[ https://issues.apache.org/jira/browse/NIFI-9049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17399730#comment-17399730 ]

David Handermann commented on NIFI-9049:
----------------------------------------

Thanks for providing the background on the behavior [~Chris S].

To address the second concern first, the current implementation only logs the 
credentials once by design. After the Single User Login Identity Provider 
generates the password, it stores a hashed representation of the password in 
{{login-identity-providers.xml}}. As a result of hashing, it is not possible to 
recover the generated password. Automatic credential generation is an initial 
bootstrap capability, and the set-single-user-credentials command provides the 
option to set a new username and password at any time, so that should address 
any concerns with losing the generated credentials.

Regarding the primary issue, you are on the right track regarding the NiFi JWT. 
The Single User Login Identity Provider has a hard-coded expiration of eight 
hours, after which NiFi will no longer accept the JWT. The browser, however, 
retains the HTTP Cookie containing the JWT as long as the browser window 
remains open. It sounds like what should happen is that NiFi should send an 
HTTP response invalidating the session cookie, which should prompt a more 
accurate error message when trying to view content. This already happens for 
the main flow view, but it sounds like it is not happening for content viewer 
windows.

> SingleUserAuthorizer allows unauthorised access after NiFi restart (and user 
> credentials may be lost)
> -----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-9049
>                 URL: https://issues.apache.org/jira/browse/NIFI-9049
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.14.0
>            Reporter: Chris Sampson
>            Priority: Major
>
> Having started a new instance of NiFi (using the latest development version 
> from {{main}}) with the default SingleUserAuthorizer setup, then restarting 
> the instance (after updating an unrelated NAR in the lib/ folder), I was 
> still able to access the NiFi UI without re-authenticating through my browser 
> *but* I was unable to view any content because "unauthorised access has not 
> been enabled".
> This is confusing - if I'm unauthorised, how am I able to access the UI at 
> all, Stop/Start processors and reconfigure them, etc.?
> I suspect this is something to do with the browser caching a NiFi JWT from 
> the initial login for a time, then the UI seeing that I've got a JWT and 
> allowing me access, but then denying content-based access when trying to view 
> those screens because my JWT is no longer valid (or something like that - but 
> this is a guess and with no real evidence to support it).
> *Also* the default username/password is only output to the logs during the 
> first startup of the instance. These logs may not be persisted in Docker 
> images, so users would not be able to obtain them after a restart and 
> therefore would not be able to re-authenticate if they didn't know/think to 
> write them down anywhere (but the user/auth configuration has been persisted 
> through a restart in an externalised volume along with the {{flow.xml.gz}}, 
> etc.). Also, even if the log files are persisted (in Docker or on a 
> bare-metal install), the log files rotate and delete after a while, so again 
> the username/password would be lost (possibly before the default dev user 
> credentials expire) - this could cause problems for users.
> The authorisation issue also impacts one's ability to download Templates or 
> Flow Definitions from the NiFi UI.
> To reproduce:
> * Run NiFi (with default SingleUserAuthorizer)
> * Obtain username/password from logs
> * Login to the NiFi UI
> * Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a 
> queue
> * View FlowFile content from within the queue (List Queue => View)
> * Stop NiFi
> * Wait some time (I'm not sure how long a time is necessary, think I might 
> have witnessed this after several hours of my NiFi instance being offline and 
> a computer restart before the problem manifested)
> * Restart NiFi
> * Refresh browser tab
> * Stop/Start/reconfigure Flow
> * Attempt to view FlowFile content (observe error message)
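The server-side behaviour described in the comment above (reject a JWT after its fixed eight-hour lifetime and, at the same time, tell the browser to discard the stale session cookie) sketched as an added, self-contained Python example; this is not NiFi's own code, and the cookie name, secret and claim layout are constructed placeholders:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed placeholders: NOT NiFi's real cookie name or signing key.
COOKIE_NAME = "example-bearer-token"
SECRET = b"constructed-demo-secret"
TOKEN_LIFETIME_SECONDS = 8 * 60 * 60  # eight-hour lifetime, as in the comment


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, issued_at: int) -> str:
    """Mint an HS256 JWT whose 'exp' claim is fixed at issue time + 8h."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + TOKEN_LIFETIME_SECONDS}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature verifies and 'exp' is still in the future."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None


def handle_request(cookie_header: str, now: int) -> Tuple[int, dict]:
    """Simulate an authenticated endpoint: 200 with valid JWT, otherwise 401 plus cookie reset."""
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    if validate_token(cookies.get(COOKIE_NAME, ""), now) is None:
        # Reject AND instruct the browser to drop the stale cookie (Max-Age=0), so
        # follow-up requests such as a content-viewer window get a clean re-login
        # prompt instead of presenting an expired token again.
        clear = f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict"
        return 401, {"Set-Cookie": clear}
    return 200, {}
```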



--
This message was sent by Atlassian Jira
(v8.3.4#803005)