Hey guys, I just wanted to chime in here. The grayed out buttons on the canvas may be due to the fact that there was no flow.xml.gz in your conf directory when the users/authorizers were seeded. Due to the clustering model, a node may not know what the root group will be. Because of this, the initial admin is granted the necessary permissions to modify these policies through the UI after starting up. If there is a flow.xml.gz in the conf directory, the initial admin will be automatically given permissions for the root group.

From the admin guide...

"For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow."

Matt

On Mon, Dec 4, 2017 at 4:30 AM, Pierre Villard <[email protected]> wrote:

> Hey guys,
>
> I'll try to write a new blog with all the new features coming with NiFi
> 1.4.0.
> All the new stuff to have LDAP sync is really nice.
>
> Pierre
>
> 2017-12-03 19:12 GMT+01:00 Kevin Doran <[email protected]>:
>
>> Hi Mike,
>>
>> You also have to enable the LdapUserGroupProvider in authorizers.xml by
>> uncommenting it, configuring the properties, and changing the
>> FileAccessPolicyProvider (also in authorizers.xml) to use the
>> ldap-user-group-provider instead of the default file-user-group-provider.
>>
>> Then delete users.xml and authorizations.xml and restart.
>>
>> This will disable any certificate-based identities you have configured,
>> so you will need to choose an ldap-based user to be your initial admin. Or
>> configure a CompositeUserGroupProvider so that you can use certificates and
>> only require ldap login in absence of a client certificate.
>>
>> -Kevin
>>
>> ------------------------------
>> *From:* Mike Thomsen <[email protected]>
>> *Sent:* Sunday, December 3, 2017 9:45:18 AM
>> *To:* [email protected]
>> *Subject:* Re: Buttons are greyed out when initial admin account logs in
>>
>> I added the ldap-provider to the identity provider line in
>> nifi.properties, but I don't see any users from LDAP. I tried deleting
>> users.xml and authorizations.xml and restarting, but the user listing
>> doesn't show any of the users from LDAP. Any ideas on how to troubleshoot?
>>
>> Thanks,
>>
>> Mike
>>
>> On Fri, Dec 1, 2017 at 7:05 PM, Kevin Doran <[email protected]>
>> wrote:
>>
>>> Mike,
>>>
>>> I should also mention that since the time of Pierre's initial blog post
>>> on LDAP integration, support for user & group syncing with LDAP has been
>>> added to NiFi. See the instructions for the "LdapUserGroupProvider" in
>>> Authorizers.xml section of the Admin Guide [1].
>>>
>>> You will still need to set per-group or per-user policies as the initial
>>> admin, but you do not need to manually add users and groups in order to set
>>> policies. Also, your initial admin can use an identity from LDAP rather
>>> than a certificate (if that is preferred, otherwise, you can still use
>>> certificates alongside LDAP by using a CompositeUserGroupProvider as
>>> described in the Admin Guide).
>>>
>>> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
>>>
>>> -Kevin
>>>
>>> *From: *Kevin Doran <[email protected]>
>>> *Date: *Friday, December 1, 2017 at 18:43
>>> *To: *<[email protected]>
>>> *Subject: *Re: Buttons are greyed out when initial admin account logs in
>>>
>>> Hi Mike,
>>>
>>> Your authorizers.xml and nifi.properties look correct to me to establish
>>> the certificate "CN=admin, OU=NIFI" as an admin user.
>>>
>>> Here's one idea that you may have already thought of... the initial
>>> admin is only granted admin policies if users/policies are empty on
>>> startup. Try deleting conf/users.xml and conf/authorizations.xml and
>>> restarting NiFi.
>>>
>>> Hope this helps! If you have any other questions about configuring LDAP
>>> or authorizers, let me know.
>>>
>>> Kevin
>>>
>>> *From: *Mike Thomsen <[email protected]>
>>> *Reply-To: *<[email protected]>
>>> *Date: *Friday, December 1, 2017 at 18:27
>>> *To: *<[email protected]>
>>> *Subject: *Buttons are greyed out when initial admin account logs in
>>>
>>> I'm following Pierre's blog post that shows how to set up LDAP w/
>>> ApacheDS:
>>>
>>> https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap
>>>
>>> I've tried this with 1.4.0 and 1.5.0-SNAPSHOT (toolkits built for each
>>> too) for what it's worth.
>>>
>>> Built the certs with this command:
>>>
>>> bin/tls-toolkit.sh standalone -n localhost -C "CN=admin,OU=NIFI" -O -o ../security_output
>>>
>>> Copied security_output/localhost/* to $NIFI_ROOT/conf
>>>
>>> With or without the identity provider set to use the LDAP configuration,
>>> it's greyed out.
>>>
>>> Any ideas on what I'm doing wrong?
>>>
>>> Thanks,
>>>
>>> Mike
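
Added example, not part of the thread and not NiFi's own code: a Python check of a NiFi conf directory for the three conditions raised above (which user group provider the access policy provider references, leftover users.xml/authorizations.xml, and a missing flow.xml.gz). The sample authorizers.xml is constructed and trimmed to the elements the check reads; check_conf, demo and the expect_provider parameter are hypothetical names.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not from the thread): the LDAP user group provider is
# defined, but the access policy provider still references the file-based one.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider><identifier>file-user-group-provider</identifier></userGroupProvider>
  <userGroupProvider><identifier>ldap-user-group-provider</identifier></userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""

def check_conf(conf_dir, expect_provider="ldap-user-group-provider"):
    """Return a list of findings for the seeding conditions discussed in the thread."""
    conf = Path(conf_dir)
    findings = []
    root = ET.parse(conf / "authorizers.xml").getroot()
    defined = {e.findtext("identifier", "").strip() for e in root.iter("userGroupProvider")}
    for app in root.iter("accessPolicyProvider"):
        props = {p.get("name"): (p.text or "").strip() for p in app.iter("property")}
        ugp = props.get("User Group Provider", "")
        if ugp not in defined:
            findings.append(f"User Group Provider '{ugp}' is not defined")
        elif ugp != expect_provider:
            findings.append(f"policy provider uses '{ugp}', not '{expect_provider}'")
        if not props.get("Initial Admin Identity"):
            findings.append("no Initial Admin Identity set")
    # The initial admin is seeded only when users/policies are empty at startup.
    for name in ("users.xml", "authorizations.xml"):
        if (conf / name).exists():
            findings.append(f"{name} present: delete it and restart to re-seed the initial admin")
    # Without an existing flow, root process group policies are not granted automatically.
    if not (conf / "flow.xml.gz").exists():
        findings.append("no flow.xml.gz: grant root process group policies in the UI")
    return findings

def demo():
    """Run the check against a throwaway conf directory built from the sample."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "authorizers.xml").write_text(SAMPLE_AUTHORIZERS)
        Path(d, "users.xml").write_text("<tenants/>")  # leftover from an earlier start
        return check_conf(d)

if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

When certificates and LDAP are combined through a CompositeUserGroupProvider, pass that provider's identifier as expect_provider.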
