I have installed a secured NiFi instance and wanted to authenticate using a client certificate. Authentication went fine but it failed at authorization:
AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
Please note that it is a fresh installation and the idea is to use nipyapi for automating admin tasks (without logging into the UI).
I have created the certificates using the following command:
bin/tls-toolkit.sh standalone -n {FQDN} -C "CN=nifi-admin,OU=NIFI"
Also, I have added the same CN in the authorizers.xml file like this:
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=nifi-admin,OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>
And:
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=nifi-admin,OU=NIFI</property>
</userGroupProvider>
After making these changes, I started NiFi and tried to connect using nipyapi code. I could see authentication success but authorization failed:
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'CN=nifi-admin, OU=NIFI'
2019-08-11 05:08:04,016 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
In addition, here are users.xml and authorizations.xml:
<tenants>
    <groups/>
    <users>
        <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
    </users>
</tenants>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="bb8f03ca-de27-3f4a-9499-562a6c743fb0" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="395c506d-1368-3989-b2f2-6ea7218eb46e" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ee1b66ee-7dac-3f09-8090-2b6803bd15c1" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="033157d8-93bd-3eea-8660-e3764d1017a2" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
    </policies>
</authorizations>
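A check worth running on a post like this, as an added example that is not part of the question: NiFi's file-based authorizer matches the authenticated identity against users.xml as an exact string, and the log above reports the identity as `CN=nifi-admin, OU=NIFI` (space after the comma) while users.xml and authorizers.xml carry `CN=nifi-admin,OU=NIFI` (no space). The script below embeds the users.xml and authorizations.xml quoted in the question as constructed sample strings, extracts the identity from the `AccessDeniedExceptionMapper` log line, and reports whether the denial is an exact mismatch, a whitespace-only mismatch, an unknown identity, or a known user with no read policy on `/flow`. The function names and the classification strings are this example's own.

```python
"""Diagnose a NiFi 'No applicable policies could be found' denial from the
logged identity and the file-based authorizer's users.xml / authorizations.xml.
Added example for this question, not NiFi's own tooling."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set, Tuple

# Constructed samples taken from the files quoted in the question.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
    </policy>
  </policies>
</authorizations>"""

# One line copied from the log output in the question.
LOG_LINE = (
    "2019-08-11 05:08:04,016 INFO [NiFi Web Server-16] "
    "o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], "
    "groups[] does not have permission to access the requested resource."
)

IDENTITY_RE = re.compile(r"identity\[(?P<identity>[^\]]*)\]")


def logged_identity(line: str) -> Optional[str]:
    """Return the identity string NiFi printed inside identity[...], or None."""
    m = IDENTITY_RE.search(line)
    return m.group("identity") if m else None


def configured_users(users_xml: str) -> Dict[str, str]:
    """Map each identity in users.xml to its user identifier (the UUID)."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def policies_for(authorizations_xml: str, user_id: str) -> Set[Tuple[str, str]]:
    """Collect the (resource, action) pairs that list the given user identifier."""
    root = ET.fromstring(authorizations_xml)
    granted = set()
    for policy in root.iter("policy"):
        if any(u.get("identifier") == user_id for u in policy.iter("user")):
            granted.add((policy.get("resource"), policy.get("action")))
    return granted


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators so cosmetic DN differences show up."""
    return ",".join(part.strip() for part in dn.split(","))


def diagnose(log_line: str, users_xml: str, authorizations_xml: str) -> str:
    """Classify the denial: ok, no-flow-policy, whitespace-mismatch, unknown-identity."""
    ident = logged_identity(log_line)
    if ident is None:
        return "no-identity-in-log"
    users = configured_users(users_xml)
    if ident in users:
        # Exact match; the remaining question is whether any policy grants the call.
        if ("/flow", "R") in policies_for(authorizations_xml, users[ident]):
            return "ok"
        return "no-flow-policy"
    # No verbatim match: NiFi compares strings exactly, so a DN that differs only
    # in spacing is a different identity to the authorizer.
    for configured in users:
        if normalize_dn(configured) == normalize_dn(ident):
            return f"whitespace-mismatch: configured {configured!r}, logged {ident!r}"
    return "unknown-identity"


if __name__ == "__main__":
    print(diagnose(LOG_LINE, USERS_XML, AUTHORIZATIONS_XML))
```

For the files quoted above the script reports a whitespace-only mismatch, which points at the identity string rather than at the policies. Two caveats when fixing that: the file providers only seed users.xml and authorizations.xml from `Initial Admin Identity` / `Initial User Identity 1` when those files do not yet exist, so after changing the configured identity the generated files have to be removed (with NiFi stopped) before restart; and rather than hand-editing DN spacing, `nifi.security.identity.mapping.pattern.dn` / `nifi.security.identity.mapping.value.dn` in nifi.properties can map certificate DNs to the canonical form the authorizer expects.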