Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources: initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing all the class names into Google.

--
Johannes Meixner
web: https://www.meixner.ch
Meixner GmbH
Switzerland

On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the
> ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't
> really understand the need for the file-user-group-provider.
>
> Apologies if this is a stupid question but we are new to NiFi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <[email protected]>
> Sent: 24 September 2020 12:35
> To: [email protected]; White, Daniel <[email protected]>
> Subject: Re: SSL/LDAP Configuration
>
> CAUTION: This email originated from outside of the organisation. Do not click
> links or open attachments unless you recognise the sender and know the
> content is safe.
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define
> a file-user-group-provider but never create it (lines 47-54 are commented
> out).
>
> What you might want to do is look into the
> CompositeConfigurableUserGroupProvider class with subs
> file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider -->
> CompositeConfigurableUserGroupProvider --> file-user-group-provider /
> ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
> --
> Johannes Meixner
> web: https://www.meixner.ch/
> Meixner GmbH
> Switzerland
>
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else's view on this or experience/examples used in the setup.
>>
>> From: White, Daniel <[email protected]>
>> Sent: 24 September 2020 10:15
>> To: [email protected]
>> Subject: RE: SSL/LDAP Configuration
>>
>> Hi Andy,
>>
>> Still getting issues trying to make LDAP integration work – Is there a
>> reference document which shows worked examples of the configurations?
>>
>> I've attached my latest .xml files – Any help is gratefully received.
>>
>> I'm currently getting the following error on startup:
>>
>> Thanks
>> Dan
>>
>> From: Andy LoPresto <[email protected]>
>> Sent: 23 August 2020 01:06
>> To: [email protected]
>> Subject: Re: SSL/LDAP Configuration
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I'm not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>> [email protected]
>> [email protected]
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>
>> On Aug 22, 2020, at 16:56, White, Daniel <[email protected]> wrote:
>>
>> Hi Andy,
>>
>> I tried removing users.xml and authorizations.xml but I'm still
>> getting the same error.
>>
>> Suspect it's something to do with authorizers.xml, but I can't see
>> any issues with it.
>>
>> I see this in the nifi-user.log:
>>
>> <image001.png>
>>
>> Thanks
>> Dan
>>
>> From: Andy LoPresto <[email protected]>
>> Sent: 23 August 2020 00:12
>> To: [email protected]
>> Subject: Re: SSL/LDAP Configuration
>>
>> Daniel,
>>
>> A couple options:
>>
>> The "easy way" is to shut down NiFi, delete "users.xml" and
>> "authorizations.xml" in the "conf/" directory, and then restart
>> NiFi. Whatever user was specified as the IAI should have enough
>> permissions to get started now.
>>
>> Once you can access the main canvas, you'll want to go into the
>> global policies dialog (global menu top right > policies) and give
>> yourself the specific view & modify permissions on the root process
>> group. I understand this manual effort is less than ideal, but the
>> stages in which things are defined have mandated this for now.
>>
>> I think the User Guide does a good job of explaining the theory here
>> as well as specific component steps (but doesn't go soup to nuts on
>> the process), so I'd recommend that as well as the "end" (the last
>> 3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>> I'm on my phone so I don't have all my usual resources available,
>> but hopefully this guides you in the right direction. If not, please
>> let me know and tomorrow I can provide more specific instructions.
>>
>> Andy LoPresto
>>
>> On Aug 22, 2020, at 16:05, White, Daniel <[email protected]> wrote:
>>
>> Hi Andy,
>>
>> I've now managed to login to NiFi using my AD account but am
>> getting the following error:
>>
>> Insufficient Permissions – No applicable policies could be found.
>>
>> <image001.png>
>>
>> Any pointers would be gratefully received.
>>
>> Thanks
>> Dan
>>
>> From: Andy LoPresto <[email protected]>
>> Sent: 03 August 2020 03:07
>> To: [email protected]
>> Subject: Re: SSL/LDAP Configuration
>>
>> Also, your authorizers.xml is not correct — you haven't
>> configured (or even uncommented) the LDAP user group provider,
>> so the specified user group provider is the file users.xml, and
>> you haven't configured any initial admins, so no users will be
>> allowed to log in. Did you follow the steps in the NiFi Admin
>> Guide [3][4] for configuring this? Authentication and
>> authorization are decoupled in NiFi, and while you can use LDAP
>> for both, you'll have to configure it for each.
>>
>> Also, your login-identity-providers.xml uses START_TLS as the
>> authentication strategy but does not specify any properties for
>> the keystore or truststore, which will be required.
>>
>> [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>> [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>> Andy LoPresto
>>
>> On Aug 2, 2020, at 7:02 PM, Andy LoPresto <[email protected]> wrote:
>>
>> Hi Daniel,
>>
>> Did you verify that the provided credentials are correct?
>> There will be two sets — the "manager" DN and password which
>> are provided as configuration values in the authorizers.xml
>> file, and the individual user credentials provided on each
>> login attempt. The manager credentials allow NiFi to make an
>> authenticated request to the LDAP service, and the request
>> itself contains the user's credentials.
>>
>> You can verify these credentials by using the ldapsearch
>> [1][2] tool from one of the machines where NiFi is
>> installed. This allows you to verify TLS, ports, network
>> reachability, and the correctness of the credentials
>> themselves.
>>
>> Something like:
>>
>> $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>> That will conduct a general search using the account
>> provided by -D, and prompt for the password with -W. You can
>> also switch out the account in -D for the specific user
>> you're trying to log in as to verify those credentials.
>>
>> [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>> [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>> Andy LoPresto
>>
>> On Aug 2, 2020, at 1:11 PM, White, Daniel <[email protected]> wrote:
>>
>> Confidential
>>
>> Hi All,
>>
>> Looking for some assistance with setting up SSL/LDAP to
>> enable user admin within NiFi.
>>
>> I've set up and configured my non-prod environment but am
>> having issues logging in:
>>
>> Unable to validate the supplied credentials. Please
>> contact the system administrator
>>
>> I've followed the config guide and am stuck as to what
>> the issue could be.
>>
>> The steps I followed:
>>
>> 1. Generate keys etc using tls-toolkit.sh
>> 2. Updated nifi.properties to set
>>    nifi.security.user.login.identity.provider=ldap-provider
>> 3. Modified login-identity-providers.xml (copy attached)
>> 4. Modified authorizers.xml (copy attached)
>>
>> NiFi starts and I can get to the login page, just unable
>> to login (with error shown above).
>>
>> Any help will be very gratefully received.
>>
>> Thanks
>>
>> Dan White
>> Lead Technical Architect
>> Legal & General Investment Management
>> One Coleman Street, London, EC2R 5AA
>> Tel: +44 203 124 4048
>> Mob: +44 7980 027 656
>> http://www.lgim.com/
>>
>> This e-mail (and any attachments) may contain privileged
>> and/or confidential information. If you are not the
>> intended recipient please do not disclose, copy,
>> distribute, disseminate or take any action in reliance
>> on it. If you have received this message in error please
>> reply and tell us and then delete it. Should you wish to
>> communicate with us by e-mail we cannot guarantee the
>> security of any data outside our own computer systems.
>>
>> Any information contained in this message may be subject
>> to applicable terms and conditions and must not be
>> construed as giving investment advice within or outside
>> the United Kingdom or Republic of Ireland.
>>
>> Telephone Conversations may be recorded for your
>> protection and to ensure quality of service
>>
>> Legal & General Investment Management Limited (no
>> 2091894), LGIM Real Assets (Operator) Limited (no
>> 05522016), LGIM (International) Limited (no 7716001)
>> Legal & General Unit Trust Managers (no 1009418), GO ETF
>> Solutions LLP (OC329482) and LGIM Corporate Director
>> Limited (no 7105051) are authorised and regulated by the
>> Financial Conduct Authority. All are registered in
>> England & Wales with a registered office at One Coleman
>> Street, London, EC2R 5AA
>>
>> Legal & General Assurance (Pensions Management) Limited
>> (no 1006112) is authorised by the Prudential Regulation
>> Authority and regulated by the Financial Conduct
>> Authority and the Prudential Regulation Authority. It is
>> registered in England & Wales with a registered office
>> at One Coleman Street, London, EC2R 5AA.
>>
>> Legal & General Property Limited (no 2091897) is
>> authorised and regulated by the Financial Conduct
>> Authority for insurance mediation activities. It is
>> registered in England & Wales with a registered office
>> at One Coleman Street, London, EC2R 5AA.
>>
>> LGIM Managers (Europe) Limited is authorised and
>> regulated by the Central Bank of Ireland (C173733). It
>> is registered in the Republic of Ireland (no 609677)
>> with a registered office at 33/34 Sir John Rogerson's
>> Quay, Dublin 2, D02 XK09.
>>
>> Legal & General Group PLC, Registered Office One Coleman
>> Street, London, EC2R 5AA.
>>
>> Registered in England no: 1417162
>>
>> ________________________________________________________________________
>> **** This email has come from the internet and has been
>> scanned for all viruses and potentially offensive
>> content by Messagelabs on behalf of Legal & General ****
>>
>> <authorizers.xml><login-identity-providers.xml>
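The provider chain Johannes sketches (StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider) and the fault he diagnosed (a provider referenced by identifier whose definition is commented out) can both be checked mechanically before NiFi is restarted. The script below is an added example, not code from this thread or from the NiFi project. The embedded authorizers.xml is a constructed sample: the class and property names follow the NiFi Admin Guide as recalled here and should be checked against the guide linked in the thread; the DNs, hostnames and file paths are placeholders; and the LDAP provider lists only a few of its properties.

```python
"""Sanity-check the provider chain in a NiFi authorizers.xml.

Added example, not code from the thread or from the NiFi project. The embedded
authorizers.xml is constructed: class and property names follow the NiFi Admin
Guide as recalled here (check them against the guide); DNs, hosts and paths are
placeholders, and the LDAP provider shows only a few of its properties.
"""
import xml.etree.ElementTree as ET

SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <!-- identities NiFi must know even when LDAP is down: admin and nodes -->
    <property name="Initial User Identity 1">cn=admin,dc=example,dc=com</property>
    <property name="Initial User Identity 2">CN=nifi-1.example.com, OU=NIFI</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">cn=manager,dc=example,dc=com</property>
    <property name="Manager Password">CHANGE_ME</property>
    <property name="TLS - Keystore">./conf/keystore.jks</property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="Url">ldap://ldap.example.com:389</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=admin,dc=example,dc=com</property>
    <property name="Node Identity 1">CN=nifi-1.example.com, OU=NIFI</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
"""

def is_reference(name):
    """Property names whose value is another provider's <identifier>
    ("User Group Provider 1", "... 2", etc. are the composite's sub-providers)."""
    return name in ("Access Policy Provider", "User Group Provider",
                    "Configurable User Group Provider") or name.startswith("User Group Provider ")

def load_providers(xml_text):
    """Return ({identifier: class}, [(source, property, target), ...])."""
    defined, refs = {}, []
    for elem in ET.fromstring(xml_text):
        ident = elem.findtext("identifier")
        if ident is None:
            continue
        defined[ident] = elem.findtext("class")
        for prop in elem.findall("property"):
            target = (prop.text or "").strip()
            if target and is_reference(prop.get("name", "")):
                refs.append((ident, prop.get("name"), target))
    return defined, refs

def dangling_references(xml_text):
    """References whose target no element defines: the fault Johannes found
    (a provider referenced on one line, its definition commented out)."""
    defined, refs = load_providers(xml_text)
    return [r for r in refs if r[2] not in defined]

def provider_chain(xml_text, start="managed-authorizer"):
    """Walk references depth-first from the authorizer; returns identifiers in
    visit order, with sub-providers in declaration order."""
    edges = {}
    for src, _, target in load_providers(xml_text)[1]:
        edges.setdefault(src, []).append(target)
    chain, stack = [], [start]
    while stack:
        ident = stack.pop()
        if ident not in chain:
            chain.append(ident)
            stack.extend(reversed(edges.get(ident, [])))
    return chain

def drop_provider(xml_text, identifier):
    """Remove one provider element, mimicking a commented-out definition."""
    root = ET.fromstring(xml_text)
    for elem in list(root):
        if elem.findtext("identifier") == identifier:
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(" --> ".join(provider_chain(SAMPLE_AUTHORIZERS)))
    broken = drop_provider(SAMPLE_AUTHORIZERS, "file-user-group-provider")
    print("dangling:", dangling_references(broken))
```

Run against a real conf/authorizers.xml (read the file instead of the embedded sample) before each restart: an empty `dangling_references()` result rules out the identifier mismatch from the thread, and the printed chain shows whether the authorizer really reaches both the file provider (initial admin and node identities, which must resolve even when LDAP is unreachable) and the LDAP provider.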
