Hello, I am trying to deploy a simple secure nifi cluster to OpenShift using the minimal configurations. I have encountered an authorization exception that I don't know how to solve or begin to know how to troubleshoot. The deployment results in the following exceptions.
************************************* On nifi-0, logs/nifi-users.log *************************************

2025-07-03 15:44:45,676 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Initializing Authorizer
2025-07-03 15:44:45,749 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi (raw node identity CN=nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi)
2025-07-03 15:44:45,750 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi (raw node identity CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi)
2025-07-03 15:44:45,750 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi (raw node identity CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi)
2025-07-03 15:44:45,761 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer Configuring Authorizer
2025-07-03 15:44:56,189 INFO [main] o.a.n.w.s.c.KeyPairGeneratorConfiguration Configured Key Pair Algorithm [Ed25519] for JSON Web Signatures
2025-07-03 15:50:02,258 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.129.3.170 [OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local] GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/controller/nar-manager/nars
2025-07-03 15:50:02,258 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.129.4.133 [OU=nifi, CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local] GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/controller/nar-manager/nars
2025-07-03 15:50:02,262 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local] 10.129.3.170 GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/controller/nar-manager/nars
2025-07-03 15:50:02,350 INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [OU=nifi, CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local] 10.129.4.133 GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/controller/nar-manager/nars
2025-07-03 15:50:02,564 INFO [NiFi Web Server-23] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[OU=nifi, CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local], groups[] does not have permission to access the requested resource. Unable to view the controller. Returning Forbidden response.
2025-07-03 15:50:02,564 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local], groups[] does not have permission to access the requested resource. Unable to view the controller. Returning Forbidden response.

When trying to access through the UI:

2025-07-03 15:53:43,555 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.129.3.170 [<CN=nifi-client.web.boeing.com, OU=applications, O=Boeing, C=US><OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local>] GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/flow/current-user
2025-07-03 15:53:43,561 WARN [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.129.3.170 GET https://nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443/nifi-api/flow/current-user [Untrusted proxy OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local]

************************************* logs/nifi-requests.log *************************************

10.129.4.133 - "OU=nifi, CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local" [03/Jul/2025:15:50:01 +0000] "GET /nifi-api/controller/nar-manager/nars HTTP/2.0" 403 64 "" "Java-http-client/21.0.7"
10.129.3.170 - "OU=nifi, CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local" [03/Jul/2025:15:50:01 +0000] "GET /nifi-api/controller/nar-manager/nars HTTP/2.0" 403 64 "" "Java-http-client/21.0.7"
10.129.3.170 - - [03/Jul/2025:15:53:43 +0000] "GET /nifi-api/flow/current-user HTTP/2.0" 403 40 https://nifi-cd088d.apps.kcs-td-clt.k8s.boeing.com/nifi/ "Apache NiFi/2.4.0"

************************************* Background: *************************************

* Using apache/nifi:2.4.0
* 3 nifi instances
* env
  * INITIAL_ADMIN_IDENTITY: 'CN=nifi-client.web.boeing.com, OU=applications, O=Boeing, C=US'
  * NIFI_WEB_PROXY_HOST: "nifi-cd088d.apps.kcs-td-clt.k8s.boeing.com:8443,nifi-service.cd088d-test-drive.svc.cluster.local:8443,nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443,nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443,nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local:8443,nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local:443,nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local:443,nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local:443"
  * NIFI_WEB_PROXY_CONTEXT_PATH: "/"
* I've overloaded $HOSTNAME to HOSTNAME=$(hostname -f) in ../scripts/startup.sh
* Using a "passthrough" route for the UI
* Created certs manually using https://nifi.apache.org/nifi-docs/walkthroughs.html#manual-keystore

************************************* users.xml *************************************

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773" identity="CN=nifi-1.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi"/>
        <user identifier="06038e21-7b70-39fb-88e4-7215888785ca" identity="CN=nifi-0.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi"/>
        <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0" identity="CN=nifi-client.web.boeing.com, OU=applications, O=Boeing, C=US"/>
        <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277" identity="CN=nifi-2.nifi-service-hs.cd088d-test-drive.svc.cluster.local, O=nifi"/>
    </users>
</tenants>

************************************* authorizations.xml *************************************

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="e7f17356-135f-332e-993a-02c81f934b04" resource="/data/process-groups/c25edeb9-0197-1000-8da4-c44ecefcf959" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
            <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773"/>
            <user identifier="06038e21-7b70-39fb-88e4-7215888785ca"/>
            <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277"/>
        </policy>
        <policy identifier="d8e66321-09cd-34b2-981a-b5154ddbe8bc" resource="/data/process-groups/c25edeb9-0197-1000-8da4-c44ecefcf959" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
            <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773"/>
            <user identifier="06038e21-7b70-39fb-88e4-7215888785ca"/>
            <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277"/>
        </policy>
        <policy identifier="551e59a3-023d-3d69-a231-bc01d77fdda8" resource="/process-groups/c25edeb9-0197-1000-8da4-c44ecefcf959" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="1e747c55-2163-33b4-b412-08980e3c769c" resource="/process-groups/c25edeb9-0197-1000-8da4-c44ecefcf959" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
            <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773"/>
            <user identifier="06038e21-7b70-39fb-88e4-7215888785ca"/>
            <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0"/>
        </policy>
        <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
            <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773"/>
            <user identifier="06038e21-7b70-39fb-88e4-7215888785ca"/>
            <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277"/>
        </policy>
    </policies>
</authorizations>

Any and all help is greatly appreciated!

Joshua Johnson
Mfg. Systems & Simulation Engineer
Boeing Research and Technology
(843) 642-5364
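A check worth running against logs and config like those in the post above (added example; not code from the original post and not part of Apache NiFi). The nifi-users.log lines show the node certificates authenticating as `OU=nifi, CN=nifi-N...`, while users.xml and the /proxy policy are keyed on `CN=nifi-N..., O=nifi`. NiFi's file-based user group provider and access policy provider look a user up by the exact identity string that remains after the `nifi.security.identity.mapping.pattern.*` / `value.*` properties in nifi.properties are applied, so a different attribute name (O vs OU) or RDN order is simply a different, unknown user, which yields exactly the `does not have permission` and `Untrusted proxy` messages. The script below parses the two XML files and the log, reports each logged identity's exact-match and /proxy status, and can emulate one identity-mapping pair; the sample inputs are constructed from values in the post, and the mapping pattern/value used in the usage note is a hypothetical example, not something the post configures.

```python
"""Cross-check NiFi node identities: certificate DN as logged vs users.xml / authorizations.xml.

Added example; not code from the original post or from Apache NiFi.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NODE = "nifi-service-hs.cd088d-test-drive.svc.cluster.local"

# Constructed sample: users.xml identities as the post defines them.
USERS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants><groups/><users>
  <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773" identity="CN=nifi-1.{NODE}, O=nifi"/>
  <user identifier="06038e21-7b70-39fb-88e4-7215888785ca" identity="CN=nifi-0.{NODE}, O=nifi"/>
  <user identifier="6932571d-c7f4-3831-b19f-5b81ddea49a0" identity="CN=nifi-client.web.boeing.com, OU=applications, O=Boeing, C=US"/>
  <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277" identity="CN=nifi-2.{NODE}, O=nifi"/>
</users></tenants>"""

# Constructed sample: only the /proxy policy from the post's authorizations.xml.
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations><policies>
  <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
    <user identifier="05e6a043-1bfe-3f18-b248-5b17c0318773"/>
    <user identifier="06038e21-7b70-39fb-88e4-7215888785ca"/>
    <user identifier="954a7b0f-6d0b-32a3-8c00-3c403a833277"/>
  </policy>
</policies></authorizations>"""

# Constructed sample: two nifi-users.log lines of the shape shown in the post.
NIFI_USERS_LOG = f"""\
2025-07-03 15:50:02,262 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [OU=nifi, CN=nifi-2.{NODE}] 10.129.3.170 GET https://nifi-0.{NODE}:8443/nifi-api/controller/nar-manager/nars
2025-07-03 15:53:43,561 WARN [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.129.3.170 GET https://nifi-0.{NODE}:8443/nifi-api/flow/current-user [Untrusted proxy OU=nifi, CN=nifi-2.{NODE}]
"""

# The DN NiFi logs on a successful client-cert authentication or a rejected proxy hop.
LOGGED_DN = re.compile(r"(?:Authentication Success \[|\[Untrusted proxy )(?P<dn>[^\]]+)\]")


@dataclass(frozen=True)
class IdentityCheck:
    dn: str                      # identity string exactly as NiFi logged it
    exact_match: bool            # present verbatim in users.xml (after mapping, if any)
    proxy_granted: bool          # holds /proxy W, which a node needs to forward UI requests
    same_cn_as: Optional[str]    # users.xml identity sharing the CN value, if any


def parse_dn(dn: str) -> dict:
    """Split 'A=x, B=y' into {'A': 'x', 'B': 'y'} (attribute types upper-cased).
    Naive: does not handle escaped commas inside values."""
    return {k.strip().upper(): v.strip() for k, v in (rdn.split("=", 1) for rdn in dn.split(","))}


def load_users(users_xml: str) -> dict:
    """identity -> identifier, the same key the file user group provider uses for lookup."""
    return {u.get("identity"): u.get("identifier") for u in ET.fromstring(users_xml).iter("user")}


def policy_members(authorizations_xml: str, resource: str, action: str) -> set:
    """User identifiers granted `action` on `resource`."""
    members = set()
    for p in ET.fromstring(authorizations_xml).iter("policy"):
        if p.get("resource") == resource and p.get("action") == action:
            members.update(u.get("identifier") for u in p.iter("user"))
    return members


def logged_identities(log_text: str) -> set:
    return {m.group("dn") for m in LOGGED_DN.finditer(log_text)}


def apply_identity_mapping(identity: str, pattern: str, value: str) -> str:
    """Emulate one nifi.security.identity.mapping.pattern.X / value.X pair: when the
    regex matches the whole identity, $1..$n in the value are filled from the groups;
    otherwise the identity passes through unchanged. (Transform option not modelled.)"""
    m = re.fullmatch(pattern, identity)
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value) if m else identity


def check_identities(users_xml: str, authorizations_xml: str, log_text: str, mapping=None) -> list:
    """One IdentityCheck per distinct identity found in the log. `mapping` is an optional
    (pattern, value) pair applied to the logged DN before the users.xml lookup."""
    users = load_users(users_xml)
    proxies = policy_members(authorizations_xml, "/proxy", "W")
    cn_index = {parse_dn(identity).get("CN"): identity for identity in users}
    results = []
    for dn in sorted(logged_identities(log_text)):
        mapped = apply_identity_mapping(dn, *mapping) if mapping else dn
        identifier = users.get(mapped)
        results.append(IdentityCheck(dn, identifier is not None, identifier in proxies,
                                     cn_index.get(parse_dn(dn).get("CN"))))
    return results


if __name__ == "__main__":
    for r in check_identities(USERS_XML, AUTHORIZATIONS_XML, NIFI_USERS_LOG):
        print(r)
```

Run as-is it reports the logged `OU=nifi, CN=nifi-2...` identity as not in users.xml and without /proxy, while pointing at the users.xml entry that shares its CN. Passing `mapping=("^OU=nifi, CN=(.*?)$", "CN=$1, O=nifi")` (a hypothetical pattern/value pair) shows how an identity-mapping rule would make the same DN resolve to the configured node user; the more direct fix is to make the users.xml and authorizers.xml node identities match the DN the certificates actually present, since NiFi applies the same mapping to the node identities in authorizers.xml (the `Added mapped node ... (raw node identity ...)` lines).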
