Re: Apache NiFi 1.0.0-BETA RC1 Release Helper Guide

[Andy LoPresto]

Joe,

I was able to verify all signatures, build, verify the contrib-check, and start 
an unsecured instance and use it as normal.

However, when I attempted to deploy secured instances (using the tool 
contributed in NIFI-2193), I encountered issues with authentication.

Steps to recreate:

1. Build the app as normal.
2. Use the tis-toolkit in “standalone” mode to generate a CA key & certificate, 
generate a node certificate, use the CA key to sign the node certificate, and 
then combine the CA certificate and key into a PKCS12 keystore to use as a 
temporary client certificate to gain access to the UI.
        From the unzipped nifi directory:
                
hw12203:/Users/alopresto/Workspace/scratch/release_verification/nifi-1.0.0-BETA 
(master) alopresto
🔓 5s @ 17:06:16 $ cd 
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.0.0-BETA-bin/nifi-toolkit-1.0.0-BETA/
hw12203:...toolkit-assembly/target/nifi-toolkit-1.0.0-BETA-bin/nifi-toolkit-1.0.0-BETA
 (master) alopresto
🔓 3s @ 17:06:20 $ ./bin/tls-toolkit.sh standalone -c ca.nifi.apache.org
16/08/05 17:07:00 INFO standalone.TlsToolkitStandaloneCommandLine: No 
nifiPropertiesFile specified, using embedded one.
16/08/05 17:07:00 INFO standalone.TlsToolkitStandalone: Running standalone 
certificate generation with output directory ../nifi-toolkit-1.0.0-BETA and 
hostnames [localhost]
16/08/05 17:07:00 INFO standalone.TlsToolkitStandalone: Successfully generated 
TLS configuration for localhost:10443 in ../nifi-toolkit-1.0.0-BETA/localhost
16/08/05 17:07:00 INFO standalone.TlsToolkitStandalone: Successfully generated 
TLS configuration for all hosts
hw12203:...toolkit-assembly/target/nifi-toolkit-1.0.0-BETA-bin/nifi-toolkit-1.0.0-BETA
 (master) alopresto
🔓 40s @ 17:07:01 $ ossl pkcs12 -export -out client.p12 -inkey nifi-key.key -in 
nifi-cert.pem
Enter Export Password:
Verifying - Enter Export Password:
hw12203:...toolkit-assembly/target/nifi-toolkit-1.0.0-BETA-bin/nifi-toolkit-1.0.0-BETA
 (master) alopresto
🔓 6s @ 17:08:00 $ tl
.
..
├── [2.4K]  client.p12
..
├── [ 170]  localhost/
│   ├── [3.0K]  keystore.jks
│   ├── [8.3K]  nifi.properties
│   └── [ 925]  truststore.jks
├── [1.2K]  nifi-cert.pem
└── [1.6K]  nifi-key.key

5 directories, 36 files
hw12203:...toolkit-assembly/target/nifi-toolkit-1.0.0-BETA-bin/nifi-toolkit-1.0.0-BETA
 (master) alopresto
🔓 5s @ 17:08:05 $

3. Copy the nifi.properties to conf/ and the keystore.jks and truststore.jks to 
the top-level directory for the new instance.
4. Update the authorizers.xml Initial Admin Identity with the DN from the 
client (CA) cert.
        openssl x509 -in nifi-cert.pem -text -noout

<property name="Initial Admin Identity">CN=ca.nifi.apache.org, 
OU=NIFI</property>
5. Start NiFi.

The exception from the nifi-app.log boiled down to:

Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid 
content was found starting with element 'groups'. One of '{policies}' is 
expected.
        at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
 ~[na:1.8.0_92]
        ... 68 common frames omitted
2016-08-05 16:54:18,621 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server 
shutdown completed (nicely or otherwise).

The content of authorizations.xml is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <groups/>
    <users/>
    <policies/>
</authorizations>

It seems that it is an element ordering issue? If I put “<policies/>” first, it 
then breaks with:

Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.d: Invalid 
content was found starting with element 'groups'. No child element is expected 
at this point.

Removing both “<groups/>” and “<users/>” allows the application to start up, 
but I cannot connect through the browser using the client certificate. I can 
make a TLS connection using $ openssl s_client -connect localhost:10443 -state 
-debug -CAfile nifi-cert.pem -cert nifi-cert.pem -key nifi-key.key and then 
send ‘HEAD / HTTP/1.1’ in the terminal, which triggers a HTTP 400 status from 
the application:

2016-08-05 17:25:50,242 WARN [NiFi Web Server-21] 
org.eclipse.jetty.http.HttpParser Illegal character 0x20 in 
state=HEADER_IN_NAME for buffer 
HeapByteBuffer@3a3e608d[p=5,l=16,c=17408,r=11]={HEAD <<</ 
HTTP/1.0\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2016-08-05 17:25:50,242 WARN [NiFi Web Server-21] 
org.eclipse.jetty.http.HttpParser bad HTTP parsed: 400 Illegal character 0x20 
for HttpChannelOverHttp@105cb966{r=0,c=false,a=IDLE,uri=null}

Am I missing a step in the configuration of a secure instance? So far, I had 
success with configuring the IAI and then performing the rest of the 
configuration using the NiFi UI.



Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Aug 5, 2016, at 1:41 PM, Joe Percivall <joeperciv...@yahoo.com.INVALID> 
> wrote:
> 
> Hello Apache NiFi community,
> 
> Please find the associated guidance to help those interested in 
> validating/verifying the release so they can vote.
> 
> # Download latest KEYS file:
> https://dist.apache.org/repos/dist/dev/nifi/KEYS
> 
> # Import keys file:
> gpg --import KEYS
> 
> # [optional] Clear out local maven artifact repository
> 
> # Pull down nifi-1.0.0-BETA source release artifacts for review:
> 
> wget 
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.0.0-BETA/nifi-1.0.0-BETA-source-release.zip
> wget 
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.0.0-BETA/nifi-1.0.0-BETA-source-release.zip.asc
> wget 
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.0.0-BETA/nifi-1.0.0-BETA-source-release.zip.md5
> wget 
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.0.0-BETA/nifi-1.0.0-BETA-source-release.zip.sha1
> wget 
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.0.0-BETA/nifi-1.0.0-BETA-source-release.zip.sha256
> 
> # Verify the signature
> gpg --verify nifi-1.0.0-BETA-source-release.zip.asc
> 
> # Verify the hashes (md5, sha1, sha256) match the source and what was 
> provided in the vote email thread
> md5sum nifi-1.0.0-BETA-source-release.zip
> sha1sum nifi-1.0.0-BETA-source-release.zip
> sha256sum nifi-1.0.0-BETA-source-release.zip
> 
> # Unzip nifi-1.0.0-BETA-source-release.zip
> 
> # Verify the build works including release audit tool (RAT) checks
> cd nifi-1.0.0-BETA
> mvn clean install -Pcontrib-check
> 
> # Verify the contents contain a good README, NOTICE, and LICENSE.
> 
> # Verify the git commit ID is correct
> 
> # Verify the RC was branched off the correct git commit ID
> 
> # Look at the resulting convenience binary as found in nifi-assembly/target
> 
> # Make sure the README, NOTICE, and LICENSE are present and correct
> 
> # Run the resulting convenience binary and make sure it works as expected
> 
> # Send a response to the vote thread indicating a +1, 0, -1 based on your 
> findings.
> 
> Thank you for your time and effort to validate the release!

signature.asc
Description: Message signed with OpenPGP using GPGMail