Hello - I have a 3 node NiFi cluster up and running. I am running v 1.19.1.

I followed the steps described in the Apache NiFi Walkthroughs, i.e., specifically, "Creating and Securing a NiFi Cluster with the TLS Toolkit", i.e., https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates

Specifically, I followed the instructions for: Creating and Securing a NiFi Cluster with the TLS Toolkit.

Per Step 1, I ran the optional command to execute all steps together using the toolkit pattern syntax:

    ./bin/tls-toolkit.sh standalone -n 'node[1-3].nifi' -C 'CN=ec2-user' -c 'ca.nifi'

Per step 9, I updated the authorizers.xml file. In the <userGroupProvider> section, I added the line:

    <property name="Initial User Identity 1">CN=ec2-user</property>

In the <accessPolicyProvider> section, I updated the file as described. Regarding the Initial Admin Identity, I updated the file as follows:

    <property name="Initial Admin Identity">CN=ec2-user</property>

I copied the authorizers.xml file to all 3 nodes.

After starting NiFi on all 3 nodes, I then access the GUI and select the imported certificate, i.e., CN=ec2-user.p12, which I successfully imported, and I can successfully access the GUI. I see that on the upper right of the GUI screen, the user is indicated as CN=ec2-user. But, when I access the menu on the upper right of the screen, I do not receive the users option.

To add: At step 13, per the walkthrough, i.e., NiFi Cluster Using NiFi CA, as described, I stopped each of the NiFi instances, I then deleted the authorizations.xml and users.xml files from each node in the nifi/conf directory, and then restarted each node. And then I logged onto the NiFi GUI, and still I do not see the users option in the menu...

An update: So, after starting NiFi, I reviewed the logs in the nifi-user.log file. This is what was output:

    ...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/kerberos
    ...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/kerberos
    ...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/oidc/exchange
    ...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/oidc/exchange
    ...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/token/expiration
    ...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/token/expiration
    WARN [NiFi Web Server-37] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Access token not found. Returning Conflict response.

Another update: I looked in the authorizations.xml file and see that the user ec2-user has the following authorizations:

    flow action "R"
    data/process-groups/ action "R"
    data/process-groups action "W"
    process-groups action "R"
    process-groups action "W"
    restricted-components "W"
    tenants actions "R" and "W"
    policies actions "R" and "W"
    controller actions "R" and "W"

Has anyone had a similar experience/issue and resolved it? If so, can you let me know how you resolved this issue?

Thank you!

VR,
Dave
