Posted to dev@nifi.apache.org by "Sim, Yoosuk" <yo...@bell.ca.INVALID> on 2021/03/05 14:35:54 UTC

Weird behavior while setting up NiFi-Registry with LDAP

Hello dev,

I have observed an odd behavior that I do not know the exact cause or solutions to.
Currently, I am setting up NiFi and NiFi-Registry docker containers, deployed to OpenShift, to work with LDAP. Both containers were modified to allow files to have Group 0 ownership.
NiFi worked as expected, and I intended to replicate the setup on NiFi-Registry. NiFi-Registry had other ideas, apparently.

The first sign was that when I first logged in with my username, which was set as Initial Admin Identity, it would authenticate me but would not grant me any power other than view. When checking logs, it shows that my username was indeed authenticated, complete with my group information, but it would complain that I was not given any permission to access the material and therefore forbidden. I added debug flags to ldap-related classes into logback.xml and observed more. It shows that a set of usernames, including my own, was indeed imported, along with the groups users belong to. Still, it would not recognize me as the Initial Admin Identity. I then checked my authorizers.xml and realized there was no value entry for Initial Admin Identity.

At this point, I thought I made a dumb mistake of not having put any value in there. Just to be sure, I double checked my configmap that supplied the authorizers.xml, and the story started to become weird. Turns out, I did supply the correct authorizers.xml, complete with the Initial Admin Identity with my username on it. The said file does get populated as expected into conf/authorizers.xml. But when ../scripts/start.sh is run, at some point in time, the Initial Admin Identity disappears. Even more of a boggle, that's apparently the only value that gets blanked out: every other setting was left intact the way I had supplied it.

So I am confused. Why is my NiFi-Registry deleting the value at Initial Admin Identity specifically, and what can I do to stop this and make it identify the username as the admin? Attached is the authorizers.xml file. Please let me know if you need more information.

Cheers,

Tony Sim

conf/authorizers.xml (edited):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=manager,ou=My Users,ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
        <property name="Manager Password">some password</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://xxx.xxx.xxx.xxx</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base"> ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(|(memberOf=CN=Specific Group 1,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca)(memberOf= CN=Specific Group 2,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca))</property>
        <property name="User Identity Attribute">CN</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"> OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter">(cn=Specific Group*)</property>
        <property name="Group Name Attribute">CN</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">myusername</property> <!-- this value gets blanked out on the file after the ../scripts/start.sh -->
        <!--<property name="NiFi Group Name"></property>-->

        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>

Re: Weird behavior while setting up NiFi-Registry with LDAP

Posted by Chris Sampson <ch...@naimuri.com.INVALID>.
start.sh calls secure.sh (for secure installations), which would appear to
always update the authorizers.xml file with the INITIAL_ADMIN_IDENTITY env
var value [1]. Have you set that env var in your deployment? If not, I'm
guessing that's why it's being removed from the file you're injecting (i.e.
the start script is overwriting the value in your file with a blank value).

[1] https://github.com/apache/nifi-registry/blob/main/nifi-registry-docker-maven/dockermaven/sh/secure.sh#L56

---
*Chris Sampson*
IT Consultant
chris.sampson@naimuri.com
<https://www.naimuri.com/>
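As an added illustration of the failure mode Chris describes (constructed POSIX shell, not the nifi-registry secure.sh script or anything from the project): an unconditional "replace the value with $INITIAL_ADMIN_IDENTITY" step blanks the Initial Admin Identity whenever the variable is unset, while a guarded variant leaves a ConfigMap-supplied value alone. The sed expressions, the sample authorizers.xml fragment and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: mimics an entrypoint that rewrites the Initial Admin
# Identity from an environment variable, and shows why an unset variable
# wipes the value. Not the real secure.sh.

# Minimal authorizers.xml fragment, constructed for this example.
SAMPLE_AUTHORIZERS='<accessPolicyProvider>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">myusername</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>'

# Print the value stored for a property name ($2) in the XML text ($1).
get_prop() {
    printf '%s\n' "$1" | sed -n "s|.*<property name=\"$2\">\(.*\)</property>.*|\1|p"
}

# Unconditional rewrite, modelled on the behaviour described in the reply:
# whatever INITIAL_ADMIN_IDENTITY holds (possibly nothing) replaces the value.
# Uses '|' as the sed delimiter, so an identity containing '|' or '&' would
# need escaping; fine for the identities in this thread.
apply_unconditional() {
    printf '%s\n' "$1" | sed "s|<property name=\"Initial Admin Identity\">.*</property>|<property name=\"Initial Admin Identity\">${INITIAL_ADMIN_IDENTITY:-}</property>|"
}

# Guarded rewrite: only overwrite when the variable is non-empty, so a value
# injected via ConfigMap survives a deployment that never sets the variable.
apply_guarded() {
    if [ -n "${INITIAL_ADMIN_IDENTITY:-}" ]; then
        apply_unconditional "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Preflight check a deployment can run before start.sh: succeeds only if the
# Initial Admin Identity would still be non-empty after the unconditional step.
preflight() {
    result=$(apply_unconditional "$1")
    [ -n "$(get_prop "$result" "Initial Admin Identity")" ]
}
```

With INITIAL_ADMIN_IDENTITY unset, apply_unconditional turns the fragment above into one with an empty Initial Admin Identity, which is exactly the symptom in the original post; apply_guarded keeps "myusername", and preflight fails, which is the check worth wiring into a deployment so the container never starts with an admin-less authorizers.xml.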


On Fri, 5 Mar 2021 at 14:37, Sim, Yoosuk <yo...@bell.ca.invalid> wrote:
