04-12-2023
01:06 PM
Matt - You are a gem and a genius! I was finally able to access the Users and Policy menu options. A tremendous and heartfelt THANK YOU! Can I send a note of thanks to anyone at Cloudera for the amazing help you provided me?

VR, Dave
04-12-2023
09:53 AM
Correction to contents:

```xml
<authorizer>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
```
04-12-2023
09:50 AM
Here are the complete contents of the authorizers.xml file, Matt. Thanks for taking a look! And, thanks in advance for any guidance/recommendations!

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Initial User Identity 1">CN=ec2-user</property>
        <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=ec2-user</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=nifi1, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi2, OU=NIFI</property>
        <property name="Node Identity 3">CN=nifi3, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
</authorizers>
```
04-12-2023
09:06 AM
I only posted what I had changed, Matt... sorry... I'll add the entire file in a moment... thanks for taking a look
04-12-2023
08:56 AM
Here is what I added to the authorizers.xml file:

```xml
<userGroupProvider>
    <property name="Initial User Identity 1">CN=ec2-user</property>
    <property name="Initial User Identity 2">CN=nifi1, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=nifi2, OU=NIFI</property>
    <property name="Initial User Identity 4">CN=nifi3, OU=NIFI</property>
</userGroupProvider>
<accessPolicyProvider>
    <property name="Initial Admin Identity">CN=ec2-user</property>
    <property name="Node Identity 1">CN=nifi1, OU=NIFI</property>
    <property name="Node Identity 2">CN=nifi2, OU=NIFI</property>
    <property name="Node Identity 3">CN=nifi3, OU=NIFI</property>
</accessPolicyProvider>
```
04-12-2023
07:57 AM
Matt... how do I specify the Initial Admin identity as the authorizer?
04-12-2023
07:56 AM
Thanks so much for your response Matt!

```properties
nifi.security.user.authorizer=single-user-authorizer
nifi.security.user.login.identity.provider=single-user-provider
```

I think I'm close. I'll set to blank: nifi.security.user.login.identity.provider

I'll read the link you provided but I assume that the nifi.security.user.authorizer needs to be set to the initial admin identity... Thanks again for your input!
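An added example (not from the original posts or from NiFi itself): a Python check that follows the chain from `nifi.security.user.authorizer` in nifi.properties through authorizers.xml to the Initial Admin Identity and compares it with the DN the client certificate presents. The inputs are constructed from values quoted on this page, the function names are hypothetical, and it assumes no identity mapping rules are configured.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the values quoted on this page.
NIFI_PROPERTIES = "nifi.security.user.authorizer=single-user-authorizer\n"
CLIENT_DN = "CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US"
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=ec2-user</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=ec2-user</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
  <authorizer>
    <identifier>single-user-authorizer</identifier>
    <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
  </authorizer>
</authorizers>"""

def _index(root, tag):
    """Map each <identifier> to (class name, {property name: value})."""
    return {e.findtext("identifier", "").strip():
            (e.findtext("class", "").strip(),
             {p.get("name", ""): (p.text or "").strip() for p in e.findall("property")})
            for e in root.findall(tag)}

def check(properties_text, authorizers_text, client_dn):
    """Follow nifi.properties -> authorizer -> policy provider -> user group provider."""
    cfg = dict(line.split("=", 1) for line in properties_text.splitlines()
               if "=" in line and not line.lstrip().startswith("#"))
    root = ET.fromstring(authorizers_text)
    chosen = cfg.get("nifi.security.user.authorizer", "").strip()
    authorizers = _index(root, "authorizer")
    if chosen not in authorizers:
        return [f"authorizer '{chosen}' is not defined in authorizers.xml"]
    cls, props = authorizers[chosen]
    if not cls.endswith("StandardManagedAuthorizer"):
        return [f"'{chosen}' uses {cls or 'no <class>'}, not StandardManagedAuthorizer"]
    policy = _index(root, "accessPolicyProvider").get(props.get("Access Policy Provider", ""))
    if policy is None:
        return ["Access Policy Provider does not match any <accessPolicyProvider>"]
    group = _index(root, "userGroupProvider").get(policy[1].get("User Group Provider", ""))
    users = [v for k, v in (group[1] if group else {}).items()
             if k.startswith("Initial User Identity")]
    admin, findings = policy[1].get("Initial Admin Identity", ""), []
    if admin not in users:
        findings.append(f"Initial Admin Identity '{admin}' is not an Initial User Identity")
    if admin != client_dn:  # exact string match; assumes no identity mapping rules
        findings.append(f"client DN '{client_dn}' != Initial Admin Identity '{admin}'")
    return findings
```
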
04-12-2023
12:26 AM
I changed the name of the nifi user from ec2-user to nifi thinking that perhaps the - was causing an issue. Specifically, I generated the client certificate keystore from the client certificate and key using the following command:

```
openssl pkcs12 -export -out CN=nifi.p12 -inkey client.key -in client.pem
```

I then logged into the nifi gui and selected the certificate i.e., CN=nifi.p12. And no luck, the users option is not available on the global menu. Here is output from the nifi-users.log

```
2023-04-12 07:08:50,575 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Initializing Authorizer
2023-04-12 07:08:50,644 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/ec2-user/nifi/./conf/users.xml
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Apr 12 07:08:50 UTC 2023
2023-04-12 07:08:50,663 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /home/ec2-user/nifi/./conf/authorizations.xml
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi1, OU=NIFI (raw node identity CN=nifi1, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi3, OU=NIFI (raw node identity CN=nifi3, OU=NIFI)
2023-04-12 07:08:50,667 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi2, OU=NIFI (raw node identity CN=nifi2, OU=NIFI)
2023-04-12 07:08:51,201 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US
2023-04-12 07:08:51,211 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Apr 12 07:08:51 UTC 2023
2023-04-12 07:08:51,213 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Configuring Authorizer
2023-04-12 07:13:20,075 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,083 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/kerberos
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,358 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 POST https://nifi1:9443/nifi-api/access/oidc/exchange
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,383 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/token/expiration
2023-04-12 07:13:20,440 WARN [NiFi Web Server-9579] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Access Token not found. Returning Conflict response.
java.lang.IllegalStateException: Access Token not found
2023-04-12 07:13:20,453 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:20,454 INFO [NiFi Web Server-9589] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,189 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.10 [<CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US><CN=nifi1, OU=HR, O=snyderinc, L=Ashburn, ST=Virginia, C=US>] GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,193 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.10 GET https://nifi1:9443/nifi-api/flow/current-user
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,656 INFO [NiFi Web Server-9584] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/access/config
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.0.1.155 [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] GET https://nifi1:9443/nifi-api/flow/client-id
2023-04-12 07:13:21,657 INFO [NiFi Web Server-9579] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=nifi, OU=NIFI, O=snyderinc, L=Ashburn, ST=Virginia, C=US] 10.0.1.155 GET https://nifi1:9443/nifi-api/flow/client-id
```
04-11-2023
09:38 AM
Another update: I looked in the authorizations.xml file and see that the user ec2-user has the following authorizations:

- flow action "R"
- data/process-groups/ action "R"
- data/process-groups action "W"
- process-groups action "R"
- process-groups action "W"
- restricted-components "W"
- tenants actions "R" and "W"
- policies actions "R" and "W"
- controller actions "R" and "W"