You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Provenzano Nicolas <ni...@gfi.fr> on 2016/09/26 15:43:56 UTC

Access denied for kerberos users

Hi all,

I configured an 1.0.0 NIFI instance to use Kerberos services for authentication.

I can connect to the UI using the certificate corresponding to the user declared in the Initial Admin Identity.

However, when I try to connect using a user declared in the Kerberos server :


1.       Based on some docs, I should be able to submit a request to get access to the UI. It's not the case.

2.       Using the initial admin user, I created a user in Nifi and add in some profiles.

However, I still have the following message :

"Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

The user is correctly declared in the Kerberos server. When it is not, a pop-up displays :
The supplied username and password are not valid.
Have someone already met this issue ?

Thanks in advance

BR

Nicolas

RE: Access denied for kerberos users

Posted by Provenzano Nicolas <ni...@gfi.fr>.
Hello Bryan,

Initially, I granted onky the « view the user interface » right. As I had the issue I described, I added each right step by step but still with the same result.

Thanks

Nicolas

De : Bryan Bende [mailto:bbende@gmail.com]
Envoyé : lundi 26 septembre 2016 18:14
À : users@nifi.apache.org
Objet : Re: Access denied for kerberos users

Hello,

Since you are getting to "insufficient permissions" page this means that NiFi successfully authenticated your user against the KDC, but then the authorizer in NiFi said the user didn't have permissions for something.

What policies did you grant to the kerberos user in NiFi?

At a minimum they need a policy for "view the user interface" from the global policies in the top-right menu.

-Bryan

On Mon, Sep 26, 2016 at 11:43 AM, Provenzano Nicolas <ni...@gfi.fr>> wrote:
Hi all,

I configured an 1.0.0 NIFI instance to use Kerberos services for authentication.

I can connect to the UI using the certificate corresponding to the user declared in the Initial Admin Identity.

However, when I try to connect using a user declared in the Kerberos server :


1.       Based on some docs, I should be able to submit a request to get access to the UI. It’s not the case.

2.       Using the initial admin user, I created a user in Nifi and add in some profiles.

However, I still have the following message :

“Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.”

The user is correctly declared in the Kerberos server. When it is not, a pop-up displays :
The supplied username and password are not valid.
Have someone already met this issue ?

Thanks in advance

BR

Nicolas

RE: Access denied for kerberos users

Posted by Provenzano Nicolas <ni...@gfi.fr>.
Hi Peter,

Thanks…. It was indeed an issue with how the user was defined in NIFI.

I simply declared XXXX while I had to declare XXXX@LOCALKDC.COM<ma...@LOCALKDC.COM>.  So it was my mistake.

Thanks again for your help,

BR

Nicolas

De : Peter Wicks (pwicks) [mailto:pwicks@micron.com]
Envoyé : mardi 27 septembre 2016 05:01
À : users@nifi.apache.org
Objet : RE: Access denied for kerberos users

Nicolas,

If Bryan’s suggestion doesn’t work (and he’s probably correct), you may not have named your user correctly in NiFi.  Go try to authenticate again, then go to {nifi install directory}/logs and look at the end of nif-user.log.  You should see more details about your authentication request and what name it tried to use to authenticate you. This was how I worked around getting my naming conventions to match.

In my case I had enabled “Identity Mapping Properties” in nifi.properties so that I could use both certificates and Kerberos, but had forgotten to rename the account objects I had already added to NiFi.

Thanks,
  Peter



From: Bryan Bende [mailto:bbende@gmail.com]
Sent: Monday, September 26, 2016 10:14 AM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: Access denied for kerberos users

Hello,

Since you are getting to "insufficient permissions" page this means that NiFi successfully authenticated your user against the KDC, but then the authorizer in NiFi said the user didn't have permissions for something.

What policies did you grant to the kerberos user in NiFi?

At a minimum they need a policy for "view the user interface" from the global policies in the top-right menu.

-Bryan

On Mon, Sep 26, 2016 at 11:43 AM, Provenzano Nicolas <ni...@gfi.fr>> wrote:
Hi all,

I configured an 1.0.0 NIFI instance to use Kerberos services for authentication.

I can connect to the UI using the certificate corresponding to the user declared in the Initial Admin Identity.

However, when I try to connect using a user declared in the Kerberos server :


1.       Based on some docs, I should be able to submit a request to get access to the UI. It’s not the case.

2.       Using the initial admin user, I created a user in Nifi and add in some profiles.

However, I still have the following message :

“Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.”

The user is correctly declared in the Kerberos server. When it is not, a pop-up displays :
The supplied username and password are not valid.
Have someone already met this issue ?

Thanks in advance

BR

Nicolas

RE: Access denied for kerberos users

Posted by "Peter Wicks (pwicks)" <pw...@micron.com>.
Nicolas,

If Bryan’s suggestion doesn’t work (and he’s probably correct), you may not have named your user correctly in NiFi.  Go try to authenticate again, then go to {nifi install directory}/logs and look at the end of nif-user.log.  You should see more details about your authentication request and what name it tried to use to authenticate you. This was how I worked around getting my naming conventions to match.

In my case I had enabled “Identity Mapping Properties” in nifi.properties so that I could use both certificates and Kerberos, but had forgotten to rename the account objects I had already added to NiFi.

Thanks,
  Peter



From: Bryan Bende [mailto:bbende@gmail.com]
Sent: Monday, September 26, 2016 10:14 AM
To: users@nifi.apache.org
Subject: Re: Access denied for kerberos users

Hello,

Since you are getting to "insufficient permissions" page this means that NiFi successfully authenticated your user against the KDC, but then the authorizer in NiFi said the user didn't have permissions for something.

What policies did you grant to the kerberos user in NiFi?

At a minimum they need a policy for "view the user interface" from the global policies in the top-right menu.

-Bryan

On Mon, Sep 26, 2016 at 11:43 AM, Provenzano Nicolas <ni...@gfi.fr>> wrote:
Hi all,

I configured an 1.0.0 NIFI instance to use Kerberos services for authentication.

I can connect to the UI using the certificate corresponding to the user declared in the Initial Admin Identity.

However, when I try to connect using a user declared in the Kerberos server :


1.       Based on some docs, I should be able to submit a request to get access to the UI. It’s not the case.

2.       Using the initial admin user, I created a user in Nifi and add in some profiles.

However, I still have the following message :

“Access Denied
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.”

The user is correctly declared in the Kerberos server. When it is not, a pop-up displays :
The supplied username and password are not valid.
Have someone already met this issue ?

Thanks in advance

BR

Nicolas

Re: Access denied for kerberos users

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

Since you are getting to "insufficient permissions" page this means that
NiFi successfully authenticated your user against the KDC, but then the
authorizer in NiFi said the user didn't have permissions for something.

What policies did you grant to the kerberos user in NiFi?

At a minimum they need a policy for "view the user interface" from the
global policies in the top-right menu.

-Bryan

On Mon, Sep 26, 2016 at 11:43 AM, Provenzano Nicolas <
nicolas.provenzano@gfi.fr> wrote:

> Hi all,
>
>
>
> I configured an 1.0.0 NIFI instance to use Kerberos services for
> authentication.
>
>
>
> I can connect to the UI using the certificate corresponding to the user
> declared in the Initial Admin Identity.
>
>
>
> However, when I try to connect using a user declared in the Kerberos
> server :
>
>
>
> 1.       Based on some docs, I should be able to submit a request to get
> access to the UI. It’s not the case.
>
> 2.       Using the initial admin user, I created a user in Nifi and add
> in some profiles.
>
>
>
> However, I still have the following message :
>
>
>
> *“Access Denied*
>
> *Unable to perform the desired action due to insufficient permissions.
> Contact the system administrator.”*
>
>
>
> The user is correctly declared in the Kerberos server. When it is not, a
> pop-up displays :
>
> *The supplied username and password are not valid.*
>
> Have someone already met this issue ?
>
>
>
> Thanks in advance
>
>
>
> BR
>
>
>
> Nicolas
>