> > What is this Access Token it cites at top? > NiFi UI attempts to get the access token expiration. However, since you're authenticating with a certificate the endpoint returns an IllegalState because there was no token in the request.
Looking at the logs and the supplied configuration it appears there are spaces and the ordering is reversed in your initial admin identity when compared with the value from the certificate. C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2 CN=admin2, OU=NIFI, O=C4 Rampart, L=Reston, ST=Virginia, C=US Hope this helps! Matt On Wed, Apr 24, 2024 at 8:41 PM James McMahon <jsmcmah...@gmail.com> wrote: > Looking at the nifi-user.log, I find I am getting a Conflict response, > Access Token not found. > > more ./nifi-user.log > 2024-04-25 00:23:49,329 INFO [main] o.a.n.a.FileUserGroupProvider Creating > new users file at /opt/nifi/config_resources/users.xml > 2024-04-25 00:23:49,352 INFO [main] o.a.n.a.FileAccessPolicyProvider > Creating new authorizations file at > /opt/nifi/config_resources/authorizations.xml > 2024-04-25 00:23:49,573 INFO [main] o.a.n.a.FileAccessPolicyProvider > Populating authorizations for Initial Admin: C = US, ST = Virginia, L = > Reston, O = C4 Rampart, OU = NIFI, > CN = admin2 > 2024-04-25 00:24:51,107 INFO [NiFi Web Server-100] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 173.73.40.110 > [CN=admin2, OU=NIFI, O=C4 Rampart, L=Reston, ST=Virgi > nia, C=US] POST > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/access/kerberos > 2024-04-25 00:24:51,110 INFO [NiFi Web Server-100] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=admin2, > OU=NIFI, O=C4 Rampart, L=Reston, ST=Virginia, C=US] 173 > .73.40.110 POST > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/access/kerberos > 2024-04-25 00:24:51,166 INFO [NiFi Web Server-104] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 173.73.40.110 > [CN=admin2, OU=NIFI, O=C4 Rampart, L=Reston, ST=Virgi > nia, C=US] GET > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/access/token/expiration > 2024-04-25 00:24:51,166 INFO [NiFi Web Server-104] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=admin2, > OU=NIFI, O=C4 Rampart, L=Reston, ST=Virginia, C=US] 173 > .73.40.110 GET > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/access/token/expiration > 2024-04-25 00:24:51,172 WARN [NiFi Web Server-104] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > *Access Token not found. Returning Conflict > response.java.lang.IllegalStateException: Access Token not found* > at > org.apache.nifi.web.api.AccessResource.getAccessTokenExpiration(AccessResource.java:463) > at > java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) > at java.base/java.lang.reflect.Method.invoke(Method.java:580) > > followed by > > 2024-04-25 00:24:51,185 INFO [NiFi Web Server-100] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 173.73.40.110 > [CN=admin2, OU=NIFI, O=C4 Rampart, L=Reston, ST=Virgi > nia, C=US] GET > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/flow/current-user > 2024-04-25 00:24:51,186 INFO [NiFi Web Server-100] > o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=admin2, > OU=NIFI, O=C4 Rampart, L=Reston, ST=Virginia, C=US] 173 > .73.40.110 GET > https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi-api/flow/current-user > 2024-04-25 00:24:51,192 INFO [NiFi Web Server-100] > o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin2, OU=NIFI, O=C4 > Rampart, L=Reston, ST=Virginia, C=US], groups[] > *does not have permission to access the requested resource. Unable to view > the user interface. Returning Forbidden response.* > > What is this Access Token it cites at top? > > Based on what I have read in the documentation, nifi itself must be > allowed to create the authorizations.xml file at initial startup. Is there > a reason it would omit permission to view and use the UI? > > On Wed, Apr 24, 2024 at 5:18 PM Matt Gilman <matt.c.gil...@gmail.com> > wrote: > >> James, >> >> If you check the nifi-user.log in the logs directory, you should see >> messages for the requests that are being rejected. In that log message you >> should see the identity that you're authenticated with. Can you compare >> that with the user that you've configured the policies for. Hopefully, that >> will help point to where the issue is. >> >> Matt >> >> On Wed, Apr 24, 2024 at 5:03 PM James McMahon <jsmcmah...@gmail.com> >> wrote: >> >>> I still cannot access my own NiFi 2.0 instance. I continue to get this >>> rejection: >>> >>> Insufficient Permissions >>> >>> - home >>> >>> Unable to view the user interface. Contact the system administrator. >>> >>> >>> The canvas flashes for an instant when I try to hit my secure URL, but >>> is immediately replaced with this rejection message. >>> >>> There is no error or warning in nifi-app.log >>> >>> Has anyone experienced a similar problem? >>> >>> >>> Here is my authorizers.xml: >>> >>> <authorizers> >>> <userGroupProvider> >>> <identifier>file-user-group-provider</identifier> >>> >>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> >>> <property name="Users >>> File">/opt/nifi/config_resources/users.xml</property> >>> <property name="Legacy Authorized Users File"></property> >>> <property name="Initial User Identity 1">C = US, ST = Virginia, >>> L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>> </userGroupProvider> >>> <accessPolicyProvider> >>> <identifier>file-access-policy-provider</identifier> >>> >>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> >>> <property name="User Group >>> Provider">file-user-group-provider</property> >>> <property name="Authorizations >>> File">/opt/nifi/config_resources/authorizations.xml</property> >>> <property name="Initial Admin Identity">C = US, ST = Virginia, L >>> = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>> <property name="Legacy Authorized Users File"></property> >>> <property name="Node Identity 1"></property> >>> </accessPolicyProvider> >>> <authorizer> >>> <identifier>managed-authorizer</identifier> >>> >>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> >>> <property name="Access Policy >>> Provider">file-access-policy-provider</property> >>> </authorizer> >>> </authorizers> >>> >>> >>> Here is my authorizations.xml (nifi creates at first startup): >>> >>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> >>> <authorizations> >>> <policies> >>> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" >>> resource="/flow" action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="ae1ef91b-11d8-38a4-9d8a-33e7ee25d65e" >>> resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" >>> action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="818d3b60-f65b-3d67-960e-f7e7aea0f6cc" >>> resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" >>> action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="6e49aea6-93bd-3a2a-a0d6-b5afb4581b4f" >>> resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="3755b3ac-380b-3c02-83a6-10c3870f377a" >>> resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" >>> resource="/restricted-components" action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" >>> resource="/tenants" action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" >>> resource="/tenants" action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" >>> resource="/policies" action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" >>> resource="/policies" action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" >>> resource="/controller" action="R"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" >>> resource="/controller" action="W"> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834"/> >>> </policy> >>> </policies> >>> </authorizations> >>> >>> >>> >>> Here is my users.xml (nifi creates at first startup): >>> >>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> >>> <tenants> >>> <groups/> >>> <users> >>> <user identifier="03e0564a-4cad-3d24-bf64-3f09d78a5834" >>> identity="C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN >>> = admin2"/> >>> </users> >>> </tenants> >>> >>> >>> On Wed, Apr 24, 2024 at 8:21 AM James McMahon <jsmcmah...@gmail.com> >>> wrote: >>> >>>> I'll review this closely once again when I get back to this system >>>> tonight - thanks very much for your reply, Isha. >>>> >>>> I also feel I need to look more closely in nifi.properties, at values I >>>> have set for keys nifi.security.identity.mapping.[value, transform, >>>> pattern].CN1 >>>> >>>> I noticed some odd behavior and suspect it is a reflection of an issue >>>> I have not set properly in my configuration: >>>> The first time I started my 2.0 instance with my Initial Admin Identity >>>> defined as shown, the UI in my browser actually presented me with a list >>>> (of one) Personal cert to select from - the cert for admin2. I was in a >>>> happy place: *finally*, nifi and the browser appeared to be in synch for >>>> the Subject name in the cert. >>>> >>>> I selected this cert, but then was crushed by the rejection mentioned >>>> above: >>>> Unable to view the user interface. Contact the system >>>> administrator. >>>> Insufficient Permissions home >>>> >>>> I restarted nifi so I could "tail -f" nifi-app.log. >>>> After restart, I once again tried to hit my NiFi URL. >>>> This time though, the browser failed to present the admin2 cert for >>>> selection. Shouldn't it have still presented that to me in the browser fro >>>> my selection? >>>> Do you have any thoughts why this behavior is occurring? >>>> >>>> Would you say it is it advisable to manually create by hand an >>>> authorizations.xml file should I continue to experience Insufficient >>>> Permissions problems? I recall reading that users.xml and >>>> authorizations.xml - if absent at initial startup - should be created by >>>> nifi from info in authorizers.xml. But this Insufficient Permissions makes >>>> me suspect something is missing from authorizations. >>>> >>>> Jim >>>> >>>> On Wed, Apr 24, 2024 at 5:33 AM Isha Lamboo < >>>> isha.lam...@virtualsciences.nl> wrote: >>>> >>>>> Hi James, >>>>> >>>>> >>>>> >>>>> Have you changed these settings in authorizers.xml since you first >>>>> started NiFi? If so, you may need to delete users.xml and >>>>> authorizations.xml. >>>>> >>>>> A new admin user will not be created if those files already exist. >>>>> >>>>> >>>>> >>>>> Otherwise, the trickiest part is usually that the user DN needs to >>>>> match **exactly** with that specified. Capitals and whitespace >>>>> matter. Since you are getting insufficient permissions instead of unknown >>>>> user, I don’t think that’s your problem here. Still, it may be worth >>>>> checking for a mismatch in the initial admin identity vs initial user >>>>> identity vs certificate. >>>>> >>>>> >>>>> >>>>> Regards, >>>>> >>>>> >>>>> >>>>> Isha >>>>> >>>>> >>>>> >>>>> *Van:* James McMahon <jsmcmah...@gmail.com> >>>>> *Verzonden:* woensdag 24 april 2024 02:14 >>>>> *Aan:* users <users@nifi.apache.org> >>>>> *Onderwerp:* Insufficient permissions on initial start up (NiFi 2.0) >>>>> >>>>> >>>>> >>>>> I am trying to start my new NiFi 2.0 installation. I have a user >>>>> admin2 that has a cert. The nifi server also has a cert. Both are signed >>>>> by >>>>> the same CA. >>>>> >>>>> >>>>> >>>>> At start up in my browser I am denied due to insufficient privileges: >>>>> >>>>> >>>>> >>>>> Unable to view the user interface. Contact the system administrator. >>>>> >>>>> Insufficient Permissions home >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> My authorizors.xml has been configured as follows: >>>>> >>>>> <authorizers> >>>>> <userGroupProvider> >>>>> <identifier>file-user-group-provider</identifier> >>>>> >>>>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> >>>>> <property name="Users >>>>> File">/opt/nifi/config_resources/users.xml</property> >>>>> <property name="Legacy Authorized Users File"></property> >>>>> <property name="Initial User Identity 1">C = US, ST = >>>>> Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>>>> </userGroupProvider> >>>>> <accessPolicyProvider> >>>>> <identifier>file-access-policy-provider</identifier> >>>>> >>>>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> >>>>> <property name="User Group >>>>> Provider">file-user-group-provider</property> >>>>> <property name="Authorizations >>>>> File">/opt/nifi/config_resources/authorizations.xml</property> >>>>> <property name="Initial Admin Identity">C = US, ST = Virginia, >>>>> L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2</property> >>>>> <property name="Legacy Authorized Users File"></property> >>>>> <property name="Node Identity 1"></property> >>>>> </accessPolicyProvider> >>>>> <authorizer> >>>>> <identifier>managed-authorizer</identifier> >>>>> >>>>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> >>>>> <property name="Access Policy >>>>> Provider">file-access-policy-provider</property> >>>>> </authorizer> >>>>> </authorizers> >>>>> >>>>> >>>>> >>>>> I read that at start up, authorizations.xml and users.xml would be >>>>> created by NiFi - those files are not to be hand jammed. >>>>> >>>>> >>>>> >>>>> So how do I actually get in with my admin2 user? >>>>> >>>>> What have I overlooked on this magical mystery tour? >>>>> >>>>> >>>>> >>>>> >>>>> >>>>
