Users Menu Option Not Showing on NiFi GUI

["Snyder, David B." <DA...@saic.com>]

Hello -

I have a 3 node NiFi cluster up and running.  I am running v 1.19.1

I followed the steps described in the Apache NiFi Walkthroughs i.e., specifically, "Creating and Security a NiFi Cluster with the TLS Toolkit i.e., https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates


 Specifically, I followed the instructions for:  Creating and Securing a NiFi Cluster with the TLS Toolkit.



Per Step 1, I ran the optional command to execute all steps together using the the toolkit pattern syntax:

./bin/tls-toolkit.sh standalone - n 'node[1-3].nifi' -C 'CN=ec2-user' -c 'ca.nifi'



Per step 9, I updated the authorizers.xml file, in the <userGroupProvider> section, I added the line

<property name="Initial User Identity 1">CN=ec2-user</property>

In the <accessPolicyProvider> section, I updated the file as described.  Regarding the Initial Admin Identity, I updated the file as follows:

<property name="Initial Admin Identity">CN=ec2-user</property>



I copied the authorizers.xml file to all 3 nodes.



After starting nifi on all 3 nodes, I then access the GUI and select the imported certificate i.e., CN=ec2-user.p12 which I successfully imported, and I can successfully access the GUI.



I see that on the upper right of the GUI screen, the user is indicated as CN=ec2-user.  But, when I access the menu on the upper right of the screen, I do not receive the users option.



To add:  At step 13, per the walkthrough i.e., NiFi Cluster Using NiFi CA, as described, I stopped each of the nifi instances, i then deleted the authorizations.xml and users.xml file from each node in the nifi/conf directory, and then restarted each node.



And, then I logged onto the NiFi GUI, and still I do not see the users option in the menu...


An update:  So, after starting NiFi, i reviewed the logs in the nifi-user.log file.

This is what was output:

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/kerberos

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/oidc/exchange<https://nifi1:9443/nifi-api/access/kerberos>

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/oidc/exchange<https://nifi1:9443/nifi-api/access/kerberos>

...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/token/expiration<https://nifi1:9443/nifi-api/access/kerberos>

...NiFi AuthenticationFilter Authentication Success [CN=ec2-user]  xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/token/expiration<https://nifi1:9443/nifi-api/access/kerberos>



WARN [NiFi Web Server-37] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:  Access token not found.  Returning Conflict response..


Another update:



I looked in the authorizations.xml file and see that the user ec2-user has the following authorizations:



flow  action "R"

data/process-groups/ action "R"

data/process-groups action "W"

process-groups action "R"

process-groups action "W"

restricted-components "W"

tenants actions "R" and "W"

policies actions "R" and "W"

controller actions "R" and "W"

Has anyone had a similar experience/issue and resolved it?

If so, can you let me know how you resolved this issue?

Thank you!

VR,

Dave
The information contained in this e-mail and any attachments from Science Applications International Corporation ("SAIC") may contain sensitive, privileged and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any attachments.