Something that I can suggest: the users.xml and authorizations.xml files are generated when NiFi starts for the first time. If you made some modifications (such as the initial admin identity), the users.xml and authorizations.xml files won't be updated with your configuration change... Something you could try: delete the authorizations.xml and users.xml files and restart NiFi to be sure it uses the latest version of your configuration.

On Tue, Aug 20, 2019 at 10:33, Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:

> When I try to log in, the UI shows
> Insufficient Permissions
> Unable to view the user interface. Contact the system administrator.
>
> The log file contains
>
> 2019-08-20 08:22:18,808 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Tue Aug 20 08:22:18 UTC 2019
> 2019-08-20 08:28:24,459 INFO [NiFi Web Server-20]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> Kerberos ticket login not supported by this NiFi.. Returning Conflict
> response.
> 2019-08-20 08:28:24,521 INFO [NiFi Web Server-20]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> OpenId Connect is not configured.. Returning Conflict response.
> 2019-08-20 08:28:24,678 INFO [NiFi Web Server-26]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none]
> does not have permission to access the requested resource. Unknown user
> with identity 'anonymous'. Returning Unauthorized response.
> 2019-08-20 08:28:31,702 INFO [NiFi Web Server-26]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
> https://nifi-psh.adeo.com:8443/nifi-api/flow/current-user (source ip:
> 172.20.0.1)
> 2019-08-20 08:28:31,710 INFO [NiFi Web Server-26]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
> uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
> 2019-08-20 08:28:31,718 INFO [NiFi Web Server-26]
> o.a.n.w.a.c.AccessDeniedExceptionMapper
> identity[uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com],
> groups[GO-LM-ROLE-DATA-INGEST-ADMIN] does not have permission to access the
> requested resource. Unable to view the user interface. Returning Forbidden
> response.
>
> I would love to be able to confirm that my authorizations.xml contains
> authorization for my initial admin, but the file only contains the opaque
> identifier ...
>
> I have no users.xml generated (which seems normal to me, since I get users
> from LDAP)
>
> I still don't understand what's wrong ... And I really appreciate your
> help.
>
> On 19/08/2019 at 14:42, Pierre Villard wrote:
>
> Hi Nicolas,
>
> Can you share the message you get when accessing the UI? The logs from the
> nifi-user.log file? As well as having a look at the users.xml and
> authorizations.xml file generated the first time NiFi is starting based on
> your configuration?
>
> Thanks,
> Pierre
>
> On Mon, Aug 19, 2019 at 11:35, Nicolas Delsaux <nicolas.dels...@gmx.fr>
> wrote:
>
>> Hello all
>>
>> I now have a NiFi instance able to connect to the LDAP server, with valid
>> certificates and so on.
>>
>> But I'm unable to connect to the NiFi UI, although I have set myself as
>> initial admin identity.
>>
>> My LDAP full DN is set as initial admin identity
>> <accessPolicyProvider>
>> <identifier>file-access-policy-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> <property name="User Group Provider">ldap-user-group-provider</property>
>> <property name="Authorizations File">./conf/authorizations.xml</property>
>> <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.company.com</property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> <property name="Node Group"></property>
>> </accessPolicyProvider>
>>
>> And I'm a member of the group which is used to allow access
>> <property name="Group Search Base">cn=GO-LM-ROLE-DATA-INGEST-ADMIN,ou=DATA-INGEST,ou=applicationRole,ou=role,ou=GO-LM,o=corp.company.com</property>
>> <property name="Group Object Class">groupofuniquenames</property>
>> <property name="Group Search Scope">SUBTREE</property>
>> <property name="Group Search Filter"></property>
>> <property name="Group Name Attribute">cn</property>
>> <property name="Group Member Attribute">uniqueMember</property>
>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>> </userGroupProvider>
>>
>> But, when I debug the StandardManagedAuthorizer code
>>
>> it seems the User object created from the authentication attempt has a
>> different identifier than the initial admin.
>>
>> Is it possible? And if so, how to configure NiFi to make sure the user
>> obtained from a login has the same identifier as an existing one?
>>
>> Thanks
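
As an added illustration (not code from this thread or from the NiFi project), here is a Python check for the question raised in the quoted message: does authorizations.xml grant read on `/flow` (the policy behind "Unable to view the user interface") to a given identity? It assumes the file uses `<policy resource="..." action="...">` elements with `<user identifier="..."/>` and `<group identifier="..."/>` children, and that the opaque identifier of an LDAP-provided user is derived as Java's `UUID.nameUUIDFromBytes` over the identity's UTF-8 bytes; the DN and the sample file are constructed placeholders.

```python
import hashlib
import uuid
import xml.etree.ElementTree as ET

ADMIN_DN = "uid=jdoe,ou=people,o=example.org"  # constructed placeholder DN


def seed_identifier(identity: str) -> str:
    """Assumed derivation: Java's UUID.nameUUIDFromBytes over UTF-8 bytes
    (MD5 digest with the version-3 and variant bits set)."""
    digest = hashlib.md5(identity.encode("utf-8")).digest()
    return str(uuid.UUID(bytes=digest, version=3))


def policies_for(xml_text: str, identifier: str, kind: str = "user"):
    """Sorted (resource, action) pairs whose policy lists the identifier.
    kind is "user" or "group", matching the child element name."""
    root = ET.fromstring(xml_text)
    return sorted(
        (p.get("resource"), p.get("action"))
        for p in root.iter("policy")
        if any(m.get("identifier") == identifier for m in p.findall(kind))
    )


def can_view_ui(xml_text: str, identity: str) -> bool:
    """True if the identity itself holds read on /flow (view the UI)."""
    return ("/flow", "R") in policies_for(xml_text, seed_identifier(identity))


# Constructed sample in the layout of authorizations.xml (not from the thread).
SAMPLE = f"""<authorizations>
  <policies>
    <policy identifier="p-flow-read" resource="/flow" action="R">
      <user identifier="{seed_identifier(ADMIN_DN)}"/>
    </policy>
    <policy identifier="p-tenants-write" resource="/tenants" action="W">
      <user identifier="{seed_identifier(ADMIN_DN)}"/>
    </policy>
  </policies>
</authorizations>"""

if __name__ == "__main__":
    print(policies_for(SAMPLE, seed_identifier(ADMIN_DN)))
    # This check matches identity strings exactly: a case change yields another id.
    print(can_view_ui(SAMPLE, ADMIN_DN), can_view_ui(SAMPLE, ADMIN_DN.upper()))
```

To run it against a real instance, pass the text of `./conf/authorizations.xml` and the exact identity string shown in the "Authentication success for" log line.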