When I try to log in, the UI shows

Insufficient Permissions
Unable to view the user interface. Contact the system administrator.

The log file contains

2019-08-20 08:22:18,808 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Tue Aug 20 08:22:18 UTC 2019
2019-08-20 08:28:24,459 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2019-08-20 08:28:24,521 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2019-08-20 08:28:24,678 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
2019-08-20 08:28:31,702 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi-psh.adeo.com:8443/nifi-api/flow/current-user (source ip: 172.20.0.1)
2019-08-20 08:28:31,710 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
2019-08-20 08:28:31,718 INFO [NiFi Web Server-26] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com], groups[GO-LM-ROLE-DATA-INGEST-ADMIN] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.

I would love to be able to confirm that my authorizations.xml contains
authorization for my initial admin, but the file only contains the
opaque identifier ...

I have no users.xml generated (which seems normal to me, since I get
users from LDAP)

I still don't understand what's wrong ... And I really appreciate your help.

On 19/08/2019 at 14:42, Pierre Villard wrote:
Hi Nicolas,

Can you share the message you get when accessing the UI? The logs from
the nifi-user.log file? As well as having a look at the users.xml and
authorizations.xml files generated the first time NiFi starts
based on your configuration?

Thanks,
Pierre

On Mon, 19 Aug 2019 at 11:35, Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:

    Hello all

    I now have a nifi instance able to connect to LDAP server, with
    valid certificates and so on.

    But I'm unable to connect to the NiFi UI, although I have set myself as
    initial admin identity.


    My ldap full DN is set as initial admin identity

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.company.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

    And I'm a member of the group which is used to allow access

        <property name="Group Search Base">cn=GO-LM-ROLE-DATA-INGEST-ADMIN,ou=DATA-INGEST,ou=applicationRole,ou=role,ou=GO-LM,o=corp.company.com</property>
        <property name="Group Object Class">groupofuniquenames</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">uniqueMember</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

    But when I debug the StandardManagedAuthorizer code,
    it seems the User object created from the authentication attempt
    has a different identifier than the initial admin.

    Is it possible? And if so, how to configure NiFi to make sure the
    user obtained from a login has the same identifier as an
    existing one?

    Thanks
