[ https://issues.apache.org/jira/browse/NIFI-8228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael Micó updated NIFI-8228:
------------------------------
    Description: 
Hi

When trying to integrate both Authentication and Authorization of NiFi with 
Microsoft Active Directory via LDAP, we have seen that NiFi is unable to relate 
a valid Authentication done via ldap-provider 
(org.apache.nifi.ldap.LdapProvider) with an Authorization (user to group 
relationship) done via ldap-user-group-provider 
(org.apache.nifi.ldap.tenants.LdapUserGroupProvider).

 

As we have seen in the NiFi logs (enabling DEBUG mode) and in TCPDUMP captures, the issue seems to be related to the ldap-provider authentication. Summarizing:

1.- ldap-provider binds to the LDAP service with the "Manager DN" credentials.

2.- LDAP server (Microsoft Active Directory) responds with a successful bind.

3.- ldap-provider searches for the user trying to log in (using the sAMAccountName attribute).

4.- LDAP server (Microsoft Active Directory) responds with the information of the relevant user. In this information, the attribute "distinguishedName" is provided like "CN=John,OU=Users,OU=domain,OU=internal".

5.- ldap-provider binds to the LDAP service with the logged-in user's credentials but using the distinguishedName "cn=John,ou=Users,ou=domain,ou=internal", *with lowercase LDAP prefixes*.

6.- LDAP server (Microsoft Active Directory) responds with a successful bind, as the LDAP prefixes are accepted in uppercase or lowercase.

7.- ldap-user-group-provider searches for "CN=John,OU=Users,OU=domain,OU=internal", the authenticated user, against "CN=John,OU=Users,OU=domain,OU=internal", the user that has been found in the LDAP authorization. The difference in the LDAP prefixes causes the "CN=John,OU=Users,OU=domain,OU=internal" not to belong to any authorized group, thereafter rejecting the user.

 

The solution would be for ldap-provider to perform the bind to the Active Directory LDAP server using the same distinguishedName string as it received from the LDAP server, not changing it to lowercase.

 

Our configuration

NiFi login-identity-providers.xml:

{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
    <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider -->
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
        <property name="Manager Password">*****************</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://adserver.domain.internal:389</property>
        <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
{code}
 

 

NiFi authorizers.xml:
{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity Node1">CN=nifi_admin, OU=nifi</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
        <property name="Manager Password">*****************</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://adserver.domain.internal:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">10 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
        <property name="User Object Class">user</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(memberOf=CN=GG_NIFI_Allowed_Users,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal)</property>
        <property name="User Identity Attribute">distinguishedName</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
        <property name="Group Search Base">OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <!--
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
        -->
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
        <property name="User Group Provider 2">file-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
{code}
Extract of NiFi nifi-app.log:

{noformat}
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider -------------------------------------
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following users from LDAP:
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[e4e7bd27-cad9-37c1-af53-a5fb7898de66], identity[CN=Peter,OU=Development,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[1f8d8309-31d9-3831-a3c0-2a9909500d7f], identity[CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[7c635418-5897-32a9-8e5b-5a7d9594b7f9], identity[CN=John,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following groups from LDAP:
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[f26c7633-396e-3bdd-83b3-1e395606346d], name[CN=GG_NIFI_Admins,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[7c635418-5897-32a9-8e5b-5a7d9594b7f9]
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[39854ab9-993e-3523-8c52-193e7e1fdb89], name[CN=GG_NIFI_Users,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[1f8d8309-31d9-3831-a3c0-2a9909500d7f, e4e7bd27-cad9-37c1-af53-a5fb7898de66]
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
{noformat}
Extract of NiFi nifi-user.log:

{noformat}
2021-02-15 14:07:59,252 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.domain.internal:9443/nifi-api/flow/current-user (source ip: X.Y.Z.W)
2021-02-15 14:07:59,260 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=John,ou=Users,ou=domain,ou=internal
2021-02-15 14:07:59,301 INFO [NiFi Web Server-170] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=John,ou=Users,ou=domain,ou=internal], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=John,ou=Users,ou=domain,ou=internal'. Returning Forbidden response.
{noformat}
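An added example, not NiFi's code and not part of the report: it normalises DNs the way a directory compares them (attribute types are case-insensitive, and Active Directory matches DN string values case-insensitively too), then scans the two log formats quoted above for users who passed authentication but whose identity string differs only in spelling from the one LdapUserGroupProvider loaded, which is exactly the population that ends up with groups[] and a Forbidden response. The log lines inside it are constructed in the same format as the extracts, with consistent DNs, one escaped comma to exercise the edge case, and a placeholder identifier for the constructed third user.

```python
import re
from typing import Dict, List, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep unless it is backslash-escaped (RFC 4514 allows '\\,')."""
    parts, buf, escaped = [], [], False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute types (CN, OU, DC) are
    case-insensitive by definition and Active Directory compares DN string
    values with caseIgnoreMatch, so both are lower-cased; whitespace around
    '=' and ',' is dropped and multi-valued RDNs (a+b) are sorted."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            avas.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def dn_equivalent(a: str, b: str) -> bool:
    """True when the directory would treat a and b as the same entry."""
    return normalize_dn(a) == normalize_dn(b)


# The two NiFi log messages quoted in the report.
AUTH_OK_RE = re.compile(r"Authentication success for (.+?)\s*$", re.MULTILINE)
LOADED_RE = re.compile(r"identity\[([^\]]+)\]")


def find_case_only_mismatches(user_log: str, app_log: str) -> List[Tuple[str, str]]:
    """Pair each identity that passed authentication (nifi-user.log) with the
    identity LdapUserGroupProvider loaded (nifi-app.log) when both are the same
    DN spelled differently: the exact-string lookup fails, so the user gets
    groups[] and a Forbidden response although the directory authenticated them."""
    loaded: List[str] = LOADED_RE.findall(app_log)
    by_canonical: Dict[str, str] = {normalize_dn(d): d for d in loaded}
    mismatches = []
    for authenticated in AUTH_OK_RE.findall(user_log):
        if authenticated in loaded:
            continue  # exact match: NiFi resolves the groups fine
        canonical = normalize_dn(authenticated)
        if canonical in by_canonical:
            mismatches.append((authenticated, by_canonical[canonical]))
    return mismatches


# Constructed sample lines in the nifi-user.log / nifi-app.log format shown in
# the report (not the report's own lines; DNs made consistent, one RDN escaped,
# and an all-zero placeholder identifier for the constructed third user).
_USER = "INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter "
_APP = ("DEBUG [ (ldap-user-group-provider) - background sync thread] "
        "o.a.n.ldap.tenants.LdapUserGroupProvider  - ")
USER_LOG = "\n".join([
    "2021-02-15 14:07:59,260 " + _USER + "Authentication success for cn=John,ou=Users,dc=domain,dc=internal",
    "2021-02-15 14:08:12,004 " + _USER + "Authentication success for CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal",
    "2021-02-15 14:09:01,311 " + _USER + "Authentication success for cn=Doe\\, Jane,ou=Users,dc=domain,dc=internal",
])
APP_LOG = "\n".join([
    "2021-02-16 06:44:45,813 " + _APP + "identifier[7c635418-5897-32a9-8e5b-5a7d9594b7f9], identity[CN=John,OU=Users,DC=domain,DC=internal]",
    "2021-02-16 06:44:45,813 " + _APP + "identifier[1f8d8309-31d9-3831-a3c0-2a9909500d7f], identity[CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal]",
    "2021-02-16 06:44:45,813 " + _APP + "identifier[00000000-0000-0000-0000-000000000000], identity[CN=Doe\\, Jane,OU=Users,DC=domain,DC=internal]",
])

if __name__ == "__main__":
    for authenticated, loaded in find_case_only_mismatches(USER_LOG, APP_LOG):
        print(f"authenticated as {authenticated!r} but loaded as {loaded!r}")
```

Frank's entry is skipped because the two strings already match exactly; John and Jane are reported, which is the situation in the extracts above.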


> Microsoft Active Directory LDAP integration bug
> -----------------------------------------------
>
>                 Key: NIFI-8228
>                 URL: https://issues.apache.org/jira/browse/NIFI-8228
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.12.1
>            Reporter: Rafael Micó
>            Priority: Major
>              Labels: security
>             Fix For: 1.12.1
>
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
