Posted to users@nifi.apache.org by Nicolas Delsaux <ni...@gmx.fr> on 2019/07/19 09:21:40 UTC

Continuing my LDAP auth adventures

Hi all

Now that I know how to connect to my LDAP directory, I have a strange error:


nifi-runner_1  |
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider'
parameter 0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'jwtAuthenticationProvider' defined in class path
resource [nifi-web-security-context.xml]: Cannot resolve reference to
bean 'authorizer' while setting constructor argument; nested exception
is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'authorizer': FactoryBean threw exception on
object creation; nested exception is java.lang.Exception: The specified
authorizer 'ldap-user-group-provider' could not be found.

[... let me just skip the uninteresting Spring stack ...]

nifi-runner_1  | Caused by:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'authorizer': FactoryBean threw exception on object
creation; nested exception is java.lang.Exception: The specified
authorizer 'ldap-user-group-provider' could not be found.
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
nifi-runner_1  |        at
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
nifi-runner_1  |        ... 96 common frames omitted
nifi-runner_1  | Caused by: java.lang.Exception: The specified
authorizer 'ldap-user-group-provider' could not be found.
nifi-runner_1  |        at
org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)

From what I understand, it seems like the AuthorizerFactoryBean tries
to read my user group provider from the authorizers.xml file.


I have such a user group provider, which is an LDAP one:

<authorizers>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">a_dn</property>
<property name="Manager Password">a_password</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
<property name="TLS - Truststore Password">another</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://myserver.mycompany.com:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">ou=people,o=mycompany.com</property>
<property name="User Object Class">privPerson</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute">This attribute doesn't exist
to make sure no grouping is done</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base"></property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

So why can't it be loaded?

Because I don't see any other exception (typically, I would expect a
search failure exception, but it seems to work).


Re: Continuing my LDAP auth adventures

Posted by Edward Armes <ed...@gmail.com>.
So when you use the LDAP provider the initial admin identity still needs to
be set. However, as you're using the LDAP plugin, it does need to be the full
DN of the user who is going to connect to the cluster the first time to set up
all the user permissions for all the other users.

This site gives a good example and a breakdown of how to specify a unique
user by attributes with a DN:
http://www.zytrax.com/books/ldap/apa/dn-rdn.html

Edward

On Fri, Jul 19, 2019 at 2:59 PM Nicolas Delsaux <ni...@gmx.fr>
wrote:

> And indeed, it changed the error
>
>
> nifi-runner_1  | Caused by:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'authorizer': FactoryBean threw exception on object
> creation; nested exception is
> org.apache.nifi.authorization.exception.AuthorizerCreationException:
> org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
> to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
> nifi-runner_1  |        ... 96 common frames omitted
> nifi-runner_1  | Caused by:
> org.apache.nifi.authorization.exception.AuthorizerCreationException:
> org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
> to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at
> org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:263)
> nifi-runner_1  |        at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> nifi-runner_1  |        at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> nifi-runner_1  |        at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> nifi-runner_1  |        at java.lang.reflect.Method.invoke(Method.java:498)
> nifi-runner_1  |        at
> org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
> nifi-runner_1  |        at com.sun.proxy.$Proxy78.onConfigured(Unknown
> Source)
> nifi-runner_1  |        at
> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:153)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
> nifi-runner_1  |        ... 101 common frames omitted
> nifi-runner_1  | Caused by:
> org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
> to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at
> org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:598)
> nifi-runner_1  |        at
> org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:541)
> nifi-runner_1  |        at
> org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
> nifi-runner_1  |        ... 109 common frames omitted
>
> which seems to indicate that on startup, the FileAccessPolicyProvider will
> try to get information for the manager dn in the file (which, as far as
> I understand, is not yet loaded).
>
> So there must be some weird back-and-forth dance between the ldap user
> group provider and the file policy provider ... But I don't understand the
> dance in question.
> On 19/07/2019 at 15:38, Edward Armes wrote:
>
> Hi Nicolas,
>
> In your actual configuration, is this the actual entry and not a sanitized
> version?
>
> <property name="User Group Name Attribute">This attribute doesn't exist
> to make sure no grouping is done</property>
>
> If so I think this is the problem. What I think is happening is that NiFi is
> trying to interpret this value as a DN and failing. If you only need the
> users returned from the LDAP search to be the list of valid users then this
> field can just be left blank; if however you need the list of valid (not
> necessarily authorized) users to be filtered to members of a specific
> LDAP group then you can specify the DN for that group here.
>
> I would change it to:
>
> <property name="User Group Name Attribute"></property>
>
> and see if that works
>
> Edward
>
> On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux <ni...@gmx.fr>
> wrote:
>
>> Here is the full version (with obvious replacements for manager dn,
>> manager password, ldap server url, and other "sensitive" information):
>>
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!--
>> Licensed to the Apache Software Foundation (ASF) under one or more
>> contributor license agreements. See the NOTICE file distributed with
>> this work for additional information regarding copyright ownership.
>> The ASF licenses this file to You under the Apache License, Version 2.0
>> (the "License"); you may not use this file except in compliance with
>> the License. You may obtain a copy of the License at
>> http://www.apache.org/licenses/LICENSE-2.0
>> Unless required by applicable law or agreed to in writing, software
>> distributed under the License is distributed on an "AS IS" BASIS,
>> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> See the License for the specific language governing permissions and
>> limitations under the License.
>> -->
>> <!--
>> This file lists the userGroupProviders, accessPolicyProviders, and
>> authorizers to use when running securely. In order
>> to use a specific authorizer it must be configured here and it's
>> identifier must be specified in the nifi.properties file.
>> If the authorizer is a managedAuthorizer, it may need to be configured
>> with an accessPolicyProvider and an userGroupProvider.
>> This file allows for configuration of them, but they must be configured
>> in order:
>> ...
>> all userGroupProviders
>> all accessPolicyProviders
>> all Authorizers
>> ...
>> -->
>> <authorizers>
>> <!--
>> The FileUserGroupProvider will provide support for managing users and
>> groups which is backed by a file
>> on the local file system.
>> - Users File - The file where the FileUserGroupProvider will store users
>> and groups.
>> - Legacy Authorized Users File - The full path to an existing
>> authorized-users.xml that will be automatically
>> be used to load the users and groups into the Users File.
>> - Initial User Identity [unique key] - The identity of a users and
>> systems to seed the Users File. The name of
>> each property must be unique, for example: "Initial User Identity A",
>> "Initial User Identity B",
>> "Initial User Identity C" or "Initial User Identity 1", "Initial User
>> Identity 2", "Initial User Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the user identities,
>> so the values should be the unmapped identities (i.e. full DN from a
>> certificate).
>> -->
>> <!--
>> <userGroupProvider>
>> <identifier>file-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>> <property name="Users File">./conf/users.xml</property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Initial User Identity 1"></property>
>> </userGroupProvider>
>> -->
>> <!--
>> The LdapUserGroupProvider will retrieve users and groups from an LDAP
>> server. The users and groups
>> are not configurable.
>> 'Authentication Strategy' - How the connection to the LDAP server is
>> authenticated. Possible
>> values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>> 'Manager DN' - The DN of the manager that is used to bind to the LDAP
>> server to search for users.
>> 'Manager Password' - The password of the manager that is used to bind to
>> the LDAP server to
>> search for users.
>> 'TLS - Keystore' - Path to the Keystore that is used when connecting to
>> LDAP using LDAPS or START_TLS.
>> 'TLS - Keystore Password' - Password for the Keystore that is used when
>> connecting to LDAP
>> using LDAPS or START_TLS.
>> 'TLS - Keystore Type' - Type of the Keystore that is used when connecting
>> to LDAP using
>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>> 'TLS - Truststore' - Path to the Truststore that is used when connecting
>> to LDAP using LDAPS or START_TLS.
>> 'TLS - Truststore Password' - Password for the Truststore that is used
>> when connecting to
>> LDAP using LDAPS or START_TLS.
>> 'TLS - Truststore Type' - Type of the Truststore that is used when
>> connecting to LDAP using
>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>> 'TLS - Client Auth' - Client authentication policy when connecting to
>> LDAP using LDAPS or START_TLS.
>> Possible values are REQUIRED, WANT, NONE.
>> 'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or
>> START_TLS. (i.e. TLS,
>> TLSv1.1, TLSv1.2, etc).
>> 'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut
>> down gracefully
>> before the target context is closed. Defaults to false.
>> 'Referral Strategy' - Strategy for handling referrals. Possible values
>> are FOLLOW, IGNORE, THROW.
>> 'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>> 'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>> 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://
>> <hostname>:<port>).
>> 'Page Size' - Sets the page size when retrieving users and groups. If not
>> specified, no paging is performed.
>> 'Sync Interval' - Duration of time between syncing users and groups (i.e.
>> 30 mins). Minimum allowable value is 10 secs.
>> 'User Search Base' - Base DN for searching for users (i.e.
>> ou=users,o=nifi). Required to search users.
>> 'User Object Class' - Object class for identifying users (i.e. person).
>> Required if searching users.
>> 'User Search Scope' - Search scope for searching users (ONE_LEVEL,
>> OBJECT, or SUBTREE). Required if searching users.
>> 'User Search Filter' - Filter for searching for users against the 'User
>> Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
>> 'User Identity Attribute' - Attribute to use to extract user identity
>> (i.e. cn). Optional. If not set, the entire DN is used.
>> 'User Group Name Attribute' - Attribute to use to define group membership
>> (i.e. memberof). Optional. If not set
>> group membership will not be calculated through the users. Will rely on
>> group membership being defined
>> through 'Group Member Attribute' if set. The value of this property is
>> the name of the attribute in the user ldap entry that
>> associates them with a group. The value of that user attribute could be a
>> dn or group name for instance. What value is expected
>> is configured in the 'User Group Name Attribute - Referenced Group
>> Attribute'.
>> 'User Group Name Attribute - Referenced Group Attribute' - If blank, the
>> value of the attribute defined in 'User Group Name Attribute'
>> is expected to be the full dn of the group. If not blank, this property
>> will define the attribute of the group ldap entry that
>> the value of the attribute defined in 'User Group Name Attribute' is
>> referencing (i.e. name). Use of this property requires that
>> 'Group Search Base' is also configured.
>> 'Group Search Base' - Base DN for searching for groups (i.e.
>> ou=groups,o=nifi). Required to search groups.
>> 'Group Object Class' - Object class for identifying groups (i.e.
>> groupOfNames). Required if searching groups.
>> 'Group Search Scope' - Search scope for searching groups (ONE_LEVEL,
>> OBJECT, or SUBTREE). Required if searching groups.
>> 'Group Search Filter' - Filter for searching for groups against the
>> 'Group Search Base'. Optional.
>> 'Group Name Attribute' - Attribute to use to extract group name (i.e.
>> cn). Optional. If not set, the entire DN is used.
>> 'Group Member Attribute' - Attribute to use to define group membership
>> (i.e. member). Optional. If not set
>> group membership will not be calculated through the groups. Will rely on
>> group membership being defined
>> through 'User Group Name Attribute' if set. The value of this property is
>> the name of the attribute in the group ldap entry that
>> associates them with a user. The value of that group attribute could be a
>> dn or memberUid for instance. What value is expected
>> is configured in the 'Group Member Attribute - Referenced User
>> Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>> 'Group Member Attribute - Referenced User Attribute' - If blank, the
>> value of the attribute defined in 'Group Member Attribute'
>> is expected to be the full dn of the user. If not blank, this property
>> will define the attribute of the user ldap entry that
>> the value of the attribute defined in 'Group Member Attribute' is
>> referencing (i.e. uid). Use of this property requires that
>> 'User Search Base' is also configured. (i.e. member: cn=User
>> 1,ou=users,o=nifi vs. memberUid: user1)
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the user identities.
>> Group names are not mapped.
>> -->
>> <userGroupProvider>
>> <identifier>ldap-user-group-provider</identifier>
>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>> <property name="Authentication Strategy">LDAPS</property>
>> <property name="Manager DN">a_dn</property>
>> <property name="Manager Password">a_password</property>
>> <property name="TLS - Keystore"></property>
>> <property name="TLS - Keystore Password"></property>
>> <property name="TLS - Keystore Type"></property>
>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>> <property name="TLS - Truststore Password">changeit</property>
>> <property name="TLS - Truststore Type">JKS</property>
>> <property name="TLS - Client Auth"></property>
>> <property name="TLS - Protocol">TLSv1</property>
>> <property name="TLS - Shutdown Gracefully"></property>
>> <property name="Referral Strategy">FOLLOW</property>
>> <property name="Connect Timeout">10 secs</property>
>> <property name="Read Timeout">10 secs</property>
>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>> <property name="Page Size"></property>
>> <property name="Sync Interval">30 mins</property>
>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>> <property name="User Object Class">privPerson</property>
>> <property name="User Search Scope">SUBTREE</property>
>> <property name="User Search Filter"></property>
>> <property name="User Identity Attribute">uid</property>
>> <property name="User Group Name Attribute">This attribute doesn't exist
>> to make sure no grouping is done</property>
>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>> <property name="Group Search Base"></property>
>> <property name="Group Object Class">group</property>
>> <property name="Group Search Scope">ONE_LEVEL</property>
>> <property name="Group Search Filter"></property>
>> <property name="Group Name Attribute"></property>
>> <property name="Group Member Attribute"></property>
>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>> </userGroupProvider>
>> <!--
>> The CompositeUserGroupProvider will provide support for retrieving users
>> and groups from multiple sources.
>> - User Group Provider [unique key] - The identifier of user group
>> providers to load from. The name of
>> each property must be unique, for example: "User Group Provider A", "User
>> Group Provider B",
>> "User Group Provider C" or "User Group Provider 1", "User Group Provider
>> 2", "User Group Provider 3"
>> NOTE: Any identity mapping rules specified in nifi.properties are not
>> applied in this implementation. This behavior
>> would need to be applied by the base implementation.
>> -->
>> <!-- To enable the composite-user-group-provider remove 2 lines. This is
>> 1 of 2.
>> <userGroupProvider>
>> <identifier>composite-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>> <property name="User Group Provider 1"></property>
>> </userGroupProvider>
>> To enable the composite-user-group-provider remove 2 lines. This is 2 of
>> 2. -->
>> <!--
>> The CompositeConfigurableUserGroupProvider will provide support for
>> retrieving users and groups from multiple sources.
>> Additionally, a single configurable user group provider is required.
>> Users from the configurable user group provider
>> are configurable, however users loaded from one of the User Group
>> Provider [unique key] will not be.
>> - Configurable User Group Provider - A configurable user group provider.
>> - User Group Provider [unique key] - The identifier of user group
>> providers to load from. The name of
>> each property must be unique, for example: "User Group Provider A", "User
>> Group Provider B",
>> "User Group Provider C" or "User Group Provider 1", "User Group Provider
>> 2", "User Group Provider 3"
>> NOTE: Any identity mapping rules specified in nifi.properties are not
>> applied in this implementation. This behavior
>> would need to be applied by the base implementation.
>> -->
>> <!-- To enable the composite-configurable-user-group-provider remove 2
>> lines. This is 1 of 2.
>> <userGroupProvider>
>> <identifier>composite-configurable-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>> <property name="Configurable User Group Provider">file-user-group-provider</property>
>> <property name="User Group Provider 1"></property>
>> </userGroupProvider>
>> To enable the composite-configurable-user-group-provider remove 2 lines.
>> This is 2 of 2. -->
>> <!--
>> The FileAccessPolicyProvider will provide support for managing access
>> policies which is backed by a file
>> on the local file system.
>> - User Group Provider - The identifier for an User Group Provider defined
>> above that will be used to access
>> users and groups for use in the managed access policies.
>> - Authorizations File - The file where the FileAccessPolicyProvider will
>> store policies.
>> - Initial Admin Identity - The identity of an initial admin user that
>> will be granted access to the UI and
>> given the ability to create additional users, groups, and policies. The
>> value of this property could be
>> a DN when using certificates or LDAP, or a Kerberos principal. This
>> property will only be used when there
>> are no other policies defined. If this property is specified then a
>> Legacy Authorized Users File can not be specified.
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the initial admin identity,
>> so the value should be the unmapped identity. This identity must be found
>> in the configured User Group Provider.
>> - Legacy Authorized Users File - The full path to an existing
>> authorized-users.xml that will be automatically
>> converted to the new authorizations model. If this property is specified
>> then an Initial Admin Identity can
>> not be specified, and this property will only be used when there are no
>> other users, groups, and policies defined.
>> NOTE: Any users in the legacy users file must be found in the configured
>> User Group Provider.
>> - Node Identity [unique key] - The identity of a NiFi cluster node. When
>> clustered, a property for each node
>> should be defined, so that every node knows about every other node. If
>> not clustered these properties can be ignored.
>> The name of each property must be unique, for example for a three node
>> cluster:
>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity
>> 1", "Node Identity 2", "Node Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the node identities,
>> so the values should be the unmapped identities (i.e. full DN from a
>> certificate). This identity must be found
>> in the configured User Group Provider.
>> - Node Group - The name of a group containing NiFi cluster nodes. The
>> typical use for this is when nodes are dynamically
>> added/removed from the cluster.
>> NOTE: The group must exist before starting NiFi.
>> -->
>> <accessPolicyProvider>
>> <identifier>file-access-policy-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> <property name="User Group Provider">ldap-user-group-provider</property>
>> <property name="Authorizations File">./conf/authorizations.xml</property>
>> <property name="Initial Admin Identity"></property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> <property name="Node Group"></property>
>> </accessPolicyProvider>
>> <!--
>> The StandardManagedAuthorizer. This authorizer implementation must be
>> configured with the
>> Access Policy Provider which it will use to access and manage users,
>> groups, and policies.
>> These users, groups, and policies will be used to make all access
>> decisions during authorization
>> requests.
>> - Access Policy Provider - The identifier for an Access Policy Provider
>> defined above.
>> -->
>> <authorizer>
>> <identifier>managed-authorizer</identifier>
>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>> <property name="Access Policy Provider">file-access-policy-provider</property>
>> </authorizer>
>> <!--
>> NOTE: This Authorizer has been replaced with the more granular approach
>> configured above with the Standard
>> Managed Authorizer. However, it is still available for backwards
>> compatibility reasons.
>> The FileAuthorizer is NiFi's provided authorizer and has the following
>> properties:
>> - Authorizations File - The file where the FileAuthorizer will store
>> policies.
>> - Users File - The file where the FileAuthorizer will store users and
>> groups.
>> - Initial Admin Identity - The identity of an initial admin user that
>> will be granted access to the UI and
>> given the ability to create additional users, groups, and policies. The
>> value of this property could be
>> a DN when using certificates or LDAP, or a Kerberos principal. This
>> property will only be used when there
>> are no other users, groups, and policies defined. If this property is
>> specified then a Legacy Authorized
>> Users File can not be specified.
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the initial admin identity,
>> so the value should be the unmapped identity.
>> - Legacy Authorized Users File - The full path to an existing
>> authorized-users.xml that will be automatically
>> converted to the new authorizations model. If this property is specified
>> then an Initial Admin Identity can
>> not be specified, and this property will only be used when there are no
>> other users, groups, and policies defined.
>> - Node Identity [unique key] - The identity of a NiFi cluster node. When
>> clustered, a property for each node
>> should be defined, so that every node knows about every other node. If
>> not clustered these properties can be ignored.
>> The name of each property must be unique, for example for a three node
>> cluster:
>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity
>> 1", "Node Identity 2", "Node Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also
>> be applied to the node identities,
>> so the values should be the unmapped identities (i.e. full DN from a
>> certificate).
>> -->
>> <!-- <authorizer>
>> <identifier>file-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>> <property name="Authorizations File">./conf/authorizations.xml</property>
>> <property name="Users File">./conf/users.xml</property>
>> <property name="Initial Admin Identity"></property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> </authorizer>
>> -->
>> </authorizers>
>> On 19/07/2019 at 12:03, Pierre Villard wrote:
>>
>> Hi Nicolas,
>>
>> Could you share the full content of your authorizers.xml file? Sometimes
>> it's just a matter of references not being in the right "order".
>>
>> On Fri, 19 Jul 2019 at 11:59, Edward Armes <ed...@gmail.com>
>> wrote:
>>
>>> I wasn't able to find any single good way; I don't know if switching the
>>> logs down to debug or trace might give you a bit more info though. In the
>>> end I just went through and worked it out by hand using a combination of
>>> manual checking against an alternative tool (i.e. an LDAP browser), file
>>> format checkers, or just commenting things out by hand.
>>>
>>> I did sometimes find that whitespace characters (newlines etc.) can
>>> occasionally cause a problem with the Spring loading.
>>>
>>> Edward
>>>
>>> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr>
>>> wrote:
>>>
>>>> Is there any way to get a better error ?
>>>> On 19/07/2019 at 11:36, Edward Armes wrote:
>>>>
>>>> Hi Nicolas,
>>>>
>>>> This one is a bit of a Spring special. The actual cause here is that
>>>> the Spring Bean that is being created from this file has silently failed,
>>>> and thus the auto-wiring has failed as well. The result is you get this
>>>> lovely misleading error. The normal reason for the bean not being created I
>>>> found was because I made a typo in the configuration file(s).
>>>>
>>>> Edward
>>>>
>>>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <
>>>> nicolas.delsaux@gmx.fr> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> Now that I know how to connect to my LDAP directory, I have a strange
>>>>> error:
>>>>>
>>>>>
>>>>> nifi-runner_1  |
>>>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>>>> creating bean with name
>>>>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>>>> Unsatisfied dependency expressed through method
>>>>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>>>>> org.springframework.beans.factory.BeanExpressionException: Expression
>>>>> parsing failed; nested exception is
>>>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>>>> creating bean with name
>>>>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>>>>> dependency expressed through method 'setJwtAuthenticationProvider'
>>>>> parameter 0; nested exception is
>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>>>>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>>>>> 'authorizer' while setting constructor argument; nested exception is
>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>> bean with name 'authorizer': FactoryBean threw exception on object
>>>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>>>> 'ldap-user-group-provider' could not be found.
>>>>>
>>>>> [... let me just skip the uninteresting Spring stack ...]
>>>>>
>>>>> nifi-runner_1  | Caused by:
>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>> bean with name 'authorizer': FactoryBean threw exception on object
>>>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>>>> 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>> nifi-runner_1  |        ... 96 common frames omitted
>>>>> nifi-runner_1  | Caused by: java.lang.Exception: The specified
>>>>> authorizer 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1  |        at
>>>>> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>>> nifi-runner_1  |        at
>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>>
>>>>> From what I understand, it seems like the AuthorizerFactoryBean tries
>>>>> to read my user-group-provider from the authorizers.xml file.
>>>>>
>>>>>
>>>>> I have such a user group provider, which is an LDAP one:
>>>>> <authorizers>
>>>>> <userGroupProvider>
>>>>> <identifier>ldap-user-group-provider</identifier>
>>>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>>> <property name="Authentication Strategy">LDAPS</property>
>>>>> <property name="Manager DN">a_dn</property>
>>>>> <property name="Manager Password">a_password</property>
>>>>> <property name="TLS - Keystore"></property>
>>>>> <property name="TLS - Keystore Password"></property>
>>>>> <property name="TLS - Keystore Type"></property>
>>>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>>> <property name="TLS - Truststore Password">another</property>
>>>>> <property name="TLS - Truststore Type">JKS</property>
>>>>> <property name="TLS - Client Auth"></property>
>>>>> <property name="TLS - Protocol">TLSv1</property>
>>>>> <property name="TLS - Shutdown Gracefully"></property>
>>>>> <property name="Referral Strategy">FOLLOW</property>
>>>>> <property name="Connect Timeout">10 secs</property>
>>>>> <property name="Read Timeout">10 secs</property>
>>>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>>> <property name="Page Size"></property>
>>>>> <property name="Sync Interval">30 mins</property>
>>>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>>> <property name="User Object Class">privPerson</property>
>>>>> <property name="User Search Scope">SUBTREE</property>
>>>>> <property name="User Search Filter"></property>
>>>>> <property name="User Identity Attribute">uid</property>
>>>>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>>> <property name="Group Search Base"></property>
>>>>> <property name="Group Object Class">group</property>
>>>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>>>> <property name="Group Search Filter"></property>
>>>>> <property name="Group Name Attribute"></property>
>>>>> <property name="Group Member Attribute"></property>
>>>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>>> </userGroupProvider>
>>>>>
>>>>> So why can't it be loaded?
>>>>>
>>>>> Because I don't see any other exception (typically, I would expect a
>>>>> search failure exception, but it seems to work).
>>>>>
>>>>

Re: Continuing my LDAP auth adventures

Posted by Nicolas Delsaux <ni...@gmx.fr>.
Oh god


nifi-runner_1  | Caused by: 
org.springframework.ldap.UncategorizedLdapException: Uncategorized 
exception occured during LDAP processing; nested exception is 
javax.naming.NamingException: LDAP response read timed out, timeout 
used:10000ms.
nifi-runner_1  |        at 
org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:228)
nifi-runner_1  |        at 
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:397)
nifi-runner_1  |        at 
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:328)
nifi-runner_1  |        at 
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:629)
nifi-runner_1  |        at 
org.apache.nifi.ldap.tenants.LdapUserGroupProvider.load(LdapUserGroupProvider.java:493)
nifi-runner_1  |        at 
org.apache.nifi.ldap.tenants.LdapUserGroupProvider.onConfigured(LdapUserGroupProvider.java:387)
nifi-runner_1  |        at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
nifi-runner_1  |        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
nifi-runner_1  |        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
nifi-runner_1  |        at java.lang.reflect.Method.invoke(Method.java:498)
nifi-runner_1  |        at 
org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
nifi-runner_1  |        at com.sun.proxy.$Proxy75.onConfigured(Unknown 
Source)
nifi-runner_1  |        at 
org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:139)
nifi-runner_1  |        at 
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
nifi-runner_1  |        ... 101 common frames omitted
nifi-runner_1  | Caused by: javax.naming.NamingException: LDAP response 
read timed out, timeout used:10000ms.
nifi-runner_1  |        at 
com.sun.jndi.ldap.Connection.readReply(Connection.java:507)
nifi-runner_1  |        at 
com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:638)
nifi-runner_1  |        at 
com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:606)
nifi-runner_1  |        at 
com.sun.jndi.ldap.LdapCtx.getSearchReply(LdapCtx.java:1918)
nifi-runner_1  |        at 
com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:130)
nifi-runner_1  |        at 
com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
nifi-runner_1  |        at 
com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
nifi-runner_1  |        at 
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:365)
nifi-runner_1  |        ... 113 common frames omitted


Seems like I'm trying to get a little too many users from LDAP :-)

I guess it's time to use group search

On 19/07/2019 at 16:24, Bryan Bende wrote:
> The FileAccessPolicyProvider is making a call to the user group
> provider using the value you entered for initial admin:
>
> final User initialAdmin =
> userGroupProvider.getUserByIdentity(initialAdminIdentity);
>
> It has something to do with the value you entered for the initial
> admin not lining up with the identities being returned from the LDAP
> provider.
>
> If you entered a full DN, but the LDAP provider returns just the short
> name, or vice versa, then it doesn't line up.
>
> On Fri, Jul 19, 2019 at 9:59 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>> And indeed, it changed the error
>>
>>
>> nifi-runner_1  | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>> nifi-runner_1  |        ... 96 common frames omitted
>> nifi-runner_1  | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
>> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:263)
>> nifi-runner_1  |        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> nifi-runner_1  |        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> nifi-runner_1  |        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> nifi-runner_1  |        at java.lang.reflect.Method.invoke(Method.java:498)
>> nifi-runner_1  |        at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
>> nifi-runner_1  |        at com.sun.proxy.$Proxy78.onConfigured(Unknown Source)
>> nifi-runner_1  |        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:153)
>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>> nifi-runner_1  |        ... 101 common frames omitted
>> nifi-runner_1  | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
>> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:598)
>> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:541)
>> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
>> nifi-runner_1  |        ... 109 common frames omitted
>>
>> which seems to indicate that on startup, the FileAccessPolicyProvider will try to get information for the manager DN in the file (which, as far as I understand, is not yet loaded).
>>
>> So there must be some weird back-and-forth dance between the LDAP user group provider and the file policy provider ... But I don't understand the dance in question
>>
>> On 19/07/2019 at 15:38, Edward Armes wrote:
>>
>> Hi Nicolas,
>>
>> In your actual configuration, is this the actual entry and not a sanitized version?
>>
>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>
>> If so, I think this is the problem. What I think is happening is that NiFi is trying to interpret this value as a DN and failing. If you only need the users returned from the LDAP search to be the list of valid users, then this field can just be left blank; if, however, you need the list of valid (not necessarily authorized) users to be filtered to members of a specific LDAP group, then you can specify the DN for that group here.
>>
>> I would change it to:
>>
>> <property name="User Group Name Attribute"></property>
>>
>> and see if that works
>>
>> Edward
>>
>> On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>> Here is the full version (with obvious replacements for manager DN, manager password, LDAP server URL, and other "sensitive" information).
>>>
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <!--
>>> Licensed to the Apache Software Foundation (ASF) under one or more
>>> contributor license agreements. See the NOTICE file distributed with
>>> this work for additional information regarding copyright ownership.
>>> The ASF licenses this file to You under the Apache License, Version 2.0
>>> (the "License"); you may not use this file except in compliance with
>>> the License. You may obtain a copy of the License at
>>> http://www.apache.org/licenses/LICENSE-2.0
>>> Unless required by applicable law or agreed to in writing, software
>>> distributed under the License is distributed on an "AS IS" BASIS,
>>> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>> See the License for the specific language governing permissions and
>>> limitations under the License.
>>> -->
>>> <!--
>>> This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
>>> to use a specific authorizer it must be configured here and it's identifier must be specified in the nifi.properties file.
>>> If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
>>> This file allows for configuration of them, but they must be configured in order:
>>> ...
>>> all userGroupProviders
>>> all accessPolicyProviders
>>> all Authorizers
>>> ...
>>> -->
>>> <authorizers>
>>> <!--
>>> The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
>>> on the local file system.
>>> - Users File - The file where the FileUserGroupProvider will store users and groups.
>>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>> be used to load the users and groups into the Users File.
>>> - Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
>>> each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
>>> "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
>>> so the values should be the unmapped identities (i.e. full DN from a certificate).
>>> -->
>>> <!--
>>> <userGroupProvider>
>>> <identifier>file-user-group-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>> <property name="Users File">./conf/users.xml</property>
>>> <property name="Legacy Authorized Users File"></property>
>>> <property name="Initial User Identity 1"></property>
>>> </userGroupProvider>
>>> -->
>>> <!--
>>> The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
>>> are not configurable.
>>> 'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
>>> values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>>> 'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
>>> 'Manager Password' - The password of the manager that is used to bind to the LDAP server to
>>> search for users.
>>> 'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
>>> 'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
>>> using LDAPS or START_TLS.
>>> 'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
>>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>>> 'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
>>> 'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
>>> LDAP using LDAPS or START_TLS.
>>> 'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
>>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>>> 'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
>>> Possible values are REQUIRED, WANT, NONE.
>>> 'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
>>> TLSv1.1, TLSv1.2, etc).
>>> 'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
>>> before the target context is closed. Defaults to false.
>>> 'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
>>> 'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>>> 'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>>> 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
>>> 'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
>>> 'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
>>> 'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
>>> 'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
>>> 'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
>>> 'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
>>> 'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
>>> 'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
>>> group membership will not be calculated through the users. Will rely on group membership being defined
>>> through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
>>> associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
>>> is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
>>> 'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
>>> is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
>>> the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
>>> 'Group Search Base' is also configured.
>>> 'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
>>> 'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
>>> 'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
>>> 'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
>>> 'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
>>> 'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
>>> group membership will not be calculated through the groups. Will rely on group membership being defined
>>> through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
>>> associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
>>> is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>>> 'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
>>> is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
>>> the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
>>> 'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
>>> Group names are not mapped.
>>> -->
>>> <userGroupProvider>
>>> <identifier>ldap-user-group-provider</identifier>
>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>> <property name="Authentication Strategy">LDAPS</property>
>>> <property name="Manager DN">a_dn</property>
>>> <property name="Manager Password">a_password</property>
>>> <property name="TLS - Keystore"></property>
>>> <property name="TLS - Keystore Password"></property>
>>> <property name="TLS - Keystore Type"></property>
>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>> <property name="TLS - Truststore Password">changeit</property>
>>> <property name="TLS - Truststore Type">JKS</property>
>>> <property name="TLS - Client Auth"></property>
>>> <property name="TLS - Protocol">TLSv1</property>
>>> <property name="TLS - Shutdown Gracefully"></property>
>>> <property name="Referral Strategy">FOLLOW</property>
>>> <property name="Connect Timeout">10 secs</property>
>>> <property name="Read Timeout">10 secs</property>
>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>> <property name="Page Size"></property>
>>> <property name="Sync Interval">30 mins</property>
>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>> <property name="User Object Class">privPerson</property>
>>> <property name="User Search Scope">SUBTREE</property>
>>> <property name="User Search Filter"></property>
>>> <property name="User Identity Attribute">uid</property>
>>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>> <property name="Group Search Base"></property>
>>> <property name="Group Object Class">group</property>
>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>> <property name="Group Search Filter"></property>
>>> <property name="Group Name Attribute"></property>
>>> <property name="Group Member Attribute"></property>
>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>> </userGroupProvider>
>>> <!--
>>> The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>>> - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>>> each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>>> "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>>> NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>>> would need to be applied by the base implementation.
>>> -->
>>> <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
>>> <userGroupProvider>
>>> <identifier>composite-user-group-provider</identifier>
>>> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>>> <property name="User Group Provider 1"></property>
>>> </userGroupProvider>
>>> To enable the composite-user-group-provider remove 2 lines. This is 2 of 2. -->
>>> <!--
>>> The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>>> Additionally, a single configurable user group provider is required. Users from the configurable user group provider
>>> are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
>>> - Configurable User Group Provider - A configurable user group provider.
>>> - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>>> each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>>> "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>>> NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>>> would need to be applied by the base implementation.
>>> -->
>>> <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
>>> <userGroupProvider>
>>> <identifier>composite-configurable-user-group-provider</identifier>
>>> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>>> <property name="Configurable User Group Provider">file-user-group-provider</property>
>>> <property name="User Group Provider 1"></property>
>>> </userGroupProvider>
>>> To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
>>> <!--
>>> The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
>>> on the local file system.
>>> - User Group Provider - The identifier for an User Group Provider defined above that will be used to access
>>> users and groups for use in the managed access policies.
>>> - Authorizations File - The file where the FileAccessPolicyProvider will store policies.
>>> - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>>> given the ability to create additional users, groups, and policies. The value of this property could be
>>> a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>>> are no other policies defined. If this property is specified then a Legacy Authorized Users File can not be specified.
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>>> so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
>>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>> converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>>> not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>>> NOTE: Any users in the legacy users file must be found in the configured User Group Provider.
>>> - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>>> should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>>> The name of each property must be unique, for example for a three node cluster:
>>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>>> so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
>>> in the configured User Group Provider.
>>> - Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically
>>> added/removed from the cluster.
>>> NOTE: The group must exist before starting NiFi.
>>> -->
>>> <accessPolicyProvider>
>>> <identifier>file-access-policy-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>> <property name="User Group Provider">ldap-user-group-provider</property>
>>> <property name="Authorizations File">./conf/authorizations.xml</property>
>>> <property name="Initial Admin Identity"></property>
>>> <property name="Legacy Authorized Users File"></property>
>>> <property name="Node Identity 1"></property>
>>> <property name="Node Group"></property>
>>> </accessPolicyProvider>
>>> <!--
>>> The StandardManagedAuthorizer. This authorizer implementation must be configured with the
>>> Access Policy Provider which it will use to access and manage users, groups, and policies.
>>> These users, groups, and policies will be used to make all access decisions during authorization
>>> requests.
>>> - Access Policy Provider - The identifier for an Access Policy Provider defined above.
>>> -->
>>> <authorizer>
>>> <identifier>managed-authorizer</identifier>
>>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>> <property name="Access Policy Provider">file-access-policy-provider</property>
>>> </authorizer>
>>> <!--
>>> NOTE: This Authorizer has been replaced with the more granular approach configured above with the Standard
>>> Managed Authorizer. However, it is still available for backwards compatibility reasons.
>>> The FileAuthorizer is NiFi's provided authorizer and has the following properties:
>>> - Authorizations File - The file where the FileAuthorizer will store policies.
>>> - Users File - The file where the FileAuthorizer will store users and groups.
>>> - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>>> given the ability to create additional users, groups, and policies. The value of this property could be
>>> a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>>> are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
>>> Users File can not be specified.
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>>> so the value should be the unmapped identity.
>>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>>> converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>>> not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>>> - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>>> should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>>> The name of each property must be unique, for example for a three node cluster:
>>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>>> so the values should be the unmapped identities (i.e. full DN from a certificate).
>>> -->
>>> <!-- <authorizer>
>>> <identifier>file-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>> <property name="Authorizations File">./conf/authorizations.xml</property>
>>> <property name="Users File">./conf/users.xml</property>
>>> <property name="Initial Admin Identity"></property>
>>> <property name="Legacy Authorized Users File"></property>
>>> <property name="Node Identity 1"></property>
>>> </authorizer>
>>> -->
>>> </authorizers>
>>> On 19/07/2019 at 12:03, Pierre Villard wrote:
>>>
>>> Hi Nicolas,
>>>
>>> Could you share the full content of your authorizers.xml file? Sometimes it's just a matter of references not being in the right "order".
>>>
>>> On Fri, 19 Jul 2019 at 11:59, Edward Armes <ed...@gmail.com> wrote:
>>>> I wasn't able to find any single good way, I don't know if switching the logs down to debug or trace might give you a bit more info though. In the end I just went through and worked it out by hand using a combination of manual checking against an alternative tool (i.e. an LDAP browser), file format checkers, or just commenting things out by hand.
>>>>
>>>> I did sometimes find that white space characters (new line etc.) can occasionally cause a problem with the Spring loading.
>>>>
>>>> Edward
>>>>
>>>> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>>>> Is there any way to get a better error?
>>>>>
>>>>> On 19/07/2019 at 11:36, Edward Armes wrote:
>>>>>
>>>>> Hi Nicolas,
>>>>>
>>>>> This one is a bit of a Spring special. The actual cause here is that the Spring Bean that is being created from this file has silently failed, and thus the auto-wiring has failed as well. The result is you get this lovely misleading error. The normal reason for the bean not being created I found was because I made a typo in the configuration file(s).
>>>>>
>>>>> Edward
>>>>>
>>>>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>>>>> Hi all
>>>>>>
>>>>>> Now I know how to connect to my LDAP directory, I now have a strange error
>>>>>>
>>>>>>
>>>>>> nifi-runner_1  | org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>>>
>>>>>> [... let me just skip the uninteresting Spring stack ...]
>>>>>>
>>>>>> nifi-runner_1  | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>>> nifi-runner_1  |        ... 96 common frames omitted
>>>>>> nifi-runner_1  | Caused by: java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>>> nifi-runner_1  |        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>>>
>>>>>> From what I understand, it seems like the AuthorizerFactoryBean tries to read my user-group-provider from the authorizers.xml file.
>>>>>>
>>>>>>
>>>>>> I have such a user group provider, which is an LDAP one:
>>>>>>
>>>>>> <authorizers>
>>>>>> <userGroupProvider>
>>>>>> <identifier>ldap-user-group-provider</identifier>
>>>>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>>>> <property name="Authentication Strategy">LDAPS</property>
>>>>>> <property name="Manager DN">a_dn</property>
>>>>>> <property name="Manager Password">a_password</property>
>>>>>> <property name="TLS - Keystore"></property>
>>>>>> <property name="TLS - Keystore Password"></property>
>>>>>> <property name="TLS - Keystore Type"></property>
>>>>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>>>> <property name="TLS - Truststore Password">another</property>
>>>>>> <property name="TLS - Truststore Type">JKS</property>
>>>>>> <property name="TLS - Client Auth"></property>
>>>>>> <property name="TLS - Protocol">TLSv1</property>
>>>>>> <property name="TLS - Shutdown Gracefully"></property>
>>>>>> <property name="Referral Strategy">FOLLOW</property>
>>>>>> <property name="Connect Timeout">10 secs</property>
>>>>>> <property name="Read Timeout">10 secs</property>
>>>>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>>>> <property name="Page Size"></property>
>>>>>> <property name="Sync Interval">30 mins</property>
>>>>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>>>> <property name="User Object Class">privPerson</property>
>>>>>> <property name="User Search Scope">SUBTREE</property>
>>>>>> <property name="User Search Filter"></property>
>>>>>> <property name="User Identity Attribute">uid</property>
>>>>>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>>>> <property name="Group Search Base"></property>
>>>>>> <property name="Group Object Class">group</property>
>>>>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>>>>> <property name="Group Search Filter"></property>
>>>>>> <property name="Group Name Attribute"></property>
>>>>>> <property name="Group Member Attribute"></property>
>>>>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>>>> </userGroupProvider>
>>>>>>
>>>>>> So why can't it be loaded?
>>>>>>
>>>>>> Because I don't see any other exception (typically, I would expect a search fail exception, but it seems to work).



Re: Continuing my LDAP auth adventures

Posted by Bryan Bende <bb...@gmail.com>.
The FileAccessPolicyProvider is making a call to the user group
provider using the value you entered for initial admin:

final User initialAdmin = userGroupProvider.getUserByIdentity(initialAdminIdentity);

It has something to do with the value you entered for the initial
admin not lining up with the identities being returned from the LDAP
provider.

If you entered a full DN, but the LDAP provider returns just the short
name, or vice versa, then it doesn't line up.
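
The lookup described above, reproduced as an added example (Python, not part of this message and not NiFi's own code): a few constructed LDAP entries stand in for a search under "User Search Base", each user's identity is derived the way the authorizers.xml comment describes (the 'User Identity Attribute' value if set, otherwise the entire DN), nifi.properties-style identity mapping rules (pattern/value pairs in the spirit of nifi.security.identity.mapping.pattern.* and .value.*) are applied to both the configured value and the LDAP identities, and the Initial Admin Identity is then looked up by identity just as the policy provider does. The sample entries, the function names and the simplified mapping syntax are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample entries (not from the thread) standing in for the result of a
# search under "User Search Base"; each is (DN, attributes).
SAMPLE_ENTRIES: List[Tuple[str, Dict[str, str]]] = [
    ("uid=jdoe,ou=people,o=mycompany.com", {"uid": "jdoe", "cn": "John Doe"}),
    ("uid=nifi-admin,ou=people,o=mycompany.com", {"uid": "nifi-admin", "cn": "NiFi Admin"}),
]

# Identity mapping rule in the style of nifi.properties
# (nifi.security.identity.mapping.pattern.<key> / ...value.<key>): the pattern must
# match the whole identity, and $1, $2, ... in the value refer to its groups.
# Assumption: this is a simplified model of those rules, not NiFi's implementation.
Mapping = Tuple[str, str]


def ldap_identities(entries: Iterable[Tuple[str, Dict[str, str]]],
                    user_identity_attribute: Optional[str]) -> List[str]:
    """Identity the LDAP user group provider gives each user, following the rule in
    the authorizers.xml comment: the 'User Identity Attribute' value if set, else
    the entire DN."""
    identities = []
    for dn, attrs in entries:
        if not user_identity_attribute:
            identities.append(dn)
        elif user_identity_attribute in attrs:
            identities.append(attrs[user_identity_attribute])
        # an entry without the configured attribute yields no identity and is skipped
    return identities


def apply_identity_mappings(identity: str, mappings: Sequence[Mapping]) -> str:
    """Apply the first rule whose pattern matches the whole identity; an identity
    no rule matches is returned unchanged."""
    for pattern, value in mappings:
        match = re.fullmatch(pattern, identity)
        if match:
            return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)
    return identity


def check_initial_admin(initial_admin_identity: str,
                        entries: Iterable[Tuple[str, Dict[str, str]]],
                        user_identity_attribute: Optional[str],
                        mappings: Sequence[Mapping] = ()) -> Tuple[bool, str]:
    """Reproduce the seed step from the thread: the policy provider asks the user
    group provider for the initial admin by identity. Mapping rules apply to the
    configured value as well as to the LDAP identities, which is why authorizers.xml
    says to enter the unmapped identity."""
    wanted = apply_identity_mappings(initial_admin_identity, mappings)
    known = {apply_identity_mappings(i, mappings)
             for i in ldap_identities(entries, user_identity_attribute)}
    if wanted in known:
        return True, f"initial admin '{wanted}' found in the user group provider"
    return False, (f"Unable to locate initial admin {initial_admin_identity} to seed policies; "
                   f"the provider returns identities such as {sorted(known)}")


if __name__ == "__main__":
    # Full DN entered, but 'User Identity Attribute' = uid: the provider returns short
    # names, so the lookup fails in the same way as the error in the thread.
    print(check_initial_admin("uid=nifi-admin,ou=people,o=mycompany.com", SAMPLE_ENTRIES, "uid"))
    # Either enter the uid as the initial admin ...
    print(check_initial_admin("nifi-admin", SAMPLE_ENTRIES, "uid"))
    # ... or leave the attribute blank so that identities are full DNs.
    print(check_initial_admin("uid=nifi-admin,ou=people,o=mycompany.com", SAMPLE_ENTRIES, None))
    # With a mapping rule both sides reduce to the uid, so the unmapped DN still lines up.
    dn_to_uid = [(r"^uid=([^,]+),.*$", "$1")]
    print(check_initial_admin("uid=nifi-admin,ou=people,o=mycompany.com", SAMPLE_ENTRIES, None, dn_to_uid))
```

Running it against a dump of real entries (or the output of an LDAP browser, as Edward suggested) before starting NiFi shows whether the configured Initial Admin Identity can be found at all, which is cheaper than reading the Spring stack trace after the fact.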

On Fri, Jul 19, 2019 at 9:59 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>
> And indeed, it changed the error
>
>
> nifi-runner_1  | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
> nifi-runner_1  |        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
> nifi-runner_1  |        ... 96 common frames omitted
> nifi-runner_1  | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:263)
> nifi-runner_1  |        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> nifi-runner_1  |        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> nifi-runner_1  |        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> nifi-runner_1  |        at java.lang.reflect.Method.invoke(Method.java:498)
> nifi-runner_1  |        at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
> nifi-runner_1  |        at com.sun.proxy.$Proxy78.onConfigured(Unknown Source)
> nifi-runner_1  |        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:153)
> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
> nifi-runner_1  |        ... 101 common frames omitted
> nifi-runner_1  | Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin a_dn to seed policies
> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:598)
> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:541)
> nifi-runner_1  |        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
> nifi-runner_1  |        ... 109 common frames omitted
>
> which seems to indicate that on startup, the FileAccessPolicyProvider will try to get information for the manager DN in the file (which, as far as I understand, is not yet loaded).
>
> So there must be some weird back-and-forth dance between the LDAP user group provider and the file policy provider ... But I don't understand the dance in question.
>
> On 19/07/2019 at 15:38, Edward Armes wrote:
>
> Hi Nicolas,
>
> In your actual configuration, is this the actual entry and not a sanitized version?
>
> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>
> If so, I think this is the problem. What I think is happening is that NiFi is trying to interpret this value as a DN and failing. If you only need the users returned from the LDAP search to be the list of valid users, then this field can just be left blank; if, however, you need the list of valid (not necessarily authorized) users to be filtered to members of a specific LDAP group, then you can specify the DN for that group here.
>
> I would change it to:
>
> <property name="User Group Name Attribute"></property>
>
> and see if that works
>
> Edward
>
> On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>
>> Here is the full version (with obvious replacements for manager DN, manager password, LDAP server URL, and other "sensitive" information).
>>
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <!--
>> Licensed to the Apache Software Foundation (ASF) under one or more
>> contributor license agreements. See the NOTICE file distributed with
>> this work for additional information regarding copyright ownership.
>> The ASF licenses this file to You under the Apache License, Version 2.0
>> (the "License"); you may not use this file except in compliance with
>> the License. You may obtain a copy of the License at
>> http://www.apache.org/licenses/LICENSE-2.0
>> Unless required by applicable law or agreed to in writing, software
>> distributed under the License is distributed on an "AS IS" BASIS,
>> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> See the License for the specific language governing permissions and
>> limitations under the License.
>> -->
>> <!--
>> This file lists the userGroupProviders, accessPolicyProviders, and authorizers to use when running securely. In order
>> to use a specific authorizer it must be configured here and it's identifier must be specified in the nifi.properties file.
>> If the authorizer is a managedAuthorizer, it may need to be configured with an accessPolicyProvider and an userGroupProvider.
>> This file allows for configuration of them, but they must be configured in order:
>> ...
>> all userGroupProviders
>> all accessPolicyProviders
>> all Authorizers
>> ...
>> -->
>> <authorizers>
>> <!--
>> The FileUserGroupProvider will provide support for managing users and groups which is backed by a file
>> on the local file system.
>> - Users File - The file where the FileUserGroupProvider will store users and groups.
>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>> be used to load the users and groups into the Users File.
>> - Initial User Identity [unique key] - The identity of a users and systems to seed the Users File. The name of
>> each property must be unique, for example: "Initial User Identity A", "Initial User Identity B",
>> "Initial User Identity C" or "Initial User Identity 1", "Initial User Identity 2", "Initial User Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities,
>> so the values should be the unmapped identities (i.e. full DN from a certificate).
>> -->
>> <!--
>> <userGroupProvider>
>> <identifier>file-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>> <property name="Users File">./conf/users.xml</property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Initial User Identity 1"></property>
>> </userGroupProvider>
>> -->
>> <!--
>> The LdapUserGroupProvider will retrieve users and groups from an LDAP server. The users and groups
>> are not configurable.
>> 'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
>> values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>> 'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
>> 'Manager Password' - The password of the manager that is used to bind to the LDAP server to
>> search for users.
>> 'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
>> 'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
>> using LDAPS or START_TLS.
>> 'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>> 'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
>> 'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
>> LDAP using LDAPS or START_TLS.
>> 'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
>> LDAPS or START_TLS (i.e. JKS or PKCS12).
>> 'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
>> Possible values are REQUIRED, WANT, NONE.
>> 'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
>> TLSv1.1, TLSv1.2, etc).
>> 'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
>> before the target context is closed. Defaults to false.
>> 'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
>> 'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>> 'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>> 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
>> 'Page Size' - Sets the page size when retrieving users and groups. If not specified, no paging is performed.
>> 'Sync Interval' - Duration of time between syncing users and groups (i.e. 30 mins). Minimum allowable value is 10 secs.
>> 'User Search Base' - Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
>> 'User Object Class' - Object class for identifying users (i.e. person). Required if searching users.
>> 'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
>> 'User Search Filter' - Filter for searching for users against the 'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
>> 'User Identity Attribute' - Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
>> 'User Group Name Attribute' - Attribute to use to define group membership (i.e. memberof). Optional. If not set
>> group membership will not be calculated through the users. Will rely on group membership being defined
>> through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that
>> associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected
>> is configured in the 'User Group Name Attribute - Referenced Group Attribute'.
>> 'User Group Name Attribute - Referenced Group Attribute' - If blank, the value of the attribute defined in 'User Group Name Attribute'
>> is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that
>> the value of the attribute defined in 'User Group Name Attribute' is referencing (i.e. name). Use of this property requires that
>> 'Group Search Base' is also configured.
>> 'Group Search Base' - Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
>> 'Group Object Class' - Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
>> 'Group Search Scope' - Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
>> 'Group Search Filter' - Filter for searching for groups against the 'Group Search Base'. Optional.
>> 'Group Name Attribute' - Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
>> 'Group Member Attribute' - Attribute to use to define group membership (i.e. member). Optional. If not set
>> group membership will not be calculated through the groups. Will rely on group membership being defined
>> through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that
>> associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected
>> is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>> 'Group Member Attribute - Referenced User Attribute' - If blank, the value of the attribute defined in 'Group Member Attribute'
>> is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that
>> the value of the attribute defined in 'Group Member Attribute' is referencing (i.e. uid). Use of this property requires that
>> 'User Search Base' is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
>> Group names are not mapped.
>> -->
>> <userGroupProvider>
>> <identifier>ldap-user-group-provider</identifier>
>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>> <property name="Authentication Strategy">LDAPS</property>
>> <property name="Manager DN">a_dn</property>
>> <property name="Manager Password">a_password</property>
>> <property name="TLS - Keystore"></property>
>> <property name="TLS - Keystore Password"></property>
>> <property name="TLS - Keystore Type"></property>
>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>> <property name="TLS - Truststore Password">changeit</property>
>> <property name="TLS - Truststore Type">JKS</property>
>> <property name="TLS - Client Auth"></property>
>> <property name="TLS - Protocol">TLSv1</property>
>> <property name="TLS - Shutdown Gracefully"></property>
>> <property name="Referral Strategy">FOLLOW</property>
>> <property name="Connect Timeout">10 secs</property>
>> <property name="Read Timeout">10 secs</property>
>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>> <property name="Page Size"></property>
>> <property name="Sync Interval">30 mins</property>
>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>> <property name="User Object Class">privPerson</property>
>> <property name="User Search Scope">SUBTREE</property>
>> <property name="User Search Filter"></property>
>> <property name="User Identity Attribute">uid</property>
>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>> <property name="Group Search Base"></property>
>> <property name="Group Object Class">group</property>
>> <property name="Group Search Scope">ONE_LEVEL</property>
>> <property name="Group Search Filter"></property>
>> <property name="Group Name Attribute"></property>
>> <property name="Group Member Attribute"></property>
>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>> </userGroupProvider>
>> <!--
>> The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>> - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>> each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>> "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>> NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>> would need to be applied by the base implementation.
>> -->
>> <!-- To enable the composite-user-group-provider remove 2 lines. This is 1 of 2.
>> <userGroupProvider>
>> <identifier>composite-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>> <property name="User Group Provider 1"></property>
>> </userGroupProvider>
>> To enable the composite-user-group-provider remove 2 lines. This is 2 of 2. -->
>> <!--
>> The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
>> Additionally, a single configurable user group provider is required. Users from the configurable user group provider
>> are configurable, however users loaded from one of the User Group Provider [unique key] will not be.
>> - Configurable User Group Provider - A configurable user group provider.
>> - User Group Provider [unique key] - The identifier of user group providers to load from. The name of
>> each property must be unique, for example: "User Group Provider A", "User Group Provider B",
>> "User Group Provider C" or "User Group Provider 1", "User Group Provider 2", "User Group Provider 3"
>> NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
>> would need to be applied by the base implementation.
>> -->
>> <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
>> <userGroupProvider>
>> <identifier>composite-configurable-user-group-provider</identifier>
>> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>> <property name="Configurable User Group Provider">file-user-group-provider</property>
>> <property name="User Group Provider 1"></property>
>> </userGroupProvider>
>> To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->
>> <!--
>> The FileAccessPolicyProvider will provide support for managing access policies which is backed by a file
>> on the local file system.
>> - User Group Provider - The identifier for an User Group Provider defined above that will be used to access
>> users and groups for use in the managed access policies.
>> - Authorizations File - The file where the FileAccessPolicyProvider will store policies.
>> - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>> given the ability to create additional users, groups, and policies. The value of this property could be
>> a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>> are no other policies defined. If this property is specified then a Legacy Authorized Users File can not be specified.
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>> so the value should be the unmapped identity. This identity must be found in the configured User Group Provider.
>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>> converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>> not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>> NOTE: Any users in the legacy users file must be found in the configured User Group Provider.
>> - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>> should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>> The name of each property must be unique, for example for a three node cluster:
>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>> so the values should be the unmapped identities (i.e. full DN from a certificate). This identity must be found
>> in the configured User Group Provider.
>> - Node Group - The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically
>> added/removed from the cluster.
>> NOTE: The group must exist before starting NiFi.
>> -->
>> <accessPolicyProvider>
>> <identifier>file-access-policy-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> <property name="User Group Provider">ldap-user-group-provider</property>
>> <property name="Authorizations File">./conf/authorizations.xml</property>
>> <property name="Initial Admin Identity"></property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> <property name="Node Group"></property>
>> </accessPolicyProvider>
>> <!--
>> The StandardManagedAuthorizer. This authorizer implementation must be configured with the
>> Access Policy Provider which it will use to access and manage users, groups, and policies.
>> These users, groups, and policies will be used to make all access decisions during authorization
>> requests.
>> - Access Policy Provider - The identifier for an Access Policy Provider defined above.
>> -->
>> <authorizer>
>> <identifier>managed-authorizer</identifier>
>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>> <property name="Access Policy Provider">file-access-policy-provider</property>
>> </authorizer>
>> <!--
>> NOTE: This Authorizer has been replaced with the more granular approach configured above with the Standard
>> Managed Authorizer. However, it is still available for backwards compatibility reasons.
>> The FileAuthorizer is NiFi's provided authorizer and has the following properties:
>> - Authorizations File - The file where the FileAuthorizer will store policies.
>> - Users File - The file where the FileAuthorizer will store users and groups.
>> - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
>> given the ability to create additional users, groups, and policies. The value of this property could be
>> a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
>> are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
>> Users File can not be specified.
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
>> so the value should be the unmapped identity.
>> - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
>> converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
>> not be specified, and this property will only be used when there are no other users, groups, and policies defined.
>> - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
>> should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
>> The name of each property must be unique, for example for a three node cluster:
>> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
>> NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
>> so the values should be the unmapped identities (i.e. full DN from a certificate).
>> -->
>> <!-- <authorizer>
>> <identifier>file-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>> <property name="Authorizations File">./conf/authorizations.xml</property>
>> <property name="Users File">./conf/users.xml</property>
>> <property name="Initial Admin Identity"></property>
>> <property name="Legacy Authorized Users File"></property>
>> <property name="Node Identity 1"></property>
>> </authorizer>
>> -->
>> </authorizers>
>> On 19/07/2019 at 12:03, Pierre Villard wrote:
>>
>> Hi Nicolas,
>>
>> Could you share the full content of your authorizers.xml file? Sometimes it's just a matter of references not being in the right "order".
>>
>> On Fri, 19 Jul 2019 at 11:59, Edward Armes <ed...@gmail.com> wrote:
>>>
>>> I wasn't able to find any single good way; I don't know if switching the logs down to debug or trace might give you a bit more info though. In the end I just went through and worked it out by hand using a combination of manual checking against an alternative tool (i.e. an LDAP browser), file format checkers, or just commenting things out by hand.
>>>
>>> I did sometimes find that whitespace characters (newlines etc.) can occasionally cause a problem with the Spring loading.
>>>
>>> Edward
>>>
>>> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>>>
>>>> Is there any way to get a better error?
>>>>
>>>> On 19/07/2019 at 11:36, Edward Armes wrote:
>>>>
>>>> Hi Nicolas,
>>>>
>>>> This one is a bit of a Spring special. The actual cause here is that the Spring Bean that is being created from this file has silently failed, and thus the auto-wiring has failed as well. The result is you get this lovely misleading error. The normal reason for the bean not being created I found was because I made a typo in the configuration file(s).
>>>>
>>>> Edward
>>>>
>>>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr> wrote:
>>>>>
>>>>> Hi all
>>>>>
>>>>> Now that I know how to connect to my LDAP directory, I have a strange error
>>>>>
>>>>>
>>>>> nifi-runner_1  | org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>>
>>>>> [... let me just skip the uninteresting Spring stack ...]
>>>>>
>>>>> nifi-runner_1  | Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>> nifi-runner_1  |        ... 96 common frames omitted
>>>>> nifi-runner_1  | Caused by: java.lang.Exception: The specified authorizer 'ldap-user-group-provider' could not be found.
>>>>> nifi-runner_1  |        at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>>> nifi-runner_1  |        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>>
>>>>> From what I understand, it seems like the AuthorizerFactoryBean tries to read my user-group-provider from the authorizers.xml file.
>>>>>
>>>>>
>>>>> I have such a user group provider, which is an LDAP one:
>>>>>
>>>>> <authorizers>
>>>>> <userGroupProvider>
>>>>> <identifier>ldap-user-group-provider</identifier>
>>>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>>> <property name="Authentication Strategy">LDAPS</property>
>>>>> <property name="Manager DN">a_dn</property>
>>>>> <property name="Manager Password">a_password</property>
>>>>> <property name="TLS - Keystore"></property>
>>>>> <property name="TLS - Keystore Password"></property>
>>>>> <property name="TLS - Keystore Type"></property>
>>>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>>> <property name="TLS - Truststore Password">another</property>
>>>>> <property name="TLS - Truststore Type">JKS</property>
>>>>> <property name="TLS - Client Auth"></property>
>>>>> <property name="TLS - Protocol">TLSv1</property>
>>>>> <property name="TLS - Shutdown Gracefully"></property>
>>>>> <property name="Referral Strategy">FOLLOW</property>
>>>>> <property name="Connect Timeout">10 secs</property>
>>>>> <property name="Read Timeout">10 secs</property>
>>>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>>> <property name="Page Size"></property>
>>>>> <property name="Sync Interval">30 mins</property>
>>>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>>> <property name="User Object Class">privPerson</property>
>>>>> <property name="User Search Scope">SUBTREE</property>
>>>>> <property name="User Search Filter"></property>
>>>>> <property name="User Identity Attribute">uid</property>
>>>>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>>> <property name="Group Search Base"></property>
>>>>> <property name="Group Object Class">group</property>
>>>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>>>> <property name="Group Search Filter"></property>
>>>>> <property name="Group Name Attribute"></property>
>>>>> <property name="Group Member Attribute"></property>
>>>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>>> </userGroupProvider>
>>>>>
>>>>> So why can't it be loaded?
>>>>>
>>>>> Because I don't see any other exception (typically, I would expect a search fail exception, but it seems to work).

Re: Continuing my LDAP auth adventures

Posted by Nicolas Delsaux <ni...@gmx.fr>.
And indeed, it changed the error


nifi-runner_1  | Caused by:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'authorizer': FactoryBean threw exception on object
creation; nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException:
Unable to locate initial admin a_dn to seed policies
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
nifi-runner_1  |        at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
nifi-runner_1  |        at
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
nifi-runner_1  |        ... 96 common frames omitted
nifi-runner_1  | Caused by:
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException:
Unable to locate initial admin a_dn to seed policies
nifi-runner_1  |        at
org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:263)
nifi-runner_1  |        at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
nifi-runner_1  |        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
nifi-runner_1  |        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
nifi-runner_1  |        at java.lang.reflect.Method.invoke(Method.java:498)
nifi-runner_1  |        at
org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54)
nifi-runner_1  |        at com.sun.proxy.$Proxy78.onConfigured(Unknown
Source)
nifi-runner_1  |        at
org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:153)
nifi-runner_1  |        at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
nifi-runner_1  |        ... 101 common frames omitted
nifi-runner_1  | Caused by:
org.apache.nifi.authorization.exception.AuthorizerCreationException:
Unable to locate initial admin a_dn to seed policies
nifi-runner_1  |        at
org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:598)
nifi-runner_1  |        at
org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:541)
nifi-runner_1  |        at
org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254)
nifi-runner_1  |        ... 109 common frames omitted

which seems to indicate that on startup, the FileAccessPolicyProvider
will try to get information for the manager DN in the file (which, as
far as I understand, is not yet loaded).

So there must be some weird back-and-forth dance between the LDAP user
group provider and the file policy provider ... But I don't understand
the dance in question.

On 19/07/2019 at 15:38, Edward Armes wrote:
> Hi Nicolas,
>
> In your actual configuration, is this the actual entry and not a
> sanitized version?
>
> <property name="User Group Name Attribute">This attribute doesn't exist
> to make sure no grouping is done</property>
>
> If so, I think this is the problem. What I think is happening is that
> NiFi is trying to interpret this value as a DN and failing. If you only
> need the users returned from the LDAP search to be the list of valid
> users, then this field can just be left blank; if, however, you need the
> list of valid (not necessarily authorized) users to be filtered to
> members of a specific LDAP group, then you can specify the DN for that
> group here.
>
> I would change it to:
>
> <property name="User Group Name Attribute"></property>
>
> and see if that works
>
> Edward
>
> On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux
> <nicolas.delsaux@gmx.fr> wrote:
>
>     Here is the full version (with obvious replacements for manager
>     DN, manager password, LDAP server URL, and other "sensitive"
>     information):
>
>
>     <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>     <!--
>     Licensed to the Apache Software Foundation (ASF) under one or more
>     contributor license agreements. See the NOTICE file distributed with
>     this work for additional information regarding copyright ownership.
>     The ASF licenses this file to You under the Apache License,
>     Version 2.0
>     (the "License"); you may not use this file except in compliance with
>     the License. You may obtain a copy of the License at
>     http://www.apache.org/licenses/LICENSE-2.0
>     Unless required by applicable law or agreed to in writing, software
>     distributed under the License is distributed on an "AS IS" BASIS,
>     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>     implied.
>     See the License for the specific language governing permissions and
>     limitations under the License.
>     -->
>     <!--
>     This file lists the userGroupProviders, accessPolicyProviders, and
>     authorizers to use when running securely. In order
>     to use a specific authorizer it must be configured here and it's
>     identifier must be specified in the nifi.properties file.
>     If the authorizer is a managedAuthorizer, it may need to be
>     configured with an accessPolicyProvider and an userGroupProvider.
>     This file allows for configuration of them, but they must be
>     configured in order:
>     ...
>     all userGroupProviders
>     all accessPolicyProviders
>     all Authorizers
>     ...
>     -->
>     <authorizers>
>     <!--
>     The FileUserGroupProvider will provide support for managing users
>     and groups which is backed by a file
>     on the local file system.
>     - Users File - The file where the FileUserGroupProvider will store
>     users and groups.
>     - Legacy Authorized Users File - The full path to an existing
>     authorized-users.xml that will be automatically
>     be used to load the users and groups into the Users File.
>     - Initial User Identity [unique key] - The identity of a users and
>     systems to seed the Users File. The name of
>     each property must be unique, for example: "Initial User Identity
>     A", "Initial User Identity B",
>     "Initial User Identity C" or "Initial User Identity 1", "Initial
>     User Identity 2", "Initial User Identity 3"
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the user identities,
>     so the values should be the unmapped identities (i.e. full DN from
>     a certificate).
>     -->
>     <!--
>     <userGroupProvider>
>     <identifier>file-user-group-provider</identifier>
>     <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>     <property name="Users File">./conf/users.xml</property>
>     <property name="Legacy Authorized Users File"></property>
>     <property name="Initial User Identity 1"></property>
>     </userGroupProvider>
>     -->
>     <!--
>     The LdapUserGroupProvider will retrieve users and groups from an
>     LDAP server. The users and groups
>     are not configurable.
>     'Authentication Strategy' - How the connection to the LDAP server
>     is authenticated. Possible
>     values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
>     'Manager DN' - The DN of the manager that is used to bind to the
>     LDAP server to search for users.
>     'Manager Password' - The password of the manager that is used to
>     bind to the LDAP server to
>     search for users.
>     'TLS - Keystore' - Path to the Keystore that is used when
>     connecting to LDAP using LDAPS or START_TLS.
>     'TLS - Keystore Password' - Password for the Keystore that is used
>     when connecting to LDAP
>     using LDAPS or START_TLS.
>     'TLS - Keystore Type' - Type of the Keystore that is used when
>     connecting to LDAP using
>     LDAPS or START_TLS (i.e. JKS or PKCS12).
>     'TLS - Truststore' - Path to the Truststore that is used when
>     connecting to LDAP using LDAPS or START_TLS.
>     'TLS - Truststore Password' - Password for the Truststore that is
>     used when connecting to
>     LDAP using LDAPS or START_TLS.
>     'TLS - Truststore Type' - Type of the Truststore that is used when
>     connecting to LDAP using
>     LDAPS or START_TLS (i.e. JKS or PKCS12).
>     'TLS - Client Auth' - Client authentication policy when connecting
>     to LDAP using LDAPS or START_TLS.
>     Possible values are REQUIRED, WANT, NONE.
>     'TLS - Protocol' - Protocol to use when connecting to LDAP using
>     LDAPS or START_TLS. (i.e. TLS,
>     TLSv1.1, TLSv1.2, etc).
>     'TLS - Shutdown Gracefully' - Specifies whether the TLS should be
>     shut down gracefully
>     before the target context is closed. Defaults to false.
>     'Referral Strategy' - Strategy for handling referrals. Possible
>     values are FOLLOW, IGNORE, THROW.
>     'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
>     'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
>     'Url' - Space-separated list of URLs of the LDAP servers (i.e.
>     ldap://<hostname>:<port>).
>     'Page Size' - Sets the page size when retrieving users and groups.
>     If not specified, no paging is performed.
>     'Sync Interval' - Duration of time between syncing users and
>     groups (i.e. 30 mins). Minimum allowable value is 10 secs.
>     'User Search Base' - Base DN for searching for users (i.e.
>     ou=users,o=nifi). Required to search users.
>     'User Object Class' - Object class for identifying users (i.e.
>     person). Required if searching users.
>     'User Search Scope' - Search scope for searching users (ONE_LEVEL,
>     OBJECT, or SUBTREE). Required if searching users.
>     'User Search Filter' - Filter for searching for users against the
>     'User Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ).
>     Optional.
>     'User Identity Attribute' - Attribute to use to extract user
>     identity (i.e. cn). Optional. If not set, the entire DN is used.
>     'User Group Name Attribute' - Attribute to use to define group
>     membership (i.e. memberof). Optional. If not set
>     group membership will not be calculated through the users. Will
>     rely on group membership being defined
>     through 'Group Member Attribute' if set. The value of this
>     property is the name of the attribute in the user ldap entry that
>     associates them with a group. The value of that user attribute
>     could be a dn or group name for instance. What value is expected
>     is configured in the 'User Group Name Attribute - Referenced Group
>     Attribute'.
>     'User Group Name Attribute - Referenced Group Attribute' - If
>     blank, the value of the attribute defined in 'User Group Name
>     Attribute'
>     is expected to be the full dn of the group. If not blank, this
>     property will define the attribute of the group ldap entry that
>     the value of the attribute defined in 'User Group Name Attribute'
>     is referencing (i.e. name). Use of this property requires that
>     'Group Search Base' is also configured.
>     'Group Search Base' - Base DN for searching for groups (i.e.
>     ou=groups,o=nifi). Required to search groups.
>     'Group Object Class' - Object class for identifying groups (i.e.
>     groupOfNames). Required if searching groups.
>     'Group Search Scope' - Search scope for searching groups
>     (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
>     'Group Search Filter' - Filter for searching for groups against
>     the 'Group Search Base'. Optional.
>     'Group Name Attribute' - Attribute to use to extract group name
>     (i.e. cn). Optional. If not set, the entire DN is used.
>     'Group Member Attribute' - Attribute to use to define group
>     membership (i.e. member). Optional. If not set
>     group membership will not be calculated through the groups. Will
>     rely on group membership being defined
>     through 'User Group Name Attribute' if set. The value of this
>     property is the name of the attribute in the group ldap entry that
>     associates them with a user. The value of that group attribute
>     could be a dn or memberUid for instance. What value is expected
>     is configured in the 'Group Member Attribute - Referenced User
>     Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid:
>     user1)
>     'Group Member Attribute - Referenced User Attribute' - If blank,
>     the value of the attribute defined in 'Group Member Attribute'
>     is expected to be the full dn of the user. If not blank, this
>     property will define the attribute of the user ldap entry that
>     the value of the attribute defined in 'Group Member Attribute' is
>     referencing (i.e. uid). Use of this property requires that
>     'User Search Base' is also configured. (i.e. member: cn=User
>     1,ou=users,o=nifi vs. memberUid: user1)
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the user identities.
>     Group names are not mapped.
>     -->
>     <userGroupProvider>
>     <identifier>ldap-user-group-provider</identifier>
>     <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>     <property name="Authentication Strategy">LDAPS</property>
>     <property name="Manager DN">a_dn</property>
>     <property name="Manager Password">a_password</property>
>     <property name="TLS - Keystore"></property>
>     <property name="TLS - Keystore Password"></property>
>     <property name="TLS - Keystore Type"></property>
>     <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>     <property name="TLS - Truststore Password">changeit</property>
>     <property name="TLS - Truststore Type">JKS</property>
>     <property name="TLS - Client Auth"></property>
>     <property name="TLS - Protocol">TLSv1</property>
>     <property name="TLS - Shutdown Gracefully"></property>
>     <property name="Referral Strategy">FOLLOW</property>
>     <property name="Connect Timeout">10 secs</property>
>     <property name="Read Timeout">10 secs</property>
>     <property name="Url">ldaps://myserver.mycompany.com:636</property>
>     <property name="Page Size"></property>
>     <property name="Sync Interval">30 mins</property>
>     <property name="User Search Base">ou=people,o=mycompany.com</property>
>     <property name="User Object Class">privPerson</property>
>     <property name="User Search Scope">SUBTREE</property>
>     <property name="User Search Filter"></property>
>     <property name="User Identity Attribute">uid</property>
>     <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>     <property name="Group Search Base"></property>
>     <property name="Group Object Class">group</property>
>     <property name="Group Search Scope">ONE_LEVEL</property>
>     <property name="Group Search Filter"></property>
>     <property name="Group Name Attribute"></property>
>     <property name="Group Member Attribute"></property>
>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>     </userGroupProvider>
>     <!--
>     The CompositeUserGroupProvider will provide support for retrieving
>     users and groups from multiple sources.
>     - User Group Provider [unique key] - The identifier of user group
>     providers to load from. The name of
>     each property must be unique, for example: "User Group Provider
>     A", "User Group Provider B",
>     "User Group Provider C" or "User Group Provider 1", "User Group
>     Provider 2", "User Group Provider 3"
>     NOTE: Any identity mapping rules specified in nifi.properties are
>     not applied in this implementation. This behavior
>     would need to be applied by the base implementation.
>     -->
>     <!-- To enable the composite-user-group-provider remove 2 lines.
>     This is 1 of 2.
>     <userGroupProvider>
>     <identifier>composite-user-group-provider</identifier>
>     <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>     <property name="User Group Provider 1"></property>
>     </userGroupProvider>
>     To enable the composite-user-group-provider remove 2 lines. This
>     is 2 of 2. -->
>     <!--
>     The CompositeConfigurableUserGroupProvider will provide support
>     for retrieving users and groups from multiple sources.
>     Additionally, a single configurable user group provider is
>     required. Users from the configurable user group provider
>     are configurable, however users loaded from one of the User Group
>     Provider [unique key] will not be.
>     - Configurable User Group Provider - A configurable user group
>     provider.
>     - User Group Provider [unique key] - The identifier of user group
>     providers to load from. The name of
>     each property must be unique, for example: "User Group Provider
>     A", "User Group Provider B",
>     "User Group Provider C" or "User Group Provider 1", "User Group
>     Provider 2", "User Group Provider 3"
>     NOTE: Any identity mapping rules specified in nifi.properties are
>     not applied in this implementation. This behavior
>     would need to be applied by the base implementation.
>     -->
>     <!-- To enable the composite-configurable-user-group-provider
>     remove 2 lines. This is 1 of 2.
>     <userGroupProvider>
>     <identifier>composite-configurable-user-group-provider</identifier>
>     <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>     <property name="Configurable User Group
>     Provider">file-user-group-provider</property>
>     <property name="User Group Provider 1"></property>
>     </userGroupProvider>
>     To enable the composite-configurable-user-group-provider remove 2
>     lines. This is 2 of 2. -->
>     <!--
>     The FileAccessPolicyProvider will provide support for managing
>     access policies which is backed by a file
>     on the local file system.
>     - User Group Provider - The identifier for an User Group Provider
>     defined above that will be used to access
>     users and groups for use in the managed access policies.
>     - Authorizations File - The file where the
>     FileAccessPolicyProvider will store policies.
>     - Initial Admin Identity - The identity of an initial admin user
>     that will be granted access to the UI and
>     given the ability to create additional users, groups, and
>     policies. The value of this property could be
>     a DN when using certificates or LDAP, or a Kerberos principal.
>     This property will only be used when there
>     are no other policies defined. If this property is specified then
>     a Legacy Authorized Users File can not be specified.
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the initial admin identity,
>     so the value should be the unmapped identity. This identity must
>     be found in the configured User Group Provider.
>     - Legacy Authorized Users File - The full path to an existing
>     authorized-users.xml that will be automatically
>     converted to the new authorizations model. If this property is
>     specified then an Initial Admin Identity can
>     not be specified, and this property will only be used when there
>     are no other users, groups, and policies defined.
>     NOTE: Any users in the legacy users file must be found in the
>     configured User Group Provider.
>     - Node Identity [unique key] - The identity of a NiFi cluster
>     node. When clustered, a property for each node
>     should be defined, so that every node knows about every other
>     node. If not clustered these properties can be ignored.
>     The name of each property must be unique, for example for a three
>     node cluster:
>     "Node Identity A", "Node Identity B", "Node Identity C" or "Node
>     Identity 1", "Node Identity 2", "Node Identity 3"
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the node identities,
>     so the values should be the unmapped identities (i.e. full DN from
>     a certificate). This identity must be found
>     in the configured User Group Provider.
>     - Node Group - The name of a group containing NiFi cluster nodes.
>     The typical use for this is when nodes are dynamically
>     added/removed from the cluster.
>     NOTE: The group must exist before starting NiFi.
>     -->
>     <accessPolicyProvider>
>     <identifier>file-access-policy-provider</identifier>
>     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>     <property name="User Group Provider">ldap-user-group-provider</property>
>     <property name="Authorizations File">./conf/authorizations.xml</property>
>     <property name="Initial Admin Identity"></property>
>     <property name="Legacy Authorized Users File"></property>
>     <property name="Node Identity 1"></property>
>     <property name="Node Group"></property>
>     </accessPolicyProvider>
>     <!--
>     The StandardManagedAuthorizer. This authorizer implementation must
>     be configured with the
>     Access Policy Provider which it will use to access and manage
>     users, groups, and policies.
>     These users, groups, and policies will be used to make all access
>     decisions during authorization
>     requests.
>     - Access Policy Provider - The identifier for an Access Policy
>     Provider defined above.
>     -->
>     <authorizer>
>     <identifier>managed-authorizer</identifier>
>     <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>     <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
>     <!--
>     NOTE: This Authorizer has been replaced with the more granular
>     approach configured above with the Standard
>     Managed Authorizer. However, it is still available for backwards
>     compatibility reasons.
>     The FileAuthorizer is NiFi's provided authorizer and has the
>     following properties:
>     - Authorizations File - The file where the FileAuthorizer will
>     store policies.
>     - Users File - The file where the FileAuthorizer will store users
>     and groups.
>     - Initial Admin Identity - The identity of an initial admin user
>     that will be granted access to the UI and
>     given the ability to create additional users, groups, and
>     policies. The value of this property could be
>     a DN when using certificates or LDAP, or a Kerberos principal.
>     This property will only be used when there
>     are no other users, groups, and policies defined. If this property
>     is specified then a Legacy Authorized
>     Users File can not be specified.
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the initial admin identity,
>     so the value should be the unmapped identity.
>     - Legacy Authorized Users File - The full path to an existing
>     authorized-users.xml that will be automatically
>     converted to the new authorizations model. If this property is
>     specified then an Initial Admin Identity can
>     not be specified, and this property will only be used when there
>     are no other users, groups, and policies defined.
>     - Node Identity [unique key] - The identity of a NiFi cluster
>     node. When clustered, a property for each node
>     should be defined, so that every node knows about every other
>     node. If not clustered these properties can be ignored.
>     The name of each property must be unique, for example for a three
>     node cluster:
>     "Node Identity A", "Node Identity B", "Node Identity C" or "Node
>     Identity 1", "Node Identity 2", "Node Identity 3"
>     NOTE: Any identity mapping rules specified in nifi.properties will
>     also be applied to the node identities,
>     so the values should be the unmapped identities (i.e. full DN from
>     a certificate).
>     -->
>     <!-- <authorizer>
>     <identifier>file-provider</identifier>
>     <class>org.apache.nifi.authorization.FileAuthorizer</class>
>     <property name="Authorizations
>     File">./conf/authorizations.xml</property>
>     <property name="Users File">./conf/users.xml</property>
>     <property name="Initial Admin Identity"></property>
>     <property name="Legacy Authorized Users File"></property>
>     <property name="Node Identity 1"></property>
>     </authorizer>
>     -->
>     </authorizers>
>     Le 19/07/2019 à 12:03, Pierre Villard a écrit :
>>     Hi Nicolas,
>>
>>     Could you share the full content of your authorizers.xml file?
>>     Sometimes it's just a matter of references not being in the right
>>     "order".
>>
>>     Le ven. 19 juil. 2019 à 11:59, Edward Armes
>>     <edward.armes@gmail.com <ma...@gmail.com>> a écrit :
>>
>>         I wasn't able to find any single good way, I don't know if
>>         switching the logs down to debug or trace might give you a
>>         bit more info though. In the end I just went through and
>>         worked it out by hand using a combination of manual checking
>>         against an alternative tool (i.e. an LDAP browser), file
>>         format checkers, or just commenting things out by hand.
>>
>>         I did sometimes find that white space character (new line
>>         etc...) can occasionally cause a problem with the Spring loading.
>>
>>         Edward
>>
>>         On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux
>>         <nicolas.delsaux@gmx.fr <ma...@gmx.fr>> wrote:
>>
>>             Is there any way to get a better error ?
>>
>>             Le 19/07/2019 à 11:36, Edward Armes a écrit :
>>>             Hi Nicolas,
>>>
>>>             This one is a bit of a Spring special. The actual cause
>>>             here is that the Spring Bean that is being created from
>>>             this file has silently failed, and thus the auto-wiring
>>>             has failed as well. The result is you get this lovely
>>>             misleading error. The normal reason for the bean not
>>>             being created I found was because I made a typo in the
>>>             configuration file(s).
>>>
>>>             Edward
>>>
>>>             On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux
>>>             <nicolas.delsaux@gmx.fr <ma...@gmx.fr>>
>>>             wrote:
>>>
>>>                 Hi all
>>>
>>>                 Now I know how to connect to my LDAP directory, I
>>>                 now have a strange error
>>>
>>>
>>>                 nifi-runner_1  |
>>>                 org.springframework.beans.factory.UnsatisfiedDependencyException:
>>>                 Error creating bean with name
>>>                 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>>                 Unsatisfied dependency expressed through method
>>>                 'setFilterChainProxySecurityConfigurer' parameter 1;
>>>                 nested exception is
>>>                 org.springframework.beans.factory.BeanExpressionException:
>>>                 Expression parsing failed; nested exception is
>>>                 org.springframework.beans.factory.UnsatisfiedDependencyException:
>>>                 Error creating bean with name
>>>                 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration':
>>>                 Unsatisfied dependency expressed through method
>>>                 'setJwtAuthenticationProvider' parameter 0; nested
>>>                 exception is
>>>                 org.springframework.beans.factory.BeanCreationException:
>>>                 Error creating bean with name
>>>                 'jwtAuthenticationProvider' defined in class path
>>>                 resource [nifi-web-security-context.xml]: Cannot
>>>                 resolve reference to bean 'authorizer' while setting
>>>                 constructor argument; nested exception is
>>>                 org.springframework.beans.factory.BeanCreationException:
>>>                 Error creating bean with name 'authorizer':
>>>                 FactoryBean threw exception on object creation;
>>>                 nested exception is java.lang.Exception: The
>>>                 specified authorizer 'ldap-user-group-provider'
>>>                 could not be found.
>>>
>>>                 [... let me just skip the uninteresting Spring stack
>>>                 ...]
>>>
>>>                 nifi-runner_1  | Caused by:
>>>                 org.springframework.beans.factory.BeanCreationException:
>>>                 Error creating bean with name 'authorizer':
>>>                 FactoryBean threw exception on object creation;
>>>                 nested exception is java.lang.Exception: The
>>>                 specified authorizer 'ldap-user-group-provider'
>>>                 could not be found.
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>                 nifi-runner_1  |        ... 96 common frames omitted
>>>                 nifi-runner_1  | Caused by: java.lang.Exception: The
>>>                 specified authorizer 'ldap-user-group-provider'
>>>                 could not be found.
>>>                 nifi-runner_1  |        at
>>>                 org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>                 nifi-runner_1  |        at
>>>                 org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>
>>>                 From what I understand, it seems like the
>>>                 AuthorizerFactoryBean tries to read my
>>>                 user-group-provider from the authorizers.xml file.
>>>
>>>
>>>                 I have such an user group provider, which is a ldap
>>>                 one :
>>>
>>>                 <authorizers>
>>>                 <userGroupProvider>
>>>                 <identifier>ldap-user-group-provider</identifier>
>>>                 <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>                 <property name="Authentication Strategy">LDAPS</property>
>>>                 <property name="Manager DN">a_dn</property>
>>>                 <property name="Manager Password">a_password</property>
>>>                 <property name="TLS - Keystore"></property>
>>>                 <property name="TLS - Keystore Password"></property>
>>>                 <property name="TLS - Keystore Type"></property>
>>>                 <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>                 <property name="TLS - Truststore Password">another</property>
>>>                 <property name="TLS - Truststore Type">JKS</property>
>>>                 <property name="TLS - Client Auth"></property>
>>>                 <property name="TLS - Protocol">TLSv1</property>
>>>                 <property name="TLS - Shutdown Gracefully"></property>
>>>                 <property name="Referral Strategy">FOLLOW</property>
>>>                 <property name="Connect Timeout">10 secs</property>
>>>                 <property name="Read Timeout">10 secs</property>
>>>                 <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>                 <property name="Page Size"></property>
>>>                 <property name="Sync Interval">30 mins</property>
>>>                 <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>                 <property name="User Object Class">privPerson</property>
>>>                 <property name="User Search Scope">SUBTREE</property>
>>>                 <property name="User Search Filter"></property>
>>>                 <property name="User Identity Attribute">uid</property>
>>>                 <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>                 <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>                 <property name="Group Search Base"></property>
>>>                 <property name="Group Object Class">group</property>
>>>                 <property name="Group Search Scope">ONE_LEVEL</property>
>>>                 <property name="Group Search Filter"></property>
>>>                 <property name="Group Name Attribute"></property>
>>>                 <property name="Group Member Attribute"></property>
>>>                 <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>                 </userGroupProvider>
>>>
>>>                 So why can't it be loaded ?
>>>
>>>                 Because I don't see any other exception (typically,
>>>                 I would expect a search fail exception, but it seems
>>>                 to work).
>>>
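
A pre-flight check for the points raised so far, as an added example that is not NiFi's code nor anything posted in this thread: Pierre's remark that references must be declared in order, Edward's point that a typo or whitespace error in the file surfaces only as the misleading Spring exception, and the free-text "User Group Name Attribute" value in the quoted file above. The attribute-name syntax test (RFC 4512 attribute descriptions) is my own assumption about what a plausible value looks like, not a rule NiFi itself enforces; the sample XML is constructed from the quoted configuration.

```python
"""Pre-flight check for a NiFi authorizers.xml (added example, not NiFi code).
Checks well-formedness, declaration order, that every reference names an
identifier declared above it, and that LDAP attribute-name properties are sane."""
import re
import sys
import xml.etree.ElementTree as ET

# Stage of each element type; a lower stage must never follow a higher one.
STAGE = {"userGroupProvider": 0, "accessPolicyProvider": 1, "authorizer": 2}

# LdapUserGroupProvider properties that hold an LDAP attribute name or nothing.
ATTRIBUTE_NAME_PROPERTIES = {
    "User Identity Attribute", "User Group Name Attribute", "Group Name Attribute",
    "User Group Name Attribute - Referenced Group Attribute", "Group Member Attribute",
    "Group Member Attribute - Referenced User Attribute",
}

# RFC 4512 attribute description: descriptor or numeric OID, optional ;options.
ATTRIBUTE_NAME_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")


def is_reference_property(name):
    """True for properties whose value must be another element's <identifier>."""
    return name.startswith(("User Group Provider", "Configurable User Group Provider",
                            "Access Policy Provider"))


def check_authorizers(xml_text):
    """Return a list of problem descriptions; an empty list means the file passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, declared, last_stage = [], set(), -1
    for element in root:
        tag = element.tag
        if tag not in STAGE:
            problems.append(f"unexpected element <{tag}>")
            continue
        ident = (element.findtext("identifier") or "").strip()
        if not ident:
            problems.append(f"<{tag}> without an <identifier>")
        elif ident in declared:
            problems.append(f"duplicate identifier '{ident}'")
        if STAGE[tag] < last_stage:
            problems.append(f"<{tag}> '{ident}' appears after a later-stage element; "
                            "order must be userGroupProvider, accessPolicyProvider, authorizer")
        last_stage = max(last_stage, STAGE[tag])
        for prop in element.findall("property"):
            name, value = prop.get("name", ""), (prop.text or "").strip()
            if is_reference_property(name):
                if not value:
                    problems.append(f"'{ident}': reference property '{name}' is empty")
                elif value not in declared:
                    problems.append(f"'{ident}': '{name}' references '{value}', "
                                    "which is not declared above it")
            elif (name in ATTRIBUTE_NAME_PROPERTIES and value
                  and not ATTRIBUTE_NAME_RE.match(value)):
                problems.append(f"'{ident}': '{name}' value {value!r} is not an LDAP "
                                "attribute name; leave it empty to disable that lookup")
        declared.add(ident)  # only now does it count as "declared above"
    return problems


# Constructed sample modelled on the authorizers.xml quoted in this thread
# (comments and most properties dropped); the last LDAP property is the suspect one.
SAMPLE_FROM_THREAD = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <property name="User Identity Attribute">uid</property>
    <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">ldap-user-group-provider</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""

# The same file with the suspect value blanked out.
SAMPLE_FIXED = SAMPLE_FROM_THREAD.replace(
    "This attribute doesn't exist to make sure no grouping is done", "")

# Constructed: the authorizer is moved above the access policy provider it references.
SAMPLE_OUT_OF_ORDER = """<authorizers>
  <userGroupProvider><identifier>ldap-user-group-provider</identifier></userGroupProvider>
  <authorizer><identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property></authorizer>
  <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">ldap-user-group-provider</property></accessPolicyProvider>
</authorizers>"""

if __name__ == "__main__":  # check the file given on the command line, else the sample
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FROM_THREAD
    print("\n".join(check_authorizers(text) or ["no problems found"]))
```

Run it against conf/authorizers.xml before restarting NiFi; a parse error from a mangled tag or stray whitespace is reported directly instead of surfacing as the "authorizer could not be found" exception.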

Re: Continuing my LDAP auth adventures

Posted by Edward Armes <ed...@gmail.com>.
Hi Nicolas,

In your actual configuration, is this the actual entry and not a sanitized
version?

<property name="User Group Name Attribute">This attribute doesn't exist to
make sure no grouping is done</property>

If so, I think this is the problem. What I think is happening is that NiFi is
trying to interpret this value as a DN and failing. If you only need the
users returned from the LDAP search to be the list of valid users, then this
field can just be left blank; if, however, you need the list of valid (not
necessarily authorized) users to be filtered to members of a specific
LDAP group, then you can specify the DN for that group here.

I would change it to:

<property name="User Group Name Attribute"></property>

and see if that works

Edward

On Fri, Jul 19, 2019 at 2:04 PM Nicolas Delsaux <ni...@gmx.fr>
wrote:

> Here is the full version (with obvious replacements for manager DN,
> manager password, LDAP server URL, and other "sensitive" information).
>
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> contributor license agreements. See the NOTICE file distributed with
> this work for additional information regarding copyright ownership.
> The ASF licenses this file to You under the Apache License, Version 2.0
> (the "License"); you may not use this file except in compliance with
> the License. You may obtain a copy of the License at
> http://www.apache.org/licenses/LICENSE-2.0
> Unless required by applicable law or agreed to in writing, software
> distributed under the License is distributed on an "AS IS" BASIS,
> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> See the License for the specific language governing permissions and
> limitations under the License.
> -->
> <!--
> This file lists the userGroupProviders, accessPolicyProviders, and
> authorizers to use when running securely. In order
> to use a specific authorizer it must be configured here and it's
> identifier must be specified in the nifi.properties file.
> If the authorizer is a managedAuthorizer, it may need to be configured
> with an accessPolicyProvider and an userGroupProvider.
> This file allows for configuration of them, but they must be configured in
> order:
> ...
> all userGroupProviders
> all accessPolicyProviders
> all Authorizers
> ...
> -->
> <authorizers>
> <!--
> The FileUserGroupProvider will provide support for managing users and
> groups which is backed by a file
> on the local file system.
> - Users File - The file where the FileUserGroupProvider will store users
> and groups.
> - Legacy Authorized Users File - The full path to an existing
> authorized-users.xml that will be automatically
> be used to load the users and groups into the Users File.
> - Initial User Identity [unique key] - The identity of a users and systems
> to seed the Users File. The name of
> each property must be unique, for example: "Initial User Identity A",
> "Initial User Identity B",
> "Initial User Identity C" or "Initial User Identity 1", "Initial User
> Identity 2", "Initial User Identity 3"
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the user identities,
> so the values should be the unmapped identities (i.e. full DN from a
> certificate).
> -->
> <!--
> <userGroupProvider>
> <identifier>file-user-group-provider</identifier>
> <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> <property name="Users File">./conf/users.xml</property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Initial User Identity 1"></property>
> </userGroupProvider>
> -->
> <!--
> The LdapUserGroupProvider will retrieve users and groups from an LDAP
> server. The users and groups
> are not configurable.
> 'Authentication Strategy' - How the connection to the LDAP server is
> authenticated. Possible
> values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
> 'Manager DN' - The DN of the manager that is used to bind to the LDAP
> server to search for users.
> 'Manager Password' - The password of the manager that is used to bind to
> the LDAP server to
> search for users.
> 'TLS - Keystore' - Path to the Keystore that is used when connecting to
> LDAP using LDAPS or START_TLS.
> 'TLS - Keystore Password' - Password for the Keystore that is used when
> connecting to LDAP
> using LDAPS or START_TLS.
> 'TLS - Keystore Type' - Type of the Keystore that is used when connecting
> to LDAP using
> LDAPS or START_TLS (i.e. JKS or PKCS12).
> 'TLS - Truststore' - Path to the Truststore that is used when connecting
> to LDAP using LDAPS or START_TLS.
> 'TLS - Truststore Password' - Password for the Truststore that is used
> when connecting to
> LDAP using LDAPS or START_TLS.
> 'TLS - Truststore Type' - Type of the Truststore that is used when
> connecting to LDAP using
> LDAPS or START_TLS (i.e. JKS or PKCS12).
> 'TLS - Client Auth' - Client authentication policy when connecting to LDAP
> using LDAPS or START_TLS.
> Possible values are REQUIRED, WANT, NONE.
> 'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or
> START_TLS. (i.e. TLS,
> TLSv1.1, TLSv1.2, etc).
> 'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut
> down gracefully
> before the target context is closed. Defaults to false.
> 'Referral Strategy' - Strategy for handling referrals. Possible values are
> FOLLOW, IGNORE, THROW.
> 'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
> 'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
> 'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://
> <hostname>:<port>).
> 'Page Size' - Sets the page size when retrieving users and groups. If not
> specified, no paging is performed.
> 'Sync Interval' - Duration of time between syncing users and groups (i.e.
> 30 mins). Minimum allowable value is 10 secs.
> 'User Search Base' - Base DN for searching for users (i.e.
> ou=users,o=nifi). Required to search users.
> 'User Object Class' - Object class for identifying users (i.e. person).
> Required if searching users.
> 'User Search Scope' - Search scope for searching users (ONE_LEVEL, OBJECT,
> or SUBTREE). Required if searching users.
> 'User Search Filter' - Filter for searching for users against the 'User
> Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
> 'User Identity Attribute' - Attribute to use to extract user identity
> (i.e. cn). Optional. If not set, the entire DN is used.
> 'User Group Name Attribute' - Attribute to use to define group membership
> (i.e. memberof). Optional. If not set
> group membership will not be calculated through the users. Will rely on
> group membership being defined
> through 'Group Member Attribute' if set. The value of this property is the
> name of the attribute in the user ldap entry that
> associates them with a group. The value of that user attribute could be a
> dn or group name for instance. What value is expected
> is configured in the 'User Group Name Attribute - Referenced Group
> Attribute'.
> 'User Group Name Attribute - Referenced Group Attribute' - If blank, the
> value of the attribute defined in 'User Group Name Attribute'
> is expected to be the full dn of the group. If not blank, this property
> will define the attribute of the group ldap entry that
> the value of the attribute defined in 'User Group Name Attribute' is
> referencing (i.e. name). Use of this property requires that
> 'Group Search Base' is also configured.
> 'Group Search Base' - Base DN for searching for groups (i.e.
> ou=groups,o=nifi). Required to search groups.
> 'Group Object Class' - Object class for identifying groups (i.e.
> groupOfNames). Required if searching groups.
> 'Group Search Scope' - Search scope for searching groups (ONE_LEVEL,
> OBJECT, or SUBTREE). Required if searching groups.
> 'Group Search Filter' - Filter for searching for groups against the 'Group
> Search Base'. Optional.
> 'Group Name Attribute' - Attribute to use to extract group name (i.e. cn).
> Optional. If not set, the entire DN is used.
> 'Group Member Attribute' - Attribute to use to define group membership
> (i.e. member). Optional. If not set
> group membership will not be calculated through the groups. Will rely on
> group membership being defined
> through 'User Group Name Attribute' if set. The value of this property is
> the name of the attribute in the group ldap entry that
> associates them with a user. The value of that group attribute could be a
> dn or memberUid for instance. What value is expected
> is configured in the 'Group Member Attribute - Referenced User Attribute'.
> (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
> 'Group Member Attribute - Referenced User Attribute' - If blank, the value
> of the attribute defined in 'Group Member Attribute'
> is expected to be the full dn of the user. If not blank, this property
> will define the attribute of the user ldap entry that
> the value of the attribute defined in 'Group Member Attribute' is
> referencing (i.e. uid). Use of this property requires that
> 'User Search Base' is also configured. (i.e. member: cn=User
> 1,ou=users,o=nifi vs. memberUid: user1)
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the user identities.
> Group names are not mapped.
> -->
> <userGroupProvider>
> <identifier>ldap-user-group-provider</identifier>
> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
> <property name="Authentication Strategy">LDAPS</property>
> <property name="Manager DN">a_dn</property>
> <property name="Manager Password">a_password</property>
> <property name="TLS - Keystore"></property>
> <property name="TLS - Keystore Password"></property>
> <property name="TLS - Keystore Type"></property>
> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
> <property name="TLS - Truststore Password">changeit</property>
> <property name="TLS - Truststore Type">JKS</property>
> <property name="TLS - Client Auth"></property>
> <property name="TLS - Protocol">TLSv1</property>
> <property name="TLS - Shutdown Gracefully"></property>
> <property name="Referral Strategy">FOLLOW</property>
> <property name="Connect Timeout">10 secs</property>
> <property name="Read Timeout">10 secs</property>
> <property name="Url">ldaps://myserver.mycompany.com:636</property>
> <property name="Page Size"></property>
> <property name="Sync Interval">30 mins</property>
> <property name="User Search Base">ou=people,o=mycompany.com</property>
> <property name="User Object Class">privPerson</property>
> <property name="User Search Scope">SUBTREE</property>
> <property name="User Search Filter"></property>
> <property name="User Identity Attribute">uid</property>
> <property name="User Group Name Attribute">This attribute doesn't exist
> to make sure no grouping is done</property>
> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
> <property name="Group Search Base"></property>
> <property name="Group Object Class">group</property>
> <property name="Group Search Scope">ONE_LEVEL</property>
> <property name="Group Search Filter"></property>
> <property name="Group Name Attribute"></property>
> <property name="Group Member Attribute"></property>
> <property name="Group Member Attribute - Referenced User Attribute"></property>
> </userGroupProvider>
> <!--
> The CompositeUserGroupProvider will provide support for retrieving users
> and groups from multiple sources.
> - User Group Provider [unique key] - The identifier of user group
> providers to load from. The name of
> each property must be unique, for example: "User Group Provider A", "User
> Group Provider B",
> "User Group Provider C" or "User Group Provider 1", "User Group Provider
> 2", "User Group Provider 3"
> NOTE: Any identity mapping rules specified in nifi.properties are not
> applied in this implementation. This behavior
> would need to be applied by the base implementation.
> -->
> <!-- To enable the composite-user-group-provider remove 2 lines. This is 1
> of 2.
> <userGroupProvider>
> <identifier>composite-user-group-provider</identifier>
> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
> <property name="User Group Provider 1"></property>
> </userGroupProvider>
> To enable the composite-user-group-provider remove 2 lines. This is 2 of
> 2. -->
> <!--
> The CompositeConfigurableUserGroupProvider will provide support for
> retrieving users and groups from multiple sources.
> Additionally, a single configurable user group provider is required. Users
> from the configurable user group provider
> are configurable, however users loaded from one of the User Group Provider
> [unique key] will not be.
> - Configurable User Group Provider - A configurable user group provider.
> - User Group Provider [unique key] - The identifier of user group
> providers to load from. The name of
> each property must be unique, for example: "User Group Provider A", "User
> Group Provider B",
> "User Group Provider C" or "User Group Provider 1", "User Group Provider
> 2", "User Group Provider 3"
> NOTE: Any identity mapping rules specified in nifi.properties are not
> applied in this implementation. This behavior
> would need to be applied by the base implementation.
> -->
> <!-- To enable the composite-configurable-user-group-provider remove 2
> lines. This is 1 of 2.
> <userGroupProvider>
> <identifier>composite-configurable-user-group-provider</identifier>
> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
> <property name="Configurable User Group
> Provider">file-user-group-provider</property>
> <property name="User Group Provider 1"></property>
> </userGroupProvider>
> To enable the composite-configurable-user-group-provider remove 2 lines.
> This is 2 of 2. -->
> <!--
> The FileAccessPolicyProvider will provide support for managing access
> policies which is backed by a file
> on the local file system.
> - User Group Provider - The identifier for an User Group Provider defined
> above that will be used to access
> users and groups for use in the managed access policies.
> - Authorizations File - The file where the FileAccessPolicyProvider will
> store policies.
> - Initial Admin Identity - The identity of an initial admin user that will
> be granted access to the UI and
> given the ability to create additional users, groups, and policies. The
> value of this property could be
> a DN when using certificates or LDAP, or a Kerberos principal. This
> property will only be used when there
> are no other policies defined. If this property is specified then a Legacy
> Authorized Users File can not be specified.
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the initial admin identity,
> so the value should be the unmapped identity. This identity must be found
> in the configured User Group Provider.
> - Legacy Authorized Users File - The full path to an existing
> authorized-users.xml that will be automatically
> converted to the new authorizations model. If this property is specified
> then an Initial Admin Identity can
> not be specified, and this property will only be used when there are no
> other users, groups, and policies defined.
> NOTE: Any users in the legacy users file must be found in the configured
> User Group Provider.
> - Node Identity [unique key] - The identity of a NiFi cluster node. When
> clustered, a property for each node
> should be defined, so that every node knows about every other node. If not
> clustered these properties can be ignored.
> The name of each property must be unique, for example for a three node
> cluster:
> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity
> 1", "Node Identity 2", "Node Identity 3"
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the node identities,
> so the values should be the unmapped identities (i.e. full DN from a
> certificate). This identity must be found
> in the configured User Group Provider.
> - Node Group - The name of a group containing NiFi cluster nodes. The
> typical use for this is when nodes are dynamically
> added/removed from the cluster.
> NOTE: The group must exist before starting NiFi.
> -->
> <accessPolicyProvider>
> <identifier>file-access-policy-provider</identifier>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> <property name="User Group Provider">ldap-user-group-provider</property>
> <property name="Authorizations File">./conf/authorizations.xml</property>
> <property name="Initial Admin Identity"></property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Node Identity 1"></property>
> <property name="Node Group"></property>
> </accessPolicyProvider>
> <!--
> The StandardManagedAuthorizer. This authorizer implementation must be
> configured with the
> Access Policy Provider which it will use to access and manage users,
> groups, and policies.
> These users, groups, and policies will be used to make all access
> decisions during authorization
> requests.
> - Access Policy Provider - The identifier for an Access Policy Provider
> defined above.
> -->
> <authorizer>
> <identifier>managed-authorizer</identifier>
> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> <property name="Access Policy Provider">file-access-policy-provider</property>
> </authorizer>
> <!--
> NOTE: This Authorizer has been replaced with the more granular approach
> configured above with the Standard
> Managed Authorizer. However, it is still available for backwards
> compatibility reasons.
> The FileAuthorizer is NiFi's provided authorizer and has the following
> properties:
> - Authorizations File - The file where the FileAuthorizer will store
> policies.
> - Users File - The file where the FileAuthorizer will store users and
> groups.
> - Initial Admin Identity - The identity of an initial admin user that will
> be granted access to the UI and
> given the ability to create additional users, groups, and policies. The
> value of this property could be
> a DN when using certificates or LDAP, or a Kerberos principal. This
> property will only be used when there
> are no other users, groups, and policies defined. If this property is
> specified then a Legacy Authorized
> Users File can not be specified.
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the initial admin identity,
> so the value should be the unmapped identity.
> - Legacy Authorized Users File - The full path to an existing
> authorized-users.xml that will be automatically
> converted to the new authorizations model. If this property is specified
> then an Initial Admin Identity can
> not be specified, and this property will only be used when there are no
> other users, groups, and policies defined.
> - Node Identity [unique key] - The identity of a NiFi cluster node. When
> clustered, a property for each node
> should be defined, so that every node knows about every other node. If not
> clustered these properties can be ignored.
> The name of each property must be unique, for example for a three node
> cluster:
> "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity
> 1", "Node Identity 2", "Node Identity 3"
> NOTE: Any identity mapping rules specified in nifi.properties will also be
> applied to the node identities,
> so the values should be the unmapped identities (i.e. full DN from a
> certificate).
> -->
> <!-- <authorizer>
> <identifier>file-provider</identifier>
> <class>org.apache.nifi.authorization.FileAuthorizer</class>
> <property name="Authorizations File">./conf/authorizations.xml</property>
> <property name="Users File">./conf/users.xml</property>
> <property name="Initial Admin Identity"></property>
> <property name="Legacy Authorized Users File"></property>
> <property name="Node Identity 1"></property>
> </authorizer>
> -->
> </authorizers>
> Le 19/07/2019 à 12:03, Pierre Villard a écrit :
>
> Hi Nicolas,
>
> Could you share the full content of your authorizers.xml file? Sometimes
> it's just a matter of references not being in the right "order".
>
> Le ven. 19 juil. 2019 à 11:59, Edward Armes <ed...@gmail.com> a
> écrit :
>
>> I wasn't able to find any single good way, I don't know if switching the
>> logs down to debug or trace might give you a bit more info though. In the
>> end I just went through and worked it out by hand using a combination of
>> manual checking against an alternative tool (i.e. an LDAP browser), file
>> format checkers, or just commenting things out by hand.
>>
>> I did sometimes find that white space character (new line etc...) can
>> occasionally cause a problem with the Spring loading.
>>
>> Edward
>>
>> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr>
>> wrote:
>>
>>> Is there any way to get a better error ?
>>> Le 19/07/2019 à 11:36, Edward Armes a écrit :
>>>
>>> Hi Nicolas,
>>>
>>> This one is a bit of a Spring special. The actual cause here is that the
>>> Spring Bean that is being created from this file has silently failed, and
>>> thus the auto-wiring has failed as well. The result is you get this lovely
>>> misleading error. The normal reason for the bean not being created I found
>>> was because I made a typo in the configuration file(s).
>>>
>>> Edward
>>>
>>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr>
>>> wrote:
>>>
>>>> Hi all
>>>>
>>>> Now I know how to connect to my LDAP directory, I now have a strange
>>>> error
>>>>
>>>>
>>>> nifi-runner_1  |
>>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>>> creating bean with name
>>>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>>> Unsatisfied dependency expressed through method
>>>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>>>> org.springframework.beans.factory.BeanExpressionException: Expression
>>>> parsing failed; nested exception is
>>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>>> creating bean with name
>>>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>>>> dependency expressed through method 'setJwtAuthenticationProvider'
>>>> parameter 0; nested exception is
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>>>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>>>> 'authorizer' while setting constructor argument; nested exception is
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'authorizer': FactoryBean threw exception on object
>>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>>> 'ldap-user-group-provider' could not be found.
>>>>
>>>> [... let me just skip the uninteresting Spring stack ...]
>>>>
>>>> nifi-runner_1  | Caused by:
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'authorizer': FactoryBean threw exception on object
>>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>>> 'ldap-user-group-provider' could not be found.
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>> nifi-runner_1  |        ... 96 common frames omitted
>>>> nifi-runner_1  | Caused by: java.lang.Exception: The specified
>>>> authorizer 'ldap-user-group-provider' could not be found.
>>>> nifi-runner_1  |        at
>>>> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>>> nifi-runner_1  |        at
>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>
>>>> From what I understand, it seems like the AuthorizerFactoryBean tries
>>>> to read my user-group-provider from the authorizers.xml file.
>>>>
>>>>
>>>> I have such a user group provider, which is an LDAP one:
>>>> <authorizers>
>>>> <userGroupProvider>
>>>> <identifier>ldap-user-group-provider</identifier>
>>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>> <property name="Authentication Strategy">LDAPS</property>
>>>> <property name="Manager DN">a_dn</property>
>>>> <property name="Manager Password">a_password</property>
>>>> <property name="TLS - Keystore"></property>
>>>> <property name="TLS - Keystore Password"></property>
>>>> <property name="TLS - Keystore Type"></property>
>>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>>> <property name="TLS - Truststore Password">another</property>
>>>> <property name="TLS - Truststore Type">JKS</property>
>>>> <property name="TLS - Client Auth"></property>
>>>> <property name="TLS - Protocol">TLSv1</property>
>>>> <property name="TLS - Shutdown Gracefully"></property>
>>>> <property name="Referral Strategy">FOLLOW</property>
>>>> <property name="Connect Timeout">10 secs</property>
>>>> <property name="Read Timeout">10 secs</property>
>>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>>> <property name="Page Size"></property>
>>>> <property name="Sync Interval">30 mins</property>
>>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>>> <property name="User Object Class">privPerson</property>
>>>> <property name="User Search Scope">SUBTREE</property>
>>>> <property name="User Search Filter"></property>
>>>> <property name="User Identity Attribute">uid</property>
>>>> <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>> <property name="Group Search Base"></property>
>>>> <property name="Group Object Class">group</property>
>>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>>> <property name="Group Search Filter"></property>
>>>> <property name="Group Name Attribute"></property>
>>>> <property name="Group Member Attribute"></property>
>>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>>> </userGroupProvider>
>>>>
>>>> So why can't it be loaded?
>>>>
>>>> Because I don't see any other exception (typically, I would expect a
>>>> search fail exception, but it seems to work).
>>>>
>>>

Re: Continuing my LDAP auth adventures

Posted by Nicolas Delsaux <ni...@gmx.fr>.
Here is the full version (with obvious replacements for manager DN,
manager password, LDAP server URL, and other "sensitive" information).


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
This file lists the userGroupProviders, accessPolicyProviders, and
authorizers to use when running securely. In order
to use a specific authorizer it must be configured here and its
identifier must be specified in the nifi.properties file.
If the authorizer is a managedAuthorizer, it may need to be configured
with an accessPolicyProvider and a userGroupProvider.
This file allows for configuration of them, but they must be configured
in order:
...
all userGroupProviders
all accessPolicyProviders
all Authorizers
...
-->
<authorizers>
<!--
The FileUserGroupProvider will provide support for managing users and
groups which is backed by a file
on the local file system.
- Users File - The file where the FileUserGroupProvider will store users
and groups.
- Legacy Authorized Users File - The full path to an existing
authorized-users.xml that will automatically
be used to load the users and groups into the Users File.
- Initial User Identity [unique key] - The identity of users and
systems to seed the Users File. The name of
each property must be unique, for example: "Initial User Identity A",
"Initial User Identity B",
"Initial User Identity C" or "Initial User Identity 1", "Initial User
Identity 2", "Initial User Identity 3"
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the user identities,
so the values should be the unmapped identities (i.e. full DN from a
certificate).
-->
<!--
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1"></property>
</userGroupProvider>
-->
<!--
The LdapUserGroupProvider will retrieve users and groups from an LDAP
server. The users and groups
are not configurable.
'Authentication Strategy' - How the connection to the LDAP server is
authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP
server to search for users.
'Manager Password' - The password of the manager that is used to bind to
the LDAP server to
search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when
connecting to LDAP
using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when
connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting
to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used
when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when
connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to
LDAP using LDAPS or START_TLS.
Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS
or START_TLS. (i.e. TLS,
TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut
down gracefully
before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values
are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
'Url' - Space-separated list of URLs of the LDAP servers (i.e.
ldap://<hostname>:<port>).
'Page Size' - Sets the page size when retrieving users and groups. If
not specified, no paging is performed.
'Sync Interval' - Duration of time between syncing users and groups
(i.e. 30 mins). Minimum allowable value is 10 secs.
'User Search Base' - Base DN for searching for users (i.e.
ou=users,o=nifi). Required to search users.
'User Object Class' - Object class for identifying users (i.e. person).
Required if searching users.
'User Search Scope' - Search scope for searching users (ONE_LEVEL,
OBJECT, or SUBTREE). Required if searching users.
'User Search Filter' - Filter for searching for users against the 'User
Search Base' (i.e. (memberof=cn=team1,ou=groups,o=nifi) ). Optional.
'User Identity Attribute' - Attribute to use to extract user identity
(i.e. cn). Optional. If not set, the entire DN is used.
'User Group Name Attribute' - Attribute to use to define group
membership (i.e. memberof). Optional. If not set
group membership will not be calculated through the users. Will rely on
group membership being defined
through 'Group Member Attribute' if set. The value of this property is
the name of the attribute in the user ldap entry that
associates them with a group. The value of that user attribute could be
a dn or group name for instance. What value is expected
is configured in the 'User Group Name Attribute - Referenced Group
Attribute'.
'User Group Name Attribute - Referenced Group Attribute' - If blank, the
value of the attribute defined in 'User Group Name Attribute'
is expected to be the full dn of the group. If not blank, this property
will define the attribute of the group ldap entry that
the value of the attribute defined in 'User Group Name Attribute' is
referencing (i.e. name). Use of this property requires that
'Group Search Base' is also configured.
'Group Search Base' - Base DN for searching for groups (i.e.
ou=groups,o=nifi). Required to search groups.
'Group Object Class' - Object class for identifying groups (i.e.
groupOfNames). Required if searching groups.
'Group Search Scope' - Search scope for searching groups (ONE_LEVEL,
OBJECT, or SUBTREE). Required if searching groups.
'Group Search Filter' - Filter for searching for groups against the
'Group Search Base'. Optional.
'Group Name Attribute' - Attribute to use to extract group name (i.e.
cn). Optional. If not set, the entire DN is used.
'Group Member Attribute' - Attribute to use to define group membership
(i.e. member). Optional. If not set
group membership will not be calculated through the groups. Will rely on
group membership being defined
through 'User Group Name Attribute' if set. The value of this property
is the name of the attribute in the group ldap entry that
associates them with a user. The value of that group attribute could be
a dn or memberUid for instance. What value is expected
is configured in the 'Group Member Attribute - Referenced User
Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
'Group Member Attribute - Referenced User Attribute' - If blank, the
value of the attribute defined in 'Group Member Attribute'
is expected to be the full dn of the user. If not blank, this property
will define the attribute of the user ldap entry that
the value of the attribute defined in 'Group Member Attribute' is
referencing (i.e. uid). Use of this property requires that
'User Search Base' is also configured. (i.e. member: cn=User
1,ou=users,o=nifi vs. memberUid: user1)
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the user identities.
Group names are not mapped.
-->
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">a_dn</property>
<property name="Manager Password">a_password</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
<property name="TLS - Truststore Password">changeit</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://myserver.mycompany.com:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">ou=people,o=mycompany.com</property>
<property name="User Object Class">privPerson</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base"></property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<!--
The CompositeUserGroupProvider will provide support for retrieving users
and groups from multiple sources.
- User Group Provider [unique key] - The identifier of user group
providers to load from. The name of
each property must be unique, for example: "User Group Provider A",
"User Group Provider B",
"User Group Provider C" or "User Group Provider 1", "User Group Provider
2", "User Group Provider 3"
NOTE: Any identity mapping rules specified in nifi.properties are not
applied in this implementation. This behavior
would need to be applied by the base implementation.
-->
<!-- To enable the composite-user-group-provider remove 2 lines. This is
1 of 2.
<userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
<property name="User Group Provider 1"></property>
</userGroupProvider>
To enable the composite-user-group-provider remove 2 lines. This is 2 of
2. -->
<!--
The CompositeConfigurableUserGroupProvider will provide support for
retrieving users and groups from multiple sources.
Additionally, a single configurable user group provider is required.
Users from the configurable user group provider
are configurable, however users loaded from one of the User Group
Provider [unique key] will not be.
- Configurable User Group Provider - A configurable user group provider.
- User Group Provider [unique key] - The identifier of user group
providers to load from. The name of
each property must be unique, for example: "User Group Provider A",
"User Group Provider B",
"User Group Provider C" or "User Group Provider 1", "User Group Provider
2", "User Group Provider 3"
NOTE: Any identity mapping rules specified in nifi.properties are not
applied in this implementation. This behavior
would need to be applied by the base implementation.
-->
<!-- To enable the composite-configurable-user-group-provider remove 2
lines. This is 1 of 2.
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1"></property>
</userGroupProvider>
To enable the composite-configurable-user-group-provider remove 2 lines.
This is 2 of 2. -->
<!--
The FileAccessPolicyProvider will provide support for managing access
policies which is backed by a file
on the local file system.
- User Group Provider - The identifier for a User Group Provider
defined above that will be used to access
users and groups for use in the managed access policies.
- Authorizations File - The file where the FileAccessPolicyProvider will
store policies.
- Initial Admin Identity - The identity of an initial admin user that
will be granted access to the UI and
given the ability to create additional users, groups, and policies. The
value of this property could be
a DN when using certificates or LDAP, or a Kerberos principal. This
property will only be used when there
are no other policies defined. If this property is specified then a
Legacy Authorized Users File can not be specified.
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the initial admin identity,
so the value should be the unmapped identity. This identity must be
found in the configured User Group Provider.
- Legacy Authorized Users File - The full path to an existing
authorized-users.xml that will be automatically
converted to the new authorizations model. If this property is specified
then an Initial Admin Identity can
not be specified, and this property will only be used when there are no
other users, groups, and policies defined.
NOTE: Any users in the legacy users file must be found in the configured
User Group Provider.
- Node Identity [unique key] - The identity of a NiFi cluster node. When
clustered, a property for each node
should be defined, so that every node knows about every other node. If
not clustered these properties can be ignored.
The name of each property must be unique, for example for a three node
cluster:
"Node Identity A", "Node Identity B", "Node Identity C" or "Node
Identity 1", "Node Identity 2", "Node Identity 3"
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the node identities,
so the values should be the unmapped identities (i.e. full DN from a
certificate). This identity must be found
in the configured User Group Provider.
- Node Group - The name of a group containing NiFi cluster nodes. The
typical use for this is when nodes are dynamically
added/removed from the cluster.
NOTE: The group must exist before starting NiFi.
-->
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity"></property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>
<!--
The StandardManagedAuthorizer. This authorizer implementation must be
configured with the
Access Policy Provider which it will use to access and manage users,
groups, and policies.
These users, groups, and policies will be used to make all access
decisions during authorization
requests.
- Access Policy Provider - The identifier for an Access Policy Provider
defined above.
-->
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
<!--
NOTE: This Authorizer has been replaced with the more granular approach
configured above with the Standard
Managed Authorizer. However, it is still available for backwards
compatibility reasons.
The FileAuthorizer is NiFi's provided authorizer and has the following
properties:
- Authorizations File - The file where the FileAuthorizer will store
policies.
- Users File - The file where the FileAuthorizer will store users and
groups.
- Initial Admin Identity - The identity of an initial admin user that
will be granted access to the UI and
given the ability to create additional users, groups, and policies. The
value of this property could be
a DN when using certificates or LDAP, or a Kerberos principal. This
property will only be used when there
are no other users, groups, and policies defined. If this property is
specified then a Legacy Authorized
Users File can not be specified.
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the initial admin identity,
so the value should be the unmapped identity.
- Legacy Authorized Users File - The full path to an existing
authorized-users.xml that will be automatically
converted to the new authorizations model. If this property is specified
then an Initial Admin Identity can
not be specified, and this property will only be used when there are no
other users, groups, and policies defined.
- Node Identity [unique key] - The identity of a NiFi cluster node. When
clustered, a property for each node
should be defined, so that every node knows about every other node. If
not clustered these properties can be ignored.
The name of each property must be unique, for example for a three node
cluster:
"Node Identity A", "Node Identity B", "Node Identity C" or "Node
Identity 1", "Node Identity 2", "Node Identity 3"
NOTE: Any identity mapping rules specified in nifi.properties will also
be applied to the node identities,
so the values should be the unmapped identities (i.e. full DN from a
certificate).
-->
<!-- <authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Users File">./conf/users.xml</property>
<property name="Initial Admin Identity"></property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
</authorizer>
-->
</authorizers>
On 19/07/2019 at 12:03, Pierre Villard wrote:
> Hi Nicolas,
>
> Could you share the full content of your authorizers.xml file?
> Sometimes it's just a matter of references not being in the right "order".
>
> On Fri, 19 Jul 2019 at 11:59, Edward Armes <edward.armes@gmail.com> wrote:
>
>     I wasn't able to find any single good way, I don't know if
>     switching the logs down to debug or trace might give you a bit
>     more info though. In the end I just went through and worked it out
>     by hand using a combination of manual checking against an
>     alternative tool (i.e. an LDAP browser), file format checkers, or
>     just commenting things out by hand.
>
>     I did sometimes find that white space characters (new line etc...)
>     can occasionally cause a problem with the Spring loading.
>
>     Edward
>
>     On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux
>     <nicolas.delsaux@gmx.fr> wrote:
>
>         Is there any way to get a better error?
>
>         On 19/07/2019 at 11:36, Edward Armes wrote:
>>         Hi Nicolas,
>>
>>         This one is a bit of a Spring special. The actual cause here
>>         is that the Spring Bean that is being created from this file
>>         has silently failed, and thus the auto-wiring has failed as
>>         well. The result is you get this lovely misleading error. The
>>         normal reason for the bean not being created I found was
>>         because I made a typo in the configuration file(s).
>>
>>         Edward
>>
>>         On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux
>>         <nicolas.delsaux@gmx.fr> wrote:
>>
>>             Hi all
>>
>>             Now I know how to connect to my LDAP directory, I now
>>             have a strange error
>>
>>
>>             nifi-runner_1  |
>>             org.springframework.beans.factory.UnsatisfiedDependencyException:
>>             Error creating bean with name
>>             'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>             Unsatisfied dependency expressed through method
>>             'setFilterChainProxySecurityConfigurer' parameter 1;
>>             nested exception is
>>             org.springframework.beans.factory.BeanExpressionException:
>>             Expression parsing failed; nested exception is
>>             org.springframework.beans.factory.UnsatisfiedDependencyException:
>>             Error creating bean with name
>>             'org.apache.nifi.web.NiFiWebApiSecurityConfiguration':
>>             Unsatisfied dependency expressed through method
>>             'setJwtAuthenticationProvider' parameter 0; nested
>>             exception is
>>             org.springframework.beans.factory.BeanCreationException:
>>             Error creating bean with name 'jwtAuthenticationProvider'
>>             defined in class path resource
>>             [nifi-web-security-context.xml]: Cannot resolve reference
>>             to bean 'authorizer' while setting constructor argument;
>>             nested exception is
>>             org.springframework.beans.factory.BeanCreationException:
>>             Error creating bean with name 'authorizer': FactoryBean
>>             threw exception on object creation; nested exception is
>>             java.lang.Exception: The specified authorizer
>>             'ldap-user-group-provider' could not be found.
>>
>>             [... let me just skip the uninteresting Spring stack ...]
>>
>>             nifi-runner_1  | Caused by:
>>             org.springframework.beans.factory.BeanCreationException:
>>             Error creating bean with name 'authorizer': FactoryBean
>>             threw exception on object creation; nested exception is
>>             java.lang.Exception: The specified authorizer
>>             'ldap-user-group-provider' could not be found.
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>             nifi-runner_1  |        ... 96 common frames omitted
>>             nifi-runner_1  | Caused by: java.lang.Exception: The
>>             specified authorizer 'ldap-user-group-provider' could not
>>             be found.
>>             nifi-runner_1  |        at
>>             org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>             nifi-runner_1  |        at
>>             org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>
>>             From what I understand, it seems like the
>>             AuthorizerFactoryBean tries to read my
>>             user-group-provider from the authorizers.xml file.
>>
>>
>>             I have such a user group provider, which is an LDAP one:
>>
>>             <authorizers>
>>             <userGroupProvider>
>>             <identifier>ldap-user-group-provider</identifier>
>>             <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>             <property name="Authentication Strategy">LDAPS</property>
>>             <property name="Manager DN">a_dn</property>
>>             <property name="Manager Password">a_password</property>
>>             <property name="TLS - Keystore"></property>
>>             <property name="TLS - Keystore Password"></property>
>>             <property name="TLS - Keystore Type"></property>
>>             <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>             <property name="TLS - Truststore Password">another</property>
>>             <property name="TLS - Truststore Type">JKS</property>
>>             <property name="TLS - Client Auth"></property>
>>             <property name="TLS - Protocol">TLSv1</property>
>>             <property name="TLS - Shutdown Gracefully"></property>
>>             <property name="Referral Strategy">FOLLOW</property>
>>             <property name="Connect Timeout">10 secs</property>
>>             <property name="Read Timeout">10 secs</property>
>>             <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>             <property name="Page Size"></property>
>>             <property name="Sync Interval">30 mins</property>
>>             <property name="User Search Base">ou=people,o=mycompany.com</property>
>>             <property name="User Object Class">privPerson</property>
>>             <property name="User Search Scope">SUBTREE</property>
>>             <property name="User Search Filter"></property>
>>             <property name="User Identity Attribute">uid</property>
>>             <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>>             <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>             <property name="Group Search Base"></property>
>>             <property name="Group Object Class">group</property>
>>             <property name="Group Search Scope">ONE_LEVEL</property>
>>             <property name="Group Search Filter"></property>
>>             <property name="Group Name Attribute"></property>
>>             <property name="Group Member Attribute"></property>
>>             <property name="Group Member Attribute - Referenced User Attribute"></property>
>>             </userGroupProvider>
>>
>>             So why can't it be loaded?
>>
>>             Because I don't see any other exception (typically, I
>>             would expect a search fail exception, but it seems to work).
>>

Re: Continuing my LDAP auth adventures

Posted by Pierre Villard <pi...@gmail.com>.
Hi Nicolas,

Could you share the full content of your authorizers.xml file? Sometimes
it's just a matter of references not being in the right "order".

On Fri 19 Jul 2019 at 11:59, Edward Armes <ed...@gmail.com>
wrote:

> I wasn't able to find any single good way; I don't know if switching the
> logs down to debug or trace might give you a bit more info though. In the
> end I just went through and worked it out by hand, using a combination of
> manual checking against an alternative tool (i.e. an LDAP browser), file
> format checkers, or just commenting things out by hand.
>
> I did sometimes find that whitespace characters (new line etc.) can
> occasionally cause a problem with the Spring loading.
>
> Edward
>
> On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr>
> wrote:
>
>> Is there any way to get a better error?
>> On 19/07/2019 at 11:36, Edward Armes wrote:
>>
>> Hi Nicolas,
>>
>> This one is a bit of a Spring special. The actual cause here is that the
>> Spring Bean that is being created from this file has silently failed, and
>> thus the auto-wiring has failed as well. The result is you get this lovely
>> misleading error. The normal reason for the bean not being created I found
>> was because I made a typo in the configuration file(s).
>>
>> Edward
>>
>> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr>
>> wrote:
>>
>>> Hi all
>>>
>>> Now I know how to connect to my LDAP directory, I now have a strange
>>> error
>>>
>>>
>>> nifi-runner_1  |
>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>> creating bean with name
>>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>> Unsatisfied dependency expressed through method
>>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>>> org.springframework.beans.factory.BeanExpressionException: Expression
>>> parsing failed; nested exception is
>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>> creating bean with name
>>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>>> dependency expressed through method 'setJwtAuthenticationProvider'
>>> parameter 0; nested exception is
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>>> 'authorizer' while setting constructor argument; nested exception is
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'authorizer': FactoryBean threw exception on object
>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>> 'ldap-user-group-provider' could not be found.
>>>
>>> [... let me just skip the uninteresting Spring stack ...]
>>>
>>> nifi-runner_1  | Caused by:
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'authorizer': FactoryBean threw exception on object
>>> creation; nested exception is java.lang.Exception: The specified authorizer
>>> 'ldap-user-group-provider' could not be found.
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>> nifi-runner_1  |        ... 96 common frames omitted
>>> nifi-runner_1  | Caused by: java.lang.Exception: The specified
>>> authorizer 'ldap-user-group-provider' could not be found.
>>> nifi-runner_1  |        at
>>> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>>> nifi-runner_1  |        at
>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>
>>> From what I understand, it seems like the AuthorizerFactoryBean tries to
>>> read my user-group-provider from the authorizers.xml file.
>>>
>>>
>>> I have such a user group provider, which is an LDAP one:
>>> <authorizers>
>>> <userGroupProvider>
>>> <identifier>ldap-user-group-provider</identifier>
>>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>> <property name="Authentication Strategy">LDAPS</property>
>>> <property name="Manager DN">a_dn</property>
>>> <property name="Manager Password">a_password</property>
>>> <property name="TLS - Keystore"></property>
>>> <property name="TLS - Keystore Password"></property>
>>> <property name="TLS - Keystore Type"></property>
>>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>>> <property name="TLS - Truststore Password">another</property>
>>> <property name="TLS - Truststore Type">JKS</property>
>>> <property name="TLS - Client Auth"></property>
>>> <property name="TLS - Protocol">TLSv1</property>
>>> <property name="TLS - Shutdown Gracefully"></property>
>>> <property name="Referral Strategy">FOLLOW</property>
>>> <property name="Connect Timeout">10 secs</property>
>>> <property name="Read Timeout">10 secs</property>
>>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>>> <property name="Page Size"></property>
>>> <property name="Sync Interval">30 mins</property>
>>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>>> <property name="User Object Class">privPerson</property>
>>> <property name="User Search Scope">SUBTREE</property>
>>> <property name="User Search Filter"></property>
>>> <property name="User Identity Attribute">uid</property>
>>> <property name="User Group Name Attribute">This attribute doesn't exist
>>> to make sure no grouping is done</property>
>>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>> <property name="Group Search Base"></property>
>>> <property name="Group Object Class">group</property>
>>> <property name="Group Search Scope">ONE_LEVEL</property>
>>> <property name="Group Search Filter"></property>
>>> <property name="Group Name Attribute"></property>
>>> <property name="Group Member Attribute"></property>
>>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>>> </userGroupProvider>
>>>
>>> So why can't it be loaded?
>>>
>>> Because I don't see any other exception (typically, I would expect a
>>> search fail exception, but it seems to work).
>>>
>>

Re: Continuing my LDAP auth adventures

Posted by Edward Armes <ed...@gmail.com>.
I wasn't able to find any single good way; I don't know if switching the
logs down to debug or trace might give you a bit more info though. In the
end I just went through and worked it out by hand, using a combination of
manual checking against an alternative tool (i.e. an LDAP browser), file
format checkers, or just commenting things out by hand.

I did sometimes find that whitespace characters (new line etc.) can
occasionally cause a problem with the Spring loading.

Edward

On Fri, Jul 19, 2019 at 10:45 AM Nicolas Delsaux <ni...@gmx.fr>
wrote:

> Is there any way to get a better error?
> On 19/07/2019 at 11:36, Edward Armes wrote:
>
> Hi Nicolas,
>
> This one is a bit of a Spring special. The actual cause here is that the
> Spring Bean that is being created from this file has silently failed, and
> thus the auto-wiring has failed as well. The result is you get this lovely
> misleading error. The normal reason for the bean not being created I found
> was because I made a typo in the configuration file(s).
>
> Edward
>
> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr>
> wrote:
>
>> Hi all
>>
>> Now I know how to connect to my LDAP directory, I now have a strange error
>>
>>
>> nifi-runner_1  |
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name
>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>> Unsatisfied dependency expressed through method
>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>> org.springframework.beans.factory.BeanExpressionException: Expression
>> parsing failed; nested exception is
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name
>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>> dependency expressed through method 'setJwtAuthenticationProvider'
>> parameter 0; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>> 'authorizer' while setting constructor argument; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'authorizer': FactoryBean threw exception on object
>> creation; nested exception is java.lang.Exception: The specified authorizer
>> 'ldap-user-group-provider' could not be found.
>>
>> [... let me just skip the uninteresting Spring stack ...]
>>
>> nifi-runner_1  | Caused by:
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'authorizer': FactoryBean threw exception on object
>> creation; nested exception is java.lang.Exception: The specified authorizer
>> 'ldap-user-group-provider' could not be found.
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>> nifi-runner_1  |        ... 96 common frames omitted
>> nifi-runner_1  | Caused by: java.lang.Exception: The specified authorizer
>> 'ldap-user-group-provider' could not be found.
>> nifi-runner_1  |        at
>> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>> nifi-runner_1  |        at
>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>
>> From what I understand, it seems like the AuthorizerFactoryBean tries to
>> read my user-group-provider from the authorizers.xml file.
>>
>>
>> I have such a user group provider, which is an LDAP one:
>> <authorizers>
>> <userGroupProvider>
>> <identifier>ldap-user-group-provider</identifier>
>> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>> <property name="Authentication Strategy">LDAPS</property>
>> <property name="Manager DN">a_dn</property>
>> <property name="Manager Password">a_password</property>
>> <property name="TLS - Keystore"></property>
>> <property name="TLS - Keystore Password"></property>
>> <property name="TLS - Keystore Type"></property>
>> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>> <property name="TLS - Truststore Password">another</property>
>> <property name="TLS - Truststore Type">JKS</property>
>> <property name="TLS - Client Auth"></property>
>> <property name="TLS - Protocol">TLSv1</property>
>> <property name="TLS - Shutdown Gracefully"></property>
>> <property name="Referral Strategy">FOLLOW</property>
>> <property name="Connect Timeout">10 secs</property>
>> <property name="Read Timeout">10 secs</property>
>> <property name="Url">ldaps://myserver.mycompany.com:636</property>
>> <property name="Page Size"></property>
>> <property name="Sync Interval">30 mins</property>
>> <property name="User Search Base">ou=people,o=mycompany.com</property>
>> <property name="User Object Class">privPerson</property>
>> <property name="User Search Scope">SUBTREE</property>
>> <property name="User Search Filter"></property>
>> <property name="User Identity Attribute">uid</property>
>> <property name="User Group Name Attribute">This attribute doesn't exist
>> to make sure no grouping is done</property>
>> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>> <property name="Group Search Base"></property>
>> <property name="Group Object Class">group</property>
>> <property name="Group Search Scope">ONE_LEVEL</property>
>> <property name="Group Search Filter"></property>
>> <property name="Group Name Attribute"></property>
>> <property name="Group Member Attribute"></property>
>> <property name="Group Member Attribute - Referenced User Attribute"></property>
>> </userGroupProvider>
>>
>> So why can't it be loaded?
>>
>> Because I don't see any other exception (typically, I would expect a
>> search fail exception, but it seems to work).
>>
>
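Both suggestions in the thread, Pierre's point about reference order and Edward's about typos and stray whitespace, can be checked mechanically before NiFi is restarted. The script below is an added example for this thread, not code from the NiFi project or from anyone on the list. It parses an authorizers.xml, reports references to identifiers that are not defined earlier in the file (a forward reference counts as a finding here, which is stricter than NiFi itself may be), flags stray whitespace and duplicate identifiers, flags deprecated TLS versions such as the TLSv1 in the quoted configuration, and lists which identifiers are `<authorizer>` entries, since per the NiFi admin guide nifi.security.user.authorizer must name one of those rather than a userGroupProvider. The property names "User Group Provider" and "Access Policy Provider" are those used by NiFi's stock FileAccessPolicyProvider and StandardManagedAuthorizer; the sample document, its host names and the three mistakes planted in it are constructed for the example.

```python
"""Consistency checker for a NiFi authorizers.xml (added example, not NiFi code)."""
import xml.etree.ElementTree as ET

# Top-level elements of authorizers.xml, in the order the NiFi admin guide lists them.
PROVIDER_TAGS = ("userGroupProvider", "accessPolicyProvider", "authorizer")

# Property names through which NiFi's stock providers reference another
# provider's <identifier> (assumption: covers the standard file-based providers).
REFERENCE_PROPERTIES = ("User Group Provider", "Access Policy Provider")

# Protocol versions deprecated by RFC 8996 (and SSLv3); flag an LDAP provider using them.
WEAK_TLS_PROTOCOLS = {"TLSv1", "TLSv1.1", "SSLv3"}

# Constructed sample: a trailing space in a reference, a typo in another
# reference, and a deprecated TLS version. Host names are placeholders.
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="TLS - Protocol">TLSv1</property>
    <property name="Url">ldaps://ldap.example.test:636</property>
    <property name="User Search Base">ou=people,dc=example,dc=test</property>
    <property name="User Identity Attribute">uid</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider </property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-acess-policy-provider</property>
  </authorizer>
</authorizers>
"""


def parse_providers(xml_text):
    """Return [(tag, identifier, {property name: value}), ...] in file order.

    Raises xml.etree.ElementTree.ParseError when the document is not
    well-formed, which is what a typo in a tag or attribute produces.
    """
    root = ET.fromstring(xml_text)
    providers = []
    for elem in root:
        if elem.tag not in PROVIDER_TAGS:
            continue
        ident = elem.findtext("identifier") or ""
        props = {p.get("name", ""): (p.text or "") for p in elem.findall("property")}
        providers.append((elem.tag, ident, props))
    return providers


def check_authorizers(xml_text):
    """Return a list of findings (strings); an empty list means nothing was found."""
    try:
        providers = parse_providers(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    defined = set()  # identifiers seen so far, i.e. defined earlier in the file
    for tag, ident, props in providers:
        where = f"<{tag}> '{ident}'"
        if not ident.strip():
            findings.append(f"{where}: missing identifier")
        elif ident != ident.strip():
            findings.append(f"{where}: identifier has surrounding whitespace")
        elif ident in defined:
            findings.append(f"{where}: duplicate identifier")

        for name, value in props.items():
            if name in REFERENCE_PROPERTIES:
                target = value.strip()
                if value != target:
                    findings.append(f"{where}: '{name}' value {value!r} has surrounding whitespace")
                if target not in defined:
                    findings.append(f"{where}: '{name}' references '{target}', "
                                    "which is not defined earlier in the file")
            elif name == "TLS - Protocol" and value.strip() in WEAK_TLS_PROTOCOLS:
                findings.append(f"{where}: 'TLS - Protocol' is {value.strip()}, "
                                "a deprecated protocol version")

        defined.add(ident.strip())
    return findings


def authorizer_identifiers(xml_text):
    """Identifiers of <authorizer> entries: the values nifi.security.user.authorizer may take."""
    return [ident for tag, ident, _ in parse_providers(xml_text) if tag == "authorizer"]


def is_configured_authorizer_defined(xml_text, configured):
    """True when `configured` (the nifi.security.user.authorizer value) names an <authorizer>."""
    return configured in authorizer_identifiers(xml_text)


if __name__ == "__main__":
    for finding in check_authorizers(SAMPLE_AUTHORIZERS_XML):
        print(finding)
    print("authorizers:", authorizer_identifiers(SAMPLE_AUTHORIZERS_XML))
```

Run it against the real file with `check_authorizers(open("conf/authorizers.xml").read())`; a file that is not well-formed comes back as a single finding carrying the parser's line and column, which is the fastest way to locate the kind of typo Edward describes, and `authorizer_identifiers()` shows at a glance whether the value in nifi.properties can match anything at all.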

Re: Continuing my LDAP auth adventures

Posted by Nicolas Delsaux <ni...@gmx.fr>.
Is there any way to get a better error?

On 19/07/2019 at 11:36, Edward Armes wrote:
> Hi Nicolas,
>
> This one is a bit of a Spring special. The actual cause here is that
> the Spring Bean that is being created from this file has silently
> failed, and thus the auto-wiring has failed as well. The result is you
> get this lovely misleading error. The normal reason for the bean not
> being created I found was because I made a typo in the configuration
> file(s).
>
> Edward
>
> On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux
> <nicolas.delsaux@gmx.fr> wrote:
>
>     Hi all
>
>     Now I know how to connect to my LDAP directory, I now have a
>     strange error
>
>
>     nifi-runner_1  |
>     org.springframework.beans.factory.UnsatisfiedDependencyException:
>     Error creating bean with name
>     'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>     Unsatisfied dependency expressed through method
>     'setFilterChainProxySecurityConfigurer' parameter 1; nested
>     exception is
>     org.springframework.beans.factory.BeanExpressionException:
>     Expression parsing failed; nested exception is
>     org.springframework.beans.factory.UnsatisfiedDependencyException:
>     Error creating bean with name
>     'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>     dependency expressed through method 'setJwtAuthenticationProvider'
>     parameter 0; nested exception is
>     org.springframework.beans.factory.BeanCreationException: Error
>     creating bean with name 'jwtAuthenticationProvider' defined in
>     class path resource [nifi-web-security-context.xml]: Cannot
>     resolve reference to bean 'authorizer' while setting constructor
>     argument; nested exception is
>     org.springframework.beans.factory.BeanCreationException: Error
>     creating bean with name 'authorizer': FactoryBean threw exception
>     on object creation; nested exception is java.lang.Exception: The
>     specified authorizer 'ldap-user-group-provider' could not be found.
>
>     [... let me just skip the uninteresting Spring stack ...]
>
>     nifi-runner_1  | Caused by:
>     org.springframework.beans.factory.BeanCreationException: Error
>     creating bean with name 'authorizer': FactoryBean threw exception
>     on object creation; nested exception is java.lang.Exception: The
>     specified authorizer 'ldap-user-group-provider' could not be found.
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>     nifi-runner_1  |        ... 96 common frames omitted
>     nifi-runner_1  | Caused by: java.lang.Exception: The specified
>     authorizer 'ldap-user-group-provider' could not be found.
>     nifi-runner_1  |        at
>     org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
>     nifi-runner_1  |        at
>     org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>
>     From what I understand, it seems like the AuthorizerFactoryBean
>     tries to read my user-group-provider from the authorizers.xml file.
>
>
>     I have such a user group provider, which is an LDAP one:
>
>     <authorizers>
>     <userGroupProvider>
>     <identifier>ldap-user-group-provider</identifier>
>     <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>     <property name="Authentication Strategy">LDAPS</property>
>     <property name="Manager DN">a_dn</property>
>     <property name="Manager Password">a_password</property>
>     <property name="TLS - Keystore"></property>
>     <property name="TLS - Keystore Password"></property>
>     <property name="TLS - Keystore Type"></property>
>     <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
>     <property name="TLS - Truststore Password">another</property>
>     <property name="TLS - Truststore Type">JKS</property>
>     <property name="TLS - Client Auth"></property>
>     <property name="TLS - Protocol">TLSv1</property>
>     <property name="TLS - Shutdown Gracefully"></property>
>     <property name="Referral Strategy">FOLLOW</property>
>     <property name="Connect Timeout">10 secs</property>
>     <property name="Read Timeout">10 secs</property>
>     <property name="Url">ldaps://myserver.mycompany.com:636</property>
>     <property name="Page Size"></property>
>     <property name="Sync Interval">30 mins</property>
>     <property name="User Search Base">ou=people,o=mycompany.com</property>
>     <property name="User Object Class">privPerson</property>
>     <property name="User Search Scope">SUBTREE</property>
>     <property name="User Search Filter"></property>
>     <property name="User Identity Attribute">uid</property>
>     <property name="User Group Name Attribute">This attribute doesn't exist to make sure no grouping is done</property>
>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>     <property name="Group Search Base"></property>
>     <property name="Group Object Class">group</property>
>     <property name="Group Search Scope">ONE_LEVEL</property>
>     <property name="Group Search Filter"></property>
>     <property name="Group Name Attribute"></property>
>     <property name="Group Member Attribute"></property>
>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>     </userGroupProvider>
>
>     So why can't it be loaded?
>
>     Because I don't see any other exception (typically, I would expect
>     a search fail exception, but it seems to work).
>

Re: Continuing my LDAP auth adventures

Posted by Edward Armes <ed...@gmail.com>.
Hi Nicolas,

This one is a bit of a Spring special. The actual cause here is that the
Spring Bean that is being created from this file has silently failed, and
thus the auto-wiring has failed as well. The result is you get this lovely
misleading error. The normal reason for the bean not being created I found
was because I made a typo in the configuration file(s).

Edward

On Fri, Jul 19, 2019 at 10:21 AM Nicolas Delsaux <ni...@gmx.fr>
wrote:

> Hi all
>
> Now I know how to connect to my LDAP directory, I now have a strange error
>
>
> nifi-runner_1  |
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
> Unsatisfied dependency expressed through method
> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
> org.springframework.beans.factory.BeanExpressionException: Expression
> parsing failed; nested exception is
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
> dependency expressed through method 'setJwtAuthenticationProvider'
> parameter 0; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'jwtAuthenticationProvider' defined in class path resource
> [nifi-web-security-context.xml]: Cannot resolve reference to bean
> 'authorizer' while setting constructor argument; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'authorizer': FactoryBean threw exception on object
> creation; nested exception is java.lang.Exception: The specified authorizer
> 'ldap-user-group-provider' could not be found.
>
> [... let me just skip the uninteresting Spring stack ...]
>
> nifi-runner_1  | Caused by:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'authorizer': FactoryBean threw exception on object
> creation; nested exception is java.lang.Exception: The specified authorizer
> 'ldap-user-group-provider' could not be found.
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
> nifi-runner_1  |        ... 96 common frames omitted
> nifi-runner_1  | Caused by: java.lang.Exception: The specified authorizer
> 'ldap-user-group-provider' could not be found.
> nifi-runner_1  |        at
> org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:175)
> nifi-runner_1  |        at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>
> From what I understand, it seems like the AuthorizerFactoryBean tries to
> read my user-group-provider from the authorizers.xml file.
>
>
> I have such a user group provider, which is an LDAP one:
> <authorizers>
> <userGroupProvider>
> <identifier>ldap-user-group-provider</identifier>
> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
> <property name="Authentication Strategy">LDAPS</property>
> <property name="Manager DN">a_dn</property>
> <property name="Manager Password">a_password</property>
> <property name="TLS - Keystore"></property>
> <property name="TLS - Keystore Password"></property>
> <property name="TLS - Keystore Type"></property>
> <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
> <property name="TLS - Truststore Password">another</property>
> <property name="TLS - Truststore Type">JKS</property>
> <property name="TLS - Client Auth"></property>
> <property name="TLS - Protocol">TLSv1</property>
> <property name="TLS - Shutdown Gracefully"></property>
> <property name="Referral Strategy">FOLLOW</property>
> <property name="Connect Timeout">10 secs</property>
> <property name="Read Timeout">10 secs</property>
> <property name="Url">ldaps://myserver.mycompany.com:636</property>
> <property name="Page Size"></property>
> <property name="Sync Interval">30 mins</property>
> <property name="User Search Base">ou=people,o=mycompany.com</property>
> <property name="User Object Class">privPerson</property>
> <property name="User Search Scope">SUBTREE</property>
> <property name="User Search Filter"></property>
> <property name="User Identity Attribute">uid</property>
> <property name="User Group Name Attribute">This attribute doesn't exist
> to make sure no grouping is done</property>
> <property name="User Group Name Attribute - Referenced Group Attribute"></property>
> <property name="Group Search Base"></property>
> <property name="Group Object Class">group</property>
> <property name="Group Search Scope">ONE_LEVEL</property>
> <property name="Group Search Filter"></property>
> <property name="Group Name Attribute"></property>
> <property name="Group Member Attribute"></property>
> <property name="Group Member Attribute - Referenced User Attribute"></property>
> </userGroupProvider>
>
> So why can't it be loaded?
>
> Because I don't see any other exception (typically, I would expect a
> search fail exception, but it seems to work).
>