Issue with azure.AzureGraphUserGroupProvider #3

chlopak opened this issue Mar 25, 2021 · 10 comments

@chlopak

chlopak commented Mar 25, 2021

Hi Ben,

I've found this guide really useful but I hit a wall and was wanting help to check if the azure class referenced in the example authorizers.xml shown is a custom extension or is this something coming?? I am a complete noob so if you can let me know what you need from me I'll get it for you. I've attached the logs and some of the configs. Let me know if there is anything else I can do to help!

Nifi.zip

Cheers!
chlopak

@debugaftercoffee

@benkelly @sjyang18 Thank you for the documentation, it is very clear! I am using NiFi 1.13.2 on my Mac installed by HomeBrew. I think I am getting the same issue as @chlopak and my NiFi instance cannot find the AzureGraphUserGroupProvider class. Is there an additional JAR file I need to include to use this authorizer?
java.lang.Exception: The specified user group provider class 'org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider' is not known to this nifi

@sjyang18
Contributor

@debugaftercoffee, and @chlopak. Thanks for your interest in my contribution to NIFI.
The feature (apache/nifi#4367) was recently merged and it is not included in any nifi release yet. You may take the PR and build the custom NIFI distribution.

Or, you may just build nifi-azure-bundle and replace the two *.nar from the bundle.

@debugaftercoffee

@chlopak I was able to build your PR and include it in my NiFi setup. In my aad-user-group-provider I am providing a Group Filter Prefix for a list of AAD Groups that I am a member of. When I run NiFi it fails with the error below. If I change Group Filter Prefix to use only AAD Groups that I am not a member of, NiFi is able to load and I can login with my Microsoft Login credentials. Any ideas about what could be wrong?

ERROR [main] o.s.web.context.ContextLoader Context initialization failed org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Found multiple users/user groups with identity '<REDACTED>'. 
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:666) at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551) '.

@sjyang18
Contributor

sjyang18 commented Apr 29, 2021

@debugaftercoffee my PR depends on nifi 1.14.0-SNAPSHOT and above. Ignore my previous comment of just copying nar files to your existing nifi instance. After you build from the top of nifi source, you will find the build artifact in nifi-assembly/target. Grab the *.tar.gz, unzip it, and modify the authorizer.xml in the unzipped one. There is an example configuration commented out in the xml.

Another thing I noticed from your error message is that REDACTED identity is defined in multiple user/user group providers. Check if you have another usergroupprovider who has REDACTED.

And, another thing you may check is the property names. In the final PR, they asked me to change the property names to match the LDAP provider, thus you may check to see if your definition matches the final property names (https://github.com/apache/nifi/pull/4367/files#diff-6769a8d7bb1a09f60788643e411e820a5cd843eb4910b9ec01f85e8c9e8e1b00), like 'Directory ID', 'Application ID', 'Client Secret', etc. If you have a small number of groups you want to import from AAD, just use 'Group List Inclusion' for simplicity.

@debugaftercoffee

@sjyang18 I was able to work through the issue. In the example on the README.MD there is the file-user-group-provider that has SYS_ADMIN_AAD_UPN added as a user. When I remove the file-user-group-provider and only use aad-user-group-provider it works. NiFi doesn't like that the SYS_ADMIN_AAD_UPN is defined in both the file-user-group-provider and the aad-user-group-provider.

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">SYS_ADMIN_AAD_UPN</property>
    </userGroupProvider>

@wmeneses

wmeneses commented Apr 4, 2022

Thanks, but in my case:

Failed to instantiate [org.apache.nifi.web.security.oidc.OidcService]: Factory method 'oidcService' threw exception; nested exception is java.lang.RuntimeException: OpenId Connect support cannot be enabled if the Login Identity Provider or Apache Knox SSO is configured.

Suggestions?

In a single user I don't have problems, the certificate is OK... I have the last stable version.

@sjyang18
Contributor

sjyang18 commented Apr 5, 2022

I haven't worked on this project in a couple of years, but the error message seems to share some info you may try out. Your configuration might have another login identity provider or Apache Knox SSO.

When I tested last year for the 1.14.0 release, I disabled SingleUserLoginIdentityProvider by commenting it out in conf/authorizers.xml. You may have to do something similar, depending on the current code base.

<!--
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
-->

@wmeneses

wmeneses commented Apr 5, 2022

> I haven't worked on this project a couple of years, but, the error message seems to share some info you may try out. Your configuration might have an another login identity provider or apache knox sso.
>
> When I tested last year for 1.14.0 release, I disabled SingleUserLoginIdentityProvider by commenting out it in conf/authorizers.xml. You may have to do the similar things, depending on the current code base.
>
> <!--
>     <authorizer>
>         <identifier>single-user-authorizer</identifier>
>         <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
>     </authorizer>
> -->

Thank you very much. I am using the latest version available, and I had already removed that part of the .xml. It still doesn't work.

I have a doubt about the file nifi.properties:

how should the parameters "nifi.security.user.authorizer=" and
"nifi.security.user.login.identity.provider=" be set?

I have tried with managed-authorizer, but the error persists.

Thank you very much again for replying.

@sjyang18
Contributor

sjyang18 commented Apr 5, 2022

Looking at my last test environment, I also set authorizer to 'managed-authorizer'. Hope this will help.

```
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
```

@wmeneses

wmeneses commented Apr 5, 2022

@sjyang18

"nifi.security.user.login.identity.provider="

with this empty parameter, it worked for me.

Thanks a billion!
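
A pre-start check for the two startup failures resolved in this thread, as an added example that is not part of the original discussion or of NiFi itself. It assumes the admin supplies the identities expected from AAD (`aad_identities` is hypothetical), uses constructed sample config, and takes the property names `nifi.security.user.oidc.discovery.url` and `nifi.security.user.knox.url` from NiFi's nifi.properties rather than from this thread.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample inputs mirroring the settings discussed in this thread.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">SYS_ADMIN_AAD_UPN</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>aad-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class>
  </userGroupProvider>
</authorizers>"""

SAMPLE_PROPERTIES = """nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.oidc.discovery.url=https://login.example.invalid/.well-known/openid-configuration
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def oidc_conflicts(props):
    """Return the settings that must be empty once OIDC is enabled."""
    if not props.get("nifi.security.user.oidc.discovery.url"):
        return []
    blockers = ("nifi.security.user.login.identity.provider",
                "nifi.security.user.knox.url")
    return [key for key in blockers if props.get(key)]

def duplicate_identities(authorizers_xml, aad_identities):
    """Return identities that more than one userGroupProvider would supply."""
    seen = defaultdict(set)
    for provider in ET.fromstring(authorizers_xml).iter("userGroupProvider"):
        ident = provider.findtext("identifier", "").strip()
        for prop in provider.findall("property"):
            if prop.get("name", "").startswith("Initial User Identity") and prop.text:
                seen[prop.text.strip()].add(ident)
        if provider.findtext("class", "").strip().endswith("AzureGraphUserGroupProvider"):
            for upn in aad_identities:  # assumption: list exported from AAD by the admin
                seen[upn].add(ident)
    return {i: sorted(p) for i, p in seen.items() if len(p) > 1}
```

A non-empty result from either function corresponds to one of the two exceptions quoted above: `AuthorizerCreationException` for a duplicated identity, and the `OidcService` error for a login identity provider left configured.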
