Hello Alexei,

Since you are logging in using your sAMAccountName, I recommend using that identity string instead of the full DN of your AD users. In your ldap-provider, change USE_DN to USE_USERNAME. Upon successful authentication the username you provided in the login window will be posted to the configured authorizer in your NiFi. Using sAMAccountName instead of the full DN will also make it easier to set up additional AD user authorizations later via the NiFi UI.

Then configure your initial user identity (file-user-group-provider) and admin identity (file-access-policy-provider) to match your username. Keep in mind that NiFi is case sensitive. You then need to delete or rename your current users.xml and authorizations.xml files. These files are only created on NiFi startup if they do NOT already exist. The content is never modified in existing files when you make changes to the authorizers.xml.

Thanks,
Matt

On Thu, Feb 22, 2024, 9:24 AM Michael Moser <[email protected]> wrote:

> Hello Alexei,
>
> If you have configured an org.apache.nifi.ldap.LdapProvider in your NiFi
> login-identity-providers.xml for *authentication* then you will also have
> to configure an org.apache.nifi.ldap.tenants.LdapUserGroupProvider in your
> NiFi authorizers.xml for *authorization*. Some instructions are in the
> NiFi Admin Guide.
>
> Also, if you use an LdapUserGroupProvider that will contain your identity
> in AD, then you will not need an "Initial User Identity 1" in your
> definition of FileUserGroupProvider.
>
> Kind regards,
> -- Mike
>
> On Thu, Feb 22, 2024 at 9:09 AM Alexei Rozenvaser <[email protected]> wrote:
>
>> My ./config/authorizers.xml
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <authorizers>
>>     <userGroupProvider>
>>         <identifier>file-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
>>     </userGroupProvider>
>>     <accessPolicyProvider>
>>         <identifier>file-access-policy-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>         <property name="User Group Provider">file-user-group-provider</property>
>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>         <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
>>         <property name="Node Identity 1"></property>
>>         <property name="Node Group"></property>
>>     </accessPolicyProvider>
>>     <authorizer>
>>         <identifier>managed-authorizer</identifier>
>>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>         <property name="Access Policy Provider">file-access-policy-provider</property>
>>     </authorizer>
>> </authorizers>
>>
>> *From:* Alexei Rozenvaser <[email protected]>
>> *Sent:* Thursday, February 22, 2024 2:59 PM
>> *To:* [email protected]
>> *Subject:* Insufficient Permissions - Unable to view the user interface - at WebUI
>>
>> Hi Everyone
>>
>> I have a brand new installation of NiFi 2.0.
>>
>> I configured LDAP user authentication.
>> I have my AD DN defined as both "Initial User Identity 1" and "Initial
>> Admin Identity" in *authorizers.xml*
>>
>> 1. Now I can launch the NiFi server successfully.
>> 2. I can successfully log in to NiFi's webUI with my AD user
>> 3. But I get: "Insufficient Permissions" - "Unable to view the user
>>    interface." at WebUI
>> 4. There is an AccessDeniedExceptionMapper identity [cn=My Name,ou=MyOU,DC=MyDC],
>>    group[] does not have permission to access the requested resource.
>>    Unable to view the user interface. Returning Forbidden response.
>>    entry at nifi-user.log
>>
>> If I understand the situation correctly I can pass the authentication
>> phase but my user wasn't authorized for UI access?
>> What should I check first?
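
The check that the reply at the top of this thread implies (NiFi is case sensitive, so the configured identities must equal the logged identity exactly), as an added example that is not part of the original messages or of NiFi itself. The function names are hypothetical, and the sample XML and log line are constructed from the values quoted in the thread, with the DC made identical so that only letter case differs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the values quoted in the thread.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
  </accessPolicyProvider>
</authorizers>"""
LOG_LINE = ("identity [cn=My Name,ou=MyOU,DC=MyDomain], group[] does not have "
            "permission to access the requested resource.")

IDENTITY_PROP = re.compile(r"^Initial (User Identity \d+|Admin Identity)$")

def configured_identities(xml_text):
    """Return {(provider identifier, property name): value} for initial identities."""
    found = {}
    for provider in ET.fromstring(xml_text):
        ident = provider.findtext("identifier", default="?")
        for prop in provider.findall("property"):
            name = prop.get("name", "")
            if IDENTITY_PROP.match(name) and (prop.text or "").strip():
                found[(ident, name)] = prop.text.strip()
    return found

def logged_identity(line):
    """Extract the authenticated identity from a nifi-user.log denial line."""
    m = re.search(r"identity\s*\[([^\]]+)\]", line)
    return m.group(1) if m else None

def compare(xml_text, line):
    """Classify each configured identity against the identity NiFi logged."""
    actual = logged_identity(line) or ""
    result = {}
    for key, value in configured_identities(xml_text).items():
        same_ignoring_case = value.lower() == actual.lower()
        # Exact string equality is what counts; a case-only difference still fails.
        result[key] = ("match" if value == actual
                       else "case-mismatch" if same_ignoring_case else "different")
    return result

if __name__ == "__main__":
    for (provider, prop), verdict in compare(AUTHORIZERS_XML, LOG_LINE).items():
        print(f"{provider} / {prop}: {verdict}")
```

Anything other than `match` means the identity in authorizers.xml has to be corrected, and, as the reply notes, users.xml and authorizations.xml must be deleted or renamed before the next startup for the change to take effect.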
