Chris Sampson created NIFI-9049:
-----------------------------------

             Summary: SingleUserAuthorizer allows unauthorised access after NiFi restart (and user credentials may be lost)
                 Key: NIFI-9049
                 URL: https://issues.apache.org/jira/browse/NIFI-9049
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.14.0
            Reporter: Chris Sampson


Having started a new instance of NiFi (using the latest development version 
from {{main}}) with the default SingleUserAuthorizer setup, then restarting the 
instance (after updating an unrelated NAR in the lib/ folder), I was still able 
to access the NiFi UI without re-authenticating through my browser *but* I was 
unable to view any content because "unathorised access has not been enabled".

This is confusing - if I'm unauthorised, how am I able to access the UI at all, 
Stop/Start processors and reconfigure them, etc.?

I suspect this is something to do with the browser caching a NiFi JWT from the 
initial login for a time, then the UI seeing that I've got a JWT and allowing 
me access, but then denying content-based access when trying to view those 
screens because my JWT is no longer valid (or something like that - but this is 
a guess and with no real evidence to support it).


*Also* the default username/password is only output to the logs during the 
first startup of the instance. These logs may not be persisted in Docker 
images, so users would not be able to obtain them after a restart and therefore 
would not be able to re-authenticate if they didn't know/think to write them 
down anywhere (but the user/auth configuration has been persisted through a 
restart in an externalised volume along with the {{flow.xml.gz}}, etc.). Also, 
even if the log files are persisted (in Docker or on a bare-metal install), the 
log files rotate and delete after a while, so again the username/password would 
be lost (possibly before the default dev user credentials expire) - this could 
cause problems for users.

The authorisation issue also impacts one's ability to download Templates or 
Flow Definitions from the NiFi UI.


To reproduce:
* Run NiFi (with default SingleUserAuthorizer)
* Obtain username/password from logs
* Log in to the NiFi UI
* Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a 
queue
* View FlowFile content from within the queue (List Queue => View)
* Stop NiFi
* Wait some time (I'm not sure how long a time is necessary; I think I might 
have witnessed this after several hours of my NiFi instance being offline and a 
computer restart before the problem manifested)
* Restart NiFi
* Refresh browser tab
* Stop/Start/reconfigure Flow
* Attempt to view FlowFile content (observe error message)
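The mismatch the reporter describes (UI loads as if logged in, content requests are rejected) is what you get when a browser judges a cached JWT only by its expiry claim while the server re-validates the signature against a key that changed on restart. The following is an added illustration of that general JWT behaviour, not NiFi's own code and not a confirmed explanation of this ticket; the key names, the fixed clock and the `nifi-user` subject are constructed for the example, and tokens are signed with plain HMAC-SHA256 so it runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys: the "before" key signs the token, the "after" key is what a
# server that regenerates its signing secret on restart would verify with.
KEY_BEFORE_RESTART = b"constructed-key-before-restart-00"
KEY_AFTER_RESTART = b"constructed-key-after-restart-000"
ISSUED_AT = 1_700_000_000  # constructed fixed clock (epoch seconds)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, ttl_seconds: int, now: int) -> str:
    """Build a minimal HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def client_thinks_logged_in(token: str, now: int) -> bool:
    """Browser-side view: it holds no key, so it can only read the exp claim."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return payload["exp"] > now


def server_accepts(token: str, key: bytes, now: int) -> bool:
    """Server-side view: signature must verify with the *current* key, then exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False  # signed with a key this server no longer trusts
    payload = json.loads(b64url_decode(payload_b64))
    return payload["exp"] > now


def simulate(rotate_key: bool, elapsed: int = 3600, ttl: int = 8 * 3600):
    """Return (client_view, server_view) for a token issued before a restart.

    rotate_key=True models a restart that regenerated the signing secret.
    """
    token = issue_token(KEY_BEFORE_RESTART, "nifi-user", ttl, ISSUED_AT)
    verify_key = KEY_AFTER_RESTART if rotate_key else KEY_BEFORE_RESTART
    now = ISSUED_AT + elapsed
    return client_thinks_logged_in(token, now), server_accepts(token, verify_key, now)


if __name__ == "__main__":
    print("no restart:        ", simulate(rotate_key=False))   # (True, True)
    print("key rotated:       ", simulate(rotate_key=True))    # (True, False)
    print("token past expiry: ", simulate(rotate_key=False, elapsed=999_999))  # (False, False)
```

The middle case is the one worth detecting: a client that still believes it is authenticated while every authenticated request fails. From a defender's side the server behaviour is correct (a token signed under a discarded key must be rejected); the fix belongs in the client, which should treat a rejected token as a logout and force re-authentication rather than render a half-working UI. For the second half of the ticket (credentials that only ever appear in the first-start log), the usual mitigation is to set the single-user credentials explicitly at provisioning time instead of relying on the generated ones; NiFi ships a `bin/nifi.sh set-single-user-credentials <username> <password>` command for this in the 1.14 line, which keeps the login independent of log retention.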



--
This message was sent by Atlassian Jira
(v8.3.4#803005)