@Geoffrey Shelton Okot /proxy is also tested earlier. Anonymous users is already set to false . [root@ip- ~]# cat /etc/nifi/3.0.1.1-5/0/authorizers.xml|grep -i anon <property name="Allow Anonymous">false</property> [root@ip-10-248-13-199 ~]# [root@ip- ~]# cat /usr/hdf/current/nifi/conf/nifi.properties |grep -i login nifi.login.identity.provider.configuration.file=/usr/hdf/current/nifi/conf/login-identity-providers.xml nifi.security.user.login.identity.provider=ldap-provider [root@ip- ~]# Can you suggest, from where anonymous user is coming? Is it from Ranger policy(LDAP) or is it a default user in Nifi ? ... View more

@Jobin George Can you please suggest how to remove anonymous user by getting default login to Nifi UI. I can login Nifi UI with my LDAP user but Nifi is also accessible with anonymous user without password. I wanted to disable it. In ranger policy if I remove {user} from user section then I cannot login Nifi UI with LDAP user and also it doesn't get default login with anonymous. Please suggest. Brief description is mentioned on below link. https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html?childToView=145984#answer-145984 ... View more

@Geoffrey Shelton Okot Thank you for the clearing the doubt. But /var/lib/nifi/conf/users.xml and /var/lib/nifi/conf/authorizations.xml files are not created as well. Can you please suggest what exactly need to do to create them. Also can you please suggest that, is it possible to remove the anonymous default login ? Am I searching in right direction, because I have tried multiple ways but still I do not get the expected result. Anything I'm missing in configurations? ... View more

@Geoffrey Shelton Okot @Pierre Villard @Matt Clarke @Jonas Straub @Yolanda M. Davis Complete setup scenario: In a cluster ( HDF 3.0.1 - Ambari, Nifi, zookeeper, Ranger, DB - Mysql ), all componants are running fine. Nifi UI is configured with HTTPS but do not get successful login page in Nifi UI. (To configure Nifi UI with HTTPS - converted keystore.jks file into pks12 format and loaded the pks12 file into browser) Ranger is integrated with LDAP successfully. Ranger UI is accessible through LDAP users. Copied Nifi's keystore and trustore file from Nifi server to Ranger server to build the trust between them. (copied at /usr/hdf/current/ranger-admin/conf) Then Ranger Policy is created and added LDAP users in it. Also given Read and Write permissions to added LDAP users in Ranger policy. Note: Ranger UI is not on HTTPS Now there is one issue. If I add some LDAP users in the Ranger policy then I cannot access Nifi UI. I got 'insuffecient permissions and unable to access the page' kind of errors. Logs shows authentication is success for LDAP users but authorization is failed. Getting below error as per screenshot. But If I gave {users} in user's section of Ranger Policy, then I can login Nifi UI with my LDAP user. Also Nifi UI can be accessible by anonymous user. I dont know from where anonymous user is coming. But If I remove {user} from user section then I cannot login with LDAP user as well as anonymous user. As per some blogs, I found it could be the related from authorizations.xml and users.xml files. But those files are missing from Nifi servers. How to create/generate those files ? Nifi Config. nifi.security.user.login.identity.provider ldap-provider Template for login-identity-providers.xml <provider> <identifier>ldap-provider</identifier> <class>org.apache.nifi.ldap.LdapProvider</class> <property name="Identity Strategy">USE_USERNAME</property> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">CN=zxc_oi,OU=fox,DC=abc,DC=com</property> <property name="Manager Password">xxx</property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://ldap.abc.com:389</property> <property name="User Search Base">DC=abc,DC=com</property> <property name="User Search Filter">sAMAccountName={0}</property> <property name="Authentication Expiration">12 hours</property> </provider> Please suggest, How I can remove anonymous user by getting logged in Nifi UI. I have gone through below links and some others as well. https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range.html https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/#comment-1114 If any more details is required, please let us know. ... View more

@Geoffrey Shelton Okot @Matt Clark Below files are not in Nifi's conf folder. authorizations.xml users.xml Those files are not found anywhere on the system. Do we need those files ? If yes then how to generate/create both .xml files ? Also as per https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/ user's should have specific permissions to access the nifi. I have full permissions to the users but still I'm getting the same permission issue. What could be the issue? ... View more

Hello @Geoffrey Shelton Okot Do you find anything related to this issue? ... View more

/data/log/nifi/nifi-user.log <em>==> /data/log/nifi/nifi-user.log <== 2017-10-30 06:11:54,514 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:11:55,605 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:11:55,652 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:13:06,886 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response. 2017-10-30 06:13:07,135 INFO [NiFi Web Server-94] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Unable to view the user interface. Returning Unauthorized response. 2017-10-30 06:14:03,287 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhcGxlLG91PU1VTV9NdW1iYWkgSW5kaWEsb3U9QXNpYSxvdT1QZW9wbGUgYW5kIFdvcmtzdGF0aW9ucyxkYz1tb3Jua) GET https://10.248.13.199:9091/nifi-api/flow/current-user (source ip: 10.90.18.237) 2017-10-30 06:14:03,290 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Danny Leo,ou=Asia,ou=People and Workstations,dc=ex,dc=com 2017-10-30 06:14:03,293 INFO [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=Danny Leo,ou=People,ou=Asia,ou=People and Workstations,dc=ex,dc=com does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.<br></em> I have followed multiple links to resolve this issue. https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range.html https://community.hortonworks.com/articles/57980/hdf-20-apache-nifi-integration-with-apache-ambarir.html https://community.hortonworks.com/articles/61729/nifi-identity-conversion.html ... View more

@Geoffrey Shelton Okot I am not using Kerberos. I dont know from where kerberos entries are coming in logs. Nifi is already configured with SSL. Also I have created policies in Ranger. Please check below screenshot. I have added users in all above policies. Template for login-identity-providers.xml <provider> <identifier>ldap-provider</identifier> <class>org.apache.nifi.ldap.LdapProvider</class> <property name="Identity Strategy">USE_USERNAME</property> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">CN=hadoop_prd_ad_user,OU=Service Accounts,OU=Hadoop,OU=Servers and Services,DC=ex,DC=com</property> <property name="Manager Password">xxx</property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://ldap.ex.com:389</property> <property name="User Search Base">DC=ex,DC=com</property> <property name="User Search Filter">sAMAccountName={0}</property> <property name="Authentication Expiration">12 hours</property> </provider> nifi.security.user.login.identity.provider=ldap-provider In the Ranger UI your parameter Nifi Resource Identifier I have removed * from policy. authorizers.xml <authorizer> <identifier>ranger-provider</identifier> <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class> <property name="Ranger Audit Config Path">/usr/hdf/current/nifi/conf/ranger-nifi-audit.xml</property> <property name="Ranger Security Config Path">/usr/hdf/current/nifi/conf/ranger-nifi-security.xml</property> <property name="Ranger Service Type">nifi</property> <property name="Ranger Application Id">nifi</property> <property name="Allow Anonymous">false</property> <property name="Ranger Admin Identity"></property> <property name="Ranger Kerberos Enabled">false</property> Still my issue is not get resolved. How it is automatically gets logged in with anonymous? ... View more

@Geoffrey Shelton Okot have you succeeded in giving your Nifi users UI access through ranger? Ans> yes In Ranger policy, when I give {user} in select user tab I can login with LDAP users. Please check screenshot. Also when I hit the Nifi UI (https://nifihost:9091/nifi) automatically it gets logged in with anonymous user. I do not get login page, but there is option to do login. As per attached screenshot. My question is, I wanted to remove this default anonymous login. Please suggest, where I can do changes in configurations. Also, In Ranger Policy if I remove {user} from select user tab and give specific LDAP users then I cannot login Nifi UI. Even it doesn't login with anonymous. I get below in logs <em>==> /data/log/nifi/nifi-user.log <== 2017-10-30 06:11:54,514 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:11:55,605 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:11:55,652 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty 2017-10-30 06:13:06,886 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response. 2017-10-30 06:13:07,135 INFO [NiFi Web Server-94] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Unable to view the user interface. Returning Unauthorized response. 2017-10-30 06:14:03,287 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhcGxlLG91PU1VTV9NdW1iYWkgSW5kaWEsb3U9QXNpYSxvdT1QZW9wbGUgYW5kIFdvcmtzdGF0aW9ucyxkYz1tb3Jua) GET https://10.248.13.199:9091/nifi-api/flow/current-user (source ip: 10.90.18.237) 2017-10-30 06:14:03,290 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=Danny Leo,ou=Asia,ou=People and Workstations,dc=ex,dc=com 2017-10-30 06:14:03,293 INFO [NiFi Web Server-20] o.a.n.w.a.c.AccessDeniedExceptionMapper cn=Danny Leo,ou=People,ou=Asia,ou=People and Workstations,dc=ex,dc=com does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.<br></em> It seems I have authorizations/permissions issue. Can you please suggest where I'm missing the configurations. Thanks, Suraj ... View more

@Geoffrey Shelton Okot @vperiasamy I have made the required changes as per the given links. How to remove anonymous user by getting default login. I ahve not given anonymous user in ranger policy. ... View more