Troubleshooting Apache NiFi 1.4.0 Authorizations

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Troubleshooting Apache NiFi 1.4.0 Authorizations

Brian Ghigiarelli
With a clean install of Apache NiFi 1.4.0 using certificate-based
authentication through file providers, I am able to login to the NiFi
canvas, but it is not authorizing me (the Initial Admin Identity) to
perform any tasks. I'm following the first example configuration at
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity.
I
can see that the authorizations.xml file is being generated with the same
UUID as the user that is generated in users.xml, and that user has entries
in the following policies:

   - /flow  (R)
   - /restricted-components (W)
   - /tenants (R)
   - /tenants (W)
   - /policies (R)
   - /policies (W)
   - /controller (R)
   - /controller (W)

Based on the docs, a few pieces of the authorizers.xml file changed from
1.3.0 to 1.4.0, and I changed the nifi.properties
nifi.security.user.authorizer to managed-authorizer. Any ideas what I'm
missing here? Or where to begin debugging?

Thanks,
Brian
Reply | Threaded
Open this post in threaded view
|

Re: Troubleshooting Apache NiFi 1.4.0 Authorizations

Matt Gilman
Brian,

NiFi will only grant permissions to the components in the canvas if there
is an existing flow.xml.gz in your conf directory. This is due to lifecycle
constraints when clustered. This is described in the link you provided if
you scroll down a little bit and look for the (i) info icon.

Thanks

Matt

On Tue, Oct 10, 2017 at 3:47 PM, Brian Ghigiarelli <[hidden email]>
wrote:

> With a clean install of Apache NiFi 1.4.0 using certificate-based
> authentication through file providers, I am able to login to the NiFi
> canvas, but it is not authorizing me (the Initial Admin Identity) to
> perform any tasks. I'm following the first example configuration at
> https://nifi.apache.org/docs/nifi-docs/html/administration-
> guide.html#initial-admin-identity.
> I
> can see that the authorizations.xml file is being generated with the same
> UUID as the user that is generated in users.xml, and that user has entries
> in the following policies:
>
>    - /flow  (R)
>    - /restricted-components (W)
>    - /tenants (R)
>    - /tenants (W)
>    - /policies (R)
>    - /policies (W)
>    - /controller (R)
>    - /controller (W)
>
> Based on the docs, a few pieces of the authorizers.xml file changed from
> 1.3.0 to 1.4.0, and I changed the nifi.properties
> nifi.security.user.authorizer to managed-authorizer. Any ideas what I'm
> missing here? Or where to begin debugging?
>
> Thanks,
> Brian
>
Reply | Threaded
Open this post in threaded view
|

Re: Troubleshooting Apache NiFi 1.4.0 Authorizations

Brian Ghigiarelli
Thanks for the quick response, Matt! Unfortunately, it wasn't letting me
update the Policies either, but your response did remind to use Firefox vs.
Chrome. Turns out that when I was clicking on the hamburger menu >
Policies, Chrome was throwing a JS error on nf-canvas-all.js?1.4.0:47:21377
with "undefined is not a function"   Looks like it maps to some
K.resource.startsWith("/policies") line.  Works fine in Firefox, and I can
add all the policies I want through there.

Thanks again,
Brian

On Tue, Oct 10, 2017 at 3:58 PM Matt Gilman <[hidden email]> wrote:

> Brian,
>
> NiFi will only grant permissions to the components in the canvas if there
> is an existing flow.xml.gz in your conf directory. This is due to lifecycle
> constraints when clustered. This is described in the link you provided if
> you scroll down a little bit and look for the (i) info icon.
>
> Thanks
>
> Matt
>
> On Tue, Oct 10, 2017 at 3:47 PM, Brian Ghigiarelli <[hidden email]>
> wrote:
>
> > With a clean install of Apache NiFi 1.4.0 using certificate-based
> > authentication through file providers, I am able to login to the NiFi
> > canvas, but it is not authorizing me (the Initial Admin Identity) to
> > perform any tasks. I'm following the first example configuration at
> > https://nifi.apache.org/docs/nifi-docs/html/administration-
> > guide.html#initial-admin-identity.
> > I
> > can see that the authorizations.xml file is being generated with the same
> > UUID as the user that is generated in users.xml, and that user has
> entries
> > in the following policies:
> >
> >    - /flow  (R)
> >    - /restricted-components (W)
> >    - /tenants (R)
> >    - /tenants (W)
> >    - /policies (R)
> >    - /policies (W)
> >    - /controller (R)
> >    - /controller (W)
> >
> > Based on the docs, a few pieces of the authorizers.xml file changed from
> > 1.3.0 to 1.4.0, and I changed the nifi.properties
> > nifi.security.user.authorizer to managed-authorizer. Any ideas what I'm
> > missing here? Or where to begin debugging?
> >
> > Thanks,
> > Brian
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: Troubleshooting Apache NiFi 1.4.0 Authorizations

Matt Gilman
Thanks for replying back. Can you ensure your browser cache is cleared? If
that's not it, it's possible your running an older version of Chrome that
is incompatible.

Matt

On Tue, Oct 10, 2017 at 4:10 PM, Brian Ghigiarelli <[hidden email]>
wrote:

> Thanks for the quick response, Matt! Unfortunately, it wasn't letting me
> update the Policies either, but your response did remind to use Firefox vs.
> Chrome. Turns out that when I was clicking on the hamburger menu >
> Policies, Chrome was throwing a JS error on nf-canvas-all.js?1.4.0:47:
> 21377
> with "undefined is not a function"   Looks like it maps to some
> K.resource.startsWith("/policies") line.  Works fine in Firefox, and I can
> add all the policies I want through there.
>
> Thanks again,
> Brian
>
> On Tue, Oct 10, 2017 at 3:58 PM Matt Gilman <[hidden email]>
> wrote:
>
> > Brian,
> >
> > NiFi will only grant permissions to the components in the canvas if there
> > is an existing flow.xml.gz in your conf directory. This is due to
> lifecycle
> > constraints when clustered. This is described in the link you provided if
> > you scroll down a little bit and look for the (i) info icon.
> >
> > Thanks
> >
> > Matt
> >
> > On Tue, Oct 10, 2017 at 3:47 PM, Brian Ghigiarelli <[hidden email]>
> > wrote:
> >
> > > With a clean install of Apache NiFi 1.4.0 using certificate-based
> > > authentication through file providers, I am able to login to the NiFi
> > > canvas, but it is not authorizing me (the Initial Admin Identity) to
> > > perform any tasks. I'm following the first example configuration at
> > > https://nifi.apache.org/docs/nifi-docs/html/administration-
> > > guide.html#initial-admin-identity.
> > > I
> > > can see that the authorizations.xml file is being generated with the
> same
> > > UUID as the user that is generated in users.xml, and that user has
> > entries
> > > in the following policies:
> > >
> > >    - /flow  (R)
> > >    - /restricted-components (W)
> > >    - /tenants (R)
> > >    - /tenants (W)
> > >    - /policies (R)
> > >    - /policies (W)
> > >    - /controller (R)
> > >    - /controller (W)
> > >
> > > Based on the docs, a few pieces of the authorizers.xml file changed
> from
> > > 1.3.0 to 1.4.0, and I changed the nifi.properties
> > > nifi.security.user.authorizer to managed-authorizer. Any ideas what I'm
> > > missing here? Or where to begin debugging?
> > >
> > > Thanks,
> > > Brian
> > >
> >
>