Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/06/05 04:52:21 UTC

[GitHub] [nifi] alopresto commented on issue #3495: NIFI-5973 Adds ShellUserGroupProvider

URL: https://github.com/apache/nifi/pull/3495#issuecomment-498937726
 
 
   ## Steps to test on Mac OS X 10.14 ##
   
   1. Build the PR as normal
   1. Secure the instance using the TLS Toolkit (followed the normal procedure to generate certificates/keystores and populate `nifi.properties`)
   1. Configure the LDAP login identity provider to allow for authentication (used the same resources as when validating NIFI-6085 in PR 3362)
   1. Configure the `shell-user-group-provider` in `authorizers.xml` rather than the `file-user-group-provider`
   1. Populate user identity mappings in `nifi.properties` to map the LDAP DN (`cn=alopresto,ou=people,dc=nifi,dc=com`) to the OS user (`alopresto`) (see below)
   1. Start NiFi
   1. Try to log in
   
   Here is where I received an **Unknown user with identity 'alopresto'. Contact the system administrator.** error in the NiFi UI and the below logs in `logs/nifi-user.log`:
   
   ```log
   2019-06-04 16:58:48,616 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=alopresto,ou=people,dc=nifi,dc=com
   2019-06-04 16:58:48,618 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=alopresto,ou=people,dc=nifi,dc=com], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=alopresto,ou=people,dc=nifi,dc=com'. Returning Forbidden response.
   ```
   
   Identity mapping transformations:
   
   ```properties
   # Case-insensitive regex to extract only the CN and make that the complete identity
   nifi.security.identity.mapping.pattern.dn=(?i)^CN=([^,]*),.*$
   nifi.security.identity.mapping.value.dn=$1
   ```
   
   My (generated by the code in this PR) `authorizations.xml` looks like this, where my OS user `uid` is `502`:
   
   ```xml
   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <authorizations>
       <policies>
           <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
               <user identifier="502"/>
           </policy>
           <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
               <user identifier="502"/>
           </policy>
           <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
               <user identifier="502"/>
           </policy>
           <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
               <user identifier="502"/>
           </policy>
           <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
               <user identifier="502"/>
           </policy>
           <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
               <user identifier="502"/>
           </policy>
           <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
               <user identifier="502"/>
           </policy>
           <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
               <user identifier="502"/>
           </policy>
       </policies>
   </authorizations>
   ```
   
   I don't see any policy for the root process group (usually indicated by 2 `policy` elements with `resource=/process-groups/UUID` and `action=R`/`action=W`). I also note that the authorizer framework believes my user to belong to no groups. 
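As an added example (not part of the PR or of NiFi's own code), the script below models the two things the comment above turns on: how the `nifi.security.identity.mapping.pattern.dn` / `value.dn` pair rewrites the LDAP DN to the short OS identity, and how to audit a generated `authorizations.xml` for the root process group policies that are missing here. The "first matching pattern wins" ordering and the optional `transform` handling are assumptions of this example, and the embedded XML is a constructed, trimmed copy of the file shown above.

```python
# Added example, not part of the PR or of NiFi's own code. It models two
# things from the comment above: how a nifi.properties identity mapping
# rewrites an LDAP DN to a short identity, and how to check a generated
# authorizations.xml for the root process group policies that were missing.
import re
import xml.etree.ElementTree as ET

# Identity mapping copied from the comment's nifi.properties excerpt.
# The optional "transform" key (NONE/LOWER/UPPER) mirrors NiFi's
# nifi.security.identity.mapping.transform.<name> property; the exact
# semantics modelled here are an assumption of this example.
IDENTITY_MAPPINGS = {
    "dn": {"pattern": r"(?i)^CN=([^,]*),.*$", "value": "$1", "transform": "NONE"},
}


def apply_identity_mapping(identity, mappings=IDENTITY_MAPPINGS):
    """Return the mapped identity, or the input unchanged when no pattern matches.

    The first mapping whose pattern matches wins (assumption); Java-style $n
    references in the value are replaced by the corresponding capture group.
    """
    for mapping in mappings.values():
        match = re.match(mapping["pattern"], identity)
        if not match:
            continue
        mapped = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), mapping["value"])
        transform = mapping.get("transform", "NONE").upper()
        if transform == "LOWER":
            mapped = mapped.lower()
        elif transform == "UPPER":
            mapped = mapped.upper()
        return mapped
    return identity


# Constructed, trimmed copy of the generated authorizations.xml from the
# comment: three of its eight policies, all granted to the OS uid "502".
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="502"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="502"/>
        </policy>
    </policies>
</authorizations>
"""


def parse_policies(xml_text):
    """Return a list of {resource, action, users, groups} dicts from authorizations.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [
        {
            "resource": policy.get("resource"),
            "action": policy.get("action"),
            "users": [u.get("identifier") for u in policy.findall("user")],
            "groups": [g.get("identifier") for g in policy.findall("group")],
        }
        for policy in root.iter("policy")
    ]


def audit_authorizations(xml_text):
    """Summarise who is granted what, and flag missing root process group policies.

    NiFi normally writes an R and a W policy on /process-groups/<root-uuid>;
    whichever of those actions has no policy is reported as missing.
    """
    policies = parse_policies(xml_text)
    root_pg_actions = {p["action"] for p in policies if p["resource"].startswith("/process-groups/")}
    return {
        "policy_count": len(policies),
        "user_identifiers": sorted({u for p in policies for u in p["users"]}),
        "group_identifiers": sorted({g for p in policies for g in p["groups"]}),
        "missing_root_pg_actions": sorted({"R", "W"} - root_pg_actions),
    }


if __name__ == "__main__":
    dn = "cn=alopresto,ou=people,dc=nifi,dc=com"
    print(f"{dn!r} -> {apply_identity_mapping(dn)!r}")
    for key, value in audit_authorizations(AUTHORIZATIONS_XML).items():
        print(f"{key}: {value}")
```

Running it shows the DN collapsing to `alopresto` (the `(?i)` flag is what lets the lower-case `cn=` in the DN match the upper-case `CN=` in the pattern) and, for the constructed file, that the only grantee is the numeric uid `502`, no group is referenced anywhere, and both root process group actions are absent, which is the same gap the comment points out.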
   
