Thanks Chris Sampson for the solution. That indeed solved the issue. That said, shouldn't this be seen as a bug? If the configuration is set correctly, then even without the environment variable, I would think it should work. May I open an issue/PR on this?

Cheers,
Yoosuk Sim

P.S. For some reason, I didn't get the reply in my email client and only realized I had a reply when visiting the mailing list archive. Hope this doesn't break the flow.

From: Sim, Yoosuk
Sent: March-05-21 9:36 AM
To: 'dev@nifi.apache.org' <dev@nifi.apache.org>
Subject: Weird behavior while setting up NiFi-Registry with LDAP

Hello dev,

I have observed an odd behavior whose exact cause or solution I do not know. Currently, I am setting up NiFi and NiFi-Registry docker containers, deployed to OpenShift, to work with LDAP. Both containers were modified to allow files to have Group 0 ownership. NiFi worked as expected, and I intended to replicate the setup on NiFi-Registry. NiFi-Registry had other ideas, apparently.

The first sign was that when I first logged in with my username, which was set as Initial Admin Identity, it would authenticate me but would not grant me any power other than view. When checking logs, it shows that my username was indeed authenticated, complete with my group information, but it would complain that I was not given any permission to access the material and was therefore forbidden. I added debug flags for the ldap-related classes to logback.xml and observed more. It shows that a set of usernames, including my own, was indeed imported, along with the groups the users belong to. Still, it would not recognize me as the Initial Admin Identity.

I then checked my authorizers.xml and realized there was no value entry for Initial Admin Identity. At this point, I thought I had made the dumb mistake of not having put any value in there. Just to be sure, I double checked my configmap that supplied the authorizers.xml, and the story started to become weird. Turns out, I did supply the correct authorizers.xml, complete with the Initial Admin Identity with my username in it. The said file does get populated as expected into conf/authorizers.xml. But when ../scripts/start.sh is run, at some point in time, the Initial Admin Identity disappears.

Even more boggling, that's apparently the only value that gets blanked out: every other setting was left intact the way I had supplied it. So I am confused. Why is my NiFi-Registry deleting the value at Initial Admin Identity specifically, and what can I do to stop this and make it identify the username as the admin? Attached is the authorizers.xml file. Please let me know if you need more information.

Cheers,
Tony Sim

conf/authorizers.xml (edited):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">cn=manager,ou=My Users,ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
        <property name="Manager Password">some password</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldaps://xxx.xxx.xxx.xxx</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(|(memberOf=CN=Specific Group 1,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca)(memberOf=CN=Specific Group 2,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca))</property>
        <property name="User Identity Attribute">CN</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Group Search Base">OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter">(cn=Specific Group*)</property>
        <property name="Group Name Attribute">CN</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">myusername</property>
        <!-- this value gets blanked out in the file after ../scripts/start.sh runs -->
        <!--<property name="NiFi Group Name"></property>-->
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
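As an added pre-flight check that is not part of this thread or of NiFi Registry itself: the script below parses the authorizers.xml the container actually ends up with and flags the failure mode described above, an Initial Admin Identity that is blank after start.sh has run, so the file-access-policy provider never grants the admin policies and the LDAP user authenticates but is forbidden everything. The two XML samples are constructed; the `expected` argument stands for whatever identity the operator intended, and reading it from an INITIAL_ADMIN_IDENTITY environment variable is an assumption about the deployment.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: the supplied conf/authorizers.xml
# with the Initial Admin Identity still present.
SUPPLIED_XML = """<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">myusername</property>
  </accessPolicyProvider>
</authorizers>"""

# Constructed sample of the same file as observed after start.sh had run:
# only the Initial Admin Identity value is gone.
RENDERED_XML = SUPPLIED_XML.replace(">myusername<", "><")


def initial_admin_identity(xml_text):
    """Return the Initial Admin Identity configured on the
    file-access-policy-provider, or None if it is missing or blank."""
    root = ET.fromstring(xml_text)
    for provider in root.iter("accessPolicyProvider"):
        if provider.findtext("identifier", "").strip() != "file-access-policy-provider":
            continue
        for prop in provider.iter("property"):
            if prop.get("name") == "Initial Admin Identity":
                return (prop.text or "").strip() or None
    return None


def check_admin_identity(xml_text, expected=None):
    """Classify a rendered authorizers.xml before the registry is trusted:
    'blank'    - nobody is granted the admin policies (the symptom in the thread)
    'mismatch' - a principal other than the intended one would become admin
    'ok'       - the intended identity is in place
    expected: the identity the operator meant to configure; None skips that check."""
    actual = initial_admin_identity(xml_text)
    if actual is None:
        return "blank"
    if expected is not None and actual != expected:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    # Assumption: the intended admin is carried in INITIAL_ADMIN_IDENTITY.
    intended = os.environ.get("INITIAL_ADMIN_IDENTITY")
    print("supplied file:", check_admin_identity(SUPPLIED_XML, intended))
    print("rendered file:", check_admin_identity(RENDERED_XML, intended))
```

Run it against the real conf/authorizers.xml (read the file into `check_admin_identity`) as a readiness probe before opening the registry to users, since a blank identity here is silent at startup and only surfaces as the "forbidden" seen in the logs.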