[ https://issues.apache.org/jira/browse/NIFI-9049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17399995#comment-17399995 ]
David Handermann commented on NIFI-9049:
----------------------------------------
[~Chris S] Do you have any additional details on the exact error message you
received, as well as anything from the NiFi logs? In testing this with an
artificially short expiration, NiFi automatically redirects the main flow
screen to a page with the following message:
{{Unable to validate the access token.}}
Attempting to view the content showed the same error message text without the
NiFi page styling. Less than a minute after clicking on View content, the main
NiFi screen redirected to that page. From that point, clicking on Home returned to
the login screen.
This particular behavior is not specific to the Single User provider, and
impacts any username and password login identity provider. If you received a
different message, any additional details would be helpful.
> SingleUserAuthorizer allows unauthorised access after NiFi restart (and user
> credentials may be lost)
> -----------------------------------------------------------------------------------------------------
>
> Key: NIFI-9049
> URL: https://issues.apache.org/jira/browse/NIFI-9049
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.14.0
> Reporter: Chris Sampson
> Priority: Major
>
> Having started a new instance of NiFi (using the latest development version
> from {{main}}) with the default SingleUserAuthorizer setup, then restarting
> the instance (after updating an unrelated NAR in the lib/ folder), I was
> still able to access the NiFi UI without re-authenticating through my browser
> *but* I was unable to view any content because "unauthorised access has not
> been enabled".
> This is confusing - if I'm unauthorised, how am I able to access the UI at
> all, Stop/Start processors and reconfigure them, etc.?
> I suspect this is something to do with the browser caching a NiFi JWT from
> the initial login for a time, then the UI seeing that I've got a JWT and
> allowing me access, but then denying content-based access when trying to view
> those screens because my JWT is no longer valid (or something like that - but
> this is a guess and with no real evidence to support it).
> *Also* the default username/password is only output to the logs during the
> first startup of the instance. These logs may not be persisted in Docker
> images, so users would not be able to obtain them after a restart and
> therefore would not be able to re-authenticate if they didn't know/think to
> write them down anywhere (but the user/auth configuration has been persisted
> through a restart in an externalised volume along with the {{flow.xml.gz}},
> etc.). Also, even if the log files are persisted (in Docker or on a
> bare-metal install), the log files rotate and delete after a while, so again
> the username/password would be lost (possibly before the default dev user
> credentials expire) - this could cause problems for users.
> The authorisation issue also impacts one's ability to download Templates or
> Flow Definitions from the NiFi UI.
> To reproduce:
> * Run NiFi (with default SingleUserAuthorizer)
> * Obtain username/password from logs
> * Login to the NiFi UI
> * Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a
> queue
> * View FlowFile content from within the queue (List Queue => View)
> * Stop NiFi
> * Wait some time (I'm not sure how long a time is necessary; I think I might
> have witnessed this after several hours of my NiFi instance being offline and
> a computer restart before the problem manifested)
> * Restart NiFi
> * Refresh browser tab
> * Stop/Start/reconfigure Flow
> * Attempt to view FlowFile content (observe error message)
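The thread turns on one point: a bearer token cached by the browser should be validated the same way by every endpoint, so that an expired or unverifiable token is rejected consistently rather than admitted by the flow screen and refused by the content view. The following is an added example, not NiFi's own token code, that shows what that shared validation looks like for an HS256 JWT: signature check with a constant-time compare, then an `exp` check against the current time. The secret, subject, timestamps and endpoint names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret for the example; a real deployment would load
# its key from protected configuration, never embed it in code.
SERVER_SECRET = b"constructed-example-secret"


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, issued_at: int, lifetime_seconds: int) -> str:
    """Mint a compact HS256 JWT with iat and exp claims (all times are Unix seconds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime_seconds}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def validate_token(secret: bytes, token: str, now: int) -> tuple[bool, str]:
    """Return (True, subject) for a valid token, or (False, reason) otherwise.

    The signature is verified before any claim is trusted, and expiry is
    checked against the caller-supplied clock so the result is deterministic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_signature = _b64url_decode(signature_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected_signature = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_signature, provided_signature):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    return True, str(payload.get("sub", ""))


def check_endpoints(secret: bytes, token: str, now: int) -> dict[str, tuple[bool, str]]:
    """Simulate two hypothetical endpoints (flow screen and content view) that
    both run the same validation, so they can never disagree about one token."""
    return {name: validate_token(secret, token, now) for name in ("flow", "content")}


if __name__ == "__main__":
    token = issue_token(SERVER_SECRET, "dev-user", issued_at=1_000_000, lifetime_seconds=3600)
    print("fresh:  ", check_endpoints(SERVER_SECRET, token, now=1_000_010))
    print("expired:", check_endpoints(SERVER_SECRET, token, now=1_003_600))
```

Run stand-alone, the script shows both simulated endpoints accepting the fresh token and both rejecting it once `exp` has passed; a token signed under a different secret fails with `bad signature` on both as well. The point for an operator reading the report is that a browser holding a stale token can still render cached UI, but every server-side call should fall through the same validation and produce the same denial.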
--
This message was sent by Atlassian Jira
(v8.3.4#803005)