Re: In nifi-registry, why can't I edit other users privileges
Ouch. That is understandably frustrating, and can be improved. I’ll look into replacing that with a case-insensitive match, as well as logging warnings for unrecognized properties.

Sorry for the difficulty you experienced in getting this working. Thanks for sharing the resolution. Let me know if you have any other questions.

From: Nicolas Delsaux
Sent: Thursday, September 5, 2019 2:47 AM
To: users@nifi.apache.org
Subject: Re: In nifi-registry, why can't I edit other users privileges

Well, in fact, I had a number of issues with configuration files. So I took the time to verify all those files, and I took the time to understand Nifi registry UI for permissions (which is as user-friendly as nifi one). And I finally understood what problem I had.

In fact, the worst part came when I tried to understand why my nifi runner couldn't connect to nifi registry. Which was simply due to the fact that, on nifi registry side, in authorizers.xml, I used a property called "Nifi identify 1", whereas I should have used "NiFi Identity 1". Can you spot the difference? For me, it took one phase of reading authorization code, then running the regexp for that property in an online editor.

To my mind, this would deserve a bug, because really, using property names this way is really much too error-prone. I would at least add code to detect nearby texts (through Levenshtein distance, as an example) and show a BIG warning to explain to the user what is wrong.

But I'm only a user ;-) (a little grumpy, this morning, indeed)

On 04/09/2019 at 18:59, Kevin Doran wrote:
> Hi Nicolas,
>
> Is it possible you changed the initial admin identity at some point?
> If so, you will need to delete authorizations.xml and restart NiFi
> Registry to allow it to be recreated with the new initial admin.
>
> Also, nifi registry never allows modifying the permissions for the
> current user. You would have to log in as another admin to change your
> permissions.
>
> Hope this helps,
> Kevin
>
> On Mon, Sep 2, 2019 at 8:56 AM Nicolas Delsaux wrote:
>> Hi all
>>
>> I'm still trying to connect nifi to registry with both of them using
>> authentication.
>>
>> So far, I've understood that, like in Nifi, I have to set
>> identity-providers.xml and authorizers.xml to have connection to ldap
>> configured.
>>
>> And I can connect to the registry using my ldap, so it works (to a
>> certain extent).
>>
>> *However*, it seems like my user is not really an admin, as I can't
>> manage other users.
>>
>> To say things more clearly, nifi-registry UI allows me to view my user
>> privileges, but I can't edit my permissions, and I can edit none of the
>> other users' permissions. I can no more add/remove users.
>>
>> Which is weird, considering I'm the initial admin of nifi-registry.
>>
>> Is there something I forgot?
>>
>> Here is my authorizers.xml for nifi-registry
>>
>> file-user-group-provider
>> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
>> ./conf/users.xml
>> cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr
>>
>> ldap-user-group-provider
>> org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider
>> LDAPS
>> uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com
>> YOU_KIDDIN___DO_YOU
>> /opt/certs/cacerts.jks
>> pfeblelep
>> JKS
>> TLSv1
>> FOLLOW
>> 10 secs
>> 10 secs
>> name="Url">ldaps://ldapserver.my.company.com:636
>> 30 mins
>> OBJECT
>> cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com
>> groupofuniquenames
>> SUBTREE
>> cn
>> uniqueMember
>>
>> composite-user-group-provider
>> org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider
>> ldap-user-group-provider
>> file-user-group-provider
>>
>> file-access-policy-provider
>> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
>> composite-user-group-provider
>> ./conf/authorizations.xml
>> uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
>> cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr
>>
>> managed-authorizer
>> org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer
>> file-access-policy-provider
>>
>> Thanks for your help
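
The check discussed in this message and in the one it quotes (a case-insensitive match, a warning for unrecognized properties, and a Levenshtein near-miss test), sketched as a stand-alone lint script for authorizers.xml. This is an added example, not part of the thread and not NiFi Registry code; the stems other than "NiFi Identity", the distance threshold and the sample XML are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# "NiFi Identity" is the name confirmed in the thread; the other two stems are
# assumptions added for illustration and are not a complete list.
KNOWN_STEMS = ["NiFi Identity", "Initial Admin Identity", "Initial User Identity"]

# Constructed sample (not the poster's file); it reproduces the reported typo.
SAMPLE = """<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">uid=admin,ou=people,o=example.org</property>
    <property name="Nifi identify 1">cn=nifi.example.org, o=example, c=fr</property>
  </accessPolicyProvider>
</authorizers>"""

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lint_authorizers(xml_text, max_distance=2):
    """Return (name, closest_known_stem, distance) for each near-miss property name."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        stem = re.sub(r"\s+\d+$", "", name.strip())  # drop a trailing index such as " 1"
        if stem in KNOWN_STEMS:
            continue  # exact, case-sensitive match: nothing to report
        # Compare case-insensitively so that a pure case slip scores distance 0.
        scored = [(levenshtein(stem.lower(), k.lower()), k) for k in KNOWN_STEMS]
        distance, closest = min(scored)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings

if __name__ == "__main__":
    for name, closest, distance in lint_authorizers(SAMPLE):
        print(f'WARNING: property "{name}" is not recognized; '
              f'did you mean "{closest} N"? (edit distance {distance})')
```

Unrelated property names such as "Authorizations File" fall outside the threshold and are not reported, so the warning fires only on names that look like a mistyped identity property.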
Re: In nifi-registry, why can't I edit other users privileges
Well, in fact, I had a number of issues with configuration files. So I took the time to verify all those files, and I took the time to understand Nifi registry UI for permissions (which is as user-friendly as nifi one). And I finally understood what problem I had.

In fact, the worst part came when I tried to understand why my nifi runner couldn't connect to nifi registry. Which was simply due to the fact that, on nifi registry side, in authorizers.xml, I used a property called "Nifi identify 1", whereas I should have used "NiFi Identity 1". Can you spot the difference? For me, it took one phase of reading authorization code, then running the regexp for that property in an online editor.

To my mind, this would deserve a bug, because really, using property names this way is really much too error-prone. I would at least add code to detect nearby texts (through Levenshtein distance, as an example) and show a BIG warning to explain to the user what is wrong.

But I'm only a user ;-) (a little grumpy, this morning, indeed)

On 04/09/2019 at 18:59, Kevin Doran wrote:
> Hi Nicolas,
>
> Is it possible you changed the initial admin identity at some point? If so, you will need to delete authorizations.xml and restart NiFi Registry to allow it to be recreated with the new initial admin.
>
> Also, nifi registry never allows modifying the permissions for the current user. You would have to log in as another admin to change your permissions.
>
> Hope this helps,
> Kevin
>
> On Mon, Sep 2, 2019 at 8:56 AM Nicolas Delsaux wrote:
>> Hi all
>>
>> I'm still trying to connect nifi to registry with both of them using authentication.
>>
>> So far, I've understood that, like in Nifi, I have to set identity-providers.xml and authorizers.xml to have connection to ldap configured.
>>
>> And I can connect to the registry using my ldap, so it works (to a certain extent).
>>
>> *However*, it seems like my user is not really an admin, as I can't manage other users.
>>
>> To say things more clearly, nifi-registry UI allows me to view my user privileges, but I can't edit my permissions, and I can edit none of the other users' permissions. I can no more add/remove users.
>>
>> Which is weird, considering I'm the initial admin of nifi-registry.
>>
>> Is there something I forgot?
>>
>> Here is my authorizers.xml for nifi-registry
>>
>> file-user-group-provider
>> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
>> ./conf/users.xml
>> cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr
>>
>> ldap-user-group-provider
>> org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider
>> LDAPS
>> uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com
>> YOU_KIDDIN___DO_YOU
>> /opt/certs/cacerts.jks
>> pfeblelep
>> JKS
>> TLSv1
>> FOLLOW
>> 10 secs
>> 10 secs
>> ldaps://ldapserver.my.company.com:636
>> 30 mins
>> OBJECT
>> cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com
>> groupofuniquenames
>> SUBTREE
>> cn
>> uniqueMember
>>
>> composite-user-group-provider
>> org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider
>> ldap-user-group-provider
>> file-user-group-provider
>>
>> file-access-policy-provider
>> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
>> composite-user-group-provider
>> ./conf/authorizations.xml
>> uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
>> cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr
>>
>> managed-authorizer
>> org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer
>> file-access-policy-provider
>>
>> Thanks for your help
Re: In nifi-registry, why can't I edit other users privileges
Hi Nicolas,

Is it possible you changed the initial admin identity at some point? If so, you will need to delete authorizations.xml and restart NiFi Registry to allow it to be recreated with the new initial admin.

Also, nifi registry never allows modifying the permissions for the current user. You would have to log in as another admin to change your permissions.

Hope this helps,
Kevin

On Mon, Sep 2, 2019 at 8:56 AM Nicolas Delsaux wrote:
> Hi all
>
> I'm still trying to connect nifi to registry with both of them using
> authentication.
>
> So far, I've understood that, like in Nifi, I have to set
> identity-providers.xml and authorizers.xml to have connection to ldap
> configured.
>
> And I can connect to the registry using my ldap, so it works (to a
> certain extent).
>
> *However*, it seems like my user is not really an admin, as I can't
> manage other users.
>
> To say things more clearly, nifi-registry UI allows me to view my user
> privileges, but I can't edit my permissions, and I can edit none of the
> other users' permissions. I can no more add/remove users.
>
> Which is weird, considering I'm the initial admin of nifi-registry.
>
> Is there something I forgot?
>
> Here is my authorizers.xml for nifi-registry
>
> file-user-group-provider
> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
> ./conf/users.xml
> cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr
>
> ldap-user-group-provider
> org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider
> LDAPS
> uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com
> YOU_KIDDIN___DO_YOU
> /opt/certs/cacerts.jks
> pfeblelep
> JKS
> TLSv1
> FOLLOW
> 10 secs
> 10 secs
> name="Url">ldaps://ldapserver.my.company.com:636
> 30 mins
> OBJECT
> cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com
> groupofuniquenames
> SUBTREE
> cn
> uniqueMember
>
> composite-user-group-provider
> org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider
> ldap-user-group-provider
> file-user-group-provider
>
> file-access-policy-provider
> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
> composite-user-group-provider
> ./conf/authorizations.xml
> uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
> cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr
>
> managed-authorizer
> org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer
> file-access-policy-provider
>
> Thanks for your help
In nifi-registry, why can't I edit other users privileges
Hi all

I'm still trying to connect nifi to registry with both of them using authentication.

So far, I've understood that, like in Nifi, I have to set identity-providers.xml and authorizers.xml to have connection to ldap configured.

And I can connect to the registry using my ldap, so it works (to a certain extent).

*However*, it seems like my user is not really an admin, as I can't manage other users.

To say things more clearly, nifi-registry UI allows me to view my user privileges, but I can't edit my permissions, and I can edit none of the other users' permissions. I can no more add/remove users.

Which is weird, considering I'm the initial admin of nifi-registry.

Is there something I forgot?

Here is my authorizers.xml for nifi-registry

file-user-group-provider
org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
./conf/users.xml
cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr

ldap-user-group-provider
org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider
LDAPS
uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com
YOU_KIDDIN___DO_YOU
/opt/certs/cacerts.jks
pfeblelep
JKS
TLSv1
FOLLOW
10 secs
10 secs
ldaps://ldapserver.my.company.com:636
30 mins
OBJECT
cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com
groupofuniquenames
SUBTREE
cn
uniqueMember

composite-user-group-provider
org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider
ldap-user-group-provider
file-user-group-provider

file-access-policy-provider
org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
composite-user-group-provider
./conf/authorizations.xml
uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr

managed-authorizer
org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer
file-access-policy-provider

Thanks for your help