Member since
09-27-2024
21
Posts
9
Kudos Received
1
Solution
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 1018 | 10-01-2024 05:42 AM |
04-10-2025
12:50 AM
Hello @MattWho , I have checked all of it that you had mentioned above . I am resending details of settings , xmls and properties from both Nifi and Registry again ( apologies for the spam ), as I am unable to pinpoint again on what must be missing . Like you mentioned , I had also checked the case sensitivity of the user logged in to Nifi and Registry and they both are lower case - abc123 Here are most of the details : Nifi users.xml : <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups>
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec" name="memberof=CN=AG-X-XYZ-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net">
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8ccd5a2b-0193-1000-4ab1-a90c6292086f"/>
<user identifier="8cccdcb8-0193-1000-c8ca-fc550eb2368e"/>
<user identifier="8ccd3e00-0193-1000-f318-d02a5817402c"/>
<user identifier="8cccbea3-0193-1000-7d5a-790b03ecaa72"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="8ccb756b-0193-1000-36c1-676c733ee3f4"/>
<user identifier="8ccd0338-0193-1000-5e4e-bc0ad2bf0cc5"/>
<user identifier="8ccd920f-0193-1000-95fc-afd6e39bd27c"/>
</group>
</groups>
<users>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71" identity="CN=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local, OU=NIFI"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c" identity="abc123"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7" identity="CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034" identity="xxxx"/>
<user identifier="8ccb756b-0193-1000-36c1-676c733ee3f4" identity="xxxxx"/>
<user identifier="8cccbea3-0193-1000-7d5a-790b03ecaa72" identity="xxxxx"/>
<user identifier="8cccdcb8-0193-1000-c8ca-fc550eb2368e" identity="xxxxx"/>
<user identifier="8ccd0338-0193-1000-5e4e-bc0ad2bf0cc5" identity="xxxxx"/>
<user identifier="8ccd3e00-0193-1000-f318-d02a5817402c" identity="xxxx"/>
<user identifier="8ccd5a2b-0193-1000-4ab1-a90c6292086f" identity="xxxx"/>
<user identifier="8ccd920f-0193-1000-95fc-afd6e39bd27c" identity="xxxx"/>
</users>
</tenants> Nifi authorizations.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="7c6a8bf7-f3b9-3358-93fa-6fc92946faf0" resource="/data/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="bc9687e9-e400-3faf-a6bc-7c1b832fc5da" resource="/data/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="d20889de-aa8b-3dcc-af5b-c74f2c25b312" resource="/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="02b1a385-2009-3e03-a6d7-75932f74ada6" resource="/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="8cb0d156-0193-1000-f1d3-58b578d23034"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="146d0981-0196-1000-dc6e-268a25ba7981" resource="/system" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="146e2f51-0196-1000-06fe-a958f1c51bd8" resource="/operation/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="146e8d91-0196-1000-0a8b-4bdc21fa740e" resource="/provenance-data/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="146ee2a6-0196-1000-aff9-e35ac785ee2d" resource="/policies/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="146f051f-0196-1000-e187-583ca921ef04" resource="/policies/process-groups/6f07a80f-74d5-4afb-af54-33ce83614c77" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="1474e76d-0196-1000-7cf9-4e32bc935836" resource="/site-to-site" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="151f93c6-0196-1000-8780-1704f131b085" resource="/policies/process-groups/8cc5b2d7-0193-1000-36d4-f55e83a2fdae" action="W"/>
<policy identifier="1a81dafe-0196-1000-0758-350e8775bb16" resource="/process-groups/8cc5b2d7-0193-1000-36d4-f55e83a2fdae" action="R">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="1a82349c-0196-1000-af5b-1921a344af72" resource="/process-groups/8cc5b2d7-0193-1000-36d4-f55e83a2fdae" action="W">
<group identifier="8cb5071f-0193-1000-db62-10da8b6cddec"/>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="1a8267d3-0196-1000-347a-f914bff2136f" resource="/operation/process-groups/8cc5b2d7-0193-1000-36d4-f55e83a2fdae" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="1a8564c1-0196-1000-2461-0571b2f24d7c" resource="/counters" action="R"/>
</policies>
</authorizations> Nifi Properties : # Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=../data/flow.xml.gz
nifi.flow.configuration.archive.enabled=true
nifi.flow.configuration.archive.dir=../data/archive/
nifi.flow.configuration.archive.max.time=30 days
nifi.flow.configuration.archive.max.storage=500 MB
nifi.flow.configuration.archive.max.count=
nifi.flowcontroller.autoResumeState=true
nifi.flowcontroller.graceful.shutdown.period=10 sec
nifi.flowservice.writedelay.interval=500 ms
nifi.administrative.yield.duration=30 sec
# If a component has no work to do (is "bored"), how long should we wait before checking again for work?
nifi.bored.yield.duration=10 millis
nifi.authorizer.configuration.file=./conf/authorizers.xml
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.templates.directory=../data/templates
nifi.ui.banner.text=my-nifi-0
nifi.ui.autorefresh.interval=30 sec
nifi.nar.library.directory=./lib
nifi.nar.library.directory.custom=
nifi.nar.library.autoload.directory=./extensions
nifi.nar.working.directory=./work/nar/
nifi.documentation.working.directory=./work/docs/components
####################
# State Management #
####################
nifi.state.management.configuration.file=./conf/state-management.xml
# The ID of the local state provider
nifi.state.management.provider.local=local-provider
# The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster.
nifi.state.management.provider.cluster=zk-provider
# Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server
nifi.state.management.embedded.zookeeper.start=false
# Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true
nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties
# H2 Settings
nifi.database.directory=../data/database_repository
nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
# FlowFile Repository
nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository
nifi.flowfile.repository.directory=../flowfile_repository
nifi.flowfile.repository.partitions=256
nifi.flowfile.repository.checkpoint.interval=2 mins
nifi.flowfile.repository.always.sync=false
nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager
nifi.queue.swap.threshold=20000
nifi.swap.in.period=5 sec
nifi.swap.in.threads=1
nifi.swap.out.period=5 sec
nifi.swap.out.threads=4
# Content Repository
nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository
nifi.content.claim.max.appendable.size=1 MB
nifi.content.claim.max.flow.files=100
nifi.content.repository.directory.default=../content_repository
nifi.content.repository.archive.max.retention.period=3 days
nifi.content.repository.archive.max.usage.percentage=85%
nifi.content.repository.archive.enabled=true
nifi.content.repository.always.sync=false
nifi.content.viewer.url=/nifi-content-viewer/
# Provenance Repository Properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1000000
nifi.provenance.repository.encryption.key.provider.implementation=
nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id=
nifi.provenance.repository.encryption.key=
# Persistent Provenance Repository Properties
nifi.provenance.repository.directory.default=../provenance_repository
nifi.provenance.repository.max.storage.time=10 days
nifi.provenance.repository.max.storage.size=8 GB
nifi.provenance.repository.rollover.time=30 secs
nifi.provenance.repository.rollover.size=100 MB
nifi.provenance.repository.query.threads=2
nifi.provenance.repository.index.threads=2
nifi.provenance.repository.compress.on.rollover=true
nifi.provenance.repository.always.sync=false
nifi.provenance.repository.journal.count=16
# Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are:
# EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details
nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship
# FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type
nifi.provenance.repository.indexed.attributes=
# Large values for the shard size will result in more Java heap usage when searching the Provenance Repository
# but should provide better performance
nifi.provenance.repository.index.shard.size=500 MB
# Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from
# the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved.
nifi.provenance.repository.max.attribute.length=65536
# Volatile Provenance Respository Properties
nifi.provenance.repository.buffer.size=100000
# Component Status Repository
nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository
nifi.components.status.repository.buffer.size=1440
nifi.components.status.snapshot.frequency=1 min
# Site to Site properties
nifi.remote.input.host=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local
nifi.remote.input.secure=true
nifi.remote.input.socket.port=10000
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs
# web properties #
nifi.web.war.directory=./lib
nifi.web.proxy.host=my-nifi-nifi-server.xyzshift.dev02.xyz.se:443
nifi.web.https.port=8443
nifi.web.http.host=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local
nifi.web.http.network.interface.default=eth0
nifi.web.https.host=
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
# nifi.web.proxy.context.path=
# security properties #
nifi.sensitive.props.key=xxxxxxxxxxxxxxxxxxxxxx
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-server.svc.cluster.local/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xxxxxxxxxxx
nifi.security.keyPasswd=xxxxxxxxxxx
nifi.security.truststore=/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-server.svc.cluster.local/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxxxxxxxxxx
proxiedEntity=CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.needClientAuth=
# Apache Knox SSO Properties #
nifi.security.user.knox.url=
nifi.security.user.knox.publicKey=
nifi.security.user.knox.cookieName=hadoop-jwt
nifi.security.user.knox.audiences=
# Identity Mapping Properties #
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.security.identity.mapping.value.dn=$1@$2
# nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.security.identity.mapping.value.kerb=$1@$2
# cluster common properties (all nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec
nifi.cluster.protocol.is.secure=true
# cluster node properties (only configure for cluster nodes) #
nifi.cluster.is.node=false
nifi.cluster.node.address=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local
nifi.cluster.node.protocol.port=6007
nifi.cluster.node.protocol.threads=10
nifi.cluster.node.protocol.max.threads=50
nifi.cluster.node.event.history.size=25
nifi.cluster.node.connection.timeout=5 sec
nifi.cluster.node.read.timeout=5 sec
nifi.cluster.node.max.concurrent.requests=100
nifi.cluster.firewall.file=
nifi.cluster.flow.election.max.wait.time=1 mins
nifi.cluster.flow.election.max.candidates=
# zookeeper properties, used for cluster management #
nifi.zookeeper.client.ensembleTracker=false
nifi.zookeeper.connect.string=:2181
nifi.zookeeper.connect.timeout=3 secs
nifi.zookeeper.session.timeout=3 secs
nifi.zookeeper.root.node=/nifi
# Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management
# Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes
# and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node
# The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal
# and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal
# values configured on the zookeeper server).
nifi.zookeeper.auth.type=
nifi.zookeeper.kerberos.removeHostFromPrincipal=
nifi.zookeeper.kerberos.removeRealmFromPrincipal=
# kerberos #
nifi.kerberos.krb5.file=/etc/hadoop/krb5.conf
# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=
# kerberos spnego principal #
nifi.kerberos.spnego.principal=
nifi.kerberos.spnego.keytab.location=
nifi.kerberos.spnego.authentication.expiration=12 hours
# external properties files for variable registry
# supports a comma delimited list of file locations
nifi.variable.registry.properties=
nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(Solid Users|Service Users),ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net$
nifi.security.identity.mapping.transform.dn=LOWER
nifi.security.identity.mapping.value.dn=$1
nifi.web.http.network.interface.lo=lo Registry Clients from Nifi : SSL context service activated : Updated Nifi Registry users.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71" identity="CN=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local, OU=NIFI"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234" identity="CN=localhost, OU=NIFI"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c" identity="abc123"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7" identity="CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"/>
</users>
</tenants> Updated Nifi Registry authorizations.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="ac587f43-6e1c-3890-81fd-83b4df2e678e" resource="/swagger" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="d59a54f7-6dd6-34ad-a279-a26ffdb9eef8" resource="/proxy" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="9d182b11-ebe3-3a7a-8731-98ce6d6e44fd" resource="/buckets" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="dfbf3c51-fdec-3328-b169-3b54eb033147" resource="/buckets" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="0eaa47b9-e409-304e-8682-30d1b0d86d05" resource="/swagger" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="cf4d8390-5ac7-3ff0-82ce-a274b5f88b21" resource="/swagger" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="01b87cb5-c0b6-342d-b108-d8bc03ab5cde" resource="/policies" action="D">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="2dbc92a2-b091-3616-8e88-5078b9103b04" resource="/tenants" action="D">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="3ee4703f-94ca-33c2-8060-17f5d313f560" resource="/actuator" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="05b96464-9ec8-312a-8459-67812a8b48c1" resource="/buckets" action="D">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="6dbdbffd-8a7d-32e1-ba3e-f600e6c69791" resource="/proxy" action="D">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="2f62b1f7-e822-3d04-b041-b21b3327fc05"/>
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="2fd3fcf5-b10f-33fa-8d8e-b262fa34815e" resource="/actuator" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="2f470357-e82c-38ee-8062-ab6388d6ec75" resource="/actuator" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="ae834d5f-a5c8-4d44-bdbf-e65c1882d627" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="R">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="4215ba55-dc93-41ad-b145-2921b3575131" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="D">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
<policy identifier="63c36b1f-48db-4fa8-a480-e9e87eafc4a3" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="W">
<user identifier="63542e71-d360-309e-bbca-29a1f8484f71"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
</policy>
</policies>
</authorizations> Nifi Registry properties # Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=0.0.0.0
nifi.registry.web.https.port=18443
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true
# security properties #
nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxxxxx
nifi.registry.security.keyPasswd=xxxxxx
nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=xxxxxxx
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider
# sensitive property protection properties #
# nifi.registry.sensitive.props.additional.keys=
# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml
# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml
# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions
# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=
# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false
# extension directories #
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib
# Identity Mapping Properties #
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER
# Group Mapping Properties #
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER
# kerberos properties #
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours
# OIDC #
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
# revision management #
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
nifi.registry.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(Solid Users|Service Users),ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net$
nifi.registry.security.identity.mapping.transform.dn=LOWER
nifi.registry.security.identity.mapping.value.dn=$1 Nifi registry authorizers.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
to use a specific authorizer it must be configured here and its identifier must be specified in the nifi-registry.properties file.
If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
This file allows for configuration of them, but they must be configured in order:
...
all userGroupProviders
all accessPolicyProviders
all Authorizers
...
-->
<authorizers>
<!--
The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
on the local file system.
- Users File - The file where the FileUserGroupProvider will store users and groups.
- Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
"Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities,
so the values should be the unmapped identities (i.e. full DN from a certificate).
-->
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Initial User Identity 2">cn=ABC123,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
<property name="Initial User Identity 3">CN=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local, OU=NIFI</property>
<property name="Initial User Identity 4">CN=localhost, OU=NIFI</property>
<property name="Initial User Identity admin">cn=ABC123,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
</userGroupProvider>
<!--
The DatabaseUserGroupProvider will provide support for managing users and groups in a relational database. The framework
will provide a database connection to this provider using the same database information from nifi-registry.properties.
- Initial User Identity [unique key] - Same as the Initial User Identity in the FileUserGroupProvider
-->
<!-- To enable the database-user-group-provider remove 2 lines. This is 1 of 2.
<userGroupProvider>
<identifier>database-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.database.DatabaseUserGroupProvider</class>
<property name="Initial User Identity 1"></property>
</userGroupProvider>
To enable the database-user-group-provider remove 2 lines. This is 2 of 2. -->
<!--
The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
are not configurable.
'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
'Manager Password' - The password of the manager that is used to bind to the LDAP server to
search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
'Sync Interval' - Duration of time between syncing users and groups. (i.e. 30 mins).
'Group Membership - Enforce Case Sensitivity' - Sets whether group membership decisions are case sensitive. When a user or group
is inferred (by not specifying or user or group search base or user identity attribute or group name attribute) case sensitivity
is enforced since the value to use for the user identity or group name would be ambiguous. Defaults to false.
'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
group membership will not be calculated through the users. Will rely on group membership being defined
through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
'Group Search Base' is also configured.
'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
group membership will not be calculated through the groups. Will rely on group membership being defined
through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi-registry vs. memberUid: user1)
'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi-registry vs. memberUid: user1)
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the user identities.
Group names are not mapped.
-->
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxxx</property>
<property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/keystore.jks</property>
<property name="TLS - Keystore Password">xxxxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/truststore.jks</property>
<property name="TLS - Truststore Password">xxxxxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://coredcs-v3-prd.corp1.ad1.xyz.net:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">2 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(memberof=CN=AG-X-XYZ-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(objectClass=group)</property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<!--
The ShellUserGroupProvider provides support for retrieving users and groups by way of shell commands
on systems that support `sh`. Implementations available for Linux and Mac OS, and are selected by the
provider based on the system property `os.name`.
'Refresh Delay' - duration to wait between subsequent refreshes. Default is '5 mins'.
'Exclude Groups' - regular expression used to exclude groups. Default is '', which means no groups are excluded.
'Exclude Users' - regular expression used to exclude users. Default is '', which means no users are excluded.
'Command Timeout' - amount of time to wait while executing a command before timing out
-->
<!-- To enable the shell-user-group-provider remove 2 lines. This is 1 of 2.
<userGroupProvider>
<identifier>shell-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.shell.ShellUserGroupProvider</class>
<property name="Refresh Delay">5 mins</property>
<property name="Exclude Groups"></property>
<property name="Exclude Users"></property>
<property name="Command Timeout">60 seconds</property>
</userGroupProvider>
To enable the shell-user-group-provider remove 2 lines. This is 2 of 2. -->
<!--
The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
- User Group Provider [unique key] - The identifier of user group providers to load from. The name of
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
behavior would need to be applied by the base implementation.
-->
<userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
<property name="User Group Provider 1">file-user-group-provider</property>
<property name="User Group Provider 2">ldap-user-group-provider</property>
</userGroupProvider>
<!--
The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
Additionally, a single configurable user group provider is required. Users from the configurable user group provider
are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
- Configurable User Group Provider - A configurable user group provider.
- User Group Provider [unique key] - The identifier of user group providers to load from. The name of
each property must be unique, for example: "User Group Provider A", "User Group Provider B",
"User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
NOTE: Any identity mapping rules specified in nifi-registry.properties are not applied in this implementation. This
behavior would need to be applied by the base implementation.
-->
<!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1"></property>
</userGroupProvider>
To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
<!--
The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
on the local file system.
- User Group Provider - The identifier for an User Group Provider defined above that will be used to access
users and groups for use in the managed access policies.
- Authorizations File - The file where the FileAccessPolicyProvider will store policies.
- Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
given the ability to create additional users, groups, and policies. The value of this property could be
a DN when using certificates or LDAP. This property will only be used when there
are no other policies defined.
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the initial admin identity,
so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
- NiFi Identity [unique key] - The identity of a NiFi node that will have access to this NiFi Registry and will be able
to act as a proxy on behalf of a NiFi Registry end user. A property should be created for the identity of every NiFi
node that needs to access this NiFi Registry. The name of each property must be unique, for example for three
NiFi clients:
"NiFi Identity A", "NiFi Identity B", "NiFi Identity C" or "NiFi Identity 1", "NiFi Identity 2", "NiFi Identity 3"
NOTE: Any identity mapping rules specified in nifi-registry.properties will also be applied to the nifi identities,
so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
in the configured User Group Provider.
- NiFi Group Name - The name of the group, whose members are NiFi instance/node identities,
that will have access to this NiFi Registry and will be able to act as a proxy on behalf of a NiFi Registry end user.
The members of this group will be granted permission to proxy user requests, as well as read any bucket to perform synchronization checks.
-->
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">cn=ABC123,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
<property name="Nifi Identity 1">CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Nifi Identity 2">cn=ABC123,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
<property name="Nifi Identity 3">CN=my-nifi-0.my-nifi-headless.nifi-server.svc.cluster.local, OU=NIFI</property>
<property name="Nifi Identity 4">CN=localhost, OU=NIFI</property>
<property name="NiFi Group Name"/>
</accessPolicyProvider>
<!--
The DatabaseAccessPolicyProvider will provide support for managing access policies in a relational database. The
framework will provide a database connection to this provider using the same database information from nifi-registry.properties.
- User Group Provider - Same as User Group Provider in the FileAccessPolicyProvider
- Initial Admin Identity - Same as Initial Admin Identity in the FileAccessPolicyProvider
- NiFi Identity [unique key] - Same as NiFi Identity in the FileAccessPolicyProvider
- NiFi Group Name - Same as NiFi Group Name in the FileAccessPolicyProvider
-->
<!-- To enable the database-access-policy-provider remove 2 lines. This is 1 of 2.
<accessPolicyProvider>
<identifier>database-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.database.DatabaseAccessPolicyProvider</class>
<property name="User Group Provider">database-user-group-provider</property>
<property name="Initial Admin Identity"></property>
<property name="NiFi Identity 1"></property>
<property name="NiFi Group Name"></property>
</accessPolicyProvider>
To enable the database-access-policy-provider remove 2 lines. This is 2 of 2. -->
<!--
The StandardManagedAuthorizer. This authorizer implementation must be configured with the
Access Policy Provider which it will use to access and manage users, groups, and policies.
These users, groups, and policies will be used to make all access decisions during authorization
requests.
- Access Policy Provider - The identifier for an Access Policy Provider defined above.
-->
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers> Bucket policy screenshot The one redacted with yellow is user abc123 Thanks
... View more
04-09-2025
01:14 AM
Hello @MattWho , I have the StandardSSLContext Service defined as mentioned and I am unable to pinpoint where exactly I might be lacking the setup . Do you mind if I send you my properties , users.xml , authorizations.xml and authorizers.xml for both Nifi and Registry for you to review ? I would really appreciate your help and time on this. Thanks in advance !
... View more
04-08-2025
12:59 AM
Hello @MattWho , Here are some changes and details that I would like to mention after your above answer. 1. In this screenshot , the second user is the user that I am logged in as - let's say the user is abc123. and I do see in my authorizations.xml that this user has the correct permissions assigned to the bucket policy : $ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c" identity="abc123"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7" identity="CN=DEF456,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net"/>
</users>
</tenants>
$ cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="3ee4703f-94ca-33c2-8060-17f5d313f560" resource="/actuator" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="6dbdbffd-8a7d-32e1-ba3e-f600e6c69791" resource="/proxy" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="01b87cb5-c0b6-342d-b108-d8bc03ab5cde" resource="/policies" action="D">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="dfbf3c51-fdec-3328-b169-3b54eb033147" resource="/buckets" action="W">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="d59a54f7-6dd6-34ad-a279-a26ffdb9eef8" resource="/proxy" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="2f470357-e82c-38ee-8062-ab6388d6ec75" resource="/actuator" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="05b96464-9ec8-312a-8459-67812a8b48c1" resource="/buckets" action="D">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="2fd3fcf5-b10f-33fa-8d8e-b262fa34815e" resource="/actuator" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="cf4d8390-5ac7-3ff0-82ce-a274b5f88b21" resource="/swagger" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="2dbc92a2-b091-3616-8e88-5078b9103b04" resource="/tenants" action="D">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="9d182b11-ebe3-3a7a-8731-98ce6d6e44fd" resource="/buckets" action="R">
<user identifier="1f645d41-2d46-37fc-83a1-adce75c00913"/>
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="0eaa47b9-e409-304e-8682-30d1b0d86d05" resource="/swagger" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="ac587f43-6e1c-3890-81fd-83b4df2e678e" resource="/swagger" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="8c131406-609c-4a52-b4bf-d25687dd5085" resource="/buckets/087b5af2-4e50-4eb9-abc5-6f99cd0af51b" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="522d7a96-b401-4ea7-a70b-4d2fbd76a83d" resource="/buckets/087b5af2-4e50-4eb9-abc5-6f99cd0af51b" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="4b8c71d6-6d4a-43ee-b893-13239fea0876" resource="/buckets/087b5af2-4e50-4eb9-abc5-6f99cd0af51b" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
</policy>
<policy identifier="c7ed56c5-36ad-4a3d-9c07-d47ef2589867" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="R">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="de95d93c-78d3-4697-b833-cee96771dbfd" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="W">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
<policy identifier="7bde6e0b-3b04-4748-b864-87b04e5b41c3" resource="/buckets/9e750378-dd63-4a18-912d-79094dfc81e0" action="D">
<user identifier="71b266f5-7764-3ff5-a812-80112278b50c"/>
<user identifier="702372cd-05d0-3378-98eb-2c263cb0dbb7"/>
</policy>
</policies>
</authorizations> 2. Checked the Nifi user as well to ensure case sensitivity and it is the same user i.e. abc123. Even after this I am getting the same error 😞 Is there something else I might need to check or verify ? Thanks for all you help and suggestions on this topic , in advance.
... View more
04-07-2025
12:12 AM
Hello @MattWho , Thank you for your response . My Nifi Registry and Nifi Versions are as follows : Nifi - 1.26.0 Nifi Registry - 1.27.0 The bucket I have is publicly visible : and I am still not able to make any commits to it . The user that I am logged in with in my Nifi Registry also has these privliges : and I am not sure why I still can't make any changes or commits. and here are the permissions for the same user for Nifi Could you please help me identify what exactly I might be missing ? Thanks!
... View more
04-04-2025
06:48 AM
Hello , After importing flows from my Registry in Nifi , while I try to commit Local changes , I get this below error: The logs for Nifi show the following : Caused by: org.apache.nifi.registry.flow.FlowRegistryException: Error creating snapshot:
at org.apache.nifi.registry.flow.NifiRegistryFlowRegistryClient.registerFlowSnapshot(NifiRegistryFlowRegistryClient.java:263)
at org.apache.nifi.registry.flow.StandardFlowRegistryClientNode.lambda$registerFlowSnapshot$7(StandardFlowRegistryClientNode.java:254)
at org.apache.nifi.registry.flow.StandardFlowRegistryClientNode.execute(StandardFlowRegistryClientNode.java:289)
at org.apache.nifi.registry.flow.StandardFlowRegistryClientNode.registerFlowSnapshot(StandardFlowRegistryClientNode.java:254)
at org.apache.nifi.web.StandardNiFiServiceFacade.registerVersionedFlowSnapshot(StandardNiFiServiceFacade.java:5306)
... 142 common frames omitted
Caused by: org.apache.nifi.registry.client.NiFiRegistryException: Error creating snapshot:
at org.apache.nifi.registry.client.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:117)
at org.apache.nifi.registry.client.impl.JerseyFlowSnapshotClient.create(JerseyFlowSnapshotClient.java:74)
at org.apache.nifi.registry.client.impl.JerseyFlowSnapshotClient.create(JerseyFlowSnapshotClient.java:55)
at org.apache.nifi.registry.flow.NifiRegistryFlowRegistryClient.registerFlowSnapshot(NifiRegistryFlowRegistryClient.java:248)
... 146 common frames omitted
Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942)
at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:755)
at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:675)
at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:674)
at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:450)
at org.glassfish.jersey.client.JerseyInvocation$Builder.post(JerseyInvocation.java:351)
at org.apache.nifi.registry.client.impl.JerseyFlowSnapshotClient.lambda$create$0(JerseyFlowSnapshotClient.java:81)
at org.apache.nifi.registry.client.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:103)
... 149 common frames omitted Not sure what is missing . Please let me know what information is needed so that it can make the issue more clear. Thanks!
... View more
Labels:
- Labels:
-
Apache NiFi
-
NiFi Registry
12-09-2024
12:36 PM
1 Kudo
Thanks again @MattWho . I tried to incorporate the same , and the error still exists . Additionally , I dont see much on the Debug logs , even after I have enabled it to get more info on that . What kind of information could I provide you in regards to Ldap search and I can try to gather this information ? Thanks
... View more
12-09-2024
12:04 AM
Hello @MattWho , Yes , I have set my page size as 500 . Please find my ldap-user-group-provider config below : <userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="Page Size">500</property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base"></property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(objectClass=*)</property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(member=*)(uniqueMember=*))</property>
<property name="Group Name Attribute">sAMAccountName</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider> Leading me to the error Caused by: org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0 │
│ app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0 │
│ app-log ]; remaining name 'CN=xxxx,OU=LocalWorkstationAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net' │
│ app-log at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:212) │
│ app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824) │
│ app-log at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:807) │
│ app-log at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:848) │
│ app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:620) │
│ app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:570) │
│ app-log at org.springframework.ldap.core.support.AbstractContextMapper.mapFromContext(AbstractContextMapper.java:43) │
│ app-log at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:69) │
│ app-log at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50) │
│ app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:371) │
│ app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:332) │
│ app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:633) │
│ app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.load(LdapUserGroupProvider.java:570) │
│ app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.onConfigured(LdapUserGroupProvider.java:386) │
│ app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) │
│ app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) │
│ app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) │
│ app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source) │
│ app-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38) │
│ app-log at com.sun.proxy.$Proxy81.onConfigured(Unknown Source) │
│ app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:199) │
│ app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:168) │
│ app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:72) │
│ app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169) │
│ app-log ... 107 common frames omitted Is there something else that I am missing here ?
... View more
12-06-2024
02:39 AM
1 Kudo
Hello @MattWho , Thank you for your response . I have made the changes as you suggested , however I see the below Debug message each time : 2024-12-06 10:07:02,187 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider Group member attribute [member] does not exist for [AG-RANDOMADMIN]. This may be due to misconfiguration or the group may not have any members. Ignoring group membership. I do see that this group does not have any memebers at all . Is there a way I can filter out or ignore the groups that do not have any members at all ? The only other change I did was to change <property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property> to <property name="Group Search Filter">(|(member=*)(uniqueMember=*))</property> to do this filtering out , but Nifi service keeps dying after throwing some of these exceptions : app-log 2024-12-06 10:28:47,557 INFO [main] o.a.nifi.properties.NiFiPropertiesLoader Loading Application Properties [/opt/nifi/nifi-current/./conf/nifi.properties]
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:214)
app-log at org.springframework.aop.framework.autoproxy.BeanFactoryAdvisorRetrievalHelper.findAdvisorBeans(BeanFactoryAdvisorRetrievalHelper.java:91)
app-log at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findCandidateAdvisors(AbstractAdvisorAutoProxyCreator.java:111)
app-log at org.springframework.aop.aspectj.annotation.AnnotationAwareAspectJAutoProxyCreator.findCandidateAdvisors(AnnotationAwareAspectJAutoProxyCreator.java:92)
app-log at org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator.shouldSkip(AspectJAwareAdvisorAutoProxyCreator.java:101)
app-log at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessBeforeInstantiation(AbstractAutoProxyCreator.java:255)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInstantiation(AbstractAutowireCapableBeanFactory.java:1160)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.resolveBeforeInstantiation(AbstractAutowireCapableBeanFactory.java:1135)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:531)
app-log ... 48 common frames omitted
app-log Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:794)
app-log at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:220)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:336)
app-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:209)
app-log at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:401)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getSingletonFactoryBeanForTypeCheck(AbstractAutowireCapableBeanFactory.java:1027)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryBean(AbstractAutowireCapableBeanFactory.java:907)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.isTypeMatch(AbstractBeanFactory.java:638)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:583)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:550)
app-log at org.springframework.beans.factory.BeanFactoryUtils.beanNamesForTypeIncludingAncestors(BeanFactoryUtils.java:265)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1557)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1354)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
app-log at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:904)
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:781)
app-log ... 74 common frames omitted
app-log Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176)
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1899)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1284)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:346)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:209)
app-log at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
app-log at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:904)
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:781)
app-log ... 97 common frames omitted
app-log Caused by: org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:212)
app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824)
app-log at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:807)
app-log at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:848)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:620)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:570)
app-log at org.springframework.ldap.core.support.AbstractContextMapper.mapFromContext(AbstractContextMapper.java:43)
app-log at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:69)
app-log at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:371)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:332)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:633)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.load(LdapUserGroupProvider.java:570)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.onConfigured(LdapUserGroupProvider.java:386)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
app-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
app-log at com.sun.proxy.$Proxy81.onConfigured(Unknown Source)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:199)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:168)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:72)
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169)
app-log ... 107 common frames omitted
app-log Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.c_lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(Unknown Source)
app-log at java.naming/javax.naming.InitialContext.lookup(Unknown Source)
app-log at java.base/jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
app-log at org.springframework.ldap.core.support.SingleContextSource$NonClosingDirContextInvocationHandler.invoke(SingleContextSource.java:197)
app-log at com.sun.proxy.$Proxy84.lookup(Unknown Source)
app-log at org.springframework.ldap.core.LdapTemplate$10.executeWithContext(LdapTemplate.java:850)
app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:821)
app-log ... 129 common frames omitted
app-log 2024-12-06 10:29:48,297 INFO [Thread-0] org.apache.nifi.NiFi Application Server shutdown started
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...
user-log 2024-12-06 10:29:48,077 ERROR [main] o.a.n.a.AuthorizerFactoryBean User Group Provider [composite-configurable-user-group-provider] destruction failed
user-log java.lang.NullPointerException: null
user-log at org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider.preDestruction(CompositeConfigurableUserGroupProvider.java:244)
user-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
user-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
user-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
user-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
user-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
user-log at com.sun.proxy.$Proxy80.preDestruction(Unknown Source)
user-log at org.apache.nifi.authorization.AuthorizerFactoryBean.lambda$destroy$2(AuthorizerFactoryBean.java:566)
user-log at java.base/java.util.HashMap.forEach(Unknown Source)
user-log at org.apache.nifi.authorization.AuthorizerFactoryBean.destroy(AuthorizerFactoryBean.java:564)
user-log at org.springframework.beans.factory.support.DisposableBeanAdapter.destroy(DisposableBeanAdapter.java:213)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroyBean(DefaultSingletonBeanRegistry.java:587)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingleton(DefaultSingletonBeanRegistry.java:559)
user-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingleton(DefaultListableBeanFactory.java:1163)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingletons(DefaultSingletonBeanRegistry.java:520)
user-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingletons(DefaultListableBeanFactory.java:1156)
user-log at org.springframework.context.support.AbstractApplicationContext.destroyBeans(AbstractApplicationContext.java:1123)
user-log at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:604)
user-log at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:399)
user-log at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:278)
user-log at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
user-log at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1073)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:572)
user-log at org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:1002)
user-log at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:765)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
user-log at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
user-log at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
user-log at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:916)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
user-log at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:426)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.server.Server.start(Server.java:423)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.server.Server.doStart(Server.java:387)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:818)
user-log at org.apache.nifi.NiFi.<init>(NiFi.java:172)
user-log at org.apache.nifi.NiFi.<init>(NiFi.java:83)
user-log at org.apache.nifi.NiFi.main(NiFi.java:332)
bootstrap-log 2024-12-06 10:29:49,275 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi never started. Will not restart NiFi
... View more
12-04-2024
12:38 PM
1 Kudo
Hi @MattWho , Thank you for your reply . Here is the ldap-user-group-provider from my authorizers.xml <userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">2 mins</property>
<property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
</userGroupProvider> and here is the sample from my ldapsearch : 21:27 $ ldapsearch -x -H ldaps://someldap.corp1.ad1.xyz.net:636 -D "CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net" -w "xxxxx" -b "OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net" "(memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)"
# extended LDIF
#
# LDAPv3
# base <OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net> with scope subtree
# filter: (memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)
# requesting: ALL
#
# W0YZ1, Solid Users, User Accounts, corp1.ad1.xyz.net
dn: CN=W0YZ1,OU=Solid Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: W0YZ1
sn: Jones
c: XY
l: Earth
title: Developer, Platform
givenName: Jack
distinguishedName: CN=W0YZ1,OU=Solid Users,OU=User Accounts,DC=corp1,DC=ad1,D
C=xyz,DC=net
instanceType: 4
displayName: Jones, Jack
uSNCreated: 123456
memberOf: CN=YG-COI-EMPL-PRD,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-123456-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-789101-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-111213-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-131516-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-171819-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
sAMAccountName: W0YZ1
mail: Jack.Jones@xyz.se Please let me know in case you need additional information from me. Thanks in advance for all you help !
... View more
12-04-2024
05:58 AM
Hi , My Nifi loads all the AD groups from my LDAP server , but it doensn't load any member information of it . As per the image , one can see that the Members list is empty. How is it possible to get the users in the group too ? I can add it manually , but I would like the ldap to be able to retrieve the users as per the group.
... View more
Labels:
- Labels:
-
Apache NiFi