Hello Mike,

Can you elaborate a little bit more on your last post?

1) "sAMAccountName"
First of all, I'm using "sAMAccountName" only because:
1.1) it is mentioned in the official documentation
https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#ldap_login_identity_provider
1.2) I don't know any better
1.3) What would be your suggestion?

2) Do you suggest that if one uses sAMAccountName as "User Search Filter" in 
login-identity-providers.xml, one can't use a DN as "Initial User Identity 1" 
and/or "Initial Admin Identity" in the corresponding authorizers.xml?
What is the proper and coherent way to do it?

2.1) If I'm using "sAMAccountName" then I must use "USE_USERNAME" for "Identity 
Strategy" in login-identity-providers.xml and username like usern...@domain.com 
as "Initial User Identity 1" and "Initial Admin Identity" in authorizers.xml?

2.2) If one is using a DN as "Initial User Identity 1" and "Initial Admin Identity" 
in authorizers.xml and "USE_DN" for "Identity Strategy" in 
login-identity-providers.xml, then what should one use as "User Search Filter" 
in login-identity-providers.xml?

Thanks

From: Matthew Clarke <matt.clarke....@gmail.com>
Sent: Sunday, February 25, 2024 11:19 PM
To: users@nifi.apache.org
Cc: Alexei Rozenvaser <alexei....@tomer-rs.co.il>
Subject: Re: Insufficient Permissions - Unable to view the user interface - at WebUI

Hello Alexei,

Since you are fond of using your sAMAccountName, I recommend using that as the 
identity string instead of the full DN of your AD users.  In your 
ldap-provider, change USE_DN to USE_USERNAME. Upon successful authentication 
the username you provided in the login window will be posted to the configured 
authorizer in your NiFi.  Using sAMAccountName instead of the full DN will also 
make it easier to set up additional AD user authorizations later via the NiFi UI.

Then configure your initial user identity (file-user-group-provider) and admin 
identity (file-access-policy-provider) to match your username.  Keep in mind 
that NiFi is case sensitive.  You then need to delete or rename your current 
users.xml and authorizations.xml files. These files are only created on NiFi 
startup if they do NOT already exist. The content is never modified in existing 
files when you make changes to the authorizers.xml.

Thanks,
Matt

On Thu, Feb 22, 2024, 9:24 AM Michael Moser <moser...@gmail.com> wrote:
Hello Alexei,

If you have configured an org.apache.nifi.ldap.LdapProvider in your NiFi 
login-identity-providers.xml for *authentication* then you will also have to 
configure an org.apache.nifi.ldap.tenants.LdapUserGroupProvider in your NiFi 
authorizers.xml for *authorization*.  Some instructions are in the NiFi Admin 
Guide.

Also, if you use an LdapUserGroupProvider that will contain your identity in 
AD, then you will not need an "Initial User Identity 1" in your definition of 
FileUserGroupProvider.

Kind regards,
-- Mike


On Thu, Feb 22, 2024 at 9:09 AM Alexei Rozenvaser <alexei....@tomer-rs.co.il> wrote:
My ./config/authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>


From: Alexei Rozenvaser <alexei....@tomer-rs.co.il>
Sent: Thursday, February 22, 2024 2:59 PM
To: users@nifi.apache.org
Subject: Insufficient Permissions - Unable to view the user interface - at WebUI

Hi Everyone

I have a brand new installation of NiFi 2.0.
I configured LDAP user authentication.
I have my AD DN defined as both "Initial User Identity 1" and "Initial Admin 
Identity" in authorizers.xml.
1. Now I can launch the NiFi server successfully.
2. I can successfully log in to NiFi's web UI with my AD user.
3. But I get "Insufficient Permissions" - "Unable to view the user interface." at the web UI.
4. There is an AccessDeniedExceptionMapper entry in nifi-user.log: identity [cn=My 
Name,ou=MyOU,DC=MyDC], group[] does not have permission to access the requested 
resource. Unable to view the user interface. Returning Forbidden response.
If I understand the situation correctly, I can pass the authentication phase but 
my user wasn't authorized for UI access?
What should I check first?
