The Initial Admin Identity needs to exist in whatever User Group Provider is specified, which in your case is the FileUserGroupProvider, so you should be able to just add an initial user identity there:
<property name="Initial User Identity 1">[email protected]/KARBEROS</property>

On Thu, Nov 4, 2021 at 6:46 AM Isha Lamboo <[email protected]> wrote:

> Hi Stefan,
>
> I see a number of things that are different from our working Kerberos solution, but one thing in particular: we used a certificate-based user for our initial admin identity, with the client certificate in the truststore and the DN of that user in the authorizers file, something like “CN=admin, OU=NiFi, O=Ourcompany,…” In an LDAP-based setup I had a lot of trouble finding the correct initial admin setting. It turned out to be the username without any other part of the DN.
>
> After NiFi starts (and fails), you can check the generated users.xml. It should contain at least the user that is supposed to become the initial admin, with some content after the [identity] showing the name it will expect at “initial admin identity”. The documentation says that any mapping rules will be applied, but I’m not sure that is the case.
>
> Be sure to delete the users.xml and authorizations.xml after a failed start, otherwise they will not be filled with the newly configured stuff on the next start.
>
> I don’t know if the initial admin identity error means all of the Kerberos stuff is working already or if it occurs before initializing Kerberos beans, but in case you run into trouble there, these settings in our Kerberos setup are different from yours.
>
> authorizers.xml:
>
> <property name="Initial Admin Identity">CN=admin,OU=NiFi,O=Ourcompany</property> # this is because we used certificate
>
> login-identity-provider.xml:
>
> <property name="Default Realm">OURDOMAIN.COM</property>
>
> nifi.properties:
>
> # kerberos service principal #
> nifi.kerberos.service.principal=nifi/[email protected]
>
> # kerberos spnego principal #
> nifi.kerberos.spnego.principal=HTTP/[email protected]
> nifi.kerberos.spnego.keytab.location=/etc/security/keytabs/spnego.service.keytab # (obviously your path will be different, but we do have one entered here)
>
> I hope this helps you towards a working solution!
>
> Isha
>
> From: Jakobsson Stefan <[email protected]>
> Sent: Thursday, 4 November 2021 11:06
> To: [email protected]
> Subject: Issues with Kerberos authentication.
>
> Hi guys,
>
> As per previous suggestions I have tried to change authentication method to Kerberos, but I ran into another snag, which looks to me like there is some configuration issue. I’ve tried everything I can think of, but it’s still a no go. Anyone who has any ideas?
>
> app.log is attached
>
> authorizers.xml:
>
> <accessPolicyProvider>
> <identifier>file-access-policy-provider</identifier>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> <property name="User Group Provider">file-user-group-provider</property>
> <property name="Authorizations File">./conf/authorizations.xml</property>
> <property name="Initial Admin Identity">[email protected]/KARBEROS</property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Node Identity 1"></property>
> <property name="Node Group"></property>
> </accessPolicyProvider>
>
> login-identity-provider.xml:
>
> <provider>
> <identifier>kerberos-provider</identifier>
> <class>org.apache.nifi.kerberos.KerberosProvider</class>
> <property name="Default Realm"> URI.OF.OUR.AD/KARBEROS </property>
> <property name="Authentication Expiration">12 hours</property>
> </provider>
>
> nifi.properties:
>
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.allow.anonymous.authentication=false
> nifi.security.user.login.identity.provider=kerberos-provider
>
> # kerberos #
> nifi.kerberos.krb5.file=/etc/krb5.cnf
>
> # kerberos service principal #
> nifi.kerberos.service.principal=nifi/ URI.OF.OUR.AD/KERBEROS
> nifi.kerberos.service.keytab.location=/etc/krb5.keytab
>
> # kerberos spnego principal #
> nifi.kerberos.spnego.principal=HTTP/[email protected]
> nifi.kerberos.spnego.keytab.location=
> nifi.kerberos.spnego.authentication.expiration=12 hours
>
> Regards,
> Stefan Jakobsson
>
> Systems Manager | Scania IT, IACA | Scania CV AB
> Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
> Forskargatan 20, SE-151 87 Södertälje, Sweden
> [email protected]
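Isha's suggestion to compare the generated users.xml against the configured Initial Admin Identity, and the reply's point that the admin identity must also exist in the user group provider, can both be scripted. The following is an added example written for this thread, not NiFi project code. It parses an authorizers.xml and a users.xml, both constructed here as placeholder samples (the identities and UUID are made up, and the sample deliberately gives the admin identity a suffix that the user entry lacks so that the near-match report is exercised), and reports whether the Initial Admin Identity matches a user identity character for character. Identity-mapping rules from nifi.properties are not modelled; the script assumes a literal string comparison.

```python
"""Cross-check a NiFi Initial Admin Identity against the FileUserGroupProvider.

Added example for this thread, not NiFi project code. Both XML documents below
are constructed placeholder samples shaped like authorizers.xml and the
users.xml that NiFi generates; the identities and UUID are made up.
"""
import xml.etree.ElementTree as ET

# Constructed authorizers.xml (placeholder identities). The admin identity
# deliberately carries a "/KERBEROS" suffix that the user entry lacks.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">admin@EXAMPLE.COM</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">admin@EXAMPLE.COM/KERBEROS</property>
  </accessPolicyProvider>
</authorizers>
"""

# Constructed users.xml as the provider above would generate it on first start.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="00000000-0000-0000-0000-000000000001" identity="admin@EXAMPLE.COM"/>
  </users>
</tenants>
"""


def _props(element):
    """Map <property name="..."> children of an element to {name: stripped value}."""
    return {p.get("name"): (p.text or "").strip() for p in element.findall("property")}


def access_policy_props(authorizers_xml):
    """Properties of the first accessPolicyProvider, or {} when none is defined."""
    root = ET.fromstring(authorizers_xml)
    provider = root.find("accessPolicyProvider")
    return _props(provider) if provider is not None else {}


def initial_user_identities(authorizers_xml, provider_id):
    """Initial User Identity N values declared on the named userGroupProvider."""
    root = ET.fromstring(authorizers_xml)
    for provider in root.findall("userGroupProvider"):
        if provider.findtext("identifier", "").strip() == provider_id:
            return {v for k, v in _props(provider).items()
                    if k.startswith("Initial User Identity") and v}
    return set()


def known_identities(users_xml):
    """The identity attribute of every <user> in a generated users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identity") for u in root.iter("user") if u.get("identity")}


def check_initial_admin(authorizers_xml, users_xml):
    """Return (ok, messages); ok only when the admin identity matches a user exactly."""
    cfg = access_policy_props(authorizers_xml)
    admin = cfg.get("Initial Admin Identity")
    if not admin:
        return False, ["no Initial Admin Identity configured"]
    provider_id = cfg.get("User Group Provider", "")
    declared = initial_user_identities(authorizers_xml, provider_id)
    present = known_identities(users_xml)
    if admin in present:
        return True, ["Initial Admin Identity %r is present in users.xml" % admin]
    messages = ["Initial Admin Identity %r not found in users.xml" % admin]
    if admin not in declared:
        messages.append("it is also not an Initial User Identity on %r" % provider_id)
    # The lookup is an exact comparison, so flag the near misses (case, realm
    # spelling, stray suffix) that a human reading the files would take as equal.
    a = admin.lower()
    for ident in sorted(present | declared):
        i = ident.lower()
        if ident != admin and (i in a or a in i):
            messages.append("near match %r: not accepted, comparison is exact" % ident)
    return False, messages


if __name__ == "__main__":
    ok, notes = check_initial_admin(AUTHORIZERS_XML, USERS_XML)
    print("OK" if ok else "MISMATCH")
    for note in notes:
        print(" -", note)
```

Run it against the real conf/authorizers.xml and the users.xml NiFi wrote on the failed start by reading those files into the two variables; as Isha notes, delete users.xml and authorizations.xml before restarting so the regenerated file reflects the current configuration.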
