[ https://issues.apache.org/jira/browse/NIFI-9049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17400581#comment-17400581 ]

David Handermann edited comment on NIFI-9049 at 8/17/21, 7:37 PM:
------------------------------------------------------------------

Thanks for providing the error message and additional details [~Chris S]. I was 
able to reproduce the behavior in both Google Chrome and Firefox. Evaluating 
the network requests helped track down the reason for the behavior.

Prior to implementing support for passing the JWT through a session cookie in 
NIFI-7870, NiFi persisted the JWT in browser localStorage with an expiration. 
Closing all browser instances removes HTTP session cookies, but does not remove 
entries from localStorage. As a result of this behavior, NiFi allows access to 
the UI when opening a new browser instance by loading the JWT from 
localStorage. The JWT is still valid based on its expiration, so this is 
standard behavior. However, new windows, such as the NiFi Content Viewer, 
require the HTTP cookie to load styling assets. Without having the HTTP 
session cookie, NiFi falls back to standard behavior, returning the {{Anonymous 
authentication has not been configured}} message.

The presence of the JWT in localStorage still provides security for HTTP POST 
requests as a means of mitigating potential Cross-Site Request Forgery. In 
order to avoid confusion, however, it seems like changing the approach to 
persist the JWT in sessionStorage would make more sense. Unlike localStorage, 
the browser removes sessionStorage items after closing all browser instances, 
which would follow the same behavior as the HTTP session cookie. That would 
force the user to log in again after closing all windows and revisiting the UI, 
but it seems like a more intuitive approach than the current behavior.

> SingleUserAuthorizer allows unauthorised access after NiFi restart (and user credentials may be lost)
> -----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-9049
>                 URL: https://issues.apache.org/jira/browse/NIFI-9049
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.14.0
>            Reporter: Chris Sampson
>            Priority: Major
>
> Having started a new instance of NiFi (using the latest development version 
> from {{main}}) with the default SingleUserAuthorizer setup, then restarting 
> the instance (after updating an unrelated NAR in the lib/ folder), I was 
> still able to access the NiFi UI without re-authenticating through my browser 
> *but* I was unable to view any content because "unauthorised access has not 
> been enabled".
> This is confusing - if I'm unauthorised, how am I able to access the UI at 
> all, Stop/Start processors and reconfigure them, etc.?
> I suspect this is something to do with the browser caching a NiFi JWT from 
> the initial login for a time, then the UI seeing that I've got a JWT and 
> allowing me access, but then denying content-based access when trying to view 
> those screens because my JWT is no longer valid (or something like that - but 
> this is a guess and with no real evidence to support it).
> *Also* the default username/password is only output to the logs during the 
> first startup of the instance. These logs may not be persisted in Docker 
> images, so users would not be able to obtain them after a restart and 
> therefore would not be able to re-authenticate if they didn't know/think to 
> write them down anywhere (but the user/auth configuration has been persisted 
> through a restart in an externalised volume along with the {{flow.xml.gz}}, 
> etc.). Also, even if the log files are persisted (in Docker or on a 
> bare-metal install), the log files rotate and delete after a while, so again 
> the username/password would be lost (possibly before the default dev user 
> credentials expire) - this could cause problems for users.
> The authorisation issue also impacts one's ability to download Templates or 
> Flow Definitions from the NiFi UI.
> To reproduce:
> * Run NiFi (with default SingleUserAuthorizer)
> * Obtain username/password from logs
> * Login to the NiFi UI
> * Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a queue
> * View FlowFile content from within the queue (List Queue => View)
> * Stop NiFi
> * Wait some time (I'm not sure how long a time is necessary, think I might have witnessed this after several hours of my NiFi instance being offline and a computer restart before the problem manifested)
> * Restart NiFi
> * Refresh browser tab
> * Stop/Start/reconfigure Flow
> * Attempt to view FlowFile content (observe error message)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)