Nicolas,
If Bryan’s suggestion doesn’t work (and he’s probably correct), you may not
have named your user correctly in NiFi. Go try to authenticate again, then go
to {nifi install directory}/logs and look at the end of nifi-user.log. You
should see more details about your authentication request and what name it
tried to use to authenticate you. This was how I worked around getting my
naming conventions to match.
In my case I had enabled “Identity Mapping Properties” in nifi.properties so
that I could use both certificates and Kerberos, but had forgotten to rename
the account objects I had already added to NiFi.
Thanks,
Peter
From: Bryan Bende [mailto:[email protected]]
Sent: Monday, September 26, 2016 10:14 AM
To: [email protected]
Subject: Re: Access denied for kerberos users
Hello,
Since you are getting to the "insufficient permissions" page this means that NiFi
successfully authenticated your user against the KDC, but then the authorizer
in NiFi said the user didn't have permissions for something.
What policies did you grant to the Kerberos user in NiFi?
At a minimum they need a policy for "view the user interface" from the global
policies in the top-right menu.
-Bryan
On Mon, Sep 26, 2016 at 11:43 AM, Provenzano Nicolas
<[email protected]> wrote:
Hi all,
I configured a 1.0.0 NiFi instance to use Kerberos services for authentication.
I can connect to the UI using the certificate corresponding to the user
declared in the Initial Admin Identity.
However, when I try to connect using a user declared in the Kerberos server:
1. Based on some docs, I should be able to submit a request to get access
to the UI. It’s not the case.
2. Using the initial admin user, I created a user in NiFi and added it in some
profiles.
However, I still have the following message:
“Access Denied
Unable to perform the desired action due to insufficient permissions. Contact
the system administrator.”
The user is correctly declared in the Kerberos server. When it is not, a pop-up
displays:
The supplied username and password are not valid.
Has anyone already met this issue?
Thanks in advance
BR
Nicolas
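
The naming mismatch Peter describes at the top of this thread, as an added example (not part of the original messages and not NiFi's own code): it applies identity mapping properties to a certificate DN and a Kerberos principal, then checks whether a NiFi user with exactly that mapped name exists. The property values, the user names and the apply-in-name-order rule are assumptions made for illustration, and Python's `re` stands in for Java's regex engine.

```python
import re

# Constructed nifi.properties fragment; pattern and value strings are assumptions.
NIFI_PROPERTIES = r"""
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""
PREFIX = "nifi.security.identity.mapping."

def load_mappings(text):
    """Return [(name, compiled pattern, value)], ordered by mapping name (assumed order)."""
    props = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    start = PREFIX + "pattern."
    names = sorted(k[len(start):] for k in props if k.startswith(start))
    return [(n, re.compile(props[start + n]), props[PREFIX + "value." + n])
            for n in names]

def map_identity(raw, mappings):
    """Rewrite the identity with the first pattern that matches it entirely."""
    for _name, pattern, value in mappings:
        m = pattern.fullmatch(raw)
        if m:
            # Expand Java-style $1, $2 group references in the value string.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
    return raw  # no pattern matched: the identity is used unchanged

def audit_users(nifi_users, raw_identities, mappings):
    """Map each raw identity and report whether a user with that exact name exists."""
    result = {}
    for raw in raw_identities:
        mapped = map_identity(raw, mappings)
        # The comparison is an exact, case-sensitive string match.
        result[raw] = (mapped, mapped in nifi_users)
    return result

if __name__ == "__main__":
    mappings = load_mappings(NIFI_PROPERTIES)
    presented = ["CN=admin, OU=NIFI", "jdoe@EXAMPLE.COM"]  # constructed identities
    # User objects created before the mappings were enabled keep their long names.
    before = {"CN=admin, OU=NIFI", "jdoe@EXAMPLE.COM"}
    # The same accounts after being renamed to the mapped form.
    after = {"admin", "jdoe"}
    for label, users in (("before rename", before), ("after rename", after)):
        for raw, (mapped, ok) in audit_users(users, presented, mappings).items():
            state = "user found" if ok else "no such user: insufficient permissions"
            print(f"{label}: {raw!r} -> {mapped!r}: {state}")
```

The mapped name printed here corresponds to the name that nifi-user.log shows for the authentication attempt, which is the value the user object in NiFi has to match.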