1) "sAMAccountName"
First off I'm using "sAMAccountName" only because:
1.1) it is mentioned in official documentation https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#ldap_login_identity_provider
1.2) I don't know any better
1.3) What would be your suggestion?
-- The documentation serves only as an example. You'll need to work with your LDAP/Active Directory admins to understand the structure of your LDAP users and groups and what attributes are available to use in your specific configuration.

I am assuming, since you stated that you saw "unable to view user interface" in the NiFi UI, that your NiFi did present you with a login window and this response came after entering your LDAP/AD username and password? Seeing "unable to view the user interface" means that user authentication was successful, but the authenticated user was not authorized to view the user interface. Check the nifi-user.log to see the exact case sensitive user identity being passed for authorization. The user identity string is what you want to be using as your initial admin value. Also make sure in your nifi.properties file that nifi.security.user.login.identity.provider=ldap-provider is set.

2) Do you suggest that if one uses sAMAccountName as "User Search Filter" in login-identity-providers.xml, one can't use DN as "Initial User Identity 1" or/and "Initial Admin Identity" in corresponding authorizers.xml?

-- I was NOT implying you must reconfigure your ldap-provider "identity strategy" to USE_USERNAME from default USE_DN. It was only a suggestion to simplify user management later.

If using USE_DN -- upon successful user authentication via ldap-provider, the user's full DN will be evaluated against any identity.mapping.patterns configured in the nifi.properties file, after which the user identity string is passed to NiFi authorization handled via the authorizers.xml.

If using USE_USERNAME -- upon successful user authentication via ldap-provider, the user's username entered in the login window will be evaluated against any identity.mapping.patterns configured in the nifi.properties file, after which the user identity string is passed to NiFi authorization handled via the authorizers.xml.
Whichever you decide to use, the resulting user identity post any identity.mapping.value (if pattern regex matches) is the user string (case sensitive) you would add as the initial admin identity in the file-access-policy-provider.

Note: modifying the authorizers.xml will NOT result in any modification to previously generated users.xml or authorizations.xml files. You'll need to remove or rename those files so new ones are created from your changes.

Reference documentation links:
https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#ldap_login_identity_provider
https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#authorizers-setup
https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#identity-mapping-properties

Hope this helps,
Matt

On Mon, Feb 26, 2024, 2:07 AM Alexei Rozenvaser <[email protected]> wrote:

> Hello Mike,
>
> Can you elaborate a little bit more on your last post?
>
> 1) "sAMAccountName"
> First off I'm using "sAMAccountName" only because:
> 1.1) it is mentioned in official documentation https://nifi.apache.org/documentation/nifi-2.0.0-M2/html/administration-guide.html#ldap_login_identity_provider
> 1.2) I don't know any better
> 1.3) What would be your suggestion?
>
> 2) Do you suggest that if one uses sAMAccountName as "User Search Filter" in login-identity-providers.xml, one can't use DN as "Initial User Identity 1" or/and "Initial Admin Identity" in corresponding authorizers.xml?
> What is the proper and coherent way to do it?
>
> 2.1) If I'm using "sAMAccountName" then I must use "USE_USERNAME" for "Identity Strategy" in login-identity-providers.xml and username like [email protected] as "Initial User Identity 1" and "Initial Admin Identity" in authorizers.xml?
>
> 2.2) If one is using DN "Initial User Identity 1" and "Initial Admin Identity" in authorizers.xml and the "USE_DN" for "Identity Strategy" in login-identity-providers.xml then what should one use as "User Search Filter" in login-identity-providers.xml?
>
> Thanks
>
> *From:* Matthew Clarke <[email protected]>
> *Sent:* Sunday, February 25, 2024 11:19 PM
> *To:* [email protected]
> *Cc:* Alexei Rozenvaser <[email protected]>
> *Subject:* Re: Insufficient Permissions - Unable to view the user interface - at WebUI
>
> Hello Alexei,
>
> Since you are looking into using your sAMAccountName, I recommend using that identity string instead of the full DN of your AD users. In your ldap-provider, change USE_DN to USE_USERNAME. Upon successful authentication, the username you provided in the login window will be posted to the configured authorizer in your NiFi. Using sAMAccountName instead of the full DN will also make it easier to set up additional AD user authorizations later via the NiFi UI.
>
> Then configure your initial user identity (file-user-group-provider) and admin identity (file-access-policy-provider) to match your username. Keep in mind that NiFi is case sensitive. You then need to delete or rename your current users.xml and authorizations.xml files. These files are only created on NiFi startup if they do NOT already exist. The content is never modified in existing files when you make changes to the authorizers.xml.
>
> Thanks,
> Matt
>
> On Thu, Feb 22, 2024, 9:24 AM Michael Moser <[email protected]> wrote:
>
> Hello Alexei,
>
> If you have configured an org.apache.nifi.ldap.LdapProvider in your NiFi login-identity-providers.xml for *authentication* then you will also have to configure an org.apache.nifi.ldap.tenants.LdapUserGroupProvider in your NiFi authorizers.xml for *authorization*. Some instructions are in the NiFi Admin Guide.
>
> Also, if you use an LdapUserGroupProvider that will contain your identity in AD, then you will not need an "Initial User Identity 1" in your definition of FileUserGroupProvider.
>
> Kind regards,
> -- Mike
>
> On Thu, Feb 22, 2024 at 9:09 AM Alexei Rozenvaser <[email protected]> wrote:
>
> My ./config/authorizers.xml
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>   <userGroupProvider>
>     <identifier>file-user-group-provider</identifier>
>     <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>     <property name="Users File">./conf/users.xml</property>
>     <property name="Initial User Identity 1">CN=My Name,OU=MyOU,DC=MyDomain</property>
>   </userGroupProvider>
>   <accessPolicyProvider>
>     <identifier>file-access-policy-provider</identifier>
>     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>     <property name="User Group Provider">file-user-group-provider</property>
>     <property name="Authorizations File">./conf/authorizations.xml</property>
>     <property name="Initial Admin Identity">CN=My Name,OU=MyOU,DC=MyDomain</property>
>     <property name="Node Identity 1"></property>
>     <property name="Node Group"></property>
>   </accessPolicyProvider>
>   <authorizer>
>     <identifier>managed-authorizer</identifier>
>     <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>     <property name="Access Policy Provider">file-access-policy-provider</property>
>   </authorizer>
> </authorizers>
>
> *From:* Alexei Rozenvaser <[email protected]>
> *Sent:* Thursday, February 22, 2024 2:59 PM
> *To:* [email protected]
> *Subject:* Insufficient Permissions - Unable to view the user interface - at WebUI
>
> Hi Everyone
>
> I have a brand new installation of NiFi 2.0.
> I configured LDAP user authentication.
> I have my AD DN defined as both "Initial User Identity 1" and "Initial Admin Identity" in *authorizers.xml*
>
> 1. Now I can launch the NiFi server successfully.
> 2. I can successfully log in to NiFi's webUI with my AD user
> 3. But I get: "Insufficient Permissions" - "Unable to view the user interface." at WebUI
> 4. There is an AccessDeniedExceptionMapper identity [cn=My Name,ou=MyOU,DC=MyDC], group[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response. entry at nifi-user.log
>
> If I understand the situation correctly I can pass the authentication phase but my user wasn't authorized for UI access?
> What should I check first?
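Matt's point that the string compared by the file-access-policy-provider is the post-mapping, case-sensitive identity, as an added example that is not NiFi's code nor anything from the thread: a small Python emulation of the nifi.security.identity.mapping.pattern/value/transform properties, run against the DN from the nifi-user.log entry and the "Initial Admin Identity" from the posted authorizers.xml. The mapping values and the alphabetical evaluation order of mappings are assumptions; the three property names are NiFi's.

```python
import re

# Added example (not NiFi code): emulates how NiFi applies the
# nifi.security.identity.mapping.* properties to the authenticated identity
# (full DN under USE_DN, typed username under USE_USERNAME) and how the
# file-access-policy-provider then compares the result, case-sensitively,
# with "Initial Admin Identity".

# Constructed nifi.properties fragment: one mapping named "dn" that keeps only
# the CN and lower-cases it. The regex is case-insensitive so that "cn=" from
# the log and "CN=" from authorizers.xml both match. Values are made up here.
NIFI_PROPERTIES = {
    "nifi.security.identity.mapping.pattern.dn": r"(?i)^CN=(.*?),OU=(.*?),DC=(.*)$",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.transform.dn": "LOWER",
}

KEY_RE = re.compile(r"^nifi\.security\.identity\.mapping\.(pattern|value|transform)\.(.+)$")

def load_mappings(props):
    """Group pattern/value/transform properties by their mapping name."""
    mappings = {}
    for key, val in props.items():
        m = KEY_RE.match(key)
        if m:
            mappings.setdefault(m.group(2), {})[m.group(1)] = val
    return mappings

def map_identity(raw, mappings):
    """Return the identity after the first matching mapping, else unchanged."""
    for name in sorted(mappings):          # assumption: evaluated in name order
        cfg = mappings[name]
        pattern = cfg.get("pattern")
        m = re.fullmatch(pattern, raw) if pattern else None
        if not m:
            continue
        # Value strings use Java-style $1, $2 ... group references.
        mapped = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), cfg.get("value", "$0"))
        transform = cfg.get("transform", "NONE").upper()
        if transform == "LOWER":
            mapped = mapped.lower()
        elif transform == "UPPER":
            mapped = mapped.upper()
        return mapped
    return raw

def is_initial_admin(mapped_identity, initial_admin_identity):
    """Authorization matches the exact string; 'cn=' and 'CN=' are different users."""
    return mapped_identity == initial_admin_identity

if __name__ == "__main__":
    logged = "cn=My Name,ou=MyOU,DC=MyDC"            # identity from the nifi-user.log entry
    configured = "CN=My Name,OU=MyOU,DC=MyDomain"    # "Initial Admin Identity" in authorizers.xml
    print(is_initial_admin(map_identity(logged, {}), configured))   # False: no mapping configured
    mappings = load_mappings(NIFI_PROPERTIES)
    print(map_identity(logged, mappings), "|", map_identity(configured, mappings))  # my name | my name
```

Without any mapping, the logged DN and the configured DN differ in case and in the DC component, so the admin check fails exactly as the thread describes; with the mapping both collapse to "my name", which is then the value to put in "Initial Admin Identity".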
