When I try to log in, the UI shows:

Insufficient Permissions
Unable to view the user interface. Contact the system administrator.

The log file contains:

2019-08-20 08:22:18,808 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Tue Aug 20 08:22:18 UTC 2019
2019-08-20 08:28:24,459 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2019-08-20 08:28:24,521 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2019-08-20 08:28:24,678 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
2019-08-20 08:28:31,702 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi-psh.adeo.com:8443/nifi-api/flow/current-user (source ip: 172.20.0.1)
2019-08-20 08:28:31,710 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
2019-08-20 08:28:31,718 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com], groups[GO-LM-ROLE-DATA-INGEST-ADMIN] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I would love to be able to confirm that my authorizations.xml contains authorization for my initial admin, but the file only contains the opaque identifier ...

I have no users.xml generated (which seems normal to me, since I get users from LDAP).

I still don't understand what's wrong ... And I really appreciate your help.

On 19/08/2019 at 14:42, Pierre Villard wrote:

Hi Nicolas,

Can you share the message you get when accessing the UI? The logs from the nifi-user.log file? As well as having a look at the users.xml and authorizations.xml files generated the first time NiFi is starting based on your configuration?

Thanks,
Pierre

On Mon, 19 Aug 2019 at 11:35, Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:

Hello all

I now have a NiFi instance able to connect to the LDAP server, with valid certificates and so on.

But I'm unable to connect to the NiFi UI, although I have set myself as initial admin identity.

My LDAP full DN is set as initial admin identity:

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.company.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>

And I'm a member of the group which is used to allow access:

    <property name="Group Search Base">cn=GO-LM-ROLE-DATA-INGEST-ADMIN,ou=DATA-INGEST,ou=applicationRole,ou=role,ou=GO-LM,o=corp.company.com</property>
    <property name="Group Object Class">groupofuniquenames</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter"></property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">uniqueMember</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

But when I debug the StandardManagedAuthorizer code, it seems the User object created from the authentication attempt has a different identifier than the initial admin.

Is it possible? And if so, how do I configure NiFi to make sure the user obtained from a login has the same identifier as an existing one?

Thanks
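
Added example, not part of the thread and not NiFi code: a Python check that reads the Initial Admin Identity from an authorizers.xml fragment and compares it with the identities reported in AccessDeniedExceptionMapper lines of nifi-user.log, which is the comparison the question above turns on. It assumes NiFi matches identity strings exactly; the DN, group name and log lines are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread): a placeholder DN and log
# lines in the AccessDeniedExceptionMapper format quoted in the thread.
AUTHORIZERS_XML = """<accessPolicyProvider>
  <identifier>file-access-policy-provider</identifier>
  <property name="Initial Admin Identity">uid=jdoe,ou=people,o=example.com</property>
</accessPolicyProvider>"""

USER_LOG = """\
2019-08-20 08:28:24,678 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
2019-08-20 08:28:31,718 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[uid=jdoe,ou=People,o=example.com], groups[NIFI-ADMIN] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
2019-08-20 08:29:02,101 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[uid=jdoe,ou=people,o=example.com], groups[NIFI-ADMIN] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
2019-08-20 08:30:10,007 INFO [NiFi Web Server-28] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[jdoe], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
"""

DENIED = re.compile(
    r"AccessDeniedExceptionMapper identity\[(?P<identity>.*?)\], groups\[(?P<groups>.*?)\]")

def initial_admin(authorizers_xml):
    """Return the configured Initial Admin Identity exactly as written."""
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return prop.text or ""
    raise ValueError("no Initial Admin Identity property found")

def normalise(dn):
    # Diagnostic only: lower-case and trim each comma-separated component
    # (does not handle escaped commas inside attribute values).
    return ",".join(part.strip().lower() for part in dn.split(","))

def classify_denials(admin, log_text):
    """List (identity, groups, verdict) for each denied non-anonymous identity."""
    results = []
    for m in DENIED.finditer(log_text):
        identity = m.group("identity")
        if identity == "anonymous":
            continue  # request made before login, not the admin user
        if identity == admin:
            verdict = "exact-match"  # same string: look at policies instead
        elif normalise(identity) == normalise(admin):
            verdict = "differs-in-case-or-whitespace"
        else:
            verdict = "different-identity"
        results.append((identity, m.group("groups"), verdict))
    return results

if __name__ == "__main__":
    for row in classify_denials(initial_admin(AUTHORIZERS_XML), USER_LOG):
        print(row)
```

An "exact-match" verdict on a request that was still denied points away from the identity string and toward the policies in authorizations.xml.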