Hi, I have some issues after initial setup and securing NiFi.

I have set up a CentOS6 (including java) machine with hostname 
nifi.domeinbram.nl.

I downloaded NiFi and the tls toolkit and extracted them to /opt. I ran nifi.sh 
install and started the nifi service. After the initial setup of NiFi 1.1.2 I 
can access the UI on port 8080/nifi fine.


I then used the tls-toolkit for securing NiFi:

./tls-toolkit.sh standalone -n 'nifi.domeinbram.nl' -C 'CN=admin' -o keys/

I then copied the new nifi.properties, keystore.jks and truststore.jks to 
/opt/nifi/conf/.

I imported the CN=admin.p12 into my browser and pasted the password in the 
CN=admin.password file, and it was successfully imported.

In the authorizers.xml I added CN=admin as Initial Admin Identity and 
CN=nifi.domeinbram.nl as Node Identity 1.

I then restarted the nifi service but I get an access denied message.


I added the xml files.

Hope someone can help me out... doing something wrong :).


Kind regards,


Bram

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="fae5e3fa-eadf-3a72-bf76-d41db5fe3466" resource="/flow" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="18ca28ba-fda1-307d-9933-3f9ba9df87c8" resource="/restricted-components" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="d16181ab-64b4-373d-962f-37ec6dfea690" resource="/tenants" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="e1c46fdb-3a7a-3bbc-b5c3-a5105b95f45a" resource="/tenants" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="efd80e78-a828-3db0-af33-ee4f6016cdcb" resource="/policies" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="adb5c9f4-46e7-3805-b928-2c9baeebaa4e" resource="/policies" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="2bd33257-04ce-36ac-b4d8-265e4e3802af" resource="/controller" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="168c06df-f12d-3c7f-94c6-ac5600837140" resource="/controller" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
    </policies>
</authorizations>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!--
    This file lists the authority providers to use when running securely. In order
    to use a specific provider it must be configured here and it's identifier
    must be specified in the nifi.properties file.
-->
<authorizers>

    <!--
        The FileAuthorizer is NiFi's provided authorizer and has the following properties:

        - Authorizations File - The file where the FileAuthorizer will store policies.

        - Users File - The file where the FileAuthorizer will store users and groups.

        - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
            given the ability to create additional users, groups, and policies. The value of this property could be
            a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
            are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
            Users File can not be specified.

            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
            so the value should be the unmapped identity.

        - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
            converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
            not be specified, and this property will only be used when there are no other users, groups, and policies defined.

        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
            should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
            The name of each property must be unique, for example for a three node cluster:
            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"

            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate).
    -->
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=admin</property>
        <property name="Legacy Authorized Users File"></property>

        <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
        <property name="Node Identity 1"></property>-->
        <property name="Node Identity 1">CN=nifi.domeinbram.nl</property>
        
    </authorizer>
</authorizers>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
    </users>
</tenants>
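
A consistency check over the three attached files, as an added example that is not part of the original post and not NiFi code: it compares each identity set in authorizers.xml with the users stored in users.xml and the policies that reference them. It assumes identities are compared as exact, case-sensitive strings; `check_identities` and the embedded excerpts (policy list shortened) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed excerpts mirroring the three attached files (policy list shortened).
AUTHORIZERS = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <property name="Initial Admin Identity">CN=admin</property>
  <property name="Node Identity 1">CN=nifi.domeinbram.nl</property>
</authorizer></authorizers>"""
USERS = """<tenants><groups/><users>
  <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
</users></tenants>"""
AUTHORIZATIONS = """<authorizations><policies>
  <policy identifier="fae5e3fa-eadf-3a72-bf76-d41db5fe3466" resource="/flow" action="R">
    <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
  </policy>
</policies></authorizations>"""

def check_identities(authorizers_xml, users_xml, authorizations_xml):
    """Compare configured identities against stored users and their policies."""
    props = {p.get("name"): (p.text or "").strip()
             for p in ET.fromstring(authorizers_xml).iter("property")}
    configured = {n: v for n, v in props.items()
                  if v and (n == "Initial Admin Identity" or n.startswith("Node Identity"))}
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    policies = {}  # user identifier -> ["/resource:ACTION", ...]
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        for u in pol.iter("user"):
            policies.setdefault(u.get("identifier"), []).append(
                f'{pol.get("resource")}:{pol.get("action")}')
    findings = []
    for name, identity in configured.items():
        if identity in users:  # exact, case-sensitive match (assumption)
            if not policies.get(users[identity]):
                findings.append((name, identity, "user exists but has no policies"))
            continue
        near = [s for s in users if s.lower() == identity.lower()]
        if near:
            findings.append((name, identity, f"case mismatch with stored user '{near[0]}'"))
        else:
            findings.append((name, identity, "no matching user in users.xml"))
    return findings

if __name__ == "__main__":
    for name, identity, problem in check_identities(AUTHORIZERS, USERS, AUTHORIZATIONS):
        print(f"{name} = {identity}: {problem}")
```

As the comment in authorizers.xml states, node identities can be ignored when not clustered, and the Initial Admin Identity is only used when no other users, groups, and policies are defined.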
