Wow, I'm really REALLY puzzled.
I'm using Nifi through the docker image, and docker-compose.
I used to do docker-compose up/down, and it failed.
But this time, I did a docker-compose down, AND destroyed the folder in
which the application is deployed. And this time, it worked! I'm now
logged in as my ldap uid.
Thank you very much, Pierre!
On 20/08/2019 at 10:55, Pierre Villard wrote:
Something that I can suggest: the users.xml and authorizations.xml
files are generated when NiFi starts for the first time. If you did
some modifications (such as the initial admin identity), the files
users/authorizations won't be updated with your configuration
change... Something you could try: delete authorizations.xml and
users.xml files and restart NiFi to be sure it uses the last version
of your configuration.
On Tue 20 Aug 2019 at 10:33, Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:
When I try to login, UI shows
Insufficient Permissions
Unable to view the user interface. Contact the system administrator.
The log file contains
2019-08-20 08:22:18,808 INFO [main]
o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Tue
Aug 20 08:22:18 UTC 2019
2019-08-20 08:28:24,459 INFO [NiFi Web Server-20]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException: Kerberos ticket login not
supported by this NiFi.. Returning Conflict response.
2019-08-20 08:28:24,521 INFO [NiFi Web Server-20]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException: OpenId Connect is not
configured.. Returning Conflict response.
2019-08-20 08:28:24,678 INFO [NiFi Web Server-26]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous],
groups[none] does not have permission to access the requested
resource. Unknown user with identity 'anonymous'. Returning
Unauthorized response.
2019-08-20 08:28:31,702 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT
token>) GET
https://nifi-psh.adeo.com:8443/nifi-api/flow/current-user (source
ip: 172.20.0.1)
2019-08-20 08:28:31,710 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com
2019-08-20 08:28:31,718 INFO [NiFi Web Server-26]
o.a.n.w.a.c.AccessDeniedExceptionMapper
identity[uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com],
groups[GO-LM-ROLE-DATA-INGEST-ADMIN] does not have permission to
access the requested resource. Unable to view the user interface.
Returning Forbidden response.
I would love to be able to confirm that my authorizations.xml
contains authorization for my initial admin, but the file only
contains the opaque identifier ...
I have no users.xml generated (which seems normal to me, since I
get users from LDAP)
I still don't understand what's wrong ... And I really appreciate
your help.
On 19/08/2019 at 14:42, Pierre Villard wrote:
Hi Nicolas,
Can you share the message you get when accessing the UI? The logs
from the nifi-user.log file? As well as having a look at the
users.xml and authorizations.xml file generated the first time
NiFi is starting based on your configuration?
Thanks,
Pierre
On Mon 19 Aug 2019 at 11:35, Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:
Hello all,
I now have a nifi instance able to connect to LDAP server,
with valid certificates and so on.
But I'm unable to connect to Nifi UI, although I have set
myself as initial admin identity.
My full ldap DN is set as initial admin identity:
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.company.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>
And I'm a member of the group which is used to allow access:
<userGroupProvider>
    <!-- identifier, class and LDAP connection properties are not included in the message; only the group settings are shown -->
    <property name="Group Search Base">cn=GO-LM-ROLE-DATA-INGEST-ADMIN,ou=DATA-INGEST,ou=applicationRole,ou=role,ou=GO-LM,o=corp.company.com</property>
    <property name="Group Object Class">groupofuniquenames</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter"></property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">uniqueMember</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
But, when I debug the StandardManagedAuthorizer code,
it seems the User object created from the authentication
attempt has a different identifier than the initial admin.
Is it possible? And if so, how to configure Nifi to make
sure the user obtained from a login has the same identifier
as an existing one?
Thanks
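Pierre's point in this thread is that authorizations.xml is generated once, on first start, so a later change to "Initial Admin Identity" is not reflected in it; Nicolas's difficulty is that the file only holds an opaque identifier, so you cannot see by eye whether the grant belongs to your DN. The script below is an added example, not NiFi code and not from anyone in the thread: it reads the configured admin DN out of an authorizers.xml fragment, derives the identifier for it, and checks which policies in an authorizations.xml list that identifier (in particular read on /flow, which is what "Unable to view the user interface" is about). The sample files are constructed inline and modelled on the configuration quoted above. The one assumption to be aware of is the identifier derivation: it follows Java's UUID.nameUUIDFromBytes over the UTF-8 identity string (MD5 with version-3 and RFC 4122 variant bits), which is how NiFi's seed-based identifier generation is understood to work; if your files use a different scheme, compare against the identifier in your own users.xml instead.

```python
"""Check that a NiFi Initial Admin Identity is actually granted by the
generated authorizations.xml (added example; not NiFi's own code)."""
import hashlib
import uuid
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the accessPolicyProvider block in the thread.
INITIAL_ADMIN = "uid=20008203,ou=people,ou=go-lm,o=corp.company.com"
AUTHORIZERS_XML = f"""<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">{INITIAL_ADMIN}</property>
  </accessPolicyProvider>
</authorizers>"""


def nifi_seed_identifier(identity: str) -> str:
    """Opaque identifier for an identity string.

    Assumption: NiFi derives it the way Java's UUID.nameUUIDFromBytes does,
    i.e. MD5 of the UTF-8 bytes with the version-3 and RFC 4122 variant bits set.
    """
    digest = bytearray(hashlib.md5(identity.encode("utf-8")).digest())
    digest[6] = (digest[6] & 0x0F) | 0x30  # version 3 (name-based, MD5)
    digest[8] = (digest[8] & 0x3F) | 0x80  # RFC 4122 variant
    return str(uuid.UUID(bytes=bytes(digest)))


def make_authorizations_xml(admin_identity: str) -> str:
    """Constructed authorizations.xml in the shape the file provider writes on
    first start: policies reference the admin's identifier, never the DN."""
    ident = nifi_seed_identifier(admin_identity)
    return f"""<authorizations>
  <policies>
    <policy identifier="p-flow-r" resource="/flow" action="R">
      <user identifier="{ident}"/>
    </policy>
    <policy identifier="p-policies-r" resource="/policies" action="R">
      <user identifier="{ident}"/>
    </policy>
  </policies>
</authorizations>"""


def initial_admin_identity(authorizers_xml: str) -> str:
    """Return the configured Initial Admin Identity, whitespace trimmed."""
    root = ET.fromstring(authorizers_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return (prop.text or "").strip()
    raise ValueError("no Initial Admin Identity configured")


def grants_for(authorizations_xml: str, identifier: str) -> set:
    """(resource, action) pairs of every policy that lists this user identifier."""
    root = ET.fromstring(authorizations_xml)
    found = set()
    for policy in root.iter("policy"):
        if any(u.get("identifier") == identifier for u in policy.findall("user")):
            found.add((policy.get("resource"), policy.get("action")))
    return found


def check_initial_admin(authorizers_xml: str, authorizations_xml: str) -> dict:
    """Report whether the configured admin holds read on /flow (the UI)."""
    identity = initial_admin_identity(authorizers_xml)
    identifier = nifi_seed_identifier(identity)
    grants = grants_for(authorizations_xml, identifier)
    return {
        "identity": identity,
        "identifier": identifier,
        "grants": grants,
        "can_view_ui": ("/flow", "R") in grants,
    }


if __name__ == "__main__":
    # "fresh": generated from the current config; "stale": generated earlier,
    # when Initial Admin Identity was a different (constructed) DN.
    fresh = make_authorizations_xml(INITIAL_ADMIN)
    stale = make_authorizations_xml("cn=old-admin,o=corp.company.com")
    for label, xml_text in (("fresh", fresh), ("stale", stale)):
        r = check_initial_admin(AUTHORIZERS_XML, xml_text)
        print(f"{label}: {r['identifier']} can view UI: {r['can_view_ui']}")
```

Run against a real deployment by reading conf/authorizers.xml and conf/authorizations.xml into the two arguments of check_initial_admin. A "stale" result, where the derived identifier appears in no policy, is the situation Pierre describes; a result where the DN in nifi-user.log differs by even a character from the configured identity will also fail, because the identifier is a hash of the exact string.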