You need to subscribe to the mailing list[1] to see the replies. Tickets can be filed via the Apache Jira instance[2], although I'd imagine the current functionality for the docker image is by design but things can always be improved/reworked.
[1] https://nifi.apache.org/mailing_lists.html
[2] https://issues.apache.org/jira/projects/NIFI/

Cheers,

Chris Sampson

On Tue, 9 Mar 2021, 19:31 Sim, Yoosuk, <[email protected]> wrote:

> Thanks Chris Sampson for the solution. That indeed solved the issue. That said, shouldn't this be seen as a bug? If the configuration is set correctly, then even without the environment variable, I would think it should work. May I make an Issue/PR on this?
>
> Cheers,
>
> Yoosuk Sim
>
> P.S. For some reason, I didn't get the reply on my email client and only realized I had a reply when visiting the mailing list archive. Hope this doesn't break the flow.
>
> From: Sim, Yoosuk
> Sent: March-05-21 9:36 AM
> To: '[email protected]' <[email protected]>
> Subject: Weird behavior while setting up NiFi-Registry with LDAP
>
> Hello dev,
>
> I have observed an odd behavior that I do not know the exact cause of or solutions to.
> Currently, I am setting up NiFi and NiFi-Registry docker containers, deployed to OpenShift, to work with LDAP. Both containers were modified to allow files to have Group 0 ownership.
> NiFi worked as expected, and I intended to replicate the setup on NiFi-Registry. NiFi-Registry had other ideas, apparently.
>
> The first sign was that when I first logged in with my username, which was set as Initial Admin Identity, it would authenticate me but would not grant me any power other than view. When checking logs, it shows that my username was indeed authenticated, complete with my group information, but it would complain that I was not given any permission to access the material and therefore forbidden. I added debug flags to ldap-related classes into logback.xml and observed more. It shows that a set of usernames, including my own, was indeed imported, along with the groups users belong to. Still, it would not recognize me as the Initial Admin Identity.
> I then checked my authorizers.xml and realized there was no value entry for Initial Admin Identity.
>
> At this point, I thought I made a dumb mistake of not having put any value in there. Just to be sure, I double checked my configmap that supplied the authorizers.xml, and the story started to become weird. Turns out, I did supply the correct authorizers.xml, complete with the Initial Admin Identity with my username on it. The said file does get populated as expected into the conf/authorizers.xml. But when ../scripts/start.sh is run, at some point in time, the Initial Admin Identity disappears. Even more of a boggle, that's apparently the only value that gets blanked out: every other setting was left intact the way I had supplied them.
>
> So I am confused. Why is my NiFi-Registry deleting a value at Initial Admin Identity specifically, and what can I do to stop this and make it identify the username as the admin? Attached is the authorizers.xml file. Please let me know if you need more information.
>
> Cheers,
>
> Tony Sim
>
> conf/authorizers.xml (edited) :
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>ldap-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>
>         <property name="Manager DN">cn=manager,ou=My Users,ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca</property>
>         <property name="Manager Password">some password</property>
>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>
>         <property name="Url">ldaps://xxx.xxx.xxx.xxx</property>
>         <property name="Page Size"></property>
>         <property name="Sync Interval">30 mins</property>
>         <property name="Group Membership - Enforce Case Sensitivity">false</property>
>
>         <property name="User Search Base"> ou=Mygroup,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
>         <property name="User Object Class">person</property>
>         <property name="User Search Scope">SUBTREE</property>
>         <property name="User Search Filter">(|(memberOf=CN=Specific Group 1,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca)(memberOf= CN=Specific Group 2,OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca))</property>
>         <property name="User Identity Attribute">CN</property>
>         <property name="User Group Name Attribute">memberOf</property>
>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>         <property name="Group Search Base"> OU=More Groups, ,ou=Bigger Group,dc=company,dc=name,dc=thingie,dc=ca </property>
>         <property name="Group Object Class">group</property>
>         <property name="Group Search Scope">SUBTREE</property>
>         <property name="Group Search Filter">(cn=Specific Group*)</property>
>         <property name="Group Name Attribute">CN</property>
>         <property name="Group Member Attribute">member</property>
>         <property name="Group Member Attribute - Referenced User Attribute"></property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">ldap-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">myusername</property>
>         <!-- this value gets blanked out on the file after the ../scripts/start.sh -->
>         <!--<property name="NiFi Group Name"></property>-->
>
>         <property name="NiFi Identity 1"></property>
>     </accessPolicyProvider>
>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
>
> </authorizers>
>
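As an added illustration of the failure mode discussed in the thread (this is example code written for this page, not the NiFi Registry project's start.sh or anything the participants posted): an entrypoint script that unconditionally substitutes an environment variable into authorizers.xml will replace a correctly supplied "Initial Admin Identity" with an empty string whenever that variable is unset, which is exactly the "only this one value gets blanked" symptom described above. The sample authorizers.xml, the helper names prop_replace/prop_get, the variable name INITIAL_ADMIN_IDENTITY and the sed-based substitution are all assumptions made for this example. The guarded variant keeps whatever the configmap supplied when the environment provides nothing, and check_initial_admin is the post-start check a practitioner would want before exposing the service, since with an empty value NiFi Registry seeds no initial admin policies and the authenticated user gets nothing beyond the default rights.

```shell
#!/bin/sh
# Added example, not code from the NiFi Registry project or from the thread.
# Models an entrypoint that substitutes INITIAL_ADMIN_IDENTITY into
# authorizers.xml unconditionally, blanking the value when the variable is
# unset, beside a guarded variant and a post-start check. Helper names, the
# variable name and the sed substitution are assumptions for illustration.

# Constructed sample authorizers.xml, modelled on the accessPolicyProvider in the thread.
write_sample_authorizers() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">myusername</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>
</authorizers>
EOF
}

# Read the value of a <property name="..."> element (prints an empty string if the value is empty).
prop_get() {
  # $1 property name, $2 file
  sed -n "s|.*<property name=\"$1\">\([^<]*\)</property>.*|\1|p" "$2"
}

# Unconditional substitution (the behaviour assumed for the image's start script):
# the current value is replaced by $2 even when $2 is an empty string.
prop_replace() {
  # $1 property name, $2 new value, $3 file
  sed -e "s|<property name=\"$1\">[^<]*</property>|<property name=\"$1\">$2</property>|" "$3" > "$3.tmp" \
    && mv "$3.tmp" "$3"
}

# Guarded variant: a value already present in the file is kept when the
# environment supplies nothing, so a correct configmap is not silently blanked.
prop_replace_if_set() {
  if [ -n "$2" ]; then
    prop_replace "$1" "$2" "$3"
  fi
}

# Post-start check: returns 0 when Initial Admin Identity is non-empty, 1 when it
# was blanked. NiFi Registry only seeds the initial admin policies for a
# non-empty value, so an empty one leaves the named user without admin rights.
check_initial_admin() {
  [ -n "$(prop_get 'Initial Admin Identity' "$1")" ]
}

# Apply the unconditional substitution to the sample and print the resulting value.
simulate_unconditional() {
  f="$(mktemp)"
  write_sample_authorizers "$f"
  prop_replace 'Initial Admin Identity' "${INITIAL_ADMIN_IDENTITY:-}" "$f"
  prop_get 'Initial Admin Identity' "$f"
  rm -f "$f"
}

# Same run with the guarded substitution.
simulate_guarded() {
  f="$(mktemp)"
  write_sample_authorizers "$f"
  prop_replace_if_set 'Initial Admin Identity' "${INITIAL_ADMIN_IDENTITY:-}" "$f"
  prop_get 'Initial Admin Identity' "$f"
  rm -f "$f"
}

# Stand-alone demonstration: run with INITIAL_ADMIN_IDENTITY unset to reproduce the blanking.
echo "unconditional: '$(simulate_unconditional)'"
echo "guarded:       '$(simulate_guarded)'"
```

Run it once with INITIAL_ADMIN_IDENTITY unset and once with it exported: the unconditional path prints an empty value in the first case, the guarded path keeps myusername, and both take the environment value when one is supplied. The check is the piece worth wiring into a readiness probe, because a blanked admin identity fails silently: authentication still succeeds, only authorization is missing.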
