The FileAccessPolicyProvider is making a call to the user group provider using the value you entered for initial admin:

    final User initialAdmin = userGroupProvider.getUserByIdentity(initialAdminIdentity);

It has something to do with the value you entered for the initial admin not lining up with the identities being returned from the LDAP provider. If you entered a full DN, but the LDAP provider returns just the short name, or vice versa, then it doesn't line up.

On Fri, Jul 19, 2019 at 9:59 AM Nicolas Delsaux <[email protected]> wrote:
>
> And indeed, it changed the error
>
> nifi-runner_1 | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
> nifi-runner_1 | at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
> nifi-runner_1 | ... 96 common frames omitted
> nifi-runner_1 | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1 | at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:263)
> nifi-runner_1 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> nifi-runner_1 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> nifi-runner_1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> nifi-runner_1 | at java.lang.reflect.Method.invoke(Method.java:498)
> nifi-runner_1 | at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
> nifi-runner_1 | at com.sun.proxy.$Proxy78.onConfigured(Unknown Source)
> nifi-runner_1 | at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:153)
> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
> nifi-runner_1 | ... 101 common frames omitted
> nifi-runner_1 | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1 | at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:598)
> nifi-runner_1 | at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:541)
> nifi-runner_1 | at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
> nifi-runner_1 | ... 109 common frames omitted
>
> which seems to indicate that on startup, the FileAccessPolicyProvider will try to get information for the manager DN in the file (which, as far as I understand, is not yet loaded).
>
> So there must be some weird back-and-forth dance between the LDAP user group provider and the file policy provider ... But I don't understand the dance in question
>
> On 19/07/2019 at 15:38, Edward Armes wrote:
>
> Hi Nicolas,
>
> In your actual configuration, is this the actual entry and not a sanitized version?
>
> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>
> If so, I think this is the problem. What I think is happening is that NiFi is trying to interpret this value as a DN and failing. If you only need the users returned from the LDAP search to be the list of valid users, then this field can just be left blank; if, however, you need the list of valid (not necessarily authorized) users to be filtered to the members of a specific LDAP group, then you can specify the DN for that group here.
>
> I would change it to:
>
> <property name="User Group Name Attribute"></property>
>
> and see if that works
>
> Edward
>
> On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux <[email protected]> wrote:
>>
>> Here is the full version (with obvious replacements for manager DN, manager password, LDAP server URL, and other "sensitive" information)
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!--
>>   Licensed to the Apache Software Foundation (ASF) under one or more
>>   contributor license agreements.  See the NOTICE file distributed with
>>   this work for additional information regarding copyright ownership.
>>   The ASF licenses this file to You under the Apache License, Version 2.0
>>   (the "License"); you may not use this file except in compliance with
>>   the License.  You may obtain a copy of the License at
>>       http://www.apache.org/licenses/LICENSE-2.0
>>   Unless required by applicable law or agreed to in writing, software
>>   distributed under the License is distributed on an "AS IS" BASIS,
>>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>   See the License for the specific language governing permissions and
>>   limitations under the License.
>> -->
>> <!--
>>     This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
>>     to use a specific authorizer it must be configured here and it's identifier must be specified in the nifi.properties file.
>>     If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
>>     This file allows for configuration of them, but they must be configured in order:
>>     ...
>>     all userGroupProviders
>>     all accessPolicyProviders
>>     all Authorizers
>>     ...
>> -->
>> <authorizers>
>>     <!--
>>         The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
>>         on the local file system.
>>         - Users File - The file where the FileUserGroupProvider will store users and groups.
>>         - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>             be used to load the users and groups into the Users File.
>>         - Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
>>             each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
>>             "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
>>             NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
>>             so the values should be the unmapped identities (i.e. full DN from a certificate).
>>     -->
>>     <!--
>>     <userGroupProvider>
>>         <identifier>file-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Legacy Authorized Users File"></property>
>>         <property name="Initial User Identity 1"></property>
>>     </userGroupProvider>
>>     -->
>>     <!--
>>         The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
>>         are not configurable.
>>         'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
>>             values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>>         'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
>>         'Manager Password' - The password of the manager that is used to bind to the LDAP server to
>>             search for users.
>>         'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
>>         'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
>>             using LDAPS or START_TLS.
>>         'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
>>             LDAPS or START_TLS (i.e. JKS or PKCS12).
>>         'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
>>         'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
>>             LDAP using LDAPS or START_TLS.
>>         'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
>>             LDAPS or START_TLS (i.e. JKS or PKCS12).
>>         'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
>>             Possible values are REQUIRED, WANT, NONE.
>>         'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
>>             TLSv1.1, TLSv1.2, etc).
>>         'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
>>             before the target context is closed. Defaults to false.
>>         'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
>>         'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>>         'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>>         'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
>>         'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
>>         'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
>>         'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
>>         'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
>>         'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
>>         'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
>>         'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
>>         'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
>>             group membership will not be calculated through the users. Will rely on group membership being defined
>>             through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
>>             associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
>>             is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
>>         'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
>>             is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
>>             the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
>>             'Group Search Base' is also configured.
>>         'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
>>         'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
>>         'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
>>         'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
>>         'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
>>         'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
>>             group membership will not be calculated through the groups. Will rely on group membership being defined
>>             through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
>>             associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
>>             is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>>         'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
>>             is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
>>             the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
>>             'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>>         NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
>>             Group names are not mapped.
>>     -->
>>     <userGroupProvider>
>>         <identifier>ldap-user-group-provider</identifier>
>>         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>         <property name="Authentication Strategy">LDAPS</property>
>>         <property name="Manager DN">a_dn</property>
>>         <property name="Manager Password">a_password</property>
>>         <property name="TLS - Keystore"></property>
>>         <property name="TLS - Keystore Password"></property>
>>         <property name="TLS - Keystore Type"></property>
>>         <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>         <property name="TLS - Truststore Password">changeit</property>
>>         <property name="TLS - Truststore Type">JKS</property>
>>         <property name="TLS - Client Auth"></property>
>>         <property name="TLS - Protocol">TLSv1</property>
>>         <property name="TLS - Shutdown Gracefully"></property>
>>         <property name="Referral Strategy">FOLLOW</property>
>>         <property name="Connect Timeout">10 secs</property>
>>         <property name="Read Timeout">10 secs</property>
>>         <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>         <property name="Page Size"></property>
>>         <property name="Sync Interval">30 mins</property>
>>         <property name="User Search Base">ou=people,o=mycompany.com</property>
>>         <property name="User Object Class">privPerson</property>
>>         <property name="User Search Scope">SUBTREE</property>
>>         <property name="User Search Filter"></property>
>>         <property name="User Identity Attribute">uid</property>
>>         <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>         <property name="Group Search Base"></property>
>>         <property name="Group Object Class">group</property>
>>         <property name="Group Search Scope">ONE_LEVEL</property>
>>         <property name="Group Search Filter"></property>
>>         <property name="Group Name Attribute"></property>
>>         <property name="Group Member Attribute"></property>
>>         <property name="Group Member Attribute - Referenced User Attribute"></property>
>>     </userGroupProvider>
>>     <!--
>>         The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>>         - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>>             each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>>             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>>         NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>>             would need to be applied by the base implementation.
>>     -->
>>     <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
>>     <userGroupProvider>
>>         <identifier>composite-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>>         <property name="User Group Provider 1"></property>
>>     </userGroupProvider>
>>     To enable the composite-user-group-provider remove 2 lines. This is 2 of 2. -->
>>     <!--
>>         The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>>         Additionally, a single configurable user group provider is required. Users from the configurable user group provider
>>         are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
>>         - Configurable User Group Provider - A configurable user group provider.
>>         - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>>             each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>>             "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>>         NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>>             would need to be applied by the base implementation.
>>     -->
>>     <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
>>     <userGroupProvider>
>>         <identifier>composite-configurable-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>>         <property name="Configurable User Group Provider">file-user-group-provider</property>
>>         <property name="User Group Provider 1"></property>
>>     </userGroupProvider>
>>     To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
>>     <!--
>>         The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
>>         on the local file system.
>>         - User Group Provider - The identifier for an User Group Provider defined above that will be used to access
>>             users and groups for use in the managed access policies.
>>         - Authorizations File - The file where the FileAccessPolicyProvider will store policies.
>>         - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>>             given the ability to create additional users, groups, and policies. The value of this property could be
>>             a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>>             are no other policies defined. If this property is specified then a Legacy Authorized Users File can not be specified.
>>             NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>>             so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
>>         - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>             converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>>             not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>>             NOTE: Any users in the legacy users file must be found in the configured User Group Provider.
>>         - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>>             should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>>             The name of each property must be unique, for example for a three node cluster:
>>             "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>>             NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>>             so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
>>             in the configured User Group Provider.
>>         - Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically
>>             added/removed from the cluster.
>>             NOTE: The group must exist before starting NiFi.
>>     -->
>>     <accessPolicyProvider>
>>         <identifier>file-access-policy-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>         <property name="User Group Provider">ldap-user-group-provider</property>
>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>         <property name="Initial Admin Identity"></property>
>>         <property name="Legacy Authorized Users File"></property>
>>         <property name="Node Identity 1"></property>
>>         <property name="Node Group"></property>
>>     </accessPolicyProvider>
>>     <!--
>>         The StandardManagedAuthorizer. This authorizer implementation must be configured with the
>>         Access Policy Provider which it will use to access and manage users, groups, and policies.
>>         These users, groups, and policies will be used to make all access decisions during authorization
>>         requests.
>>         - Access Policy Provider - The identifier for an Access Policy Provider defined above.
>>     -->
>>     <authorizer>
>>         <identifier>managed-authorizer</identifier>
>>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>         <property name="Access Policy Provider">file-access-policy-provider</property>
>>     </authorizer>
>>     <!--
>>         NOTE: This Authorizer has been replaced with the more granular approach configured above with the Standard
>>         Managed Authorizer. However, it is still available for backwards compatibility reasons.
>>         The FileAuthorizer is NiFi's provided authorizer and has the following properties:
>>         - Authorizations File - The file where the FileAuthorizer will store policies.
>>         - Users File - The file where the FileAuthorizer will store users and groups.
>>         - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>>             given the ability to create additional users, groups, and policies. The value of this property could be
>>             a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>>             are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
>>             Users File can not be specified.
>>             NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>>             so the value should be the unmapped identity.
>>         - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>             converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>>             not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>>         - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>>             should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>>             The name of each property must be unique, for example for a three node cluster:
>>             "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>>             NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>>             so the values should be the unmapped identities (i.e. full DN from a certificate).
>>     -->
>>     <!-- <authorizer>
>>         <identifier>file-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Initial Admin Identity"></property>
>>         <property name="Legacy Authorized Users File"></property>
>>         <property name="Node Identity 1"></property>
>>     </authorizer>
>>     -->
>> </authorizers>
>>
>> On 19/07/2019 at 12:03, Pierre Villard wrote:
>>
>> Hi Nicolas,
>>
>> Could you share the full content of your authorizers.xml file? Sometimes it's just a matter of references not being in the right "order".
>>
>> On Fri, 19 Jul 2019 at 11:59, Edward Armes <[email protected]> wrote:
>>>
>>> I wasn't able to find any single good way; I don't know if switching the logs down to debug or trace might give you a bit more info though. In the end I just went through and worked it out by hand using a combination of manual checking against an alternative tool (i.e. an LDAP browser), file format checkers, or just commenting things out by hand.
>>>
>>> I did sometimes find that whitespace characters (newlines etc.) can occasionally cause a problem with the Spring loading.
>>>
>>> Edward
>>>
>>> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <[email protected]> wrote:
>>>>
>>>> Is there any way to get a better error?
>>>>
>>>> On 19/07/2019 at 11:36, Edward Armes wrote:
>>>>
>>>> Hi Nicolas,
>>>>
>>>> This one is a bit of a Spring special. The actual cause here is that the Spring Bean that is being created from this file has silently failed, and thus the auto-wiring has failed as well. The result is you get this lovely misleading error. The normal reason for the bean not being created, I found, was because I made a typo in the configuration file(s).
>>>>
>>>> Edward
>>>>
>>>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <[email protected]> wrote:
>>>>>
>>>>> Hi all
>>>>>
>>>>> Now that I know how to connect to my LDAP directory, I now have a strange error
>>>>>
>>>>> nifi-runner_1 | org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>>
>>>>> [... let me just skip the uninteresting Spring stack ...]
>>>>>
>>>>> nifi-runner_1 | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>> nifi-runner_1 | ... 96 common frames omitted
>>>>> nifi-runner_1 | Caused by: java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1 | at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>>> nifi-runner_1 | at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>>
>>>>> From what I understand, it seems like the AuthorizerFactoryBean tries to read my user-group-provider from the authorizers.xml file.
>>>>>
>>>>> I have such a user group provider, which is an LDAP one:
>>>>>
>>>>> <authorizers>
>>>>>     <userGroupProvider>
>>>>>         <identifier>ldap-user-group-provider</identifier>
>>>>>         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>>>         <property name="Authentication Strategy">LDAPS</property>
>>>>>         <property name="Manager DN">a_dn</property>
>>>>>         <property name="Manager Password">a_password</property>
>>>>>         <property name="TLS - Keystore"></property>
>>>>>         <property name="TLS - Keystore Password"></property>
>>>>>         <property name="TLS - Keystore Type"></property>
>>>>>         <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>>>         <property name="TLS - Truststore Password">another</property>
>>>>>         <property name="TLS - Truststore Type">JKS</property>
>>>>>         <property name="TLS - Client Auth"></property>
>>>>>         <property name="TLS - Protocol">TLSv1</property>
>>>>>         <property name="TLS - Shutdown Gracefully"></property>
>>>>>         <property name="Referral Strategy">FOLLOW</property>
>>>>>         <property name="Connect Timeout">10 secs</property>
>>>>>         <property name="Read Timeout">10 secs</property>
>>>>>         <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>>>         <property name="Page Size"></property>
>>>>>         <property name="Sync Interval">30 mins</property>
>>>>>         <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>>>         <property name="User Object Class">privPerson</property>
>>>>>         <property name="User Search Scope">SUBTREE</property>
>>>>>         <property name="User Search Filter"></property>
>>>>>         <property name="User Identity Attribute">uid</property>
>>>>>         <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>>>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>>>         <property name="Group Search Base"></property>
>>>>>         <property name="Group Object Class">group</property>
>>>>>         <property name="Group Search Scope">ONE_LEVEL</property>
>>>>>         <property name="Group Search Filter"></property>
>>>>>         <property name="Group Name Attribute"></property>
>>>>>         <property name="Group Member Attribute"></property>
>>>>>         <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>>>     </userGroupProvider>
>>>>>
>>>>> So why can't it be loaded?
>>>>>
>>>>> Because I don't see any other exception (typically, I would expect a search fail exception, but it seems to work).
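The checks the thread arrives at by hand (references must point at identifiers declared earlier and of the right type, nifi.security.user.authorizer in nifi.properties must name an `<authorizer>`, LDAP attribute properties must be real attribute names, and the initial admin / node identities must have the same shape as what the LDAP provider's 'User Identity Attribute' makes it return) can be run statically over authorizers.xml before starting NiFi. This is an added example, not code from the thread or from NiFi; the embedded XML is a constructed, cut-down version of the file posted above, and the "looks like a DN" test is a heuristic of our own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed-down authorizers.xml modelled on the one in the thread:
# the LDAP provider returns the short 'uid' as identity, but the initial admin is
# written as a full DN, and the group-name attribute is free text, not an attribute name.
SAMPLE_AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="User Search Base">ou=people,o=mycompany.com</property>
        <property name="User Identity Attribute">uid</property>
        <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Initial Admin Identity">uid=admin,ou=people,o=mycompany.com</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
"""

LDAP_UGP_CLASS = "org.apache.nifi.ldap.tenants.LdapUserGroupProvider"
IDENTITY_PROPS = ("Initial Admin Identity", "Node Identity")
# LDAP attribute descriptors are letters, digits and hyphens (RFC 4512); our own check, not NiFi's.
ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# Heuristic for "looks like a DN": comma-separated type=value components.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")
# Property (prefix) of each element type that references another element, and the tag it must point at.
REF_PROPS = {
    "userGroupProvider": ("User Group Provider", "userGroupProvider"),  # composite providers
    "accessPolicyProvider": ("User Group Provider", "userGroupProvider"),
    "authorizer": ("Access Policy Provider", "accessPolicyProvider"),
}


def _props(elem):
    return {p.get("name"): (p.text or "") for p in elem.findall("property")}


def check_authorizers(xml_text, selected_authorizer=None):
    """Return a list of (code, message) findings. selected_authorizer is the value of
    nifi.security.user.authorizer from nifi.properties, checked when given."""
    findings = []
    declared = {}            # identifier -> tag, in document order (NiFi resolves in order)
    ldap_identity_attr = {}  # LDAP provider identifier -> its 'User Identity Attribute'
    for elem in ET.fromstring(xml_text):
        if elem.tag not in REF_PROPS:
            continue
        ident = (elem.findtext("identifier") or "").strip()
        props = _props(elem)
        ref_prefix, want_tag = REF_PROPS[elem.tag]
        for name, value in props.items():
            if value != value.strip():   # stray newlines/spaces end up in the value
                findings.append(("WHITESPACE", f"'{ident}' property '{name}' has leading/trailing whitespace"))
            value = value.strip()
            if name.startswith(ref_prefix) and value:
                if value not in declared:
                    findings.append(("UNRESOLVED_REF", f"'{ident}' references '{value}', not declared above it"))
                elif declared[value] != want_tag:
                    findings.append(("WRONG_REF_TYPE", f"'{ident}' references '{value}', a {declared[value]}, not a {want_tag}"))
        if elem.tag == "userGroupProvider" and (elem.findtext("class") or "").strip() == LDAP_UGP_CLASS:
            ldap_identity_attr[ident] = props.get("User Identity Attribute", "").strip()
            for name, value in props.items():
                if name.endswith("Attribute") and value.strip() and not ATTR_NAME_RE.match(value.strip()):
                    findings.append(("BAD_ATTR_NAME", f"'{ident}' property '{name}' is not an attribute name: {value.strip()!r}"))
        if elem.tag == "accessPolicyProvider":
            ugp = props.get("User Group Provider", "").strip()
            if ugp in ldap_identity_attr:
                attr = ldap_identity_attr[ugp]   # empty means the provider returns full DNs
                for name, value in props.items():
                    value = value.strip()
                    if not value or not name.startswith(IDENTITY_PROPS):
                        continue
                    is_dn = bool(DN_RE.match(value))
                    if attr and is_dn:
                        findings.append(("IDENTITY_SHAPE", f"'{name}' is a DN but '{ugp}' identifies users by '{attr}'"))
                    elif not attr and not is_dn:
                        findings.append(("IDENTITY_SHAPE", f"'{name}' is not a DN but '{ugp}' uses the full DN as identity"))
        declared[ident] = elem.tag
    if selected_authorizer is not None and declared.get(selected_authorizer) != "authorizer":
        findings.append(("AUTHORIZER_NOT_FOUND", f"'{selected_authorizer}' is not an <authorizer> identifier"))
    return findings


if __name__ == "__main__":
    # Selecting the user group provider as the authorizer reproduces the thread's first error.
    for code, msg in check_authorizers(SAMPLE_AUTHORIZERS_XML, selected_authorizer="ldap-user-group-provider"):
        print(f"{code}: {msg}")
```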
