Matt, The issue looks to be on our end with certain files (including authorized-users.xml) being clobbered by some configuration management services . Nifi seems to be working correctly – as you have described. We have straightened out this issue and will see if anything else crops up.
Thanks! Ralph From: Matt Gilman <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Tuesday, July 26, 2016 at 11:09 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re: authentication problem Ralph, I'm guessing that every user is not disabled since you said that you are manually adding them back in through the UI. Is there anything in common with the user's that are being revoked? To follow up on Clarke's comment... As your updating the users through the UI, the authorized-users.xml file should be updated to reflect those changes. Are you seeing any errors logged there? Can you confirm that the authorized-users.xml is accurate at that point? Matt On Tue, Jul 26, 2016 at 1:31 PM, Perko, Ralph J <[email protected]<mailto:[email protected]>> wrote: Thanks for the responses. Matt Clarke: The permissions look fine. Nifi runs as user “nifi” and all files are owned by “nifi” (with write permissions of course) Matt Gilman: As far as additional logging here is what I found – No errors of any sort: 016-07-25 16:10:59,420 INFO [main] o.a.nifi.admin.UserDataSourceFactoryBean Existing database found and connected to at: jdbc:h2:./database_repository/nifi-users;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE 2016-07-25 16:10:59,473 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 1>. Updating authorities... 2016-07-25 16:10:59,485 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 2>. Updating authorities... 2016-07-25 16:10:59,487 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 3>. Updating authorities... 2016-07-25 16:10:59,492 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 4>. Updating authorities... 2016-07-25 16:10:59,494 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created:<enabled user 5>. Updating authorities… .. 2016-07-25 16:10:59,508 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 1>. Disabling account... 2016-07-25 16:10:59,509 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 2>. Disabling account... … From: Matthew Clarke <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Tuesday, July 26, 2016 at 10:03 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re: authentication problem Verify the user running your nifi has the correct permissions to read and edit all the database files in the NiFi database repository directory. Also make sure the user running NiFi had permissions to edit the authorized-users.xml file. This file is only read on start-up. After nifi is running it operates solely from the memory and DBs. My guess is here that nifi can not update the authorized-users.xml file with the changes you are making in the User management UI. Thanks, Matt On Jul 26, 2016 12:47 PM, "Perko, Ralph J" <[email protected]<mailto:[email protected]>> wrote: Hi – whenever we restart Nifi half the accounts are disabled with this message: INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <user-id>. Disabling account... The users are in the authorized-users.xml file. Is this a configuration issue on our part or a bug? It is curious that not all the accounts get disabled only some and it is always the same accounts. To re-enable the accounts I go into the users page, select the disabled user (click the little pencil) and click ‘apply’ with no changes - the account is re-enabled. Details: Nifi 0.6.1 authority-providers.xml: default file provider login-identy-management.xml: kerberos-provider (corporate system – everyone is in it) authorized-users.xml:setup for each user Thanks, Ralph
