Aurélien Dehay

Reputation: 53

Apache Nifi: Unable to locate initial admin to seed policies

I'm trying to configure LDAP authentication on Apache NiFi 1.7.1. TLS is configured, and the LDAP connection works when I'm not trying to configure an initial admin (obviously I can manage nifi).

Server fails to startup with the following error:

Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin adehay to seed policies
        at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:569)
        at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:512)
        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:225)
        ... 104 common frames omitted

I've removed the users.xml and authorizations.xml between each test, as described in https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po.html, but I'm still stuck.

The login-identity-provider.xml, configured like the following, works fine when I'm not trying to configure an initial admin (I can connect on the nifi login page but I get an Insufficient Permissions error):

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>

    <property name="Manager DN">uid=fau_bind,cn=users,cn=accounts,dc=soft,dc=fau</property>
    <property name="Manager Password">xxx</property>

    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>

    <property name="Referral Strategy">IGNORE</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <property name="Url">ldap://xxx:389</property>
    <property name="User Search Base">cn=users,cn=accounts,dc=soft,dc=fau</property>
    <property name="User Search Filter">uid={0}</property>

    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

My authorizers.xml (remaining unchanged from installation):

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">adehay</property>
    <property name="Legacy Authorized Users File"></property>
</accessPolicyProvider>

I've tried replacing "adehay" by the LDAP DN with no luck.

The mapping in nifi.properties (does not work with or without that):

nifi.security.identity.mapping.pattern.dn=^uid=(.*?),cn=users,cn=accounts,dc=soft,dc=fau$
nifi.security.identity.mapping.value.dn=$1

I must have missed something but I can't see what.

Thanks for any help.

Upvotes: 3

Views: 6310

Answers (2)

Mike Twc

Reputation: 2355

I was dealing with this problem while migrating from the legacy Active Directory to the new one. The root cause of the issue was an improper user identifier setting. In AD users are likely using sAMAccountName to login, while in the NiFi config some other property was set by default. In my case the legacy config was using CN (which was the same as sAMAccountName) but in the new AD those were different. So make sure the below configs are set in line with whatever identifier users use to login:

# in login-identity-provider.xml
<property name="User Search Filter">sAMAccountName={0}</property>

# in authorizers.xml
<property name="User Identity Attribute">sAMAccountName</property>

Upvotes: 0

Bryan Bende

Reputation: 18660

There are two separate parts here, authentication and authorization.

The login-identity-providers.xml is for authenticating users against LDAP.

The authorizers.xml is for configuring an authorizer to authorize authenticated users which may or may not have come from LDAP.

The current problem is that you are telling the access-policy-provider that your initial admin is 'adehay', but the access-policy-provider doesn't know anything about your login-identity-provider, it only knows about the user-group-providers defined in authorizers.xml.

You could either define a file-based user-group-provider in authorizers.xml where you manually define your user 'adehay', see the "Initial User Identity 1" example here:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity

The second way, which makes more sense for your case, is to define an LDAP user-group-provider in your authorizers.xml, see the example in the same section linked above that says "Here is an example loading users and groups from LDAP."

Upvotes: 4
