Hi Pierre,

Thank you again for your continued help. I have implemented your last 
suggestion regarding the 'Initial Admin Identity' in my `authorizers.xml` file.

The application now starts without the previous error. However, a new error is 
appearing on the login page.

I am getting an "Invalid username and password" error when trying to log in 
with "admin-user". The `nifi-user.log` shows `Password verification failed`.

I have reviewed my `login-identity-providers.xml` file and found a possible 
mismatch. The user was defined by a UUID, while my `authorizers.xml` file uses 
"admin-user".

I have updated the `login-identity-providers.xml` file to use `admin-user` and 
also added a test password.

Here is the content of my `login-identity-providers.xml` file for your review:

---
login-identity-providers.xml
---

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
--><!--
    This file lists the login identity providers to use when running securely. In order
    to use a specific provider it must be configured here and its identifier
    must be specified in the nifi.properties file.
--><loginIdentityProviders>
    <!--
        Single User Login Identity Provider supporting automated generation of Username and Password

        The provider will write the following log messages when 'Username' and 'Password' are empty:

        Generated Username [USERNAME]
        Generated Password [PASSWORD]

        The 'Username' will be a random UUID and the 'Password' will be stored using bcrypt hashing
    -->
    <provider>
        <identifier>single-user-provider</identifier>
        <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
        <property name="User">admin-user</property>
        <property name="Initial User Password">NiFi_P@ssw0rd!123</property>
    </provider>
    <!--
        Identity Provider for users logging in with username/password against an LDAP server.

        'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
            values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.

        'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
        'Manager Password' - The password of the manager that is used to bind to the LDAP server to
            search for users.

        'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
            using LDAPS or START_TLS.
        'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
            LDAPS or START_TLS such as PKCS12.
        'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
        'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
            LDAP using LDAPS or START_TLS.
        'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
            LDAPS or START_TLS such as PKCS12.
        'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
            Possible values are REQUIRED, WANT, NONE.
        'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
            TLSv1.1, TLSv1.2, etc).
        'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
            before the target context is closed. Defaults to false.

        'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
        'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
        'Read Timeout' - Duration of read timeout. (i.e. 10 secs).

        'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
        'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
        'User Search Filter' - Filter for searching for users against the 'User Search Base'.
            (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.

        'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
            The default functionality if this property is missing is USE_DN in order to retain
            backward compatibility. USE_DN will use the full DN of the user entry if possible.
            USE_USERNAME will use the username the user logged in with.
        'Authentication Expiration' - The duration of how long the user authentication is valid
            for. If the user never logs out, they will be required to log back in following
            this duration.
    -->
    <!-- To enable the ldap-provider remove 2 lines. This is 1 of 2.
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">START_TLS</property>

        <property name="Manager DN"></property>
        <property name="Manager Password"></property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url"></property>
        <property name="User Search Base"></property>
        <property name="User Search Filter"></property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
    To enable the ldap-provider remove 2 lines. This is 2 of 2. -->

    <!--
        Identity Provider for users logging in with username/password against a Kerberos KDC server.

        'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
        'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
    -->
    <!-- To enable the kerberos-provider remove 2 lines. This is 1 of 2.
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
    To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</loginIdentityProviders>
---

Do you have any further suggestions on what might be causing the login to fail, 
even with this change?

Thank you for your time.

Best Regards,

Dana


________________________________
From: Pierre Villard <pierre.villard...@gmail.com>
Sent: Saturday, August 2, 2025 5:29 PM
To: ariad...@agsconsultingservice.com <ariad...@agsconsultingservice.com>
Cc: users@nifi.apache.org <users@nifi.apache.org>
Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must have no 
character or element information item

The identifier is something that is purely internal to NiFi. In your
configuration files you'd reference the admin user by its identity,
not its identifier. So you'd need:

<property name="Initial Admin Identity">admin-user</property>

In your authorizers.xml file, where appropriate.

Please note that a successful configuration also depends on how you
have configured login-identity-providers.xml.

At a high level, your login identity provider would persist users and
groups in your users.xml file that would be used by your authorizers
and then applied against to define your policies.

On Sat, Aug 2, 2025 at 02:47, ariad...@agsconsultingservice.com
<ariad...@agsconsultingservice.com> wrote:
>
> Hi Pierre,
>
> Thank you again for your continued help.
>
> I have performed a final check on all of my configuration files, and I am 
> still seeing the same error.
>
> Here is what I have confirmed:
>
> 1. The UUIDs in my `authorizers.xml` and `users.xml` files are an exact, 
> character-for-character match.
>
> 2. The `nifi.properties` file correctly references `managed-authorizer`.
>
> 3. I have checked for a different NiFi installation and confirmed I am 
> running the correct one.
>
> Given that all configuration files are correct, I am still at a loss as to 
> what is causing the `Unable to locate initial admin` error.
>
> Below are the `authorizers.xml` and `users.xml` files for your review.
>
> authorizers.xml
> ---------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">b64b7120-1d20-4b10-9cd8-f53a0502167b</property>
>     </accessPolicyProvider>
>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Initial Admin Identity">b64b7120-1d20-4b10-9cd8-f53a0502167b</property>
>     </authorizer>
> </authorizers>
> ----
>
> users.xml
> ---
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>     <groups/>
>     <users>
>         <user identifier="b64b7120-1d20-4b10-9cd8-f53a0502167b" identity="admin-user" />
>     </users>
> </tenants>
> ---
>
> Do you have any other suggestions, or could this be an issue with my local 
> environment?
>
> Thank you for your time.
>
> Best Regards,
>
> Dana
>
>
>
> ________________________________
> From: Pierre Villard <pierre.villard...@gmail.com>
> Sent: Friday, August 1, 2025 11:05 PM
> To: ariad...@agsconsultingservice.com <ariad...@agsconsultingservice.com>
> Cc: users@nifi.apache.org <users@nifi.apache.org>
> Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must have 
> no character or element information item
>
> This is now an entirely different issue:
>
> Caused by: 
> org.apache.nifi.authorization.exception.AuthorizerCreationException:
> Unable to locate initial admin b64b7120-1d20-4b10-9cd8-f53a0502167b to
> seed policies
>
> This error is usually because there is a mismatch on how you
> configured your initial admin in authorizers.xml and how your
> corresponding user is specified in users.xml.
>
> On Fri, Aug 1, 2025 at 17:39, ariad...@agsconsultingservice.com
> <ariad...@agsconsultingservice.com> wrote:
> >
> > Hi Pierre,
> >
> > Thank you again for your quick response and for providing the correct 
> > format for users.xml.
> >
> > I have applied the fix you provided. However, I am still getting an error 
> > after several more troubleshooting steps.
> >
> > Here is what I have done since my last email:
> >
> > 1.  I have updated the users.xml file to the exact attribute-based format 
> > you provided.
> > 2.  I have deleted the authorizations.xml file and the entire work 
> > directory.
> > 3.  I have restarted NiFi, forcing it to rebuild all its files from scratch.
> >
> > Despite all these steps, I am still getting the same error.
> >
> > The log shows the following:
> >
> > ---
> > 2025-08-01 22:25:58,193 ERROR [main] o.s.web.context.ContextLoader Context 
> > initialization failed
> > org.springframework.beans.factory.UnsatisfiedDependencyException: ...
> > Caused by: org.springframework.beans.factory.BeanCreationException: Error 
> > creating bean with name 'authorizer': FactoryBean threw exception on object 
> > creation
> > ...
> > Caused by: 
> > org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable 
> > to locate initial admin b64b7120-1d20-4b10-9cd8-f53a0502167b to seed 
> > policies
> > ...
> > ---
> >
> > Given that the users.xml file is now in the correct format, I am very 
> > confused as to why the error persists. It seems the issue might be beyond a 
> > simple configuration file problem.
> >
> > Do you have any further suggestions, perhaps related to a system-level or 
> > environment-specific issue?
> >
> > Thank you for your time and continued assistance.
> >
> > Best Regards,
> >
> > Dana
> >
> >
> > ________________________________
> > From: Pierre Villard <pierre.villard...@gmail.com>
> > Sent: Friday, August 1, 2025 9:12 PM
> > To: ariad...@agsconsultingservice.com <ariad...@agsconsultingservice.com>
> > Cc: users@nifi.apache.org <users@nifi.apache.org>
> > Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must 
> > have no character or element information item
> >
> > You should define the users as below:
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <tenants>
> >     <groups/>
> >     <users>
> >         <user identifier="b64b7120-1d20-4b10-9cd8-f53a0502167b" identity="admin-user" />
> >         ...
> >     </users>
> > </tenants>
> >
> > Hope this helps,
> > Pierre
> >
> > On Fri, Aug 1, 2025 at 16:05, ariad...@agsconsultingservice.com
> > <ariad...@agsconsultingservice.com> wrote:
> > >
> > > Hi Pierre,
> > >
> > > Thank you for the quick reply.
> > >
> > > Here is the content of my users.xml file, as requested.
> > >
> > > ---
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <tenants>
> > >     <groups/>
> > >     <users>
> > >         <user>
> > >             <identifier>b64b7120-1d20-4b10-9cd8-f53a0502167b</identifier>
> > >             <identity>admin-user</identity>
> > >         </user>
> > >     </users>
> > > </tenants>
> > > ---
> > >
> > > I appreciate your help in looking into this.
> > >
> > > Thank you.
> > >
> > > Best Regards,
> > >
> > > Dana
> > >
> > > ________________________________
> > > From: Pierre Villard <pierre.villard...@gmail.com>
> > > Sent: Friday, August 1, 2025 5:59 PM
> > > To: users@nifi.apache.org <users@nifi.apache.org>
> > > Subject: Re: [NIFI-2.5.0] Persistent startup error: Element 'user' must 
> > > have no character or element information item
> > >
> > > Hi Dana,
> > >
> > > Can you share the (redacted if needed) content of users.xml file?
> > >
> > > Thanks,
> > > Pierre
> > >
> > > On Fri, Aug 1, 2025 at 12:39, ariad...@agsconsultingservice.com
> > > <ariad...@agsconsultingservice.com> wrote:
> > > >
> > > > Hello everyone,
> > > >
> > > > I'm trying to set up a new instance of Apache NiFi 2.5.0 with security 
> > > > enabled for a new project.
> > > >
> > > > I have been running into a persistent startup error and am looking for 
> > > > some guidance.
> > > >
> > > > Environment Details
> > > >
> > > > NiFi Version: 2.5.0
> > > > Java : openjdk version "21.0.7"
> > > > OS : Windows 10 Home
> > > >
> > > > The Problem Description
> > > >
> > > > The application fails to start with the following error:
> > > > 2025-08-01 16:53:11,024 ERROR [main] o.s.web.context.ContextLoader 
> > > > Context initialization failed 
> > > > org.springframework.beans.factory.UnsatisfiedDependencyException: ... 
> > > > Caused by: org.springframework.beans.factory.BeanCreationException: 
> > > > Error creating bean with name 'authorizer': FactoryBean threw exception 
> > > > on object creation ... Caused by: 
> > > > org.apache.nifi.authorization.exception.AuthorizerCreationException: 
> > > > jakarta.xml.bind.UnmarshalException - with linked exception: 
> > > > [org.xml.sax.SAXParseException; systemId: 
> > > > file:/C:/nifi-2.5.0-bin/nifi-2.5.0/./conf/users.xml; lineNumber: 8; 
> > > > columnNumber: 16; cvc-complex-type.2.1: Element 'user' must have no 
> > > > character or element information item [children], because the type's 
> > > > content type is empty.] ...
> > > >
> > > > Based on standard troubleshooting, here is a list of the steps I have 
> > > > already taken:
> > > >
> > > > 1. Configured security files (authorizers.xml, users.xml) and verified 
> > > > the configuration multiple times.
> > > >
> > > > 2. Confirmed the 'Initial Admin Identity' is correctly set in both the 
> > > > access policy provider and the managed authorizer blocks.
> > > >
> > > > 3. Ensured the 'User Group Provider' property is correctly defined in 
> > > > all relevant sections of authorizers.xml.
> > > >
> > > > 4. Corrected the 'nifi.security.user.authorizer' property in 
> > > > nifi.properties to point to 'managed-authorizer'.
> > > >
> > > > 5. Confirmed the users.xml file has the correct structure (groups 
> > > > before users, valid tags, etc.) and contains the admin user definition.
> > > >
> > > > 6. Recreated users.xml from scratch using a clean text editor and from 
> > > > the command line to rule out hidden character or formatting issues.
> > > >
> > > > 7. Performed a complete and clean reinstallation of NiFi 2.5.0, 
> > > > deleting all old files and re-applying the configuration.
> > > >
> > > > 8. Confirmed that the user running NiFi has Full Control permissions 
> > > > over the NiFi installation directory.
> > > >
> > > > Despite all these steps, the error persists.
> > > >
> > > > This is an unusual issue, and I'm at a loss for what to try next. Could 
> > > > someone please provide some guidance on what might be causing this 
> > > > error, or if there's something I've missed?
> > > >
> > > > Thank you for your time and expertise.
> > > >
> > > > Best Regards,
> > > >
> > > > Dana
