Member since 05-22-2025 · 4 Posts · 0 Kudos Received · 0 Solutions
06-03-2025 10:17 AM
My apologies, the only thing that seemed to change was that we are able to add users in the UI now. The question is how to get the correct NiFi node certificate identities for both our dev-nifi and our production-nifi to set as users? When I run openssl s_client -connect dev-nifi.example.com:443 -showcerts I get a wildcard CN for both (*.example.com) before the leaf certificate in the chain. So I feel like we might be missing something in the setup, or we have it configured wrong. Is the registry expecting something else for the NiFi node? We are still unable to load buckets from both; I am logging into the NiFi instances as my group user 'lynott'.
06-02-2025 12:41 PM
@MattWho Thank you for your quick response. I have read over the above and will do my best to answer your questions, as the initial setup was done prior to me taking on the project.

I have updated the authorizers.xml and removed 'employee' as the initial admin from the file-user-group-provider. In the identity-providers.xml, <property name="Identity Strategy">USE_USERNAME</property> was already set correctly. I changed the class in the authorizers.xml for the composite-user-group-provider identity to org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider and made sure the file-access-policy-provider used the correct user group provider. The UUIDs in the authorizations.xml were already there when I began taking over the work on this project, and I am going to assume they were added when the registry service was first started. When accessing the Registry UI I do indeed see my user in the upper right-hand corner. Following these steps allowed members of the NiFi admin group to add a user in the UI.

I think where I may be going wrong here is the NiFi node certificate identities. I added <property name="Nifi identity 1">CN=dev-nifi.example.com</property> to both the file-user-group-provider and the file-access-policy-provider. I think this may be an issue with how I am setting the identity here, perhaps; I also tried in the UI. I do now see three UUIDs in the authorizations.xml/users.xml after restarting nifi-registry.service on the EC2 instance: one for 'employee', one for the group, and one I am assuming is for the NiFi identity.
05-29-2025 06:20 AM
Adding those files with the sensitive information removed.

Authorizers.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">employee</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=nifildap,OU=ServiceAccounts,OU=COMPANYUsers,DC=corp,DC=company,DC=com</property>
<property name="Manager Password">MANAGER_PASS</property>
<property name="TLS - Keystore">./conf/ldap_keystore.jks</property>
<property name="TLS - Keystore Password">KEYSTORE_PASSWORD</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">./conf/ldap_truststore.jks</property>
<property name="TLS - Truststore Password">TRUSTSTORE_PASSWORD</property>
<property name="TLS - Truststore Type">jks</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1.2</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://dc1.corp.company.com:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="User Search Base"></property>
<property name="User Object Class"></property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=COMPANYGroups,DC=corp,DC=company,DC=com</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">((cn=nifi-admins))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">employee</property>
<property name="NiFi Group Name"></property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>

users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309" identity="employee"/>
</users>
</tenants>

Authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="2dbc92a2-b091-3616-8e88-5078b9103b04" resource="/tenants" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="2fd3fcf5-b10f-33fa-8d8e-b262fa34815e" resource="/actuator" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="01b87cb5-c0b6-342d-b108-d8bc03ab5cde" resource="/policies" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="cf4d8390-5ac7-3ff0-82ce-a274b5f88b21" resource="/swagger" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="0eaa47b9-e409-304e-8682-30d1b0d86d05" resource="/swagger" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="ac587f43-6e1c-3890-81fd-83b4df2e678e" resource="/swagger" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="d59a54f7-6dd6-34ad-a279-a26ffdb9eef8" resource="/proxy" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="9d182b11-ebe3-3a7a-8731-98ce6d6e44fd" resource="/buckets" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="dfbf3c51-fdec-3328-b169-3b54eb033147" resource="/buckets" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="05b96464-9ec8-312a-8459-67812a8b48c1" resource="/buckets" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="2f470357-e82c-38ee-8062-ab6388d6ec75" resource="/actuator" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="3ee4703f-94ca-33c2-8060-17f5d313f560" resource="/actuator" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="6dbdbffd-8a7d-32e1-ba3e-f600e6c69791" resource="/proxy" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="9db54cd5-07b7-49e4-9b22-010a0af52309"/>
</policy>
<policy identifier="ce2bf41b-96e7-497e-86bc-661e71066a25" resource="/buckets/9ebee5c0-88ef-435a-bce3-4ca448a4cc5a" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
</policy>
<policy identifier="d86fd825-1771-4935-9010-acc1f2d41a4c" resource="/buckets/9ebee5c0-88ef-435a-bce3-4ca448a4cc5a" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
</policy>
<policy identifier="9fe582c5-5bc5-4783-ac58-d30f3dccd85c" resource="/buckets/9ebee5c0-88ef-435a-bce3-4ca448a4cc5a" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
</policy>
<policy identifier="bc8e4c75-a893-4d85-892e-f0e6796f1abc" resource="/buckets/3eb5b85d-005b-43cd-8591-5d577bb31ca1" action="W">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="b495b01c-b1bc-33ec-ac0a-eb1f7fd572c8"/>
</policy>
<policy identifier="c192ea08-6584-44da-8400-354ab90649ed" resource="/buckets/3eb5b85d-005b-43cd-8591-5d577bb31ca1" action="R">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="b495b01c-b1bc-33ec-ac0a-eb1f7fd572c8"/>
</policy>
<policy identifier="cd42e4c9-212d-4fdf-9d0f-767cc2c20b89" resource="/buckets/3eb5b85d-005b-43cd-8591-5d577bb31ca1" action="D">
<group identifier="8c295cae-a773-4d6a-98cd-eef47d0b8189"/>
<user identifier="b495b01c-b1bc-33ec-ac0a-eb1f7fd572c8"/>
</policy>
</policies>
</authorizations>

nifi-registry.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=0.0.0.0
nifi.registry.web.https.port=18443
nifi.registry.web.https.application.protocols=http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true
# security properties #
nifi.registry.security.keystore=./conf/keystore.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=KEYSTORE_PASSWORD
nifi.registry.security.keyPasswd=KEY_PASSWORD
nifi.registry.security.truststore=./conf/truststore.p12
nifi.registry.security.truststoreType=PKCS12
nifi.registry.security.truststorePasswd=TRUSTSTORE_PASSWORD
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider
# sensitive property protection properties #
# nifi.registry.sensitive.props.additional.keys=
# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml
# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml
# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions
# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=
# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false
# extension directories #
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib
# Identity Mapping Properties #
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER
# Group Mapping Properties #
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER
# kerberos properties #
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours
# OIDC #
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
# revision management #
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
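The identity-mapping and group-mapping properties commented out at the end of the properties file above decide the exact string NiFi Registry compares against the identities in users.xml, which is also what the 06-03 question about the NiFi node certificate identity turns on: the node is matched by the identity its certificate DN becomes after mapping. The Python script below is an added example, not NiFi Registry's own code. It re-implements that mapping logic as the properties file describes it (Java-style $1/$2 back-references, whole-identity match, NONE/LOWER/UPPER transforms, first matching mapping in key order wins, an identity that matches no mapping passes through unchanged) over a constructed properties excerpt and constructed sample DNs, so you can predict what identity a given certificate DN, Kerberos principal or LDAP group name will arrive as. Python's re module stands in for Java's regex engine, so unusual patterns may behave differently; the sample properties, DN, principal and group name are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of nifi-registry.properties, with the
# example mappings from the file above uncommented (illustration only).
SAMPLE_PROPERTIES = """
nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.registry.security.identity.mapping.value.dn=$1@$2
nifi.registry.security.identity.mapping.transform.dn=NONE
nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
nifi.registry.security.identity.mapping.value.kerb=$1@$2
nifi.registry.security.identity.mapping.transform.kerb=UPPER
nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
nifi.registry.security.group.mapping.value.anygroup=$1
nifi.registry.security.group.mapping.transform.anygroup=LOWER
"""

IDENTITY_PREFIX = "nifi.registry.security.identity.mapping."
GROUP_PREFIX = "nifi.registry.security.group.mapping."

# (name, pattern, value, transform)
Mapping = Tuple[str, str, str, str]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value per line, '#' comments skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_mappings(props: Dict[str, str], prefix: str) -> List[Mapping]:
    """Collect pattern/value/transform triples under a prefix, sorted by mapping name."""
    marker = prefix + "pattern."
    names = sorted(k[len(marker):] for k in props if k.startswith(marker))
    mappings: List[Mapping] = []
    for name in names:
        pattern = props[marker + name]
        value = props.get(prefix + "value." + name, "")
        transform = props.get(prefix + "transform." + name, "NONE").upper()
        mappings.append((name, pattern, value, transform))
    return mappings


def _java_backrefs_to_python(value: str) -> str:
    """Java replacement strings use $1, $2; re.Match.expand() wants \\1, \\2."""
    return re.sub(r"\$(\d+)", r"\\\1", value)


def apply_mappings(identity: str, mappings: List[Mapping]) -> str:
    """Return the mapped identity, or the input unchanged when no pattern matches."""
    for _name, pattern, value, transform in mappings:
        match = re.fullmatch(pattern, identity)
        if match is None:
            continue
        mapped = match.expand(_java_backrefs_to_python(value))
        if transform == "LOWER":
            mapped = mapped.lower()
        elif transform == "UPPER":
            mapped = mapped.upper()
        return mapped
    return identity


def map_identity(identity: str, properties_text: str = SAMPLE_PROPERTIES) -> str:
    return apply_mappings(identity, load_mappings(parse_properties(properties_text), IDENTITY_PREFIX))


def map_group(group: str, properties_text: str = SAMPLE_PROPERTIES) -> str:
    return apply_mappings(group, load_mappings(parse_properties(properties_text), GROUP_PREFIX))


if __name__ == "__main__":
    # Constructed inputs: a full certificate DN, a bare CN, a Kerberos principal, an LDAP group.
    for ident in (
        "CN=dev-nifi.example.com, OU=NIFI, O=Example Corp, L=Austin, ST=TX, C=US",
        "CN=dev-nifi.example.com",  # matches no mapping, so it is used verbatim
        "lynott/instance@CORP.COMPANY.COM",
    ):
        print(f"{ident!r} -> {map_identity(ident)!r}")
    print(f"{'NiFi-Admins'!r} -> {map_group('NiFi-Admins')!r}")
```

Whatever map_identity returns for a node's certificate DN is the string that has to appear as a user in users.xml (or as a NiFi Identity in authorizers.xml); a DN that matches no mapping is used verbatim, so the entry must then be the complete DN exactly as the certificate carries it, not just its CN.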
05-28-2025 08:32 AM
Hello Matt, thank you for your response. I had followed the steps here, Re: NIfi and Nifi Registry Integration - Cloudera Community, that you posted previously:

openssl s_client -connect nifi.example.com:443 -showcerts
# copied the certificate chain into nifi-1.28.0.chain.crt, as a nifi-cert already existed in the registry's truststore
keytool -import -alias nifi-1.28-crt -keystore conf/truststore.p12 -file nifi-1.28.chain.crt -storepass $STORE_PASS
systemctl restart nifi-registry.service

The error referenced in the above post had already been resolved; I just wanted to share everything we have done and tried. The main issue now is that even though we have buckets in the registry, when we click to start version control on a process group it says there are no buckets available. We also have the issue of no nifi-registry users being able to add a user for the NiFi instances.