James, If you check the nifi-user.log in the logs directory, you should see messages for the requests that are being rejected. In that log message you should see the identity that you're authenticated with. Can you compare that with the user that you've configured the policies for. Hopefully, that will help point to where the issue is.
Matt On Wed, Apr 24, 2024 at 5:03 PM James McMahon <jsmcmah...@gmail.com> wrote: > I still cannot access my own NiFi 2.0 instance. I continue to get this > rejection: > > Insufficient Permissions > > - home > > Unable to view the user interface. Contact the system administrator. > > > The canvas flashes for an instant when I try to hit my secure URL, but is > immediately replaced with this rejection message. > > There is no error or warning in nifi-app.log > > Has anyone experienced a similar problem? > > > Here is my authorizers.xml: > > <authorizers> > <userGroupProvider> > <identifier>file-user-group-provider</identifier> > <class>org.apache.nifi.authorization.FileUserGroupProvider</class> > <property name="Users > File">/opt/nifi/config_resources/users.xml</property> > <property name="Legacy Authorized Users File"></property> > <property name="Initial User Identity 1">C = US, ST = Virginia, L > = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> > </userGroupProvider> > <accessPolicyProvider> > <identifier>file-access-policy-provider</identifier> > > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> > <property name="User Group > Provider">file-user-group-provider</property> > <property name="Authorizations > File">/opt/nifi/config_resources/authorizations.xml</property> > <property name="Initial Admin Identity">C = US, ST = Virginia, L = > Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> > <property name="Legacy Authorized Users File"></property> > <property name="Node Identity 1"></property> > </accessPolicyProvider> > <authorizer> > <identifier>managed-authorizer</identifier> > > <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> > <property name="Access Policy > Provider">file-access-policy-provider</property> > </authorizer> > </authorizers> > > > Here is my authorizations.xml (nifi creates at first startup): > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?> > <authorizations> > <policies> > <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" > resource="/flow" action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="ae1ef91b-11d8-38a4-9d8a-33e7ee25d65e" > resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" > action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="818d3b60-f65b-3d67-960e-f7e7aea0f6cc" > resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" > action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="6e49aea6-93bd-3a2a-a0d6-b5afb4581b4f" > resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="3755b3ac-380b-3c02-83a6-10c3870f377a" > resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" > resource="/restricted-components" action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" > resource="/tenants" action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" > resource="/tenants" action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" > resource="/policies" action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" > resource="/policies" action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" > resource="/controller" action="R"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" > resource="/controller" action="W"> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> > </policy> > </policies> > </authorizations> > > > > Here is my users.xml (nifi creates at first startup): > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?> > <tenants> > <groups/> > <users> > <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834" > identity="C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN > = admin2"/> > </users> > </tenants> > > > On Wed, Apr 24, 2024 at 8:21 AM James McMahon <jsmcmah...@gmail.com> > wrote: > >> I'll review this closely once again when I get back to this system >> tonight - thanks very much for your reply, Isha. >> >> I also feel I need to look more closely in nifi.properties, at values I >> have set for keys nifi.security.identity.mapping.[value, transform, >> pattern].CN1 >> >> I noticed some odd behavior and suspect it is a reflection of an issue I >> have not set properly in my configuration: >> The first time I started my 2.0 instance with my Initial Admin Identity >> defined as shown, the UI in my browser actually presented me with a list >> (of one) Personal cert to select from - the cert for admin2. I was in a >> happy place: *finally*, nifi and the browser appeared to be in synch for >> the Subject name in the cert. >> >> I selected this cert, but then was crushed by the rejection mentioned >> above: >> Unable to view the user interface. Contact the system administrator. >> Insufficient Permissions home >> >> I restarted nifi so I could "tail -f" nifi-app.log. >> After restart, I once again tried to hit my NiFi URL. >> This time though, the browser failed to present the admin2 cert for >> selection. Shouldn't it have still presented that to me in the browser fro >> my selection? >> Do you have any thoughts why this behavior is occurring? >> >> Would you say it is it advisable to manually create by hand an >> authorizations.xml file should I continue to experience Insufficient >> Permissions problems? I recall reading that users.xml and >> authorizations.xml - if absent at initial startup - should be created by >> nifi from info in authorizers.xml. But this Insufficient Permissions makes >> me suspect something is missing from authorizations. >> >> Jim >> >> On Wed, Apr 24, 2024 at 5:33 AM Isha Lamboo < >> isha.lam...@virtualsciences.nl> wrote: >> >>> Hi James, >>> >>> >>> >>> Have you changed these settings in authorizers.xml since you first >>> started NiFi? If so, you may need to delete users.xml and >>> authorizations.xml. >>> >>> A new admin user will not be created if those files already exist. >>> >>> >>> >>> Otherwise, the trickiest part is usually that the user DN needs to match >>> **exactly** with that specified. Capitals and whitespace matter. Since >>> you are getting insufficient permissions instead of unknown user, I don’t >>> think that’s your problem here. Still, it may be worth checking for a >>> mismatch in the initial admin identity vs initial user identity vs >>> certificate. >>> >>> >>> >>> Regards, >>> >>> >>> >>> Isha >>> >>> >>> >>> *Van:* James McMahon <jsmcmah...@gmail.com> >>> *Verzonden:* woensdag 24 april 2024 02:14 >>> *Aan:* users <users@nifi.apache.org> >>> *Onderwerp:* Insufficient permissions on initial start up (NiFi 2.0) >>> >>> >>> >>> I am trying to start my new NiFi 2.0 installation. I have a user admin2 >>> that has a cert. The nifi server also has a cert. Both are signed by the >>> same CA. >>> >>> >>> >>> At start up in my browser I am denied due to insufficient privileges: >>> >>> >>> >>> Unable to view the user interface. Contact the system administrator. >>> >>> Insufficient Permissions home >>> >>> >>> >>> >>> >>> My authorizors.xml has been configured as follows: >>> >>> <authorizers> >>> <userGroupProvider> >>> <identifier>file-user-group-provider</identifier> >>> >>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> >>> <property name="Users >>> File">/opt/nifi/config_resources/users.xml</property> >>> <property name="Legacy Authorized Users File"></property> >>> <property name="Initial User Identity 1">C = US, ST = Virginia, >>> L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>> </userGroupProvider> >>> <accessPolicyProvider> >>> <identifier>file-access-policy-provider</identifier> >>> >>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> >>> <property name="User Group >>> Provider">file-user-group-provider</property> >>> <property name="Authorizations >>> File">/opt/nifi/config_resources/authorizations.xml</property> >>> <property name="Initial Admin Identity">C = US, ST = Virginia, L >>> = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>> <property name="Legacy Authorized Users File"></property> >>> <property name="Node Identity 1"></property> >>> </accessPolicyProvider> >>> <authorizer> >>> <identifier>managed-authorizer</identifier> >>> >>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> >>> <property name="Access Policy >>> Provider">file-access-policy-provider</property> >>> </authorizer> >>> </authorizers> >>> >>> >>> >>> I read that at start up, authorizations.xml and users.xml would be >>> created by NiFi - those files are not to be hand jammed. >>> >>> >>> >>> So how do I actually get in with my admin2 user? >>> >>> What have I overlooked on this magical mystery tour? >>> >>> >>> >>> >>> >>
