OK, to diagnose, look at the users.xml to see if there is a user matching that 
DN, and if so, it should have a UUID. Then in the authorizations.xml there 
should be policies defined in a hierarchical manner associating those users 
with a right on a specific resource (component/processor). If so, you can 
copy/paste as many as you want to define them. 

Again, this is not the ideal situation; most of this should be possible through 
the UI but I’m not sitting there to diagnose the issue. 

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
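The check Andy describes (find the DN in users.xml, take its identifier, then look for policies in authorizations.xml that reference that identifier directly or through a group) is easy to script. The example below is added here and is not code from the thread or from the NiFi project; it follows the file layout NiFi's file-based user group provider and access policy provider write, and the two XML documents, the identifiers and the DNs in it are constructed for the example. It also flags "near misses", identities that differ from the login identity only in case or whitespace, since NiFi matches identity strings exactly and a DN that comes back from LDAP as "cn=..., ou=..." will not match a users.xml entry written as "CN=...,OU=...".

```python
"""Added diagnostic for NiFi users.xml / authorizations.xml (example, not NiFi code)."""
import xml.etree.ElementTree as ET

# Constructed sample users.xml: two users, one group whose only member is Dan.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups>
    <group identifier="g-ops-0001" name="nifi-operators">
      <user identifier="u-dan-0002"/>
    </group>
  </groups>
  <users>
    <user identifier="u-admin-0001" identity="CN=nifi-admin,OU=Users,DC=example,DC=com"/>
    <user identifier="u-dan-0002" identity="CN=Daniel White,OU=Users,DC=example,DC=com"/>
  </users>
</tenants>
"""

# Constructed sample authorizations.xml: "/flow" R is the "view the UI" policy
# that "No applicable policies could be found" complains about; the admin also
# has view/modify on the root process group (placeholder id root-pg-id).
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="p-0001" resource="/flow" action="R">
      <user identifier="u-admin-0001"/>
      <group identifier="g-ops-0001"/>
    </policy>
    <policy identifier="p-0002" resource="/process-groups/root-pg-id" action="R">
      <user identifier="u-admin-0001"/>
    </policy>
    <policy identifier="p-0003" resource="/process-groups/root-pg-id" action="W">
      <user identifier="u-admin-0001"/>
    </policy>
  </policies>
</authorizations>
"""


def _norm(identity):
    """Collapse whitespace and case so DN spelling variants compare equal."""
    return "".join(identity.split()).lower()


def diagnose(users_xml, authorizations_xml, identity):
    """Resolve `identity` the way NiFi's file providers would.

    Returns a dict with: user_id (identifier from users.xml or None),
    near_misses (identities that differ only in case/whitespace), groups
    (group identifiers the user belongs to) and policies (a list of
    (resource, action, via) tuples, via = "user" or "group:<id>").
    """
    tenants = ET.fromstring(users_xml)
    users = {u.get("identity"): u.get("identifier")
             for u in tenants.findall("./users/user")}
    user_id = users.get(identity)  # exact string match, as NiFi does
    near_misses = [i for i in users
                   if i != identity and _norm(i) == _norm(identity)]

    groups = []
    if user_id is not None:
        for g in tenants.findall("./groups/group"):
            if any(m.get("identifier") == user_id for m in g.findall("user")):
                groups.append(g.get("identifier"))

    policies = []
    for p in ET.fromstring(authorizations_xml).findall("./policies/policy"):
        resource, action = p.get("resource"), p.get("action")
        if user_id is not None and any(
                u.get("identifier") == user_id for u in p.findall("user")):
            policies.append((resource, action, "user"))
        for g in p.findall("group"):
            if g.get("identifier") in groups:
                policies.append((resource, action, "group:" + g.get("identifier")))

    return {"user_id": user_id, "near_misses": near_misses,
            "groups": groups, "policies": policies}


def can_reach_canvas(result):
    """True if some applicable policy grants read on /flow (view the UI)."""
    return any(r == "/flow" and a == "R" for r, a, _ in result["policies"])


if __name__ == "__main__":
    for who in ("CN=Daniel White,OU=Users,DC=example,DC=com",
                "cn=daniel white, ou=users, dc=example, dc=com"):
        res = diagnose(USERS_XML, AUTHORIZATIONS_XML, who)
        print(who, "->", res["user_id"], "canvas:", can_reach_canvas(res))
        if res["user_id"] is None and res["near_misses"]:
            print("  no exact match; similar identities:", res["near_misses"])
```

Running it against the real conf/users.xml and conf/authorizations.xml (read the two files instead of the constructed strings) tells you in one step whether the login identity exists, which policies it inherits from groups, and whether the "/flow" read policy that unlocks the canvas is among them.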

> On Aug 22, 2020, at 16:56, White, Daniel <daniel.wh...@lgim.com> wrote:
> 
> 
> Hi Andy,
>  
> I tried removing users.xml and authorizations.xml but I’m still getting the 
> same error.
>  
> Suspect it’s something to do with authorizers.xml, but I can’t see any issues 
> with it.
>  
> I see this in the nifi-user.log :
>  
> <image001.png>
> Thanks
> Dan
>  
> From: Andy LoPresto <alopresto.apa...@gmail.com> 
> Sent: 23 August 2020 00:12
> To: users@nifi.apache.org
> Subject: Re: SSL/LDAP Configuration
>  
> CAUTION: This email originated from outside of the organisation. Do not click 
> links or open attachments unless you recognise the sender and know the 
> content is safe.
>  
> Daniel,
>  
> A couple options:
>  
> The “easy way” is to shut down NiFi, delete “users.xml” and 
> “authorizations.xml” in the “conf/“ directory, and then restart NiFi. 
> Whatever user was specified as the IAI should have enough permissions to get 
> started now. 
>  
> Once you can access the main canvas, you’ll want to go into the global 
> policies dialog (global menu top right > policies) and give yourself the 
> specific view & modify permissions on the root process group. I understand 
> this manual effort is less than ideal, but the stages in which things are 
> defined has mandated this for now. 
>  
> I think the User Guide does a good job of explaining the theory here as well 
> as specific component steps (but doesn’t go soup to nuts on the process), so 
> I’d recommend that as well as the “end” (the last 3-4 steps) of the 
> Walkthrough guide section on securing NiFi. 
>  
> I’m on my phone so I don’t have all my usual resources available, but 
> hopefully this guides you in the right direction. If not, please let me know 
> and tomorrow I can provide more specific instructions. 
>  
>  
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
> 
> On Aug 22, 2020, at 16:05, White, Daniel <daniel.wh...@lgim.com> wrote:
> 
> 
> Hi Andy,
>  
> I’ve now managed to log in to NiFi using my AD account but am getting the 
> following error:
>  
> Insufficient Permissions – No applicable policies could be found.
>  
> <image001.png>
>  
> Any pointers would be gratefully received.
>  
> Thanks
> Dan
>  
> From: Andy LoPresto <alopre...@apache.org> 
> Sent: 03 August 2020 03:07
> To: users@nifi.apache.org
> Subject: Re: SSL/LDAP Configuration
>  
> CAUTION: This email originated from outside of the organisation. Do not click 
> links or open attachments unless you recognise the sender and know the 
> content is safe.
>  
> Also, your authorizers.xml is not correct — you haven’t configured (or even 
> uncommented) the LDAP user group provider, so the specified user group 
> provider is the file users.xml, and you haven’t configured any initial 
> admins, so no users will be allowed to log in. Did you follow the steps in 
> the NiFi Admin Guide [3][4] for configuring this? Authentication and 
> authorization are decoupled in NiFi, and while you can use LDAP for both, 
> you’ll have to configure it for each. 
>  
> Also, your login-identity-providers.xml uses START_TLS as the authentication 
> strategy but does not specify any properties for the keystore or truststore, 
> which will be required. 
>  
> [3] 
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
> [4] 
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>  
>  
>  
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
> 
> 
> On Aug 2, 2020, at 7:02 PM, Andy LoPresto <alopre...@apache.org> wrote:
>  
> Hi Daniel,
>  
> Did you verify that the provided credentials are correct? There will be two 
> sets — the “manager” DN and password which are provided as configuration 
> values in the authorizers.xml file, and the individual user credentials 
> provided on each login attempt. The manager credentials allow NiFi to make an 
> authenticated request to the LDAP service, and the request itself contains 
> the user’s credentials. 
>  
> You can verify these credentials by using the ldapsearch [1][2] tool from one 
> of the machines where NiFi is installed. This allows you to verify TLS, 
> ports, network reachability, and the correctness of the credentials 
> themselves. 
>  
> Something like:
>  
> $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D 
> "cn=admin,dc=<your_org>,dc=com" -W 
>  
> That will conduct a general search using the account provided by -D, and 
> prompt for the password with -W. You can also switch out the account in -D 
> for the specific user you’re trying to log in as to verify those credentials. 
>  
> [1] 
> https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
> [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>  
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
> 
> 
> On Aug 2, 2020, at 1:11 PM, White, Daniel <daniel.wh...@lgim.com> wrote:
>  
> Confidential
>  
> Hi All,
>  
> Looking for some assistance with setting up SSL/LDAP to enable user admin 
> within NiFi.
>  
> I’ve set up and configured my non-prod environment but am having issues 
> logging in:
>  
> Unable to validate the supplied credentials. Please contact the system 
> administrator
>  
> I’ve followed the config guide and am stuck as to what the issue could be.
>  
> The steps I followed :
>  
> Generate keys etc using tls-toolkit.sh
> Updated nifi.properties to set 
> nifi.security.user.login.identity.provider=ldap-provider
> Modified login-identity-providers.xml (copy attached)
> Modified authorizers.xml (copy attached)
>  
> NiFi starts and I can get to the login page, just unable to log in (with the 
> error shown above).
>  
> Any help would be very gratefully received.
>  
> Thanks
>  
> Dan White 
> Lead Technical Architect
> Legal & General Investment Management
> One Coleman Street, London, EC2R 5AA
> Tel: +44 203 124 4048
> Mob: +44 7980 027 656
> www.lgim.com
>  
> ________________________________________________________________________
> **** This email has come from the internet and has been scanned for all 
> viruses and potentially offensive content by Messagelabs on behalf of Legal & 
> General ****
> <authorizers.xml><login-identity-providers.xml>
