Hello Lourdes,

It is extremely hard to find someone to respond meaningfully to questions related to a NiFi release that is so many years back. There have been thousands of JIRAs to fix/improve/change the way such components behave. If you can please get updated to something more recent, I think you'll find getting help from the community easier.
Thanks

On Mon, Nov 6, 2023 at 6:58 AM Lourdes Ursela Carmen Kuskanto <lourdes.u.c.kuska...@astrapay.com.invalid> wrote:
> Dear NiFi Developer Team,
>
> I want to enable SSO login in NiFi version 1.4 in my Compute Engine in GCP using OIDC. I want to allow all users from my Azure Active Directory group that I have made before to be able to log in to NiFi using their account as registered. But I can't seem to make it work.
>
> I have followed these steps:
> https://github.com/benkelly/NiFi-Authentication-with-Azure-Active-Directory-Setup-Guide
>
> This is my configuration:
>
> nifi.properties
>
> # Core Properties #
> nifi.flow.configuration.file=./conf/flow.xml.gz
> nifi.flow.configuration.archive.enabled=true
> nifi.flow.configuration.archive.dir=./conf/archive/
> nifi.flow.configuration.archive.max.time=30 days
> nifi.flow.configuration.archive.max.storage=500 MB
> nifi.flow.configuration.archive.max.count=
> nifi.flowcontroller.autoResumeState=true
> nifi.flowcontroller.graceful.shutdown.period=10 sec
> nifi.flowservice.writedelay.interval=500 ms
> nifi.administrative.yield.duration=30 sec
> # If a component has no work to do (is "bored"), how long should we wait before checking again for work?
> nifi.bored.yield.duration=10 millis
> nifi.queue.backpressure.count=10000
> nifi.queue.backpressure.size=1 GB
>
> nifi.authorizer.configuration.file=./conf/authorizers.xml
> nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
> nifi.templates.directory=./conf/templates
> nifi.ui.banner.text=
> nifi.ui.autorefresh.interval=30 sec
> nifi.nar.library.directory=./lib
> nifi.nar.library.autoload.directory=./extensions
> nifi.nar.working.directory=./work/nar/
> nifi.documentation.working.directory=./work/docs/components
>
> ####################
> # State Management #
> ####################
> nifi.state.management.configuration.file=./conf/state-management.xml
> # The ID of the local state provider
> nifi.state.management.provider.local=local-provider
> # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populat>
> nifi.state.management.provider.cluster=zk-provider
> # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server
> nifi.state.management.embedded.zookeeper.start=false
> # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.s>
> nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties
>
>
> # H2 Settings
> nifi.database.directory=./database_repository
> nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
>
> # FlowFile Repository
> nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository
> nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog
> nifi.flowfile.repository.directory=./flowfile_repository
> nifi.flowfile.repository.checkpoint.interval=20 secs
> nifi.flowfile.repository.always.sync=false
> nifi.flowfile.repository.encryption.key.provider.implementation=
> nifi.flowfile.repository.encryption.key.provider.location=
> nifi.flowfile.repository.encryption.key.provider.password=
> nifi.flowfile.repository.encryption.key.id=
> nifi.flowfile.repository.encryption.key=
> nifi.flowfile.repository.retain.orphaned.flowfiles=true
>
>
> nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager
> nifi.queue.swap.threshold=20000
>
> # Content Repository
> nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository
> nifi.content.claim.max.appendable.size=1 MB
> nifi.content.repository.directory.default=./content_repository
> nifi.content.repository.archive.max.retention.period=7 days
> nifi.content.repository.archive.max.usage.percentage=50%
> nifi.content.repository.archive.enabled=true
> nifi.content.repository.always.sync=false
> nifi.content.viewer.url=../nifi-content-viewer/
> nifi.content.repository.encryption.key.provider.implementation=
> nifi.content.repository.encryption.key.provider.location=
> nifi.content.repository.encryption.key.provider.password=
> nifi.content.repository.encryption.key.id=
> nifi.content.repository.encryption.key=
>
> # Provenance Repository Properties
> nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository
> nifi.provenance.repository.encryption.key.provider.implementation=
> nifi.provenance.repository.encryption.key.provider.location=
> nifi.provenance.repository.encryption.key.provider.password=
> nifi.provenance.repository.encryption.key.id=
> nifi.provenance.repository.encryption.key=
>
> # Persistent Provenance Repository Properties
> nifi.provenance.repository.directory.default=./provenance_repository
> nifi.provenance.repository.max.storage.time=30 days
> nifi.provenance.repository.max.storage.size=10 GB
> nifi.provenance.repository.rollover.time=10 mins
> nifi.provenance.repository.rollover.size=100 MB
> nifi.provenance.repository.query.threads=2
> nifi.provenance.repository.index.threads=2
> nifi.provenance.repository.compress.on.rollover=true
> nifi.provenance.repository.always.sync=false
> # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are:
> # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details
> nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship
> # FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uui>
> nifi.provenance.repository.indexed.attributes=
> # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository
> # but should provide better performance
> nifi.provenance.repository.index.shard.size=500 MB
> # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from
> # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is re>
> nifi.provenance.repository.max.attribute.length=65536
> nifi.provenance.repository.concurrent.merge.threads=2
>
>
> # Volatile Provenance Respository Properties
> nifi.provenance.repository.buffer.size=100000
>
> # Component and Node Status History Repository
> nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentSt>
>
> # Volatile Status History Repository Properties
> nifi.components.status.repository.buffer.size=1440
> nifi.components.status.snapshot.frequency=1 min
>
> # QuestDB Status History Repository Properties
> nifi.status.repository.questdb.persist.node.days=14
> nifi.status.repository.questdb.persist.component.days=3
> nifi.status.repository.questdb.persist.location=./status_repository
>
> # Site to Site properties
> nifi.remote.input.host=
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=
> nifi.remote.input.http.enabled=true
> nifi.remote.input.http.transaction.ttl=30 sec
> nifi.remote.contents.cache.expiration=30 secs
>
> # web properties #
> #############################################
>
> # For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface.
> # Be aware that changing these properties may affect how your instance can be accessed without any restriction.
> # We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.
>
> #############################################
> nifi.web.https.host=<IP>
> nifi.web.https.port=<my port>
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
> nifi.web.max.header.size=16 KB
> nifi.web.proxy.context.path=
> nifi.web.proxy.host=<proxy IP>
> nifi.web.max.content.size=
> nifi.web.max.requests.per.second=30000
> nifi.web.request.timeout=60 secs
> nifi.web.request.ip.whitelist=
> nifi.web.should.send.server.version=true
>
> # Include or Exclude TLS Cipher Suites for HTTPS
> nifi.web.https.ciphersuites.include=
> nifi.web.https.ciphersuites.exclude=
>
> # security properties #
> nifi.sensitive.props.key=<key>
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.autoreload.enabled=false
> nifi.security.autoreload.interval=10 secs
> nifi.security.keystore=./conf/keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<key store>
> nifi.security.keyPasswd=<key pass>
> nifi.security.truststore=./conf/truststore.p12
> nifi.security.truststoreType=PKCS12
> nifi.security.truststorePasswd=<pass>
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.allow.anonymous.authentication=false
>
> # OpenId Connect SSO Properties #
> nifi.initial.admin.identity=ad...@astrapay.com
> nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/<my client ID>/v>
> nifi.security.user.oidc.connect.timeout=5 secs
> nifi.security.user.oidc.read.timeout=5 secs
> nifi.security.user.oidc.client.id=<my client ID>
> nifi.security.user.oidc.client.secret=<my client secret>
> #nifi.security.user.oidc.use.jwks.endpoint=true
> nifi.security.user.oidc.preferred.jwsalgorithm=
> nifi.security.user.oidc.additional.scopes=profile, email, openid
> nifi.security.user.oidc.claim.identifying.user=upn
> nifi.security.user.oidc.redirect.uri=https://<IP:port>/nifi-api/access/oidc/callback
> nifi.security.user.oidc.enabled=true
> # cluster common properties (all nodes must have same values) #
> nifi.cluster.protocol.heartbeat.interval=5 sec
> nifi.cluster.protocol.heartbeat.missable.max=8
> nifi.cluster.protocol.is.secure=false
>
> # cluster node properties (only configure for cluster nodes) #
> nifi.cluster.is.node=false
> nifi.cluster.node.address=
> nifi.cluster.node.protocol.port=
> nifi.cluster.node.protocol.threads=10
> nifi.cluster.node.protocol.max.threads=50
> nifi.cluster.node.event.history.size=25
> nifi.cluster.node.connection.timeout=5 sec
> nifi.cluster.node.read.timeout=5 sec
> nifi.cluster.node.max.concurrent.requests=100
> nifi.cluster.firewall.file=
> nifi.cluster.flow.election.max.wait.time=5 mins
> nifi.cluster.flow.election.max.candidates=
>
> # cluster load balancing properties #
> nifi.cluster.load.balance.host=
> nifi.cluster.load.balance.port=6342
> nifi.cluster.load.balance.connections.per.node=1
> nifi.cluster.load.balance.max.thread.count=8
> nifi.cluster.load.balance.comms.timeout=30 sec
>
> # zookeeper properties, used for cluster management #
> nifi.zookeeper.connect.string=
> nifi.zookeeper.connect.timeout=10 secs
> nifi.zookeeper.session.timeout=10 secs
> nifi.zookeeper.root.node=/nifi
> nifi.zookeeper.client.secure=false
> nifi.zookeeper.security.keystore=
> nifi.zookeeper.security.keystoreType=
> nifi.zookeeper.security.keystorePasswd=
> nifi.zookeeper.security.truststore=
> nifi.zookeeper.security.truststoreType=
> nifi.zookeeper.security.truststorePasswd=
>
> # Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster manage>
> # Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes
> # and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node
> # The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal
> # and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerber>
> # values configured on the zookeeper server).
> nifi.zookeeper.auth.type=
> nifi.zookeeper.kerberos.removeHostFromPrincipal=
> nifi.zookeeper.kerberos.removeRealmFromPrincipal=
>
> # kerberos #
> nifi.kerberos.krb5.file=
>
> # kerberos service principal #
> nifi.kerberos.service.principal=
> nifi.kerberos.service.keytab.location=
>
> # kerberos spnego principal #
> nifi.kerberos.spnego.principal=
> nifi.kerberos.spnego.keytab.location=
> nifi.kerberos.spnego.authentication.expiration=12 hours
>
> # external properties files for variable registry
> # supports a comma delimited list of file locations
> nifi.variable.registry.properties=
> # analytics properties #
> nifi.analytics.predict.enabled=false
> nifi.analytics.predict.interval=3 mins
> nifi.analytics.query.interval=5 mins
> nifi.analytics.connection.model.implementation=org.apache.nifi.controller.status.analytics.models.OrdinaryLeas>
> nifi.analytics.connection.model.score.name=rSquared
> nifi.analytics.connection.model.score.threshold=.90
>
> # runtime monitoring properties
> nifi.monitor.long.running.task.schedule=
> nifi.monitor.long.running.task.threshold=
>
> authorizer.xml
>
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Initial User Identity 1">email admin</property>
>         <property name="Legacy Authorized Users File"></property>
>     </userGroupProvider>
>
>     <userGroupProvider>
>         <identifier>aad-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class>
>         <property name="Refresh Delay">5 mins</property>
>         <property name="Authority Endpoint">https://login.microsoftonline.com</property>
>         <property name="Directory ID">directory ID</property>
>         <property name="Application ID">client ID</property>
>         <property name="Client Secret">client secret</property>
>         <property name="Group Filter Substring">NiFi-AAD</property>
>         <property name="Page Size">100</property>
>         <property name="Claim for Username">email</property>
>     </userGroupProvider>
>
>     <userGroupProvider>
>         <identifier>composite-configurable-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>         <property name="Configurable User Group Provider">file-user-group-provider</property>
>         <property name="User Group Provider 1">aad-user-group-provider</property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>composite-configurable-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-access-policy-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">email admin</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Node Identity 1"></property>
>     </accessPolicyProvider>
>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> When I start my NiFi in SSH, I get this error instead:
>
> 2023-11-02 04:37:15,839 ERROR [main] global CoreHttpProvider[send] - 220Graph service exception Error code: Authorization_RequestDenied
> 2023-11-02 04:37:15,840 ERROR [main] global CoreHttpProvider[send] - 220Error message: Insufficient privileges to complete the operation.
> 2023-11-02 04:37:15,841 ERROR [main] global CoreHttpProvider[send] - 220
> 2023-11-02 04:37:15,842 ERROR [main] global CoreHttpProvider[send] - 220GET https://graph.microsoft.com/v1.0/groups?%24select=displayName&%24top=100
> 2023-11-02 04:37:15,842 ERROR [main] global CoreHttpProvider[send] - 220SdkVersion : graph-java/v2.10.0
> 2023-11-02 04:37:15,843 ERROR [main] global CoreHttpProvider[send] - 220Authorization : [PII_REDACTED]
> 2023-11-02 04:37:15,843 ERROR [main] global CoreHttpProvider[send] - 220
> 2023-11-02 04:37:15,844 ERROR [main] global CoreHttpProvider[send] - 220
> 2023-11-02 04:37:15,845 ERROR [main] global CoreHttpProvider[send] - 220403 : Forbidden
> 2023-11-02 04:37:15,845 ERROR [main] global CoreHttpProvider[send] - 220[…]
> 2023-11-02 04:37:15,846 ERROR [main] global CoreHttpProvider[send] - 220
> 2023-11-02 04:37:15,847 ERROR [main] global CoreHttpProvider[send] - 220[Some information was truncated for brevity, enable debug logging for more details]
> 2023-11-02 04:37:15,847 ERROR [main] global Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Authorization_RequestDenied Error message: Insufficient privileges to complete the operation.
>
> GET https://graph.microsoft.com/v1.0/groups?%24select=displayName&%24top=100
> SdkVersion : graph-java/v2.10.0 Authorization : [PII_REDACTED]
>
> 403 : Forbidden [...]
>
> [Some information was truncated for brevity, enable debug logging for more details]
> 2023-11-02 04:37:16,072 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Failed to load UserGroup due to Error code: Authorization_RequestDenied Error message: Insufficient privileges to complete the operation.
>
>
> Can you please help me with this issue? Thank you.
>
> Best Regards,
>
> Lourdes Ursela Carmen
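The 403 Authorization_RequestDenied on GET /v1.0/groups in the quoted log is Microsoft Graph refusing a client-credentials token that lacks the application permissions the AzureGraphUserGroupProvider needs. The following is an added example (not NiFi's code and not the reporter's) that decodes such a token offline and explains what a 403 of this kind is missing; the required role names Group.Read.All and User.Read.All are assumed from the NiFi admin guide, and the token is only inspected, never verified or trusted.

```python
import base64
import json

# Application permissions assumed (from the NiFi admin guide) to be needed by
# AzureGraphUserGroupProvider, which lists groups and their members.
REQUIRED_ROLES = ("Group.Read.All", "User.Read.All")
# Audiences under which Entra ID issues Microsoft Graph access tokens
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "https://graph.microsoft.com/",
                   "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    checked: this reads a token you already hold, it does not trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(claims: dict) -> list:
    """List the reasons Graph would answer 403 Authorization_RequestDenied
    to GET /v1.0/groups for a token carrying these claims."""
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("audience %r is not Microsoft Graph" % claims.get("aud"))
    roles = set(claims.get("roles", []))
    if "scp" in claims and not roles:
        # Delegated scopes mean a user-context token; the provider runs headless
        # with client credentials and needs application permissions instead.
        problems.append("token carries delegated scopes (scp), not application roles")
    for role in REQUIRED_ROLES:
        if role not in roles:
            problems.append("missing application permission %s (grant + admin consent)" % role)
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned fixture for offline testing; not a real token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig")


if __name__ == "__main__":
    demo = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
    for line in diagnose_graph_token(decode_jwt_claims(demo)) or ["token looks sufficient"]:
        print(line)
```

Run it against the token the app registration actually obtains for Graph (swap it in for the constructed `demo`); an empty problem list means the 403 comes from something other than the permission grant.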