@davehkd  Thank you for the awesome feedback.  Glad i could help you. It would be great if you could go through this back and forth exchange and accept all the responses I provided that helped you.  I noticed you accepted your own response.  🙂 Matt ... View more

@niclyx  I think you are diverging form the original query asked in this community question which has an accepted solution. When it comes to a mutual TLS exchange/handshake, this is not something NiFi created or has made any modification to.  There are many different resources on the web to learn about MutualTLS and how it works.  NiFi only cares that the TLS handshake was successful and if no other method of authentication was setup, it received a clientAuth certificate from which it will use the full DN as the identity for the authenticated user. I recommend starting a new community questions if you have new questions. Matt ... View more

@Manika  The single-user-provider used by NiFi out of the box does not support multiple users.  It simply sets up a single user to access the secured NiFi suing the out of the box NiFi setup.  Only the very first time NiFi is launched with this setup will the generated username and password be output in the nifi-app.log.  You can use the following command to change that username and password: $ ./bin/nifi.sh set-single-user-credentials <username> <password> This single user username and password has full access to everything, so NiFi does not expose "policies" as setting up additional users is not possible.   NiFi provides no other provider for local users.  NiFi historically has left user management as an external dependency.  In order tp support multiple users with and various level of authorization, you will need to switch to using a different authorizer and authentication method. Switching to another authentication method will require you establish an external means for user authentication.  NiFi has numerous supported methods (User certificate, LDAP, Kerberos, etc.) https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication Once you have selected the method you will use to authenticate your users that is not the "single-user-provider", you need to change your authorizer from "single-user-authorizer" to "standard-managed-authorizer": https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#standardmanagedauthorizer   If you found that any of the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@davehkd  The "Initial Admin Identity" is defined in the file-access-policy provider in the authorizers.xml. This provider is executed during startup of the application startup and creates an authorizations.xml file where it we set a pre-defined set of NiFi Resource Identifiers (NiFi policies) needed for NiFi administration by  the Initial Admin Identity and set NiFi Resource Identifiers needed by the NiFI nodes defined in "Node Identity <num>". The file-access-policy-provider has a dependency on a user-group-provider.  This dependency exists because NiFi Resource Identifiers (NiFi Policies) can't be set for any user/client identity strings that are not provided by one of the user-group-providers NiFi offers.  In your case, it appears you are using the file-user-group-provider, which means the nodes and initial admin must be added as "Initial user identity <num>" in that provider.  The file-user-group-provider is responsible for creating the users.xml. IMPORTANT: These providers will only generate a users.xml and authorizations.xml file if they do NOT already exist.  Expectation is that once created, additional users and setting of additional policies occurs from within the UI.  So configuration changes to these providers will have no impact on already existing users.xmll and authorizations.xml.  So if mistakes where made in configuration resulting in missing needed content in these files, they need to removed after making your config changes so new can be generated. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt   ... View more

@davehkd  That is an incomplete authorizers.xml and thus not valid.   Matt ... View more

@apmmahesh  I see one issue with your shared authorizers.xml configuration. The file loads the various providers from the top down, so it is VERY important that if a provider has a dependency on another provider that the provider it is dependent on is loaded first. So in your authorizers.xml has the following loading order: file-access-policy-provider --> file-user-grouo-provider --> managed-authorizer The problem here is that the file-access-policy provider is dependent on the file-user-group-provider which has not been loaded yet. so it will not set default policies correctly when generating the authorizations.xml file. Move the file-access-policy-provider between fie-user-group-provider (top of authorizers.xml) and managed-authorizer (bottom of authorizers.xml).   Second issue is that you have properties "Initial Admin Identity 1" and "Initial Admin Identity 2"  properties in your file-access-policy-provider.  These are not real properties. You can only specify one "Initial Admin Identity" in the file-access-policy-provider.  These unexpected property names would just be ignored. Third issue is that you need to not only specify your "Initial Admin Identity" in the file-access-policy-provider, but also need to make sure that the same user identity string is being defined in the "file-user-group-provider as another "initial User Identity <num>".  NiFi can't seed policies for a user Identity it does know about. Also keep in mind that changes to authorizers.xml file-access-policy-provider and file-access-policy-provider configuration will not result in modification of existing users.xml and authorizations.xml files.  You'll need to remove these so that new are created on startup of NiFi.   Now if you can already login with your "CN=Admin, OU=NiFi" certificate and at time of that setup the users.xml and authorizations.xml was created correctly, you can use this admin user to access "users" from global menu in NiFi and add your additional user "xyz123" and then set policies you want user xyz123 to have.   If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more