alopresto commented on issue #3495: NIFI-5973 Adds ShellUserGroupProvider
URL: https://github.com/apache/nifi/pull/3495#issuecomment-501916476
 
 
   When testing (again, Mac OS X 10.14), I enabled debug logging in the 
`nifi-user.log` and tried to log in with a known user and an unknown one. For 
both, the authentication worked (the user did exist in LDAP), but the 
authorization failed ("Unknown user"). It appears there is an error occurring 
when loading the groups for a specific user?
   
   ```
   🔓 57s @ 16:36:42 $ tail -f logs/nifi-user.log
   2019-06-13 16:36:14,398 INFO [main] o.a.n.a.FileAccessPolicyProvider 
Populating authorizations for Initial Admin: alopresto
   2019-06-13 16:36:14,406 INFO [main] o.a.n.a.FileAccessPolicyProvider 
Authorizations file loaded at Thu Jun 13 16:36:14 PDT 2019
   2019-06-13 16:36:14,417 DEBUG [main] o.a.n.a.util.IdentityMappingUtil 
Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, 
but no transform was present. Using NONE.
   2019-06-13 16:36:14,417 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found 
Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, 
transform = NONE
   2019-06-13 16:36:14,471 DEBUG [main] o.a.n.a.util.IdentityMappingUtil 
Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, 
but no transform was present. Using NONE.
   2019-06-13 16:36:14,471 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found 
Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, 
transform = NONE
   2019-06-13 16:36:14,494 DEBUG [main] o.a.n.a.util.IdentityMappingUtil 
Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, 
but no transform was present. Using NONE.
   2019-06-13 16:36:14,494 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found 
Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, 
transform = NONE
   2019-06-13 16:36:14,552 DEBUG [main] o.a.n.a.util.IdentityMappingUtil 
Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, 
but no transform was present. Using NONE.
   2019-06-13 16:36:14,552 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found 
Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, 
transform = NONE
   2019-06-13 16:36:44,514 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,596 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,643 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,738 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,785 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,833 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,880 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,929 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:44,976 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,025 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,074 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,121 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,208 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,250 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,293 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,337 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,419 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,500 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,542 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,584 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,627 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,670 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:45,767 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:36:46,031 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:14,649 INFO [NiFi Web Server-84] 
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET 
https://andy.nifi:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
   2019-06-13 16:37:14,653 INFO [NiFi Web Server-84] 
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for alopresto
   2019-06-13 16:37:14,744 INFO [NiFi Web Server-84] 
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[alopresto], groups[] does not 
have permission to access the requested resource. Unknown user with identity 
'alopresto'. Returning Forbidden response.
   2019-06-13 16:37:16,262 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,350 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,394 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,481 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,525 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,571 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,615 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,660 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,704 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,749 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,793 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,837 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,922 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:16,964 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,007 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,050 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,137 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,226 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,274 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,319 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,362 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,405 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,491 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:17,733 ERROR [pool-8-thread-1] 
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
   2019-06-13 16:37:30,286 INFO [NiFi Web Server-33] 
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET 
https://andy.nifi:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
   2019-06-13 16:37:30,288 INFO [NiFi Web Server-33] 
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin
   2019-06-13 16:37:30,290 INFO [NiFi Web Server-33] 
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[admin], groups[] does not have 
permission to access the requested resource. Unknown user with identity 
'admin'. Returning Forbidden response.
   ^C
   ```
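A triage sketch for the pattern in the log above, added here as an example and not part of the original comment or of NiFi: it rejoins the mail-wrapped log records, then reports each denial together with whether the same identity had just authenticated, which groups were resolved, and how many user group provider errors preceded it. The sample lines are constructed in the excerpt's layout, and pairing events by thread name is an assumption.

```python
import re

# Constructed sample in the same layout as the excerpt above, including the
# hard line wraps introduced by the mail archive.
SAMPLE = """\
2019-06-13 16:36:44,514 ERROR [pool-8-thread-1]
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
2019-06-13 16:36:44,596 ERROR [pool-8-thread-1]
o.a.n.a.ShellUserGroupProvider refreshGroup list membership returned zero lines.
2019-06-13 16:37:14,653 INFO [NiFi Web Server-84]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for alopresto
2019-06-13 16:37:14,744 INFO [NiFi Web Server-84]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[alopresto], groups[] does not
have permission to access the requested resource. Unknown user with identity
'alopresto'. Returning Forbidden response.
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RECORD = re.compile(r"^(\S+ \S+) (\w+) \[([^\]]+)\] (\S+) (.*)$")
AUTHN_OK = re.compile(r"Authentication success for (\S+)")
DENIED = re.compile(r"identity\[([^\]]*)\], groups\[([^\]]*)\] does not have permission")

def unwrap(text):
    """Rejoin wrapped continuation lines onto the record that started them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD_START.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def triage(text):
    """Return one finding per access denial, with the context needed to read it."""
    authenticated, provider_errors, findings = {}, 0, []
    for m in filter(None, map(RECORD.match, unwrap(text))):
        ts, level, thread, logger, msg = m.groups()
        if level == "ERROR" and logger.endswith("UserGroupProvider"):
            provider_errors += 1          # group refresh failures seen so far
        elif (ok := AUTHN_OK.search(msg)):
            authenticated[thread] = ok.group(1)   # assumption: same thread serves the request
        elif (d := DENIED.search(msg)):
            findings.append({"time": ts, "identity": d.group(1),
                             "authenticated": authenticated.get(thread) == d.group(1),
                             "groups": [g.strip() for g in d.group(2).split(",") if g.strip()],
                             "unknown_user": "Unknown user" in msg,
                             "provider_errors_before": provider_errors})
    return findings
```

A finding with `authenticated` true, an empty `groups` list and a non-zero `provider_errors_before` matches the situation reported above: the login succeeded, but the authorizer had no user or group data to evaluate.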
