Ouch. That is understandably frustrating, and can be improved. I’ll look into 
replacing that with a case-insensitive match, as well as logging warnings for 
unrecognized properties.

Sorry for the difficulty you experienced in getting this working. Thanks for 
sharing the resolution. Let me know if you have any other questions.


________________________________
From: Nicolas Delsaux <nicolas.dels...@gmx.fr>
Sent: Thursday, September 5, 2019 2:47 AM
To: users@nifi.apache.org
Subject: Re: In nifi-registry, why can't I edit other users privileges

Well, in fact, I had a number of issues with configuration files.

So I took the time to verify all those files, and I took the time to
understand the Nifi registry UI for permissions (which is as user-friendly
as the nifi one). And I finally understood what problem I had.

In fact, the worst part came when I tried to understand why my nifi
runner couldn't connect to nifi registry.

Which was simply due to the fact that, on the nifi registry side, in
authorizers.xml, I used a property called "Nifi identify 1", whereas I
should have used "NiFi Identity 1". Can you spot the difference?

For me, it took one phase of reading authorization code, then running
the regexp for that property in an online editor.

To my mind, this would deserve a bug, because really, using property
names this way is really too error-prone.

I would at least add code to detect nearby texts (through Levenshtein
distance, as an example) and show a BIG warning to explain to the user what
is wrong.

But I'm only a user ;-) (a little grumpy, this morning, indeed)

On 04/09/2019 at 18:59, Kevin Doran wrote:
> Hi Nicolas,
>
> Is it possible you changed the initial admin identity at some point?
> If so, you will need to delete authorizations.xml and restart NiFi
> Registry to allow it to be recreated with the new initial admin.
>
> Also, nifi registry never allows modifying the permissions for the
> current user. You would have to log in as another admin to change your
> permissions.
>
> Hope this helps,
> Kevin
>
> On Mon, Sep 2, 2019 at 8:56 AM Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote:
>> Hi all
>>
>> I'm still trying to connect nifi to registry with both of them using
>> authentication.
>>
>> So far, I've understood that, like in Nifi, I have to set
>> identity-providers.xml and authorizers.xml to have the connection to ldap
>> configured.
>>
>> And I can connect to the registry using my ldap, so it works (to a
>> certain extent).
>>
>> *However*, it seems like my user is not really an admin, as I can't
>> manage other users.
>>
>> To say things more clearly, the nifi-registry UI allows me to view my user
>> privileges, but I can't edit my permissions, and I can edit none of the
>> other users' permissions. Nor can I add/remove users.
>>
>> Which is weird, considering I'm the initial admin of nifi-registry.
>>
>> Is there something I forgot?
>>
>>
>> Here is my authorizers.xml for nifi-registry
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <authorizers>
>>   <userGroupProvider>
>>     <identifier>file-user-group-provider</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>     <property name="Users File">./conf/users.xml</property>
>>     <property name="Initial User Identity 1">cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr</property>
>>   </userGroupProvider>
>>   <userGroupProvider>
>>     <identifier>ldap-user-group-provider</identifier>
>>     <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
>>     <property name="Authentication Strategy">LDAPS</property>
>>
>>     <property name="Manager DN">uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com</property>
>>     <property name="Manager Password">YOU_KIDDIN___DO_YOU</property>
>>
>>     <property name="TLS - Keystore"></property>
>>     <property name="TLS - Keystore Password"></property>
>>     <property name="TLS - Keystore Type"></property>
>>     <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>     <property name="TLS - Truststore Password">pfeblelep</property>
>>     <property name="TLS - Truststore Type">JKS</property>
>>     <property name="TLS - Client Auth"></property>
>>     <property name="TLS - Protocol">TLSv1</property>
>>     <property name="TLS - Shutdown Gracefully"></property>
>>
>>     <property name="Referral Strategy">FOLLOW</property>
>>     <property name="Connect Timeout">10 secs</property>
>>     <property name="Read Timeout">10 secs</property>
>>
>>     <property name="Url">ldaps://ldapserver.my.company.com:636</property>
>>     <property name="Page Size"></property>
>>     <property name="Sync Interval">30 mins</property>
>>
>>     <property name="User Search Base"></property>
>>     <property name="User Object Class"></property>
>>     <property name="User Search Scope">OBJECT</property>
>>     <property name="User Search Filter"></property>
>>     <property name="User Identity Attribute"></property>
>>     <property name="User Group Name Attribute"></property>
>>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>
>>     <property name="Group Search Base">cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com</property>
>>     <property name="Group Object Class">groupofuniquenames</property>
>>     <property name="Group Search Scope">SUBTREE</property>
>>     <property name="Group Search Filter"></property>
>>     <property name="Group Name Attribute">cn</property>
>>     <property name="Group Member Attribute">uniqueMember</property>
>>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>>   </userGroupProvider>
>>   <userGroupProvider>
>>     <identifier>composite-user-group-provider</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
>>     <property name="User Group Provider 1">ldap-user-group-provider</property>
>>     <property name="User Group Provider 2">file-user-group-provider</property>
>>   </userGroupProvider>
>>   <accessPolicyProvider>
>>     <identifier>file-access-policy-provider</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>     <property name="User Group Provider">composite-user-group-provider</property>
>>     <property name="Authorizations File">./conf/authorizations.xml</property>
>>     <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com</property>
>>     <property name="Nifi Identity 1">cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr</property>
>>   </accessPolicyProvider>
>>   <authorizer>
>>     <identifier>managed-authorizer</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>>     <property name="Access Policy Provider">file-access-policy-provider</property>
>>   </authorizer>
>> </authorizers>
>>
>> Thanks for your help
>>
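The silent property-name mismatch this thread is about ("Nifi identify 1" / "Nifi Identity 1" accepted without complaint where "NiFi Identity 1" was expected), together with the case-insensitive match and Levenshtein-distance warning suggested above, as a small lint script for the accessPolicyProvider section. This is an added example written for this page, not code from the thread or from NiFi Registry; the expected property names are the ones in the authorizers.xml above, and the `\S+` pattern for the numbered identities is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Property names the thread's file-access-policy-provider accepts. NiFi Registry
# matches numbered "NiFi Identity N" names with a regex; \S+ for N is an assumption.
EXPECTED = ["User Group Provider", "Authorizations File",
            "Initial Admin Identity", r"NiFi Identity \S+"]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return (verdict, canonical name): "ok", "case", "near" or "unknown"."""
    suffix = name.split()[-1] if name.split() else ""
    # Expand the regex placeholder with the name's last token ("NiFi Identity 1").
    canon = {p: p.replace(r"\S+", suffix) for p in EXPECTED}
    if any(re.fullmatch(p, name) for p in EXPECTED):
        return "ok", name
    for p in EXPECTED:
        if re.fullmatch(p, name, re.IGNORECASE):  # only letter case differs
            return "case", canon[p]
    best = min(canon.values(), key=lambda c: levenshtein(name, c))
    if levenshtein(name, best) <= max(3, len(best) // 4):
        return "near", best
    return "unknown", ""

def lint_access_policy_provider(xml_text):
    """List (name, verdict, suggestion) for every property that is not an exact match."""
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root.iter("accessPolicyProvider"):
        for prop in provider.findall("property"):
            verdict, canonical = classify(prop.get("name", ""))
            if verdict != "ok":
                findings.append((prop.get("name", ""), verdict, canonical))
    return findings

# Constructed sample reproducing the thread's mistake; values are placeholders.
SAMPLE = """<authorizers><accessPolicyProvider>
  <property name="User Group Provider">composite-user-group-provider</property>
  <property name="Nifi identify 1">cn=nifi-runner-placeholder</property>
  <property name="Nifi Identity 2">cn=second-runner-placeholder</property>
</accessPolicyProvider></authorizers>"""
```

Running `lint_access_policy_provider` over a real authorizers.xml flags "Nifi Identity 2" as a case mismatch and "Nifi identify 1" as a near miss of "NiFi Identity 1", which is the warning the thread asks for.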
