Apache Nifi: Unable to locate initial admin to seed policies

1
votes

I'm trying to configure ldap authentication on Apache Nifi 1.7.1. The TLS is configured, ldap connection works when I'm not trying to configure an initial admin (obviously I can manage nifi).

Server fails to startup with the following error:

Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin adehay to seed policies
        at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:569)
        at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:512)
        at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:225)
        ... 104 common frames omitted

I've removed the users.xml and authorizations.xml between each test, like described in https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po.html but I'm still stuck.

The login-identity-provider.xml, configured like the following, works fine when I'm not trying to configure a initial admin (I can connect on the nifi login page but I get Insufficient Permissions error):

 <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">uid=fau_bind,cn=users,cn=accounts,dc=soft,dc=fau</property>
        <property name="Manager Password">xxx</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">IGNORE</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://xxx:389</property>
        <property name="User Search Base">cn=users,cn=accounts,dc=soft,dc=fau</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

My authorizers.xml (remaining unchanged from installation):

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">adehay</property>
    <property name="Legacy Authorized Users File"></property>   
</accessPolicyProvider>

I've tried replacing "adehay" by the LDAP DN with no luck.

The mapping in nifi.properties (does not work with or without that):

nifi.security.identity.mapping.pattern.dn=^uid=(.*?),cn=users,cn=accounts,dc=soft,dc=fau$
nifi.security.identity.mapping.value.dn=$1

I must have missed something but I can's see what.

Thanks for any help.

1
authorizationapache-nifi

1 Answers

3
votes

There are two separate parts here, authentication and authorization.

The login-identity-providers.xml is for authenticating users against LDAP.

The authorizers.xml is for configuring an authorizer to authorize authenticated users which may or may not have come from LDAP.

The current problem is that you are telling the access-policy-provider that your initial admin is 'adehay', but the access-policy-provider doesn't know anything about your login-identity-provider, it only knows about the user-group-providers defined in authorizers.xml.

You could either define a file-based user-group-provider in authorizers.xml where you manually define your user 'adehay', see the "Initial User Identity 1" example here:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity

The second way, which makes more sense for your case, is to define an LDAP user-group-provider in your authorizers.xml, see the example in the same section linked above that says "Here is an example loading users and groups from LDAP."