Order should not matter for Initial User Identity properties. Basically, you're 
just seeding a few known user/client identities for this NiFi that you want to 
be authorized. It's necessary in your case because when the 
file-access-policy-provider is creating Initial Admins and Initial Nodes, what 
it is really doing internally is assigning users to certain access policies, so 
those users have to exist or you will encounter the exception you were getting 
earlier.

I should also note that these properties only take effect on initial startup 
when no users or policies exist. If you want to start over, you would have to 
delete users.xml and authorizations.xml and restart NiFi. If you want to add a 
user or node without removing existing ones, you can do that in the UI using 
the initial admin you create.

________________________________
From: Ryan H <[email protected]>
Sent: Saturday, February 17, 2018 5:49:17 PM
To: [email protected]
Subject: Re: NiFi 1.5.0 Secure Cluster: Unable to locate node CN=node-1, 
OU=NIFI to seed policies

Hi Kevin,

Thanks for the quick reply! That did the trick. Quick question, does the order 
of the "Initial User Identities" matter as the "Initial Node Identities" do? Or 
are only the Node Identities order important?

-Ryan H

On Sat, Feb 17, 2018 at 5:34 PM, Kevin Doran <[email protected]> wrote:
Hi Ryan,

You’ll need to add the DN for your cluster nodes as “Initial User Identities” 
to the file-user-group-provider in authorizers.xml. I.e.:

    <property name="Initial User Identity 1"> CN=my-node-1, OU=NIFI </property>
    <property name="Initial User Identity 2"> CN=my-node-2, OU=NIFI </property>

Let me know if you have any other questions!

Cheers,
Kevin

From: Ryan H <[email protected]>
Reply-To: <[email protected]>
Date: Saturday, February 17, 2018 at 17:22
To: <[email protected]>
Subject: NiFi 1.5.0 Secure Cluster: Unable to locate node CN=node-1, OU=NIFI to 
seed policies

Hi Users,

I am trying to set up a 3 node secure cluster and running into the following 
error:

org.apache.nifi.authorization.exception.AuthorizerCreationException: 
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to 
locate node CN=my-node-1, OU=NIFI to seed policies.

I scaled it back and tried to just get a single node secure cluster working for 
ease of troubleshooting and get the same error. I've tried adding/removing the 
space in the DN just in case, but it seems that my node identity is parsing to 
null for whatever reason (based on the source code where the error is being 
thrown from "FileAccessPolicyProvider.populateNodes()").

Any help is always appreciated!

Cheers,

Ryan H



My Config:
authorizers.xml
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=my-node-1, OU=NIFI</property>
    </accessPolicyProvider>
</authorizers>

nifi.properties
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=my-node-1
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=generated-password
nifi.security.keyPasswd=generated-password
nifi.security.truststore=./truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=generated-password
nifi.security.needClientAuth=true
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
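
The check described in the replies above, as an added example that is not part of the original thread or NiFi's own code: every Initial Admin Identity and Node Identity in an access policy provider must also be seeded as an Initial User Identity in the user group provider it points to. The sample XML is constructed, the function and constant names are hypothetical, and the comparison assumes no identity mapping is configured.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the access policy provider names a node that the
# user group provider never seeds, as in the original question.
SAMPLE_BROKEN = """
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Node Identity 1">CN=my-node-1, OU=NIFI</property>
    </accessPolicyProvider>
</authorizers>
"""

# Assumption: property names follow the numbered form shown in the thread.
SEEDED = re.compile(r"Initial User Identity \S+$")
REFERENCED = re.compile(r"(Initial Admin Identity|Node Identity \S+)$")
UGP_REF = re.compile(r"User Group Provider$")


def props(provider, pattern):
    """Map matching property names to their non-empty, stripped values."""
    pairs = ((p.get("name", ""), (p.text or "").strip()) for p in provider.findall("property"))
    return {n: v for n, v in pairs if pattern.match(n) and v}


def unseeded_identities(authorizers_xml):
    """List (policy provider id, property, identity) not seeded as a user."""
    root = ET.fromstring(authorizers_xml)
    seeded = {ugp.findtext("identifier", "").strip(): set(props(ugp, SEEDED).values())
              for ugp in root.findall("userGroupProvider")}
    problems = []
    for app in root.findall("accessPolicyProvider"):
        app_id = app.findtext("identifier", "").strip()
        known = seeded.get(props(app, UGP_REF).get("User Group Provider", ""), set())
        # Exact string comparison after stripping surrounding whitespace.
        for name, identity in props(app, REFERENCED).items():
            if identity not in known:
                problems.append((app_id, name, identity))
    return problems


if __name__ == "__main__":
    print(unseeded_identities(SAMPLE_BROKEN))
```

An empty list means every referenced identity is seeded; since these properties are only read on first startup, run the check before users.xml and authorizations.xml are generated.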
