I still cannot access my own NiFi 2.0 instance. I continue to get this
rejection:
Insufficient Permissions
- home
Unable to view the user interface. Contact the system administrator.
The canvas flashes for an instant when I try to hit my secure URL, but is
immediately replaced with this rejection message.
There is no error or warning in nifi-app.log
Has anyone experienced a similar problem?
Here is my authorizers.xml:
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users
File">/opt/nifi/config_resources/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">C = US, ST = Virginia, L =
Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group
Provider">file-user-group-provider</property>
<property name="Authorizations
File">/opt/nifi/config_resources/authorizations.xml</property>
<property name="Initial Admin Identity">C = US, ST = Virginia, L =
Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy
Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
Here is my authorizations.xml (nifi creates at first startup):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="ae1ef91b-11d8-38a4-9d8a-33e7ee25d65e"
resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e"
action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="818d3b60-f65b-3d67-960e-f7e7aea0f6cc"
resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e"
action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="6e49aea6-93bd-3a2a-a0d6-b5afb4581b4f"
resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="3755b3ac-380b-3c02-83a6-10c3870f377a"
resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/>
</policy>
</policies>
</authorizations>
Here is my users.xml (nifi creates at first startup):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834" identity="C
= US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2"/>
</users>
</tenants>
On Wed, Apr 24, 2024 at 8:21 AM James McMahon <jsmcmah...@gmail.com> wrote:
> I'll review this closely once again when I get back to this system tonight
> - thanks very much for your reply, Isha.
>
> I also feel I need to look more closely in nifi.properties, at values I
> have set for keys nifi.security.identity.mapping.[value, transform,
> pattern].CN1
>
> I noticed some odd behavior and suspect it is a reflection of an issue I
> have not set properly in my configuration:
> The first time I started my 2.0 instance with my Initial Admin Identity
> defined as shown, the UI in my browser actually presented me with a list
> (of one) Personal cert to select from - the cert for admin2. I was in a
> happy place: *finally*, nifi and the browser appeared to be in synch for
> the Subject name in the cert.
>
> I selected this cert, but then was crushed by the rejection mentioned
> above:
> Unable to view the user interface. Contact the system administrator.
> Insufficient Permissions home
>
> I restarted nifi so I could "tail -f" nifi-app.log.
> After restart, I once again tried to hit my NiFi URL.
> This time though, the browser failed to present the admin2 cert for
> selection. Shouldn't it have still presented that to me in the browser fro
> my selection?
> Do you have any thoughts why this behavior is occurring?
>
> Would you say it is it advisable to manually create by hand an
> authorizations.xml file should I continue to experience Insufficient
> Permissions problems? I recall reading that users.xml and
> authorizations.xml - if absent at initial startup - should be created by
> nifi from info in authorizers.xml. But this Insufficient Permissions makes
> me suspect something is missing from authorizations.
>
> Jim
>
> On Wed, Apr 24, 2024 at 5:33 AM Isha Lamboo <
> isha.lam...@virtualsciences.nl> wrote:
>
>> Hi James,
>>
>>
>>
>> Have you changed these settings in authorizers.xml since you first
>> started NiFi? If so, you may need to delete users.xml and
>> authorizations.xml.
>>
>> A new admin user will not be created if those files already exist.
>>
>>
>>
>> Otherwise, the trickiest part is usually that the user DN needs to match *
>> *exactly** with that specified. Capitals and whitespace matter. Since
>> you are getting insufficient permissions instead of unknown user, I don’t
>> think that’s your problem here. Still, it may be worth checking for a
>> mismatch in the initial admin identity vs initial user identity vs
>> certificate.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Isha
>>
>>
>>
>> *Van:* James McMahon <jsmcmah...@gmail.com>
>> *Verzonden:* woensdag 24 april 2024 02:14
>> *Aan:* users <users@nifi.apache.org>
>> *Onderwerp:* Insufficient permissions on initial start up (NiFi 2.0)
>>
>>
>>
>> I am trying to start my new NiFi 2.0 installation. I have a user admin2
>> that has a cert. The nifi server also has a cert. Both are signed by the
>> same CA.
>>
>>
>>
>> At start up in my browser I am denied due to insufficient privileges:
>>
>>
>>
>> Unable to view the user interface. Contact the system administrator.
>>
>> Insufficient Permissions home
>>
>>
>>
>>
>>
>> My authorizors.xml has been configured as follows:
>>
>> <authorizers>
>> <userGroupProvider>
>> <identifier>file-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>> <property name="Users
>> File">/opt/nifi/config_resources/users.xml</property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Initial User Identity 1">C = US, ST = Virginia, L
>> = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
>> </userGroupProvider>
>> <accessPolicyProvider>
>> <identifier>file-access-policy-provider</identifier>
>>
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> <property name="User Group
>> Provider">file-user-group-provider</property>
>> <property name="Authorizations
>> File">/opt/nifi/config_resources/authorizations.xml</property>
>> <property name="Initial Admin Identity">C = US, ST = Virginia, L
>> = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> </accessPolicyProvider>
>> <authorizer>
>> <identifier>managed-authorizer</identifier>
>>
>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>> <property name="Access Policy
>> Provider">file-access-policy-provider</property>
>> </authorizer>
>> </authorizers>
>>
>>
>>
>> I read that at start up, authorizations.xml and users.xml would be
>> created by NiFi - those files are not to be hand jammed.
>>
>>
>>
>> So how do I actually get in with my admin2 user?
>>
>> What have I overlooked on this magical mystery tour?
>>
>>
>>
>>
>>
>
