Re: Insufficient permissions on initial start up (NiFi 2.0)

I still cannot access my own NiFi 2.0 instance. I continue to get this rejection:

    Insufficient Permissions - home
    Unable to view the user interface. Contact the system administrator.

The canvas flashes for an instant when I try to hit my secure URL, but is immediately replaced with this rejection message.

There is no error or warning in nifi-app.log

Has anyone experienced a similar problem?

Here is my authorizers.xml:

    file-user-group-provider
    org.apache.nifi.authorization.FileUserGroupProvider
    /opt/nifi/config_resources/users.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    file-access-policy-provider
    org.apache.nifi.authorization.FileAccessPolicyProvider
    file-user-group-provider
    /opt/nifi/config_resources/authorizations.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    managed-authorizer
    org.apache.nifi.authorization.StandardManagedAuthorizer
    file-access-policy-provider

Here is my authorizations.xml (nifi creates at first startup):

    resource="/flow" action="R"
    resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="R"
    resource="/data/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="W"
    resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="R"
    resource="/process-groups/ca7090bc-018e-1000-6a92-e199f7d9e48e" action="W"
    resource="/restricted-components" action="W"
    resource="/tenants" action="R"
    resource="/tenants" action="W"
    resource="/policies" action="R"
    resource="/policies" action="W"
    resource="/controller" action="R"
    resource="/controller" action="W"

Here is my users.xml (nifi creates at first startup):

    identity="C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2"

On Wed, Apr 24, 2024 at 8:21 AM James McMahon wrote:

> I'll review this closely once again when I get back to this system tonight - thanks very much for your reply, Isha.
>
> I also feel I need to look more closely in nifi.properties, at values I have set for keys nifi.security.identity.mapping.[value, transform, pattern].CN1
>
> I noticed some odd behavior and suspect it is a reflection of an issue I have not set properly in my configuration:
> The first time I started my 2.0 instance with my Initial Admin Identity defined as shown, the UI in my browser actually presented me with a list (of one) Personal cert to select from - the cert for admin2. I was in a happy place: *finally*, nifi and the browser appeared to be in synch for the Subject name in the cert.
>
> I selected this cert, but then was crushed by the rejection mentioned above:
>     Unable to view the user interface. Contact the system administrator.
>     Insufficient Permissions home
>
> I restarted nifi so I could "tail -f" nifi-app.log.
> After restart, I once again tried to hit my NiFi URL.
> This time though, the browser failed to present the admin2 cert for selection. Shouldn't it have still presented that to me in the browser for my selection?
> Do you have any thoughts why this behavior is occurring?
>
> Would you say it is advisable to manually create by hand an authorizations.xml file should I continue to experience Insufficient Permissions problems? I recall reading that users.xml and authorizations.xml - if absent at initial startup - should be created by nifi from info in authorizers.xml. But this Insufficient Permissions makes me suspect something is missing from authorizations.
>
> Jim
Re: Insufficient permissions on initial start up (NiFi 2.0)

I'll review this closely once again when I get back to this system tonight - thanks very much for your reply, Isha.

I also feel I need to look more closely in nifi.properties, at values I have set for keys nifi.security.identity.mapping.[value, transform, pattern].CN1

I noticed some odd behavior and suspect it is a reflection of an issue I have not set properly in my configuration:
The first time I started my 2.0 instance with my Initial Admin Identity defined as shown, the UI in my browser actually presented me with a list (of one) Personal cert to select from - the cert for admin2. I was in a happy place: *finally*, nifi and the browser appeared to be in synch for the Subject name in the cert.

I selected this cert, but then was crushed by the rejection mentioned above:

    Unable to view the user interface. Contact the system administrator.
    Insufficient Permissions home

I restarted nifi so I could "tail -f" nifi-app.log.
After restart, I once again tried to hit my NiFi URL.
This time though, the browser failed to present the admin2 cert for selection. Shouldn't it have still presented that to me in the browser for my selection?
Do you have any thoughts why this behavior is occurring?

Would you say it is advisable to manually create by hand an authorizations.xml file should I continue to experience Insufficient Permissions problems? I recall reading that users.xml and authorizations.xml - if absent at initial startup - should be created by nifi from info in authorizers.xml. But this Insufficient Permissions makes me suspect something is missing from authorizations.

Jim

On Wed, Apr 24, 2024 at 5:33 AM Isha Lamboo wrote:

> Hi James,
>
> Have you changed these settings in authorizers.xml since you first started NiFi? If so, you may need to delete users.xml and authorizations.xml.
>
> A new admin user will not be created if those files already exist.
>
> Otherwise, the trickiest part is usually that the user DN needs to match **exactly** with that specified. Capitals and whitespace matter. Since you are getting insufficient permissions instead of unknown user, I don’t think that’s your problem here. Still, it may be worth checking for a mismatch in the initial admin identity vs initial user identity vs certificate.
>
> Regards,
>
> Isha
RE: Insufficient permissions on initial start up (NiFi 2.0)

Hi James,

Have you changed these settings in authorizers.xml since you first started NiFi? If so, you may need to delete users.xml and authorizations.xml.

A new admin user will not be created if those files already exist.

Otherwise, the trickiest part is usually that the user DN needs to match *exactly* with that specified. Capitals and whitespace matter. Since you are getting insufficient permissions instead of unknown user, I don’t think that’s your problem here. Still, it may be worth checking for a mismatch in the initial admin identity vs initial user identity vs certificate.

Regards,

Isha

From: James McMahon
Sent: Wednesday, April 24, 2024 02:14
To: users
Subject: Insufficient permissions on initial start up (NiFi 2.0)

I am trying to start my new NiFi 2.0 installation. I have a user admin2 that has a cert. The nifi server also has a cert. Both are signed by the same CA.

At start up in my browser I am denied due to insufficient privileges:

    Unable to view the user interface. Contact the system administrator.
    Insufficient Permissions home

My authorizers.xml has been configured as follows:

    file-user-group-provider
    org.apache.nifi.authorization.FileUserGroupProvider
    /opt/nifi/config_resources/users.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    file-access-policy-provider
    org.apache.nifi.authorization.FileAccessPolicyProvider
    file-user-group-provider
    /opt/nifi/config_resources/authorizations.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    managed-authorizer
    org.apache.nifi.authorization.StandardManagedAuthorizer
    file-access-policy-provider

I read that at start up, authorizations.xml and users.xml would be created by NiFi - those files are not to be hand jammed.

So how do I actually get in with my admin2 user?

What have I overlooked on this magical mystery tour?
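
Added example, not part of the original thread and not NiFi's own code: a consistency check for the two points in the reply above (stale users.xml/authorizations.xml, and an identity that must match exactly across authorizers.xml, users.xml and the presented certificate). The sample files are constructed and assumed to follow the usual file-provider layout; the identifiers, the second DN rendering and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Identity string exactly as quoted in the thread.
ADMIN = "C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2"
# Constructed: the same subject in another rendering (reversed, no spaces around "=").
OTHER_RENDERING = "CN=admin2, OU=NIFI, O=C4 Rampart, L=Reston, ST=Virginia, C=US"

# Constructed sample files (assumed layout); user and policy identifiers are made up.
AUTHORIZERS_XML = f"""<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">{ADMIN}</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">{ADMIN}</property>
  </accessPolicyProvider>
</authorizers>"""
USERS_XML = f"""<tenants><users>
  <user identifier="user-0001" identity="{ADMIN}"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="pol-1" resource="/flow" action="R"><user identifier="user-0001"/></policy>
  <policy identifier="pol-2" resource="/tenants" action="W"><user identifier="user-0001"/></policy>
</policies></authorizations>"""


def canonical_dn(dn):
    """Order-, case- and whitespace-insensitive form, used only to explain a mismatch.

    Simplification: splits on unescaped commas and ignores multi-valued RDNs.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if rdn.strip():
            key, _, value = rdn.partition("=")
            pairs.append((key.strip().lower(), value.strip().lower()))
    return tuple(sorted(pairs))


def explain(expected, actual):
    """Classify how two identity strings relate; only 'exact match' authorizes."""
    if expected == actual:
        return "exact match"
    if canonical_dn(expected) == canonical_dn(actual):
        return "same DN, different string (order, case or whitespace)"
    return "different DN"


def audit(authorizers_xml, users_xml, authorizations_xml, presented):
    """Return (findings, policies granted to the initial admin) for one configuration."""
    findings = []
    props = {p.get("name"): (p.text or "")
             for p in ET.fromstring(authorizers_xml).iter("property")}
    admin = props.get("Initial Admin Identity", "")
    seeded = [v for k, v in props.items() if k.startswith("Initial User Identity")]
    if admin not in seeded:
        findings.append("Initial Admin Identity is not one of the Initial User Identity values")

    # users.xml maps the identity string to an identifier that the policies reference.
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    uid = users.get(admin)
    granted = []
    if uid is None:
        findings.append("users.xml has no user with the Initial Admin Identity (stale file?)")
    else:
        granted = sorted(
            (p.get("resource"), p.get("action"))
            for p in ET.fromstring(authorizations_xml).iter("policy")
            if any(u.get("identifier") == uid for u in p.iter("user"))
        )
        if not granted:
            findings.append("authorizations.xml grants the admin user no policies (stale file?)")

    verdict = explain(admin, presented)
    if verdict != "exact match":
        findings.append(f"presented identity vs Initial Admin Identity: {verdict}")
    return findings, granted


if __name__ == "__main__":
    for presented in (ADMIN, OTHER_RENDERING):
        print(presented, "->", audit(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML, presented))
```
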
Insufficient permissions on initial start up (NiFi 2.0)

I am trying to start my new NiFi 2.0 installation. I have a user admin2 that has a cert. The nifi server also has a cert. Both are signed by the same CA.

At start up in my browser I am denied due to insufficient privileges:

    Unable to view the user interface. Contact the system administrator.
    Insufficient Permissions home

My authorizers.xml has been configured as follows:

    file-user-group-provider
    org.apache.nifi.authorization.FileUserGroupProvider
    /opt/nifi/config_resources/users.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    file-access-policy-provider
    org.apache.nifi.authorization.FileAccessPolicyProvider
    file-user-group-provider
    /opt/nifi/config_resources/authorizations.xml
    C = US, ST = Virginia, L = Reston, O = C4 Rampart, OU = NIFI, CN = admin2

    managed-authorizer
    org.apache.nifi.authorization.StandardManagedAuthorizer
    file-access-policy-provider

I read that at start up, authorizations.xml and users.xml would be created by NiFi - those files are not to be hand jammed.

So how do I actually get in with my admin2 user?

What have I overlooked on this magical mystery tour?