Nifi - Client Certificate Authorization Error

左心房为你撑大大i submitted on 2019-12-08 13:01:51

Question


I have installed a secured NiFi installation and wanted to authenticate using a secured client certificate. Authentication went fine but it failed at authorization:

AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Please note that it is a fresh installation and the idea is to use nipyapi for automating admin tasks (without logging into the UI).

I have created certificates using the following command:

bin/tls-toolkit.sh standalone -n {FQDN} -C "CN=nifi-admin,OU=NIFI"

Also, I have added the same CN in the authorizers.xml file like this:

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi-admin,OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

And:

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=nifi-admin,OU=NIFI</property>
    </userGroupProvider>

After making these changes, I started NiFi and tried to connect using nipyapi code. I could see authentication success but authorization failed:

2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'CN=nifi-admin, OU=NIFI'
2019-08-11 05:08:04,016 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

In addition, here are users.xml and authorizations.xml:

<tenants>
    <groups/>
    <users>
        <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
    </users>
</tenants>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="bb8f03ca-de27-3f4a-9499-562a6c743fb0" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="395c506d-1368-3989-b2f2-6ea7218eb46e" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ee1b66ee-7dac-3f09-8090-2b6803bd15c1" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="033157d8-93bd-3eea-8660-e3764d1017a2" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
    </policies>
</authorizations>
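Two identity strings appear on this page in slightly different forms: the log reports identity[CN=nifi-admin, OU=NIFI] with a space after the comma, while users.xml stores identity="CN=nifi-admin,OU=NIFI" without one. The script below is an added example, not code from the question or from NiFi. It loads the two policy files, pulls the identity out of the AccessDeniedExceptionMapper line, and checks a requested resource and action twice: once with an exact string comparison and once after collapsing whitespace around the RDN separators. The embedded XML and log line are constructed from the question's text (trimmed to two policies); normalize_dn is a simplified helper for illustration, not a NiFi function.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring (and trimming) the users.xml, authorizations.xml and
# log line shown in the question; the UUIDs are copied from the page.
USERS_XML = """<tenants>
    <groups/>
    <users>
        <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
    </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
    </policies>
</authorizations>"""

LOG_LINE = ("2019-08-11 05:08:04,016 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper "
            "identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the "
            "requested resource. No applicable policies could be found. Returning Forbidden response.")


def identity_from_log(line):
    """Pull the identity string NiFi reports in an AccessDeniedExceptionMapper line."""
    match = re.search(r"identity\[([^\]]*)\]", line)
    return match.group(1) if match else None


def load_users(users_xml):
    """Map identity string -> user identifier (UUID) from users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def load_policies(authorizations_xml):
    """Map (resource, action) -> set of user identifiers from authorizations.xml."""
    root = ET.fromstring(authorizations_xml)
    policies = {}
    for policy in root.iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        policies.setdefault(key, set()).update(u.get("identifier") for u in policy.iter("user"))
    return policies


def normalize_dn(dn):
    """Collapse whitespace around RDN separators: 'CN=a, OU=b' -> 'CN=a,OU=b'.
    Simplified helper (hypothetical): a DN with an escaped comma would need a real RFC 4514 parser."""
    return ",".join(part.strip() for part in dn.split(","))


def check_access(identity, resource, action, users, policies, normalize=False):
    """Return (matched_identity, allowed).

    With normalize=False the identity must equal the users.xml identity byte-for-byte,
    which is how the file-based provider behaves when no identity mapping is configured.
    """
    if normalize:
        wanted = normalize_dn(identity)
        matched = next((i for i in users if normalize_dn(i) == wanted), None)
    else:
        matched = identity if identity in users else None
    if matched is None:
        return None, False
    return matched, users[matched] in policies.get((resource, action), set())


def diagnose(log_line, users_xml, authorizations_xml, resource, action):
    """Compare the identity NiFi saw against users.xml, exactly and after normalization."""
    identity = identity_from_log(log_line)
    users = load_users(users_xml)
    policies = load_policies(authorizations_xml)
    exact_identity, exact_allowed = check_access(identity, resource, action, users, policies)
    norm_identity, norm_allowed = check_access(identity, resource, action, users, policies, normalize=True)
    return {
        "seen_identity": identity,
        "exact_match": exact_identity,
        "allowed_exact": exact_allowed,
        "normalized_match": norm_identity,
        "allowed_normalized": norm_allowed,
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, USERS_XML, AUTHORIZATIONS_XML, "/flow", "R").items():
        print(f"{key}: {value}")
```

When the normalized check grants access but the exact one does not, the identity in the certificate and the identity in users.xml are not the same string, so no policy can apply to the caller. NiFi's file-based providers compare identities as exact strings; the identity mapping properties in nifi.properties (nifi.security.identity.mapping.pattern.dn and nifi.security.identity.mapping.value.dn) are the supported place to rewrite a certificate DN into the form stored in users.xml, rather than editing the files by hand.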

Source: https://stackoverflow.com/questions/57447542/nifi-client-certificate-authorization-error
