start.sh calls secure.sh (for secure installations), which would appear to always update the authorizers.xml file with the INITIAL_ADMIN_IDENTITY env var value [1]. Have you set that env var in your deployment? If not, I'm guessing that's why it's being removed from the file you're injecting (i.e. the start script is overwriting the value in your file with a blank value).
[1] https://github.com/apache/nifi-registry/blob/main/nifi-registry-docker-maven/dockermaven/sh/secure.sh#L56

---
*Chris Sampson*
IT Consultant
chris.samp...@naimuri.com
<https://www.naimuri.com/>

On Fri, 5 Mar 2021 at 14:37, Sim, Yoosuk <yoosuk....@bell.ca.invalid> wrote:

> Hello dev,
>
> I have observed an odd behavior that I do not know the exact cause or solutions to.
> Currently, I am setting up NiFi and NiFi-Registry docker containers, deployed to OpenShift, to work with LDAP. Both containers were modified to allow files to have Group 0 ownership.
> NiFi worked as expected, and I intended to replicate the setup on NiFi-Registry. NiFi-Registry had other ideas, apparently.
>
> The first sign was that when I first logged in with my username, which was set as Initial Admin Identity, it would authenticate me but would not grant me any power other than view. When checking logs, it shows that my username was indeed authenticated, complete with my group information, but it would complain that I was not given any permission to access the material and therefore forbidden. I added debug flags to ldap-related classes into logback.xml and observed more. It shows that a set of usernames, including my own, was indeed imported, along with the groups users belong to. Still, it would not recognize me as the Initial Admin Identity. I then checked my authorizers.xml and realized there was no value entry for Initial Admin Identity.
>
> At this point, I thought I made a dumb mistake of not having put any value in there. Just to be sure, I double checked my configmap that supplied the authorizers.xml, and the story started to become weird. Turns out, I did supply the correct authorizers.xml, complete with the Initial Admin Identity with my username on it. The said file does get populated as expected into the conf/authorizers.xml. But when ../scripts/start.sh is run, at some point in time, the Initial Admin Identity disappears. Even more of a boggle, that's apparently the only value that gets blanked out: every other setting was left intact the way I had supplied it.
>
> So I am confused. Why is my NiFi-Registry deleting a value at Initial Admin Identity specifically, and what can I do to stop this and make it identify the username as the admin? Attached is the authorizers.xml file. Please let me know if you need more information.
>
> Cheers,
>
> Tony Sim
>
> conf/authorizers.xml (edited):
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>ldap-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>
>         <property name="Manager DN">cn=manager,ou=My Users,ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
>         <property name="Manager Password">some password</property>
>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>
>         <property name="Url">ldaps://xxx.xxx.xxx.xxx</property>
>         <property name="Page Size"></property>
>         <property name="Sync Interval">30 mins</property>
>         <property name="Group Membership - Enforce Case Sensitivity">false</property>
>
>         <property name="User Search Base"> ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
>         <property name="User Object Class">person</property>
>         <property name="User Search Scope">SUBTREE</property>
>         <property name="User Search Filter">(|(memberOf=CN=Specific Group 1,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca)(memberOf= CN=Specific Group 2,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca))</property>
>         <property name="User Identity Attribute">CN</property>
>         <property name="User Group Name Attribute">memberOf</property>
>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>         <property name="Group Search Base"> OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
>         <property name="Group Object Class">group</property>
>         <property name="Group Search Scope">SUBTREE</property>
>         <property name="Group Search Filter">(cn=Specific Group*)</property>
>         <property name="Group Name Attribute">CN</property>
>         <property name="Group Member Attribute">member</property>
>         <property name="Group Member Attribute - Referenced User Attribute"></property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">ldap-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">myusername</property>
>         <!-- this value gets blanked out on the file after the ../scripts/start.sh -->
>         <!--<property name="NiFi Group Name"></property>-->
>
>         <property name="NiFi Identity 1"></property>
>     </accessPolicyProvider>
>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
>
> </authorizers>
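The following is an added example, written for this thread rather than taken from NiFi Registry's own start.sh or secure.sh or from either poster. It reproduces the failure mode under discussion in a throwaway file: an env-driven rewrite of the "Initial Admin Identity" property (the `apply_env_overwrite` function is a simplified stand-in for that mechanism, an assumption about what the start script does, not its actual code) blanks the value when `INITIAL_ADMIN_IDENTITY` is unset, and a pre-flight `check_initial_admin` catches the empty identity before the service would start without an admin. The sample authorizers.xml it writes is constructed for the example.

```shell
#!/bin/sh
# Added example, not NiFi Registry's own start.sh/secure.sh.
# Shows how an unconditional, env-driven rewrite of the "Initial Admin
# Identity" property empties it when the env var is unset, and a pre-flight
# check that refuses to proceed on an empty admin identity.

# Write a constructed, minimal authorizers.xml (sample data, not a real config).
make_sample_authorizers() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <property name="Initial Admin Identity">myusername</property>
    </accessPolicyProvider>
</authorizers>
EOF
}

# Simplified stand-in (an assumption, not the real secure.sh line) for a start
# script that replaces the property value with $INITIAL_ADMIN_IDENTITY no matter
# what the file already holds. Unset or empty variable => empty element.
# Caveat: a value containing sed metacharacters (| & \) would need escaping.
apply_env_overwrite() {
  file=$1
  sed "s|<property name=\"Initial Admin Identity\">[^<]*</property>|<property name=\"Initial Admin Identity\">${INITIAL_ADMIN_IDENTITY}</property>|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the current Initial Admin Identity value (empty if the element is
# empty or absent).
get_initial_admin() {
  sed -n 's|.*<property name="Initial Admin Identity">\([^<]*\)</property>.*|\1|p' "$1"
}

# Pre-flight check: succeed (exit 0) only when the identity is non-empty.
check_initial_admin() {
  v=$(get_initial_admin "$1")
  [ -n "$v" ]
}

# Walk through the scenario from the thread on a temporary file.
demo() {
  f=$(mktemp)
  make_sample_authorizers "$f"
  echo "before rewrite: '$(get_initial_admin "$f")'"
  unset INITIAL_ADMIN_IDENTITY
  apply_env_overwrite "$f"
  echo "after rewrite with env var unset: '$(get_initial_admin "$f")'"
  if check_initial_admin "$f"; then
    echo "pre-flight: ok"
  else
    echo "pre-flight: FAIL, Initial Admin Identity is empty; set INITIAL_ADMIN_IDENTITY or skip the env-driven rewrite" >&2
  fi
  rm -f "$f"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh example.sh --demo` to see the value disappear and the pre-flight check fail; in a deployment the same check belongs between the config injection step and the service start, so an empty admin identity stops the container rather than silently producing a registry nobody can administer.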