Posted to users@nifi.apache.org by Nicolas Delsaux <ni...@gmx.fr> on 2019/09/02 12:55:40 UTC

In nifi-registry, why can't I edit other users privileges

Hi all

I'm still trying to connect NiFi to the registry with both of them using
authentication.

So far, I've understood that, like in NiFi, I have to set
identity-providers.xml and authorizers.xml to have the connection to LDAP
configured.

And I can connect to the registry using my LDAP, so it works (to a
certain extent).

*However*, it seems like my user is not really an admin, as I can't
manage other users.

To say things more clearly, the nifi-registry UI allows me to view my user
privileges, but I can't edit my permissions, and I can edit none of the
other users' permissions. Nor can I add/remove users.

Which is weird, considering I'm the initial admin of nifi-registry.

Is there something I forgot?


Here is my authorizers.xml for nifi-registry

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">cn=nifi-runner.mycompany.com, ou=0008 43120727, ou=ssl infra server, o=mycompany, c=fr</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>

        <property name="Manager DN">uid=dont-ask-me,ou=applicationAccounts,o=mycompany.com</property>
        <property name="Manager Password">YOU_KIDDIN___DO_YOU</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore">/opt/certs/cacerts.jks</property>
        <property name="TLS - Truststore Password">pfeblelep</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol">TLSv1</property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://ldapserver.my.company.com:636</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base"></property>
        <property name="User Object Class"></property>
        <property name="User Search Scope">OBJECT</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">cn=NIFI-ADMIN,ou=DATAou=applicationRole,ou=role,ou=OU,o=mycompany.com</property>
        <property name="Group Object Class">groupofuniquenames</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">uniqueMember</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
        <property name="User Group Provider 2">file-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">uid=20008203,ou=people,ou=go-lm,o=corp.leroymerlin.com</property>
        <property name="Nifi Identity 1">cn=nifi-psh.adeo.com, ou=0002 421206079, ou=ssl infra server, o=adeo services, c=fr</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Thanks for your help


Re: In nifi-registry, why can't I edit other users privileges

Posted by Kevin Doran <kd...@apache.org>.
Ouch. That is understandably frustrating, and can be improved. I’ll look into replacing that with a case-insensitive match, as well as logging warnings for unrecognized properties.

Sorry for the difficulty you experienced in getting this working. Thanks for sharing the resolution. Let me know if you have any other questions.



Re: In nifi-registry, why can't I edit other users privileges

Posted by Nicolas Delsaux <ni...@gmx.fr>.
Well, in fact, I had a number of issues with configuration files.

So I took the time to verify all those files, and I took the time to
understand the NiFi Registry UI for permissions (which is as user-friendly
as the NiFi one). And I finally understood what problem I had.

In fact, the worst part came when I tried to understand why my NiFi
runner couldn't connect to NiFi Registry.

Which was simply due to the fact that, on the NiFi Registry side, in
authorizers.xml, I used a property called "Nifi identify 1", whereas I
should have used "NiFi Identity 1". Can you spot the difference?

For me, it took one phase of reading the authorization code, then running
the regexp for that property in an online editor.

To my mind, this would deserve a bug report, because really, using property
names this way is far too error-prone.

I would at least add code to detect nearby text (through Levenshtein
distance, as an example) and show a BIG warning to explain to the user what
is wrong.

But I'm only a user ;-) (a little grumpy this morning, indeed)

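The failure Nicolas describes, a property name that differs from the expected one only by case or by one letter and is therefore silently ignored, is cheap to catch before a restart. The following linter is an added example written for this thread, not code from NiFi Registry: it parses an authorizers.xml, compares each property name against a table of expected names per provider class, and reports exact-case mismatches, Levenshtein near-misses, and unknown names. The EXPECTED table is an assumption built only from the property names used in this thread (with "NiFi Identity 1" as the spelling reported as correct); provider classes not in the table, such as the LDAP provider, are skipped. The sample authorizers.xml and the near-miss threshold of 2 are constructed for the example.

```python
"""Lint a NiFi Registry authorizers.xml for near-miss <property name="..."> keys.

Added example for this thread, not NiFi Registry code. EXPECTED is an
assumption built from the property names used in the thread; extend it from
the NiFi Registry administration guide for other provider classes, which
this linter skips rather than guessing about.
"""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "kind identifier given suggestion")

# Expected property names per provider class. True means the name carries a
# numeric suffix ("NiFi Identity 1", "User Group Provider 2").
EXPECTED = {
    "org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider": {
        "Users File": False,
        "Initial User Identity": True,
    },
    "org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider": {
        "User Group Provider": True,
    },
    "org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider": {
        "User Group Provider": False,
        "Authorizations File": False,
        "Initial Admin Identity": False,
        "NiFi Identity": True,
    },
    "org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer": {
        "Access Policy Provider": False,
    },
}

# Edit distance above which a name is "unknown" rather than a near-miss
# (threshold chosen for this example).
NEAR_MISS_MAX_DISTANCE = 2


def levenshtein(a, b):
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_suffix(name):
    """'Nifi identify 1' -> ('Nifi identify', '1'); 'Users File' -> ('Users File', None)."""
    m = re.fullmatch(r"(.*\S)\s+(\d+)", name)
    return (m.group(1), m.group(2)) if m else (name, None)


def check_name(name, table):
    """Return None for an exact match, else (kind, suggestion-or-None)."""
    base, suffix = split_suffix(name)
    numbered = suffix is not None
    # Only compare against names of the same shape (numbered vs. plain).
    candidates = [exp for exp, wants_number in table.items() if wants_number == numbered]
    tail = f" {suffix}" if numbered else ""
    if base in candidates:
        return None  # exact, case-sensitive match: what the registry requires
    for exp in candidates:
        if exp.lower() == base.lower():
            return ("case", exp + tail)  # e.g. "Nifi Identity 1" vs "NiFi Identity 1"
    if candidates:
        best = min(candidates, key=lambda exp: levenshtein(base.lower(), exp.lower()))
        if levenshtein(base.lower(), best.lower()) <= NEAR_MISS_MAX_DISTANCE:
            return ("near", best + tail)  # e.g. "Nifi identify 1"
    return ("unknown", None)


def lint_authorizers(xml_text):
    """Return a Finding for every property name a provider would silently ignore."""
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root:  # userGroupProvider, accessPolicyProvider, authorizer
        table = EXPECTED.get(provider.findtext("class", "").strip())
        if table is None:
            continue  # class not in our table: nothing to compare against
        ident = provider.findtext("identifier", "?").strip()
        for prop in provider.findall("property"):
            name = prop.get("name", "")
            result = check_name(name, table)
            if result:
                kind, suggestion = result
                findings.append(Finding(kind, ident, name, suggestion))
    return findings


# Constructed sample input: one near-miss and one case-only mismatch.
SAMPLE_AUTHORIZERS = """
<authorizers>
  <userGroupProvider>
    <identifier>composite-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">uid=alice,ou=people,o=example.org</property>
    <property name="Nifi identify 1">cn=nifi-node-1.example.org</property>
    <property name="Nifi Identity 2">cn=nifi-node-2.example.org</property>
  </accessPolicyProvider>
</authorizers>
"""

if __name__ == "__main__":
    for f in lint_authorizers(SAMPLE_AUTHORIZERS):
        hint = f'did you mean "{f.suggestion}"?' if f.suggestion else "not a known property"
        print(f'[{f.kind}] {f.identifier}: property "{f.given}" would be ignored; {hint}')
```

Run it against conf/authorizers.xml (read the file into a string and pass it to lint_authorizers) before restarting the registry: an ignored "NiFi Identity" entry means the NiFi node never receives its proxy policy, which is exactly the symptom of the NiFi instance being unable to reach the registry that took a code read and a regexp test to diagnose above.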

Re: In nifi-registry, why can't I edit other users privileges

Posted by Kevin Doran <kd...@apache.org>.
Hi Nicolas,

Is it possible you changed the initial admin identity at some point?
If so, you will need to delete authorizations.xml and restart NiFi
Registry to allow it to be recreated with the new initial admin.

Also, NiFi Registry never allows modifying the permissions for the
current user. You would have to log in as another admin to change your
permissions.

Hope this helps,
Kevin
