51 UTC 2023
2023-04-12 07:08:51,213 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Configuring Authorizer
2023-04-12 07:13:20,075 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,083 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,440 WARN [NiFi Web Server-9579] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Access Token not found. Returning Conflict response.
java.lang.IllegalStateException: Access Token not found
at org.apache.nifi.web.api.AccessResource.getAccessTokenExpiration(AccessResource.java:459)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:134)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:177)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:81)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:132)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487)
at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
at java.lang.Thread.run(Thread.java:750)
2023-04-12 07:13:20,453 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:20,454 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,189 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.10 [<CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US><CN=nifi1, OU=HR, O=snyderinc, L=Ashburn, ST=Virginia, C=US>] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,193 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.10 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/client-id
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/client-id

 

Mentor

@davehkd  It is difficult for me t say where your configuration has gone wrong with what has been shared
I would need to see your authorizers.xml.  

I see in your output mention of the SingleUserAuthorizer.  This authorizer does not support defining additional user for assigning policies.

What do you have configured in your nifi.properties for these configuration lines:

nifi.security.user.authorizer
nifi.security.user.login.identity.provider

If either of these is using the "single-user-provider/authorizer", it is expected that you will not see users in the UI.

You'll need to use an authorizer that supports multi user setup like the https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer.


since you are using user certificates for handling your user authentication. the nifi.security.user.login.identity.provider configuration property should be blank.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Contributor

Thanks so much for your response Matt!

 

 

nifi.security.user.authorizer=single-user-authorizer

nifi.security.user.login.identity.provider=single-user-provider

 

I think I'm close.

 

I'll set to blank:  nifi.security.user.login.identity.provider

 

I'll read the link you provided but I assume that the nifi.security.user.authorizer needs to be set to the initial admin identity...

 

Thanks again for your input!

 

 

 

Contributor

Matt...how do i specify the Initial Admin identity as the authorizer?

Contributor

here is what I added to the authorizers.xml file:

 

<userGroupProvider>

 

<property name="Initial User Identity 1">CN=ec2-user</property>

<property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>

<property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>

<property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>

 

<accessPolicyProvider>

 

<property name="Initial Admin Identity">CN=ec2-user</property>

<property name="Node Identity 1">CN=nifi1, OU=NIFI</property>

<property name="Node Identity 2">CN=nifi2, OU=NIFI</property>

<property name="Node Identity 3">CN=nifi3, OU=NIFI</property>

 

 

Mentor

@davehkd 
That is an incomplete authorizers.xml and thus not valid.

 

Matt

Contributor

i only posted what I had changed Matt...sorry...

 

i'll add the entire file in a moment....thanks for taking a look

 

Contributor

Here are the complete contents of the authorizers.xml file Matt.  Thanks for taking a look! And, thanks in advance for any guidance/recommendations!

 

------------------------------------------------------------------------------

 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"??

 

<authorizers>

 

<userGroupProvider>

  <identifer>file-user-group-provider</identifier>

  <class>org.apache.nifi.authorization.FileUserGroupProvider</class>

  <property name="Initial User Identity 1">CN=ec2-user</property>

  <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>

  <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>

  <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>

</userGroupProvider>

 

<accessPolicyProvider>

  <identifier>file-access-policy-provider</identifier?

  <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>

  <property name="User Group Provider">file-user-group-provider</property>

  <property name="Authorizations File">./conf/authorizations.xml</property>

  <property name="Initial Admin Identity">CN=ec2-user</property>

  <property name="Legacy Authorized Users File"></property>

  <property name="Node Identity 1">CN=nifi1, OU=NIFI</property>

  <property name="Node Identity 2">CN=nifi2, OU=NIFI</property>

  <property name="Node Identity 3">CN=nifi3, OU=NIFI</property>

</accessPolicyProvider>

 

<authorizer>

  <identifier>managed-authorizer</identifier>

  <property name="Access Policy Provider">file-access-policy-provider</property>

</authorizer>

 

<authorizer>

  <identity>single-user-authorizer</identifier>

  <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>

</authorizer>

</authorizer>

 

 

 

 

 

Mentor

@davehkd 

1. You can't have multiple providers in the authorizers.xml.  You'll ned to comment out the "singleUserAuthorizer".
2. Your "managed authorizer is not correct, you are missing the class:

 

<authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

 

3. Your file-access-policy-providers configuration looks good here.
4. Your file-user-group-provider configuration is not correct, you are missing the line that defines where the users.xml file is to be created:

 

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=ec2-user</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
</userGroupProvider>

 

 

Make sure that in your nifi.properties file, you have configured NiFi to use the managed authorizer:

nifi.security.user.authorizer=managed-authorizer


Make sure that in your nifi.properties, you do NOT have the following property configured to use the single-user-provider:

nifi.security.user.login.identity.provider=

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

 



 

Mentor

@davehkd 

The "Initial Admin Identity" is defined in the file-access-policy provider in the authorizers.xml.

This provider is executed during startup of the application startup and creates an authorizations.xml file where it we set a pre-defined set of NiFi Resource Identifiers (NiFi policies) needed for NiFi administration by  the Initial Admin Identity and set NiFi Resource Identifiers needed by the NiFI nodes defined in "Node Identity <num>".

The file-access-policy-provider has a dependency on a user-group-provider.  This dependency exists because NiFi Resource Identifiers (NiFi Policies) can't be set for any user/client identity strings that are not provided by one of the user-group-providers NiFi offers.  In your case, it appears you are using the file-user-group-provider, which means the nodes and initial admin must be added as "Initial user identity <num>" in that provider.  The file-user-group-provider is responsible for creating the users.xml.

IMPORTANT: These providers will only generate a users.xml and authorizations.xml file if they do NOT already exist.  Expectation is that once created, additional users and setting of additional policies occurs from within the UI.  So configuration changes to these providers will have no impact on already existing users.xmll and authorizations.xml.  So if mistakes where made in configuration resulting in missing needed content in these files, they need to removed after making your config changes so new can be generated.


If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

 

Contributor

Correction to contents:

 

<authorizer>

  <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>

  <identifier>managed-authorizer</identifier>

  <property name="Access Policy Provider">file-access-policy-provider</property>

</authorizer>

 

Contributor

Matt - 

 

You are a gem and a genius!  

I was finally able to access the Users and Policy menu options.

 

A tremendous and heartfelt THANK YOU!

 

Can I send a note of thanks to anyone at Cloudera for the amazing help you provided me!

 

VR,

 

Dave

 

 

 

Mentor

@davehkd 
Thank you for the awesome feedback.  Glad i could help you.

It would be great if you could go through this back and forth exchange and accept all the responses I provided that helped you.  I noticed you accepted your own response.  🙂

Matt

Contributor

will do

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.