Hello Alexei,

If you have configured an org.apache.nifi.ldap.LdapProvider in your NiFi login-identity-providers.xml for *authentication* then you will also have to configure an org.apache.nifi.ldap.tenants.LdapUserGroupProvider in your NiFi authorizers.xml for *authorization*. Some instructions are in the NiFi Admin Guide.

Also, if you use an LdapUserGroupProvider that will contain your identity in AD, then you will not need an "Initial User Identity 1" in your definition of FileUserGroupProvider.

Kind regards,
-- Mike

On Thu, Feb 22, 2024 at 9:09 AM Alexei Rozenvaser <[email protected]> wrote:

> My ./config/authorizers.xml
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
>         <property name="Node Identity 1"></property>
>         <property name="Node Group"></property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> *From:* Alexei Rozenvaser <[email protected]>
> *Sent:* Thursday, February 22, 2024 2:59 PM
> *To:* [email protected]
> *Subject:* Insufficient Permissions - Unable to view the user interface - at WebUI
>
> Hi Everyone
>
> I have a brand new installation of NiFi 2.0.
>
> I configured LDAP user authentication.
> I have my AD DN defined as both "Initial User Identity 1" and "Initial Admin Identity" in *authorizers.xml*
>
> 1. Now I can launch the NiFi server successfully.
> 2. I can successfully log in to NiFi's webUI with my AD user
> 3. But I get: "Insufficient Permissions" - "Unable to view the user interface." at WebUI
> 4. There is an AccessDeniedExeptionMapper identity [cn=My Name,ou=MyOU,DC=MyDC], group[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response. entry at nifi-user.log
>
> If I understand the situation correctly I can pass the authentication phase but my user wasn't authorized for UI access?
> What should I check first?
