[
https://issues.apache.org/jira/browse/NIFI-9049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nathan Gough updated NIFI-9049:
-------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> SingleUserAuthorizer allows unauthorised access after NiFi restart (and user
> credentials may be lost)
> -----------------------------------------------------------------------------------------------------
>
> Key: NIFI-9049
> URL: https://issues.apache.org/jira/browse/NIFI-9049
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.14.0, 1.15.0
> Reporter: Chris Sampson
> Assignee: David Handermann
> Priority: Major
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Having started a new instance of NiFi (using the latest development version
> from {{main}}) with the default SingleUserAuthorizer setup, then restarting
> the instance (after updating an unrelated NAR in the lib/ folder), I was
> still able to access the NiFi UI without re-authenticating through my browser
> *but* I was unable to view any content because "unauthorised access has not
> been enabled".
> This is confusing - if I'm unauthorised, how am I able to access the UI at
> all, Stop/Start processors and reconfigure them, etc.?
> I suspect this is something to do with the browser caching a NiFi JWT from
> the initial login for a time, then the UI seeing that I've got a JWT and
> allowing me access, but then denying content-based access when trying to view
> those screens because my JWT is no longer valid (or something like that - but
> this is a guess and with no real evidence to support it).
> *Also* the default username/password is only output to the logs during the
> first startup of the instance. These logs may not be persisted in Docker
> images, so users would not be able to obtain them after a restart and
> therefore would not be able to re-authenticate if they didn't know/think to
> write them down anywhere (but the user/auth configuration has been persisted
> through a restart in an externalised volume along with the {{flow.xml.gz}},
> etc.). Also, even if the log files are persisted (in Docker or on a
> bare-metal install), the log files rotate and delete after a while, so again
> the username/password would be lost (possibly before the default dev user
> credentials expire) - this could cause problems for users.
> The authorisation issue also impacts one's ability to download Templates or
> Flow Definitions from the NiFi UI.
> To reproduce:
> * Run NiFi (with default SingleUserAuthorizer)
> * Obtain username/password from logs
> * Login to the NiFi UI
> * Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a
> queue
> * View FlowFile content from within the queue (List Queue => View)
> * Stop NiFi
> * Wait some time (I'm not sure how long a time is necessary, think I might
> have witnessed this after several hours of my NiFi instance being offline and
> a computer restart before the problem manifested)
> * Restart NiFi
> * Refresh browser tab
> * Stop/Start/reconfigure Flow
> * Attempt to view FlowFile content (observe error message)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
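The following is an added illustration, not code from this Jira issue or from the NiFi project, of the general mechanism the reporter suspects: a browser can still hold a JWT whose unverified claims look current, while the server rejects that token because its verification state has changed. The toy HS256 issuer/verifier uses only the Python standard library; the key names, subject string, timestamps and the assumption that the server's signing key is different after a restart are all constructed for the example and say nothing about how NiFi actually manages its keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: minimal HS256 JWT issue/verify helpers to show why a
# UI must gate on server-side verification rather than on "a token exists".


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, issued_at: int, ttl_seconds: int) -> str:
    """Build a compact HS256 JWT with sub/iat/exp claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def peek_claims(token: str) -> dict:
    """What a browser or UI can read with no key at all: the unverified payload.
    A UI that trusts this alone will render as if the user were logged in."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_token(key: bytes, token: str, now: int) -> str:
    """Server-side check. Returns 'ok', 'bad_signature' or 'expired'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad_signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        return "expired"
    return "ok"


def restart_scenario() -> dict:
    """Constructed timeline: token issued before a restart, checked after it.
    The post-restart key is an assumption made for illustration only."""
    key_before = b"constructed-key-before-restart"
    key_after = b"constructed-key-after-restart"
    token = issue_token(key_before, "single-user", issued_at=1000, ttl_seconds=3600)
    return {
        # Browser-side view: claims look fine, so the UI would happily render.
        "client_sees_unexpired": peek_claims(token)["exp"] > 1500,
        # Same server, same key: accepted.
        "before_restart": verify_token(key_before, token, now=1500),
        # Server with a different key: rejected even though claims look current.
        "after_restart": verify_token(key_after, token, now=1500),
        # Original key but past exp: rejected for a different reason.
        "after_expiry": verify_token(key_before, token, now=5000),
    }


if __name__ == "__main__":
    for name, result in restart_scenario().items():
        print(f"{name}: {result}")
```

The design point for defenders: whichever reason the server rejects the token, the UI should treat that rejection as "not authenticated" and force a fresh login, rather than continuing to show controls that the content requests will then refuse. Distinguishing `bad_signature` from `expired` in server logs is also what lets an operator tell a key change apart from ordinary token expiry when diagnosing the kind of confusion described above.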