Hi Nicolas,

Is it possible you changed the initial admin identity at some point?
If so, you will need to delete authorizations.xml and restart NiFi
Registry to allow it to be recreated with the new initial admin.

Also, NiFi Registry never allows modifying the permissions for the
current user. You would have to log in as another admin to change your
permissions.

Hope this helps,
Kevin

On Mon, Sep 2, 2019 at 8:56 AM Nicolas Delsaux <[email protected]> wrote:
> Hi all
>
> I'm still trying to connect nifi to registry with both of them using
> authentication.
>
> So far, i've understood that, like in Nifi, I have to set
> identity-providers.xml and authorizers.xml to have connection to ldap
> configured.
>
> And I can connect to the registry using my LDAP, so it works (to a
> certain extent).
>
> *However*, it seems like my user is not really an admin, as I can't
> manage other users.
>
> To say things more clearly, the nifi-registry UI allows me to view my user
> privileges, but I can't edit my permissions, and I can edit none of the
> other users' permissions. Nor can I add/remove users.
>
> Which is weird, considering I'm the initial admin of nifi-registry.
>
> Is there something I forgot?
>
>
> Here is my authorizers.xml for nifi-registry
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Initial User Identity 1">cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr</property>
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>ldap-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
>         <property name="Authentication Strategy">LDAPS</property>
>
>         <property name="Manager DN">uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com</property>
>         <property name="Manager Password">YOU_KIDDIN___DO_YOU</property>
>
>         <property name="TLS - Keystore"></property>
>         <property name="TLS - Keystore Password"></property>
>         <property name="TLS - Keystore Type"></property>
>         <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>         <property name="TLS - Truststore Password">pfeblelep</property>
>         <property name="TLS - Truststore Type">JKS</property>
>         <property name="TLS - Client Auth"></property>
>         <property name="TLS - Protocol">TLSv1</property>
>         <property name="TLS - Shutdown Gracefully"></property>
>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>
>         <property name="Url">ldaps://ldapserver.my.company.com:636</property>
>         <property name="Page Size"></property>
>         <property name="Sync Interval">30 mins</property>
>
>         <property name="User Search Base"></property>
>         <property name="User Object Class"></property>
>         <property name="User Search Scope">OBJECT</property>
>         <property name="User Search Filter"></property>
>         <property name="User Identity Attribute"></property>
>         <property name="User Group Name Attribute"></property>
>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>         <property name="Group Search Base">cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com</property>
>         <property name="Group Object Class">groupofuniquenames</property>
>         <property name="Group Search Scope">SUBTREE</property>
>         <property name="Group Search Filter"></property>
>         <property name="Group Name Attribute">cn</property>
>         <property name="Group Member Attribute">uniqueMember</property>
>         <property name="Group Member Attribute - Referenced User Attribute"></property>
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>composite-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
>         <property name="User Group Provider 1">ldap-user-group-provider</property>
>         <property name="User Group Provider 2">file-user-group-provider</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">composite-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com</property>
>         <property name="Nifi Identity 1">cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr</property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> Thanks for your help
>

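A quick way to verify the situation Kevin describes before deleting anything: the file access policy provider only seeds the "Initial Admin Identity" when authorizations.xml does not yet exist, so if that identity was changed later, users.xml and authorizations.xml still carry the old admin and the new one is logged in with no admin policies. The script below is an added example, not part of the thread or of NiFi Registry itself. It parses the three files the way the registry writes them (users as `<user identifier=... identity=.../>` under `<tenants>`, policies as `<policy resource=... action=...>` with `<user identifier=.../>` children under `<authorizations>`), looks up the configured initial admin by exact identity string, and reports whether that user holds R and W on the two resources needed to manage users and policies, `/tenants` and `/policies`. The three XML documents embedded in it are constructed samples with placeholder identities; on a real install, read them from the paths named in authorizers.xml instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample authorizers.xml: the admin identity has been changed to
# uid=new-admin after the registry was first started (placeholder values).
AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">cn=nifi-runner.example.com, ou=ssl infra server, o=example, c=fr</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">uid=new-admin,ou=people,o=example.com</property>
    </accessPolicyProvider>
</authorizers>
"""

# Constructed users.xml as seeded on first start, when the admin was still uid=old-admin.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="3d2c1b0a-0000-4000-8000-000000000001" identity="uid=old-admin,ou=people,o=example.com"/>
        <user identifier="3d2c1b0a-0000-4000-8000-000000000002" identity="cn=nifi-runner.example.com, ou=ssl infra server, o=example, c=fr"/>
    </users>
</tenants>
"""

# Constructed authorizations.xml: every admin policy still points at old-admin's identifier.
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="p1" resource="/tenants" action="R"><user identifier="3d2c1b0a-0000-4000-8000-000000000001"/></policy>
        <policy identifier="p2" resource="/tenants" action="W"><user identifier="3d2c1b0a-0000-4000-8000-000000000001"/></policy>
        <policy identifier="p3" resource="/policies" action="R"><user identifier="3d2c1b0a-0000-4000-8000-000000000001"/></policy>
        <policy identifier="p4" resource="/policies" action="W"><user identifier="3d2c1b0a-0000-4000-8000-000000000001"/></policy>
    </policies>
</authorizations>
"""

# Resource/action pairs an admin needs to manage users and access policies in the UI.
ADMIN_POLICIES = [("/tenants", "R"), ("/tenants", "W"), ("/policies", "R"), ("/policies", "W")]


def _root(xml_text: str) -> ET.Element:
    # Encode first so the XML declaration's encoding attribute is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def initial_admin_identity(authorizers_xml: str) -> str:
    """Return the 'Initial Admin Identity' configured on the accessPolicyProvider."""
    for provider in _root(authorizers_xml).findall("accessPolicyProvider"):
        for prop in provider.findall("property"):
            if prop.get("name") == "Initial Admin Identity":
                return (prop.text or "").strip()
    raise ValueError("no Initial Admin Identity configured in authorizers.xml")


def users_by_identity(users_xml: str) -> dict:
    """Map identity string -> internal identifier (UUID) from users.xml."""
    return {u.get("identity"): u.get("identifier") for u in _root(users_xml).iter("user")}


def policy_grants(authorizations_xml: str) -> dict:
    """Map (resource, action) -> set of user identifiers granted by authorizations.xml."""
    grants = {}
    for policy in _root(authorizations_xml).iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        grants.setdefault(key, set()).update(u.get("identifier") for u in policy.findall("user"))
    return grants


def check_initial_admin(authorizers_xml: str, users_xml: str, authorizations_xml: str) -> list:
    """Return findings explaining why the configured initial admin is not an effective admin.

    An empty list means the identity in authorizers.xml is present in users.xml and
    holds every policy in ADMIN_POLICIES; any finding means authorizations.xml was
    seeded for a different identity and will not be re-seeded until it is removed.
    Identities are compared as exact strings, which is what the file provider does.
    """
    admin = initial_admin_identity(authorizers_xml)
    users = users_by_identity(users_xml)
    admin_id = users.get(admin)
    if admin_id is None:
        return [f"initial admin '{admin}' has no entry in users.xml; seeded identities: {sorted(users)}"]
    grants = policy_grants(authorizations_xml)
    return [f"initial admin lacks {action} on {resource} in authorizations.xml"
            for resource, action in ADMIN_POLICIES if admin_id not in grants.get((resource, action), set())]


if __name__ == "__main__":
    for finding in check_initial_admin(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML) or ["initial admin is fully seeded"]:
        print(finding)
```

If the script reports a finding, Kevin's fix applies: stop the registry, delete authorizations.xml (and users.xml if the admin is missing there too) and restart. Both files are regenerated from scratch, so every other policy, including bucket grants to the "Nifi Identity" entries, is lost with them; back them up first and re-grant afterwards.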