I'll review this closely once again when I get back to this system tonight
- thanks very much for your reply, Isha.
I also feel I need to look more closely in nifi.properties, at values I
have set for keys nifi.security.identity.mapping.[value, transform,
pattern].CN1
I noticed some odd behavior and suspect it is a reflection of an issue I
have not set properly in my configuration:
The first time I started my 2.0 instance with my Initial Admin Identity
defined as shown, the UI in my browser actually presented me with a list
(of one) Personal cert to select from - the cert for admin2. I was in a
happy place: *finally*, nifi and the browser appeared to be in synch for
the Subject name in the cert.
I selected this cert, but then was crushed by the rejection mentioned above:
Unable to view the user interface. Contact the system administrator.
Insufficient Permissions home
I restarted nifi so I could "tail -f" nifi-app.log.
After restart, I once again tried to hit my NiFi URL.
This time though, the browser failed to present the admin2 cert for
selection. Shouldn't it have still presented that to me in the browser fro
my selection?
Do you have any thoughts why this behavior is occurring?
Would you say it is it advisable to manually create by hand an
authorizations.xml file should I continue to experience Insufficient
Permissions problems? I recall reading that users.xml and
authorizations.xml - if absent at initial startup - should be created by
nifi from info in authorizers.xml. But this Insufficient Permissions makes
me suspect something is missing from authorizations.
Jim
On Wed, Apr 24, 2024 at 5:33 AM Isha Lamboo <isha.lam...@virtualsciences.nl>
wrote:
> Hi James,
>
>
>
> Have you changed these settings in authorizers.xml since you first started
> NiFi? If so, you may need to delete users.xml and authorizations.xml.
>
> A new admin user will not be created if those files already exist.
>
>
>
> Otherwise, the trickiest part is usually that the user DN needs to match *
> *exactly** with that specified. Capitals and whitespace matter. Since you
> are getting insufficient permissions instead of unknown user, I don’t think
> that’s your problem here. Still, it may be worth checking for a mismatch in
> the initial admin identity vs initial user identity vs certificate.
>
>
>
> Regards,
>
>
>
> Isha
>
>
>
> *Van:* James McMahon <jsmcmah...@gmail.com>
> *Verzonden:* woensdag 24 april 2024 02:14
> *Aan:* users <users@nifi.apache.org>
> *Onderwerp:* Insufficient permissions on initial start up (NiFi 2.0)
>
>
>
> I am trying to start my new NiFi 2.0 installation. I have a user admin2
> that has a cert. The nifi server also has a cert. Both are signed by the
> same CA.
>
>
>
> At start up in my browser I am denied due to insufficient privileges:
>
>
>
> Unable to view the user interface. Contact the system administrator.
>
> Insufficient Permissions home
>
>
>
>
>
> My authorizors.xml has been configured as follows:
>
> <authorizers>
> <userGroupProvider>
> <identifier>file-user-group-provider</identifier>
> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> <property name="Users
> File">/opt/nifi/config_resources/users.xml</property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Initial User Identity 1">C = US, ST = Virginia, L
> = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
> </userGroupProvider>
> <accessPolicyProvider>
> <identifier>file-access-policy-provider</identifier>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> <property name="User Group
> Provider">file-user-group-provider</property>
> <property name="Authorizations
> File">/opt/nifi/config_resources/authorizations.xml</property>
> <property name="Initial Admin Identity">C = US, ST = Virginia, L =
> Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Node Identity 1"></property>
> </accessPolicyProvider>
> <authorizer>
> <identifier>managed-authorizer</identifier>
>
> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> <property name="Access Policy
> Provider">file-access-policy-provider</property>
> </authorizer>
> </authorizers>
>
>
>
> I read that at start up, authorizations.xml and users.xml would be created
> by NiFi - those files are not to be hand jammed.
>
>
>
> So how do I actually get in with my admin2 user?
>
> What have I overlooked on this magical mystery tour?
>
>
>
>
>
