Hello, The default authorizers.xml that comes with 1.4.0 has a new style of configuration which requires you to enter the initial admin identity in two places.
First in the userGroupProvider in <property name="Initial User Identity 1"></property> Second in the accessPolicyProvider in <property name="Initial Admin Identity"></property> Those two values need to be the same, you are basically telling the accessPolicyProvider which user from the userGroupProvider is the initial admin. Thanks, Bryan On Sat, Nov 11, 2017 at 12:41 AM, Cédric <c...@globepayroll.com> wrote: > Hello, > > I would like to know what is the easiest way to evaluate Authorization and > Multi-Tenancy functionnalities ? > > I've tried installation with the following steps but I've a "Unable to > locate initial admin" at the end. > > Steps : > - Download nifi-1.4.0-bin.zip and unzip in nifi-1.4.0 > > - download nifi-toolkit-1.4.0-bin.zip and unzip in nifi-toolkit-1.4.0 > > - cd nifi-toolkit-1.4.0 > > # .\bin\tls-toolkit.bat standalone -n localhost -C "CN=bbende, > OU=ApacheNiFi" -o ../target > > 2017/11/11 06:18:11 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No > nifiPropertiesFile specified, using embedded one. > 2017/11/11 06:18:12 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running > standalone certificate generation with output directory ..\target > 2017/11/11 06:18:12 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing > CA certificate ..\target\nifi-cert.pem and key ..\target\nifi-key.key > 2017/11/11 06:18:12 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl > configuration to ..\target\localhost > 2017/11/11 06:18:13 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully > generated TLS configuration for localhost 1 in ..\target\localhost > 2017/11/11 06:18:13 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new > client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12 > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > ********************************************************************************** > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > WARNING!!!! > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > ********************************************************************************** > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > Unlimited JCE Policy is not installed which means we cannot utilize a > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > PKCS12 password longer than 7 characters. > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > Autogenerated password has been reduced to 7 characters. > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > Please strongly consider installing Unlimited JCE Policy at > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > Another alternative is to add a stronger password with the openssl tool to > the > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > resulting client certificate: ..\target\CN=bbende_OU=ApacheNiFi.p12 > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > openssl pkcs12 -in '..\target\CN=bbende_OU=ApacheNiFi.p12' -out > '/tmp/CN=bbende_OU=ApacheNiFi.p12' > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > openssl pkcs12 -export -in '/tmp/CN=bbende_OU=ApacheNiFi.p12' -out > '..\target\CN=bbende_OU=ApacheNiFi.p12' > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > rm -f '/tmp/CN=bbende_OU=ApacheNiFi.p12' > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: > ********************************************************************************** > 2017/11/11 06:18:13 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully > generated client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12 > 2017/11/11 06:18:13 INFO [main] > org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit > standalone completed successfully > > > # cd .. > > # copy target\localhost\* nifi-1.4.0\conf > > - Edit nifi-1.4.0\conf\authorizers.xml and set the following: > <accessPolicyProvider> > > <identifier>file-access-policy-provider</identifier> > > > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> > > <property name="User Group > Provider">file-user-group-provider</property> > > <property name="Authorizations > File">./conf/authorizations.xml</property> > > <property name="Initial Admin Identity">CN=bbende, > OU=ApacheNiFi</property> > > <property name="Legacy Authorized Users File"></property> > > > <property name="Node Identity 1"></property> > > </accessPolicyProvider> > > - Start apache nifi : > # cd nifi-1.4.0 > # bin\run-nifi.bat > > Failed to determine if Process 14172 is running; assuming that it is not > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command > Starting Apache NiFi... > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command > Working Directory: C:\Users\cedri\nifi\NIFI-1~1.0 > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command > Command: C:\Program Files\Java\jdk1.8.0_144\bin\java.exe -classpath > C:\Users\cedri\nifi\NIFI-1~1.0\.\conf;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jetty-schemas-3.1.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-classic-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-core-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-framework-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-nar-utils-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-properties-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-runtime-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\slf4j-api-1.7.25.jar > -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m > -Djava.security.egd=file:/dev/urandom > -Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true > -Djava.awt.headless=true -XX:+UseG1GC > -Djava.protocol.handler.pkgs=sun.net.www.protocol > -Dnifi.properties.file.path=C:\Users\cedri\nifi\NIFI-1~1.0\.\conf\nifi.properties > -Dnifi.bootstrap.listen.port=50727 -Dapp=NiFi > -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\\logs > org.apache.nifi.NiFi > 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed > to set permissions so that only the owner can read pid file > C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.pid; this may allows others > to have access to the key needed to communicate with NiFi. Permissions > should be changed so that only the owner can read this file > 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed > to set permissions so that only the owner can read status file > C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.status; this may allows > others to have access to the key needed to communicate with NiFi. > Permissions should be changed so that only the owner can read this file > 2017-11-11 06:26:22,802 INFO [main] org.apache.nifi.bootstrap.Command > Launched Apache NiFi with Process ID 12968 > > > But the server fail to start :-( with this error : > Error creating bean with name 'authorizer': FactoryBean threw exception on > object creation; nested exception is > org.apache.nifi.authorization.exception.AuthorizerCreationException: > org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable > to locate initial admin CN=bbende, OU=ApacheNiFi to seed policies > . > What I'm missing ? > > nifi-app.log > <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-app.log> > nifi-bootstrap.log > <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-bootstrap.log> > nifi-user.log > <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-user.log> > authorizers.xml > <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/authorizers.xml> > nifi.properties > <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi.properties> > > > Regards > > Cédric > > > > > > > > -- > Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
