[
https://issues.apache.org/jira/browse/NIFI-9049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17400169#comment-17400169
]
Chris Sampson commented on NIFI-9049:
-------------------------------------
{quote}
Anonymous authentication has not been configured.
{quote}
is the error I get from the content viewer after:
* Start NiFi
* Login (Username & Password)
* Stop NiFi (observe the browser tab refresh to show the error message about the
NiFi instance being offline)
* Close all browser windows (I'm using latest Google Chrome on Ubuntu 21.04)
* Start NiFi
* Navigate back to NiFi UI (no request for Login)
* Attempt to view content of an existing FlowFile in a queue
NiFi App Logs:
{code:java}
2021-08-17 07:10:00,077 INFO [main] org.apache.nifi.web.server.JettyServer NiFi
has started. The UI is available at the following URLs:
2021-08-17 07:10:00,077 INFO [main] org.apache.nifi.web.server.JettyServer
https://127.0.0.1:8443/nifi
2021-08-17 07:10:00,078 INFO [main] org.apache.nifi.BootstrapListener
Successfully initiated communication with Bootstrap
2021-08-17 07:10:00,078 INFO [main] org.apache.nifi.NiFi Controller
initialization took 18027726871 nanoseconds (18 seconds).
2021-08-17 07:10:14,544 INFO [NiFi Web Server-18]
o.a.n.c.queue.AbstractFlowFileQueue Canceling ListFlowFile Request with ID
52bb5341-017b-1000-47aa-56ab661a0356
2021-08-17 07:10:17,002 INFO [pool-10-thread-1]
o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile
Repository
2021-08-17 07:10:17,002 INFO [pool-10-thread-1]
o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile
Repository with 45 records in 0 milliseconds
{code}
Can't see much here other than the cancellation of the content viewer request.
NiFi User Logs:
{code:java}
2021-08-17 07:09:52,200 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups
file loaded at Tue Aug 17 07:09:52 BST 2021
2021-08-17 07:09:52,333 INFO [main] o.a.n.a.FileAccessPolicyProvider
Authorizations file loaded at Tue Aug 17 07:09:52 BST 2021
2021-08-17 07:09:52,341 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer
Initializing Authorizer
2021-08-17 07:09:52,348 INFO [main] o.a.n.a.single.user.SingleUserAuthorizer
Configuring Authorizer
2021-08-17 07:10:05,146 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-08-17 07:10:05,241 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,724 INFO [NiFi Web Server-90]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/client-id (source ip: 127.0.0.1)
2021-08-17 07:10:05,724 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/config (source ip: 127.0.0.1)
2021-08-17 07:10:05,726 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,727 INFO [NiFi Web Server-90]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,747 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/banners (source ip: 127.0.0.1)
2021-08-17 07:10:05,749 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,778 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/processor-types (source ip: 127.0.0.1)
2021-08-17 07:10:05,781 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,781 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/about (source ip: 127.0.0.1)
2021-08-17 07:10:05,785 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,822 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/controller-service-types (source ip:
127.0.0.1)
2021-08-17 07:10:05,824 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:05,860 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/reporting-task-types (source ip: 127.0.0.1)
2021-08-17 07:10:05,862 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,109 INFO [NiFi Web Server-25]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/prioritizers (source ip: 127.0.0.1)
2021-08-17 07:10:06,111 INFO [NiFi Web Server-25]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,266 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/controller/bulletins (source ip: 127.0.0.1)
2021-08-17 07:10:06,268 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,269 INFO [NiFi Web Server-89]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/status (source ip: 127.0.0.1)
2021-08-17 07:10:06,271 INFO [NiFi Web Server-89]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,275 INFO [NiFi Web Server-24]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-08-17 07:10:06,276 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/process-groups/root (source ip: 127.0.0.1)
2021-08-17 07:10:06,277 INFO [NiFi Web Server-24]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,278 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:06,283 INFO [NiFi Web Server-22]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/cluster/summary (source ip: 127.0.0.1)
2021-08-17 07:10:06,286 INFO [NiFi Web Server-22]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:09,627 INFO [NiFi Web Server-90]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/status (source ip: 127.0.0.1)
2021-08-17 07:10:09,627 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/process-groups/49ea3599-017b-1000-1ed9-442334d57bba
(source ip: 127.0.0.1)
2021-08-17 07:10:09,627 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-08-17 07:10:09,628 INFO [NiFi Web Server-25]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/controller/bulletins (source ip: 127.0.0.1)
2021-08-17 07:10:09,629 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:09,631 INFO [NiFi Web Server-24]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/cluster/summary (source ip: 127.0.0.1)
2021-08-17 07:10:09,631 INFO [NiFi Web Server-90]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:09,631 INFO [NiFi Web Server-29]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:09,631 INFO [NiFi Web Server-25]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:09,633 INFO [NiFi Web Server-24]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:13,424 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) POST
https://localhost:8443/nifi-api/flowfile-queues/11fc346a-0015-1510-461e-fbc2cd27044d/listing-requests
(source ip: 127.0.0.1)
2021-08-17 07:10:13,428 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:14,474 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flowfile-queues/11fc346a-0015-1510-461e-fbc2cd27044d/listing-requests/52bb5341-017b-1000-47aa-56ab661a0356
(source ip: 127.0.0.1)
2021-08-17 07:10:14,481 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:14,539 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) DELETE
https://localhost:8443/nifi-api/flowfile-queues/11fc346a-0015-1510-461e-fbc2cd27044d/listing-requests/52bb5341-017b-1000-47aa-56ab661a0356
(source ip: 127.0.0.1)
2021-08-17 07:10:14,541 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:17,023 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET
https://localhost:8443/nifi-content-viewer/ (source ip: 127.0.0.1)
2021-08-17 07:10:17,024 WARN [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous
authentication has not been configured.
2021-08-17 07:10:22,217 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/process-groups/49ea3599-017b-1000-1ed9-442334d57bba
(source ip: 127.0.0.1)
2021-08-17 07:10:22,217 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-08-17 07:10:22,218 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/controller/bulletins (source ip: 127.0.0.1)
2021-08-17 07:10:22,218 INFO [NiFi Web Server-89]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/status (source ip: 127.0.0.1)
2021-08-17 07:10:22,220 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:22,220 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:22,220 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:22,228 INFO [NiFi Web Server-89]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:22,228 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/cluster/summary (source ip: 127.0.0.1)
2021-08-17 07:10:22,230 INFO [NiFi Web Server-91]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
956be35e-2417-4b18-b47f-e1bc0a5ecd45
2021-08-17 07:10:53,232 INFO [NiFi Web Server-24]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/process-groups/49ea3599-017b-1000-1ed9-442334d57bba
(source ip: 127.0.0.1)
2021-08-17 07:10:53,233 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/status (source ip: 127.0.0.1)
2021-08-17 07:10:53,236 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
https://localhost:8443/nifi-api/flow/controller/bulletins (source ip: 127.0.0.1)
{code}
I note that there are lots of auth successes with a rejection and delete in the
middle (when trying to view content) then lots more successes as the main NiFi
UI tab (presumably) kept refreshing.
> SingleUserAuthorizer allows unauthorised access after NiFi restart (and user
> credentials may be lost)
> -----------------------------------------------------------------------------------------------------
>
> Key: NIFI-9049
> URL: https://issues.apache.org/jira/browse/NIFI-9049
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.14.0
> Reporter: Chris Sampson
> Priority: Major
>
> Having started a new instance of NiFi (using the latest development version
> from {{main}}) with the default SingleUserAuthorizer setup, then restarting
> the instance (after updating an unrelated NAR in the lib/ folder), I was
> still able to access the NiFi UI without re-authenticating through my browser
> *but* I was unable to view any content because "unauthorised access has not
> been enabled".
> This is confusing - if I'm unauthorised, how am I able to access the UI at
> all, Stop/Start processors and reconfigure them, etc.?
> I suspect this is something to do with the browser caching a NiFi JWT from
> the initial login for a time, then the UI seeing that I've got a JWT and
> allowing me access, but then denying content-based access when trying to view
> those screens because my JWT is no longer valid (or something like that - but
> this is a guess and with no real evidence to support it).
> *Also* the default username/password is only output to the logs during the
> first startup of the instance. These logs may not be persisted in Docker
> images, so users would not be able to obtain them after a restart and
> therefore would not be able to re-authenticate if they didn't know/think to
> write them down anywhere (but the user/auth configuration has been persisted
> through a restart in an externalised volume along with the {{flow.xml.gz}},
> etc.). Also, even if the log files are persisted (in Docker or on a
> bare-metal install), the log files rotate and delete after a while, so again
> the username/password would be lost (possibly before the default dev user
> credentials expire) - this could cause problems for users.
> The authorisation issue also impacts one's ability to download Templates or
> Flow Definitions from the NiFi UI.
> To reproduce:
> * Run NiFi (with default SingleUserAuthorizer)
> * Obtain username/password from logs
> * Login to the NiFi UI
> * Create a basic Flow (e.g. GenerateFlowFile => Funnel) and leave data in a
> queue
> * View FlowFile content from within the queue (List Queue => View)
> * Stop NiFi
> * Wait some time (I'm not sure how long a time is necessary, think I might
> have witnessed this after several hours of my NiFi instance being offline and
> a computer restart before the problem manifested)
> * Restart NiFi
> * Refresh browser tab
> * Stop/Start/reconfigure Flow
> * Attempt to view FlowFile content (observe error message)
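Added example, not part of the original comment or of the NiFi project: a triage script for the `nifi-user.log` pattern shown above, flagging anonymous requests that were rejected while the same source IP was also sending token-bearing requests. The function names and sample values are hypothetical, and matching a rejection to its request by worker thread is an assumption, since the WARN line itself carries no URL or IP.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log excerpt above (wrapped as in the e-mail).
SAMPLE = """\
2021-08-17 07:10:14,539 INFO [NiFi Web Server-18]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) DELETE
https://localhost:8443/nifi-api/flowfile-queues/example-queue (source ip: 127.0.0.1)
2021-08-17 07:10:17,023 INFO [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET
https://localhost:8443/nifi-content-viewer/ (source ip: 127.0.0.1)
2021-08-17 07:10:17,024 WARN [NiFi Web Server-20]
o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous
authentication has not been configured.
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
ATTEMPT = re.compile(r"\[(?P<thread>[^\]]+)\] \S+ Attempting request for \((?P<cred><[^>]+>)\) "
                     r"(?P<method>\S+) (?P<url>\S+) \(source ip: (?P<ip>[^)]+)\)")
THREAD = re.compile(r"\[([^\]]+)\]")

def entries(text):
    """Re-join wrapped lines: a new entry starts only at a timestamp."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line):
            out.append(line.strip())
        elif out:
            out[-1] += " " + line.strip()
    return out

def mixed_sessions(text, window=timedelta(seconds=30)):
    """Rejected anonymous requests from an IP that also sent token requests within `window`."""
    attempts, rejected, last = [], [], {}
    for e in entries(text):
        m = ATTEMPT.search(e)
        if m:
            rec = dict(m.groupdict(), ts=datetime.strptime(e[:23], "%Y-%m-%d %H:%M:%S,%f"))
            attempts.append(rec)
            last[rec["thread"]] = rec          # latest attempt seen on this worker thread
        elif "Rejecting access" in e:
            rec = last.get(THREAD.search(e).group(1))
            if rec and rec["cred"] == "<anonymous>":
                rejected.append(rec)
    return [(r["url"], r["ip"]) for r in rejected
            if any(a["cred"] != "<anonymous>" and a["ip"] == r["ip"]
                   and abs(a["ts"] - r["ts"]) <= window for a in attempts)]
```

A hit means the client held a token for `nifi-api` calls but sent none to the flagged path, which is the split visible in the log above.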