According to https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#file-based-ldap-authentication there is "File-based (LDAP Authentication)" with FileUserGroupProvider + FileAccessPolicyProvider and there is "LDAP-based Users/Groups Referencing User DN" with <identifier>ldap-user-group-provider</identifier>.

I thought, based on my understanding of the documentation, that "File-based (LDAP Authentication)" with FileUserGroupProvider + FileAccessPolicyProvider is enough in order to pass authorization of AD.

Currently, I'm using the SIMPLE "Authentication Strategy" for the LDAP provider in my login-identity-providers.xml. Aren't FileUserGroupProvider + FileAccessPolicyProvider enough in my authorizers.xml?

From: Michael Moser <[email protected]>
Sent: Thursday, February 22, 2024 4:24 PM
To: [email protected]; Alexei Rozenvaser <[email protected]>
Subject: Re: Insufficient Permissions - Unable to view the user interface - at WebUI

Hello Alexei,

If you have configured an org.apache.nifi.ldap.LdapProvider in your NiFi login-identity-providers.xml for *authentication* then you will also have to configure an org.apache.nifi.ldap.tenants.LdapUserGroupProvider in your NiFi authorizers.xml for *authorization*. Some instructions are in the NiFi Admin Guide.

Also, if you use an LdapUserGroupProvider that will contain your identity in AD, then you will not need an "Initial User Identity 1" in your definition of FileUserGroupProvider.

Kind regards,
-- Mike

On Thu, Feb 22, 2024 at 9:09 AM Alexei Rozenvaser <[email protected]> wrote:

My ./config/authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

From: Alexei Rozenvaser <[email protected]>
Sent: Thursday, February 22, 2024 2:59 PM
To: [email protected]
Subject: Insufficient Permissions - Unable to view the user interface - at WebUI

Hi Everyone

I have a brand new installation of NiFi 2.0.
I configured LDAP user authentication.
I have my AD DN defined as both "Initial User Identity 1" and "Initial Admin Identity" in authorizers.xml.

1. Now I can launch the NiFi server successfully.
2. I can successfully log in to NiFi's webUI with my AD user.
3. But I get: "Insufficient Permissions" - "Unable to view the user interface." at WebUI
4. There is an AccessDeniedExeptionMapper identity [cn=My Name,ou=MyOU,DC=MyDC], group[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response. entry at nifi-user.log

If I understand the situation correctly, I can pass the authentication phase but my user wasn't authorized for UI access?
What should I check first?
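
Added example, not part of the thread and not NiFi code: a small check that compares the identity NiFi reported in nifi-user.log with the identities seeded in authorizers.xml. It assumes NiFi matches user identities as exact, case-sensitive strings; the function names are hypothetical, and the sample values are the placeholders posted above.

```python
import re
import xml.etree.ElementTree as ET

# authorizers.xml reduced to its identity properties; values as posted in the thread
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
  </accessPolicyProvider>
</authorizers>"""
# nifi-user.log entry as quoted in the thread
LOG_LINE = ("identity [cn=My Name,ou=MyOU,DC=MyDC], group[] does not have "
            "permission to access the requested resource.")

IDENTITY_PROP = re.compile(r"^Initial (User Identity \d+|Admin Identity)$")
LOG_IDENTITY = re.compile(r"identity\s*\[(.*?)\]")

def configured_identities(xml_text):
    """Map (provider identifier, property name) -> identity, skipping empty values."""
    found = {}
    for provider in ET.fromstring(xml_text):
        ident = provider.findtext("identifier", default="?")
        for prop in provider.findall("property"):
            value = (prop.text or "").strip()
            if IDENTITY_PROP.match(prop.get("name", "")) and value:
                found[(ident, prop.get("name"))] = value
    return found

def logged_identity(line):
    """Extract the identity NiFi evaluated from a nifi-user.log denial entry."""
    m = LOG_IDENTITY.search(line)
    return m.group(1) if m else None

def classify(configured, logged):
    """Assumption: NiFi matches identities as exact, case-sensitive strings."""
    if configured == logged:
        return "exact"
    if configured.casefold() == logged.casefold():
        return "case-only"  # same DN, different case: still not the same NiFi user
    return "different"

def check(xml_text, line):
    """Compare every seeded identity with the identity found in the log line."""
    logged = logged_identity(line) or ""
    return {key: classify(value, logged)
            for key, value in configured_identities(xml_text).items()}
```

Any verdict other than "exact" means the identity that logged in is not the string the file-based providers were seeded with, so no policy applies to it.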
