Nifi - client certificate authorization error

Time: 2019-08-11 05:27:27

Tags: apache-nifi nipyapi

I have a secured NiFi installation and want to authenticate with a secure client certificate. Authentication works, but authorization fails:

AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Note that this is a fresh install, and the idea is to use nipyapi to automate the administration tasks (no need to log in to the UI).

I created the certificates with the following command:

bin/tls-toolkit.sh standalone -n {FQDN} -C "CN=nifi-admin,OU=NIFI"

In addition, I added the same CN to the authorizers.xml file like this:

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi-admin,OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

and

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">CN=nifi-admin,OU=NIFI</property>
    </userGroupProvider>

After making these changes, I started nifi and tried to connect with the nipyapi code. I can see that authentication succeeds, but authorization fails:

2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: CN=nifi-admin, OU=NIFI
2019-08-11 05:08:04,014 DEBUG [NiFi Web Server-16] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'CN=nifi-admin, OU=NIFI'
2019-08-11 05:08:04,016 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-admin, OU=NIFI], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Also, here are users.xml and authorizations.xml:

<tenants>
    <groups/>
    <users>
        <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
      </users>
</tenants>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="bb8f03ca-de27-3f4a-9499-562a6c743fb0" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="395c506d-1368-3989-b2f2-6ea7218eb46e" resource="/data/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ee1b66ee-7dac-3f09-8090-2b6803bd15c1" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="033157d8-93bd-3eea-8660-e3764d1017a2" resource="/process-groups/7b350728-016c-1000-8510-e66d31774eed" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c"/>
        </policy>
    </policies>
</authorizations>
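One detail in the excerpts above is worth checking, as an added example rather than anything from the question: the AccessDeniedExceptionMapper line reports the certificate identity as "CN=nifi-admin, OU=NIFI" (space after the comma), while users.xml and the Initial Admin Identity are configured as "CN=nifi-admin,OU=NIFI" (no space). NiFi's file-based authorizer compares identities as exact, case-sensitive strings, so a difference like that leaves the authenticated user with no applicable policy, which is exactly what the log says. The Python below (my own code, not NiFi's or nipyapi's) parses the users.xml posted in the question, compares the logged identity against it both exactly and with comma whitespace squeezed, and normalizes the DN with the same pattern/value/transform semantics as NiFi's nifi.security.identity.mapping.* properties; the apply_identity_mapping helper and the mapping pattern are my illustration of those semantics and assumptions, not NiFi code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the users.xml posted in the question, copied verbatim.
USERS_XML = """<tenants>
    <groups/>
    <users>
        <user identifier="94c8e1f5-aec4-3c99-8647-b61482c2ec0c" identity="CN=nifi-admin,OU=NIFI"/>
    </users>
</tenants>"""

# The identity exactly as the AccessDeniedExceptionMapper log line printed it.
# Note the space after the comma, which the configured identity does not have.
LOGGED_IDENTITY = "CN=nifi-admin, OU=NIFI"

# Hypothetical identity mapping, written the way NiFi's properties are
# (nifi.security.identity.mapping.pattern.dn / value.dn / transform.dn):
# capture the RDN values of the certificate DN and re-emit them without spaces.
MAPPING_PATTERN = r"^CN=(.*?), OU=(.*?)$"
MAPPING_VALUE = "CN=$1,OU=$2"


def configured_identities(users_xml: str) -> list:
    """Return every <user identity="..."> value found in a users.xml document."""
    root = ET.fromstring(users_xml)
    return [user.attrib["identity"] for user in root.iter("user")]


def apply_identity_mapping(identity: str, pattern: str, value: str,
                           transform: str = "NONE") -> str:
    """Mirror NiFi identity-mapping semantics (my reading of them, not NiFi code):
    if the whole identity matches the pattern, substitute the capture groups into
    the value template ($1, $2, ...) and optionally change case; otherwise return
    the identity unchanged."""
    match = re.fullmatch(pattern, identity)
    if match is None:
        return identity
    mapped = value
    for index, group in enumerate(match.groups(), start=1):
        mapped = mapped.replace(f"${index}", group)
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def diagnose(logged_identity: str, users_xml: str) -> str:
    """Classify why a logged identity does or does not hit a users.xml entry.

    "match"               exact string match, so policies granted to the user apply
    "whitespace-mismatch" same DN once ", " and "," are treated alike; fix by mapping
                          the identity or by configuring it exactly as NiFi logs it
    "no-match"            the identity is genuinely absent from users.xml
    """
    identities = configured_identities(users_xml)
    if logged_identity in identities:
        return "match"

    def squeeze(dn: str) -> str:
        # Collapse any whitespace that follows an RDN separator.
        return re.sub(r",\s*", ",", dn)

    if any(squeeze(logged_identity) == squeeze(identity) for identity in identities):
        return "whitespace-mismatch"
    return "no-match"


if __name__ == "__main__":
    print("logged identity:", LOGGED_IDENTITY, "->", diagnose(LOGGED_IDENTITY, USERS_XML))
    mapped = apply_identity_mapping(LOGGED_IDENTITY, MAPPING_PATTERN, MAPPING_VALUE)
    print("mapped identity:", mapped, "->", diagnose(mapped, USERS_XML))
```

Run as-is, the script reports "whitespace-mismatch" for the logged identity and "match" once the mapping has removed the space. In a real deployment the equivalent fix is either an identity mapping in nifi.properties that produces the configured form, or configuring the Initial Admin Identity and users.xml entry exactly as NiFi logs the DN; in the latter case remember that the file authorizer only reads Initial Admin Identity when users.xml and authorizations.xml do not yet exist, so those two files have to be removed before the corrected identity takes effect.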

0 Answers:

No answers