alopresto commented on issue #3537: NIFI-5973 Adds ShellUserGroupProvider. URL: https://github.com/apache/nifi/pull/3537#issuecomment-503377730

Hi Troy. Reviewing this leads me to the same scenario I encountered on PR #3495 -- the authentication with LDAP works successfully, but the user with identity *alopresto* doesn't have any groups populated, and despite being set as the Initial Admin Identity, it does not have the expected (or any) permissions. There are permissions defined in `authorizations.xml`, but for a user with ID *502*, and I don't see them being correctly associated.

```
2019-06-18 19:06:21,025 INFO [main] org.eclipse.jetty.server.Server Started @28024ms
2019-06-18 19:06:21,043 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory ./extensions ...
2019-06-18 19:06:21,044 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started
2019-06-18 19:06:21,044 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-06-18 19:06:21,044 INFO [main] org.apache.nifi.web.server.JettyServer https://andy.nifi:9443/nifi
2019-06-18 19:06:21,045 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2019-06-18 19:06:21,045 INFO [main] org.apache.nifi.NiFi Controller initialization took 19686979297 nanoseconds (19 seconds).
^C
...1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT (pr3537) 😉 🔓 0s @ 19:07:09 $ bca
File: conf/authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="502"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="502"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="502"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="502"/>
        </policy>
    </policies>
</authorizations>
...1.10.0-SNAPSHOT-bin/nifi-1.10.0-SNAPSHOT (pr3537) 😉 🔓 4s @ 19:07:39 $ grc tail -f logs/nifi-user.log
2019-06-18 19:06:16,744 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, but no transform was present. Using NONE.
2019-06-18 19:06:16,744 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, transform = NONE
2019-06-18 19:06:16,790 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, but no transform was present. Using NONE.
2019-06-18 19:06:16,790 DEBUG [main] o.a.n.a.util.IdentityMappingUtil Found Identity Mapping with key = dn, pattern = (?i)^CN=([^,]*),.*$, value = $1, transform = NONE
2019-06-18 19:06:58,710 DEBUG [NiFi Web Server-32] o.a.nifi.authorization.util.ShellRunner Run Command 'Get Single User by Id': [sh, -c, id -P alopresto | cut -f 1,3,4 -d ':']
2019-06-18 19:06:59,353 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://andy.nifi:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2019-06-18 19:06:59,354 DEBUG [NiFi Web Server-27] o.a.nifi.authorization.util.ShellRunner Run Command 'Get Single User by Id': [sh, -c, id -P alopresto | cut -f 1,3,4 -d ':']
2019-06-18 19:06:59,376 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for alopresto
2019-06-18 19:06:59,450 DEBUG [NiFi Web Server-27] o.a.nifi.authorization.util.ShellRunner Run Command 'Get Single User by Id': [sh, -c, id -P alopresto | cut -f 1,3,4 -d ':']
2019-06-18 19:06:59,477 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[alopresto], groups[] does not have permission to access the requested resource. Unknown user with identity 'alopresto'. Returning Forbidden response.
```
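An added diagnostic illustrating the mismatch the comment describes; this is not code from the PR or from NiFi. It parses a constructed `name:uid:gid` line in the shape the `id -P ... | cut -f 1,3,4 -d ':'` command above would emit on macOS (an assumption), and an excerpt mirroring the quoted `authorizations.xml`, then reports which policies key on the uid string `502` and which on the identity `alopresto` that the denied request was evaluated for.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `id -P alopresto | cut -f 1,3,4 -d ':'` would
# return (passwd-style record reduced to name, uid, gid); not captured from the PR.
ID_OUTPUT = "alopresto:502:20"

# Constructed excerpt mirroring the authorizations.xml quoted in the comment:
# every policy grants access to a <user> whose identifier is the uid string "502".
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="502"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
      <user identifier="502"/>
    </policy>
  </policies>
</authorizations>"""


def parse_id_output(line):
    """Split the provider's 'name:uid:gid' line into its three fields."""
    name, uid, gid = line.strip().split(":")
    return {"identity": name, "uid": uid, "gid": gid}


def policies_for(xml_text, user_key):
    """Return sorted (resource, action) pairs whose <user identifier=...> equals user_key."""
    root = ET.fromstring(xml_text)
    return sorted(
        (p.get("resource"), p.get("action"))
        for p in root.iter("policy")
        if any(u.get("identifier") == user_key for u in p.iter("user"))
    )


def diagnose(xml_text, id_line):
    """Look the same user up by identity and by uid so the mismatch is visible.

    The Forbidden response in the log was produced for identity 'alopresto';
    the policies only reference the uid string, so the identity lookup is empty."""
    user = parse_id_output(id_line)
    by_identity = policies_for(xml_text, user["identity"])
    by_uid = policies_for(xml_text, user["uid"])
    return {"by_identity": by_identity, "by_uid": by_uid,
            "mismatch": bool(by_uid) and not by_identity}


if __name__ == "__main__":
    print(diagnose(AUTHORIZATIONS_XML, ID_OUTPUT))
```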
