Posted to users@nifi.apache.org by "Perko, Ralph J" <ra...@pnnl.gov> on 2016/07/26 16:47:23 UTC

authentication problem

Hi – whenever we restart Nifi half the accounts are disabled with this message:

INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <user-id>. Disabling account...

The users are in the authorized-users.xml file.  Is this a configuration issue on our part or a bug?  It is curious that not all the accounts get disabled only some and it is always the same accounts.

To re-enable the accounts I go into the users page, select the disabled user (click the little pencil) and click ‘apply’ with no changes - the account is re-enabled.

Details:
Nifi 0.6.1
authority-providers.xml: default file provider
login-identy-management.xml: kerberos-provider (corporate system – everyone is in it)
authorized-users.xml:setup for each user

Thanks,
Ralph


Re: authentication problem

Posted by Matt Gilman <ma...@gmail.com>.
Ralph,

Based on the details in your email, it sounds like it should be working. At
start up, it will go through the users database to re-verify each user with
the configured provider. The authorizations for a user are cached in this
database for a configurable time. The re-verification is done to ensure the
cached authorizations were correct in the event that an admin changed the
configured authority provider.

Looking at the code there should be some additional logging about the issue
that occurred while attempting to verify the user in question. Are you
seeing anything else in the logs?

Matt

On Tue, Jul 26, 2016 at 12:47 PM, Perko, Ralph J <ra...@pnnl.gov>
wrote:

> Hi – whenever we restart Nifi half the accounts are disabled with this
> message:
>
> INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized
> with configured provider: <user-id>. Disabling account...
>
> The users are in the authorized-users.xml file.  Is this a configuration
> issue on our part or a bug?  It is curious that not all the accounts get
> disabled only some and it is always the same accounts.
>
> To re-enable the accounts I go into the users page, select the disabled
> user (click the little pencil) and click ‘apply’ with no changes - the
> account is re-enabled.
>
> Details:
> Nifi 0.6.1
> authority-providers.xml: default file provider
> login-identy-management.xml: kerberos-provider (corporate system –
> everyone is in it)
> authorized-users.xml:setup for each user
>
> Thanks,
> Ralph
>
>

Re: authentication problem

Posted by "Perko, Ralph J" <ra...@pnnl.gov>.
Matt,

The issue looks to be on our end with certain files (including authorized-users.xml) being clobbered by some configuration management services. Nifi seems to be working correctly – as you have described. We have straightened out this issue and will see if anything else crops up.

Thanks!
Ralph


From: Matt Gilman <ma...@gmail.com>
Reply-To: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Tuesday, July 26, 2016 at 11:09 AM
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: authentication problem

Ralph,

I'm guessing that every user is not disabled since you said that you are manually adding them back in through the UI. Is there anything in common with the users that are being revoked?

To follow up on Clarke's comment... As you're updating the users through the UI, the authorized-users.xml file should be updated to reflect those changes. Are you seeing any errors logged there? Can you confirm that the authorized-users.xml is accurate at that point?

Matt

On Tue, Jul 26, 2016 at 1:31 PM, Perko, Ralph J <ra...@pnnl.gov> wrote:
Thanks for the responses.

Matt Clarke: The permissions look fine.  Nifi runs as user “nifi” and all files are owned by “nifi” (with write permissions of course)

Matt Gilman:
As far as additional logging here is what I found – No errors of any sort:

016-07-25 16:10:59,420 INFO [main] o.a.nifi.admin.UserDataSourceFactoryBean Existing database found and connected to at: jdbc:h2:./database_repository/nifi-users;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
2016-07-25 16:10:59,473 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 1>. Updating authorities...
2016-07-25 16:10:59,485 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 2>. Updating authorities...
2016-07-25 16:10:59,487 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 3>. Updating authorities...
2016-07-25 16:10:59,492 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 4>. Updating authorities...
2016-07-25 16:10:59,494 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created:<enabled user 5>. Updating authorities…
..
2016-07-25 16:10:59,508 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 1>. Disabling account...
2016-07-25 16:10:59,509 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 2>. Disabling account...
…

From: Matthew Clarke <ma...@gmail.com>
Reply-To: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Tuesday, July 26, 2016 at 10:03 AM
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: authentication problem


Verify the user running your nifi has the correct permissions to read and edit all the database files in the NiFi database repository directory. Also make sure the user running NiFi had permissions to edit the authorized-users.xml file. This file is only read on start-up. After nifi is running it operates solely from the memory and DBs. My guess is here that nifi can not update the authorized-users.xml file with the changes you are making in the User management UI.

Thanks,
Matt

On Jul 26, 2016 12:47 PM, "Perko, Ralph J" <ra...@pnnl.gov> wrote:
Hi – whenever we restart Nifi half the accounts are disabled with this message:

INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <user-id>. Disabling account...

The users are in the authorized-users.xml file.  Is this a configuration issue on our part or a bug?  It is curious that not all the accounts get disabled only some and it is always the same accounts.

To re-enable the accounts I go into the users page, select the disabled user (click the little pencil) and click ‘apply’ with no changes - the account is re-enabled.

Details:
Nifi 0.6.1
authority-providers.xml: default file provider
login-identy-management.xml: kerberos-provider (corporate system – everyone is in it)
authorized-users.xml:setup for each user

Thanks,
Ralph
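
Added example, not part of the thread and not NiFi project code: a small triage script that pulls the accounts disabled by the startup re-verification out of the log and checks each one against authorized-users.xml as it exists on disk, which separates "entry was overwritten or removed" from "entry is there, look elsewhere". The identities, the function names and the `<user dn="...">` layout of the users file are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed startup lines in the format quoted in the thread (identities are made up).
PREFIX = "2016-07-25 16:10:59,508 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction "
SAMPLE_LOG = "\n".join([
    PREFIX + "User account already created: alice@EXAMPLE.COM. Updating authorities...",
    PREFIX + "User not authorized with configured provider: bob@EXAMPLE.COM. Disabling account...",
    PREFIX + "User not authorized with configured provider: Carol@EXAMPLE.COM. Disabling account...",
    PREFIX + "User not authorized with configured provider: dave@EXAMPLE.COM. Disabling account...",
])

# Constructed authorized-users.xml; the <user dn="..."> layout is an assumption.
SAMPLE_USERS_XML = """<users>
  <user dn="alice@EXAMPLE.COM"><role name="ROLE_ADMIN"/></user>
  <user dn="carol@EXAMPLE.COM"><role name="ROLE_DFM"/></user>
  <user dn="dave@EXAMPLE.COM"><role name="ROLE_MONITOR"/></user>
</users>"""

DISABLED = re.compile(
    r"SeedUserAccountsAction User not authorized with configured provider: (.+)\. Disabling account")

def disabled_accounts(log_text):
    """Identities the startup re-verification disabled, in log order."""
    return [m.group(1) for m in map(DISABLED.search, log_text.splitlines()) if m]

def file_identities(xml_text):
    """Identities currently present in the users file."""
    return {u.get("dn") for u in ET.fromstring(xml_text).iter("user") if u.get("dn")}

def triage(log_text, xml_text):
    """Classify each disabled identity against the file as it exists on disk now."""
    ids = file_identities(xml_text)
    folded = {i.strip().lower() for i in ids}
    report = {}
    for user in disabled_accounts(log_text):
        if user in ids:
            report[user] = "present-in-file"      # file is intact for this user; look elsewhere
        elif user.strip().lower() in folded:
            report[user] = "differs-by-case-or-whitespace"  # string-level near match only
        else:
            report[user] = "missing-from-file"    # entry absent: file replaced or never written
    return report

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG, SAMPLE_USERS_XML).items():
        print(f"{verdict:32} {user}")
```

Run it against the file right after a restart, before re-enabling anyone through the UI, so the comparison reflects what NiFi actually read at start-up.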




Re: authentication problem

Posted by Matt Gilman <ma...@gmail.com>.
Ralph,

I'm guessing that every user is not disabled since you said that you are
manually adding them back in through the UI. Is there anything in common
with the users that are being revoked?

To follow up on Clarke's comment... As you're updating the users through the
UI, the authorized-users.xml file should be updated to reflect those
changes. Are you seeing any errors logged there? Can you confirm that the
authorized-users.xml is accurate at that point?

Matt

On Tue, Jul 26, 2016 at 1:31 PM, Perko, Ralph J <ra...@pnnl.gov>
wrote:

> Thanks for the responses.
>
> Matt Clarke: The permissions look fine.  Nifi runs as user “nifi” and all
> files are owned by “nifi” (with write permissions of course)
>
> Matt Gilman:
> As far as additional logging here is what I found – No errors of any sort:
>
> 016-07-25 16:10:59,420 INFO [main]
> o.a.nifi.admin.UserDataSourceFactoryBean Existing database found and
> connected to at:
> jdbc:h2:./database_repository/nifi-users;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
> 2016-07-25 16:10:59,473 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User account already created:
> <enabled user 1>. Updating authorities...
> 2016-07-25 16:10:59,485 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User account already
> created: <enabled user 2>. Updating authorities...
> 2016-07-25 16:10:59,487 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User account already
> created: <enabled user 3>. Updating authorities...
> 2016-07-25 16:10:59,492 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User account already
> created: <enabled user 4>. Updating authorities...
> 2016-07-25 16:10:59,494 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User account already
> created:<enabled user 5>. Updating authorities…
> ..
> 2016-07-25 16:10:59,508 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured
> provider: <disabled user 1>. Disabling account...
> 2016-07-25 16:10:59,509 INFO [main]
> o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured
> provider: <disabled user 2>. Disabling account...
> …
>
> From: Matthew Clarke <ma...@gmail.com>
> Reply-To: "users@nifi.apache.org" <us...@nifi.apache.org>
> Date: Tuesday, July 26, 2016 at 10:03 AM
> To: "users@nifi.apache.org" <us...@nifi.apache.org>
> Subject: Re: authentication problem
>
> Verify the user running your nifi has the correct permissions to read and
> edit all the database files in the NiFi database repository directory. Also
> make sure the user running NiFi had permissions to edit the
> authorized-users.xml file. This file is only read on start-up. After nifi
> is running it operates solely from the memory and DBs. My guess is here
> that nifi can not update the authorized-users.xml file with the changes you
> are making in the User management UI.
>
> Thanks,
> Matt
>
> On Jul 26, 2016 12:47 PM, "Perko, Ralph J" <ra...@pnnl.gov> wrote:
>
> Hi – whenever we restart Nifi half the accounts are disabled with this
> message:
>
> INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized
> with configured provider: <user-id>. Disabling account...
>
> The users are in the authorized-users.xml file.  Is this a configuration
> issue on our part or a bug?  It is curious that not all the accounts get
> disabled only some and it is always the same accounts.
>
> To re-enable the accounts I go into the users page, select the disabled
> user (click the little pencil) and click ‘apply’ with no changes - the
> account is re-enabled.
>
> Details:
> Nifi 0.6.1
> authority-providers.xml: default file provider
> login-identy-management.xml: kerberos-provider (corporate system –
> everyone is in it)
> authorized-users.xml:setup for each user
>
> Thanks,
> Ralph
>
>
>

Re: authentication problem

Posted by "Perko, Ralph J" <ra...@pnnl.gov>.
Thanks for the responses.

Matt Clarke: The permissions look fine.  Nifi runs as user “nifi” and all files are owned by “nifi” (with write permissions of course)

Matt Gilman:
As far as additional logging here is what I found – No errors of any sort:

016-07-25 16:10:59,420 INFO [main] o.a.nifi.admin.UserDataSourceFactoryBean Existing database found and connected to at: jdbc:h2:./database_repository/nifi-users;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
2016-07-25 16:10:59,473 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 1>. Updating authorities...
2016-07-25 16:10:59,485 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 2>. Updating authorities...
2016-07-25 16:10:59,487 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 3>. Updating authorities...
2016-07-25 16:10:59,492 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created: <enabled user 4>. Updating authorities...
2016-07-25 16:10:59,494 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User account already created:<enabled user 5>. Updating authorities…
..
2016-07-25 16:10:59,508 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 1>. Disabling account...
2016-07-25 16:10:59,509 INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <disabled user 2>. Disabling account...
…

From: Matthew Clarke <ma...@gmail.com>
Reply-To: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Tuesday, July 26, 2016 at 10:03 AM
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Re: authentication problem


Verify the user running your nifi has the correct permissions to read and edit all the database files in the NiFi database repository directory. Also make sure the user running NiFi had permissions to edit the authorized-users.xml file. This file is only read on start-up. After nifi is running it operates solely from the memory and DBs. My guess is here that nifi can not update the authorized-users.xml file with the changes you are making in the User management UI.

Thanks,
Matt

On Jul 26, 2016 12:47 PM, "Perko, Ralph J" <ra...@pnnl.gov> wrote:
Hi – whenever we restart Nifi half the accounts are disabled with this message:

INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized with configured provider: <user-id>. Disabling account...

The users are in the authorized-users.xml file.  Is this a configuration issue on our part or a bug?  It is curious that not all the accounts get disabled only some and it is always the same accounts.

To re-enable the accounts I go into the users page, select the disabled user (click the little pencil) and click ‘apply’ with no changes - the account is re-enabled.

Details:
Nifi 0.6.1
authority-providers.xml: default file provider
login-identy-management.xml: kerberos-provider (corporate system – everyone is in it)
authorized-users.xml:setup for each user

Thanks,
Ralph



Re: authentication problem

Posted by Matthew Clarke <ma...@gmail.com>.
Verify the user running your nifi has the correct permissions to read and
edit all the database files in the NiFi database repository directory. Also
make sure the user running NiFi had permissions to edit the
authorized-users.xml file. This file is only read on start-up. After nifi
is running it operates solely from the memory and DBs. My guess is here
that nifi can not update the authorized-users.xml file with the changes you
are making in the User management UI.

Thanks,
Matt

On Jul 26, 2016 12:47 PM, "Perko, Ralph J" <ra...@pnnl.gov> wrote:

Hi – whenever we restart Nifi half the accounts are disabled with this
message:

INFO [main] o.a.n.a.s.action.SeedUserAccountsAction User not authorized
with configured provider: <user-id>. Disabling account...

The users are in the authorized-users.xml file.  Is this a configuration
issue on our part or a bug?  It is curious that not all the accounts get
disabled only some and it is always the same accounts.

To re-enable the accounts I go into the users page, select the disabled
user (click the little pencil) and click ‘apply’ with no changes - the
account is re-enabled.

Details:
Nifi 0.6.1
authority-providers.xml: default file provider
login-identy-management.xml: kerberos-provider (corporate system – everyone
is in it)
authorized-users.xml:setup for each user

Thanks,
Ralph