Thanks Bryan,

On a side note, after beating my skull against a sharp pen for a few hours and losing about a pint of blood... I was able to get this working. One thing to note that wasn't clear to me initially is that you need to add all the cluster nodes into both the userGroupProvider and accessPolicyProvider. Once I did this everything came together....

So glad to see this OpenID added!

Regards,
Dano

On Sat, Nov 11, 2017 at 11:40 AM Bryan Bende <[email protected]> wrote:

> Hello,
>
> The default authorizers.xml that comes with 1.4.0 has a new style of
> configuration which requires you to enter the initial admin identity
> in two places.
>
> First in the userGroupProvider in <property name="Initial User Identity 1"></property>
>
> Second in the accessPolicyProvider in <property name="Initial Admin Identity"></property>
>
> Those two values need to be the same, you are basically telling the
> accessPolicyProvider which user from the userGroupProvider is the
> initial admin.
>
> Thanks,
>
> Bryan
>
> On Sat, Nov 11, 2017 at 12:41 AM, Cédric <[email protected]> wrote:
> > Hello,
> >
> > I would like to know what is the easiest way to evaluate Authorization and
> > Multi-Tenancy functionalities ?
> >
> > I've tried installation with the following steps but I've a "Unable to
> > locate initial admin" at the end.
> >
> > Steps :
> > - Download nifi-1.4.0-bin.zip and unzip in nifi-1.4.0
> >
> > - download nifi-toolkit-1.4.0-bin.zip and unzip in nifi-toolkit-1.4.0
> >
> > - cd nifi-toolkit-1.4.0
> >
> > # .\bin\tls-toolkit.bat standalone -n localhost -C "CN=bbende, OU=ApacheNiFi" -o ../target
> >
> > 2017/11/11 06:18:11 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
> > 2017/11/11 06:18:12 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ..\target
> > 2017/11/11 06:18:12 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ..\target\nifi-cert.pem and key ..\target\nifi-key.key
> > 2017/11/11 06:18:12 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ..\target\localhost
> > 2017/11/11 06:18:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for localhost 1 in ..\target\localhost
> > 2017/11/11 06:18:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: WARNING!!!!
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ..\target\CN=bbende_OU=ApacheNiFi.p12
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '..\target\CN=bbende_OU=ApacheNiFi.p12' -out '/tmp/CN=bbende_OU=ApacheNiFi.p12'
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=bbende_OU=ApacheNiFi.p12' -out '..\target\CN=bbende_OU=ApacheNiFi.p12'
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=bbende_OU=ApacheNiFi.p12'
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> > 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
> > 2017/11/11 06:18:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12
> > 2017/11/11 06:18:13 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
> >
> > # cd ..
> >
> > # copy target\localhost\* nifi-1.4.0\conf
> >
> > - Edit nifi-1.4.0\conf\authorizers.xml and set the following:
> > <accessPolicyProvider>
> >     <identifier>file-access-policy-provider</identifier>
> >     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >     <property name="User Group Provider">file-user-group-provider</property>
> >     <property name="Authorizations File">./conf/authorizations.xml</property>
> >     <property name="Initial Admin Identity">CN=bbende, OU=ApacheNiFi</property>
> >     <property name="Legacy Authorized Users File"></property>
> >     <property name="Node Identity 1"></property>
> > </accessPolicyProvider>
> >
> > - Start apache nifi :
> > # cd nifi-1.4.0
> > # bin\run-nifi.bat
> >
> > Failed to determine if Process 14172 is running; assuming that it is not
> > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command Starting Apache NiFi...
> > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command Working Directory: C:\Users\cedri\nifi\NIFI-1~1.0
> > 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command Command: C:\Program Files\Java\jdk1.8.0_144\bin\java.exe -classpath C:\Users\cedri\nifi\NIFI-1~1.0\.\conf;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jetty-schemas-3.1.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-classic-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-core-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-framework-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-nar-utils-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-properties-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-runtime-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\slf4j-api-1.7.25.jar -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m -Djava.security.egd=file:/dev/urandom -Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseG1GC -Djava.protocol.handler.pkgs=sun.net.www.protocol -Dnifi.properties.file.path=C:\Users\cedri\nifi\NIFI-1~1.0\.\conf\nifi.properties -Dnifi.bootstrap.listen.port=50727 -Dapp=NiFi -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\\logs org.apache.nifi.NiFi
> > 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read pid file C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.pid; this may allows others to have access to the key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file
> > 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed to set permissions so that only the owner can read status file C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.status; this may allows others to have access to the key needed to communicate with NiFi. Permissions should be changed so that only the owner can read this file
> > 2017-11-11 06:26:22,802 INFO [main] org.apache.nifi.bootstrap.Command Launched Apache NiFi with Process ID 12968
> >
> > But the server fails to start :-( with this error :
> > Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=bbende, OU=ApacheNiFi to seed policies
> > .
> > What am I missing ?
> >
> > nifi-app.log <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-app.log>
> > nifi-bootstrap.log <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-bootstrap.log>
> > nifi-user.log <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-user.log>
> > authorizers.xml <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/authorizers.xml>
> > nifi.properties <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi.properties>
> >
> > Regards
> >
> > Cédric
> >
> > --
> > Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
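
The rule from this thread (the Initial Admin Identity, and per Dano's note every cluster Node Identity, named in the accessPolicyProvider must also be an Initial User Identity in the userGroupProvider it references) can be checked before starting NiFi. The script below is an added example, not part of the original messages and not NiFi code; `missing_identities` and the constructed sample are this example's own, and it assumes exact string comparison of identities (identity mappings from nifi.properties are not modelled).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reproducing the situation in the thread: the admin is
# named in the accessPolicyProvider but not in the userGroupProvider.
SAMPLE_BROKEN = """
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1"></property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=bbende, OU=ApacheNiFi</property>
    <property name="Node Identity 1"></property>
  </accessPolicyProvider>
</authorizers>
"""

def _props(element, pattern):
    """Non-empty values of <property> children whose name matches pattern."""
    values = []
    for prop in element.findall("property"):
        if re.fullmatch(pattern, prop.get("name", "")) and (prop.text or "").strip():
            values.append(prop.text.strip())
    return values

def missing_identities(authorizers_xml):
    """Return (policy provider id, identity) pairs the user group provider lacks."""
    root = ET.fromstring(authorizers_xml)
    known = {}  # userGroupProvider identifier -> set of initial user identities
    for ugp in root.findall("userGroupProvider"):
        ident = (ugp.findtext("identifier") or "").strip()
        known[ident] = set(_props(ugp, r"Initial User Identity .+"))
    problems = []
    for app in root.findall("accessPolicyProvider"):
        app_id = (app.findtext("identifier") or "").strip()
        ugp_ref = (_props(app, r"User Group Provider") or [""])[0]
        # Admin and node identities must both exist as users before policies are seeded.
        needed = _props(app, r"Initial Admin Identity|Node Identity .+")
        for identity in needed:
            if identity not in known.get(ugp_ref, set()):
                problems.append((app_id, identity))
    return problems

if __name__ == "__main__":
    for provider, identity in missing_identities(SAMPLE_BROKEN):
        print(f"{provider}: '{identity}' is not an Initial User Identity")
```

To check a real file, pass its contents, for example `missing_identities(open("conf/authorizers.xml").read())`; an empty list means every seeded identity is known to the user group provider.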
