Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

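The check and the cleanup Bryan describes above, as an added example written for this page (not code from the thread or from the NiFi project). It assumes the file-based user-group and access-policy providers shown in Anil's authorizers.xml, treats the identity NiFi prints on its "Authentication success" log line as the ground truth, and compares it to the two initial-identity properties as plain strings, because the file providers do an exact, case- and whitespace-sensitive comparison (which is why the toolkit's `CN=TC,OU=NIFI` and the logged `CN=TC, OU=NIFI` are different users). The XML and log text are constructed samples modelled on what Anil posted; the function names (`mismatches`, `apply_fix`, ...) are assumptions, not NiFi APIs.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the authorizers.xml fragment from the thread, wrapped in a
# root element so it parses on its own (a real file has more providers).
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
</authorizers>
"""

# Constructed sample log lines, modelled on the nifi-user.log excerpt in the thread.
NIFI_USER_LOG = """\
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
"""

# The two properties that must carry the client cert's DN exactly as NiFi spells it.
IDENTITY_PROPERTIES = ("Initial Admin Identity", "Initial User Identity 1")


def authenticated_identities(log_text):
    """Identities NiFi actually accepted from a client cert, verbatim from the log."""
    return {m.strip() for m in re.findall(r"Authentication success for (.+)$", log_text, re.M)}


def configured_identities(xml_text):
    """Map property name -> configured identity for the initial admin/user properties."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip()
            for p in root.iter("property") if p.get("name") in IDENTITY_PROPERTIES}


def mismatches(xml_text, log_text):
    """Configured initial identities that no authenticated identity matches exactly.
    No DN normalisation is attempted on purpose: the file providers don't do any either,
    so 'cn=TC,ou=NIFI,dc=example,dc=com' is simply a different user than 'CN=TC, OU=NIFI'."""
    seen = authenticated_identities(log_text)
    return {name: value for name, value in configured_identities(xml_text).items()
            if value not in seen}


def set_initial_identities(xml_text, identity):
    """Return authorizers.xml text with both initial-identity properties set to `identity`."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") in IDENTITY_PROPERTIES:
            prop.text = identity
    return ET.tostring(root, encoding="unicode")


def apply_fix(conf_dir, identity):
    """Bryan's procedure minus the NiFi stop/start (do those around this call):
    rewrite authorizers.xml and delete the generated users.xml and authorizations.xml,
    because the file providers only seed the initial identities when they *create*
    those files (the 'Creating new users file' / 'Populating authorizations' log lines).
    Returns the names of the files that were removed."""
    conf = Path(conf_dir)
    authorizers = conf / "authorizers.xml"
    authorizers.write_text(set_initial_identities(authorizers.read_text(), identity))
    removed = []
    for name in ("users.xml", "authorizations.xml"):
        generated = conf / name
        if generated.exists():
            generated.unlink()
            removed.append(name)
    return removed


if __name__ == "__main__":
    for name, value in mismatches(AUTHORIZERS_XML, NIFI_USER_LOG).items():
        print(f"{name}: configured {value!r}, but NiFi authenticated "
              f"{sorted(authenticated_identities(NIFI_USER_LOG))}")
```

Run it against the real `conf/` directory only with NiFi stopped; on restart the log should show a fresh "Populating authorizations for Initial Admin: CN=TC, OU=NIFI" line, and `mismatches()` over the new log should come back empty.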
On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrain...@gmail.com> wrote:

> All,
>
> I am trying to install NiFi 1.5 and make it HTTPS. Below are the steps I
> followed and the error I am getting, along with the config and log file
> contents. Please help.
>
> 1. Installed nifi 1.5
> 2. Installed nifi toolkit 1.5
> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> 'CN=TC,OU=NIFI' -O -o ../security_output
> 4. Copied generated keystore, truststore and nifi properties to nifi/config
> folder
> 5. Imported the generated certificate to chrome browser
> 6. Modified authorizers.xml as attached.
> 7. With the required restarts. Now when I enter the URL below in the browser, I
> see the error below.
>
> https://localhost:9443/nifi/
>
> Insufficient Permissions
>
>    - home
>
> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> administrator.
>
>
> authorizers.xml
> --------------------
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Node Identity 1"></property>
>     </accessPolicyProvider>
> ------------------------
>
> nifi-user.log
> -----------------------
> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating
> new users file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Creating new authorizations file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Populating authorizations for Initial Admin:
> cn=TC,ou=NIFI,dc=example,dc=com
> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> Kerberos ticket login not supported by this NiFi.. Returning Conflict
> response.
> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> OpenId Connect is not configured.. Returning Conflict response.
> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI)
> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> 127.0.0.1)
> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> OU=NIFI
> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[]
> does not have permission to access the requested resource. Unknown user
> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> ------------------------------
>
> Generated users.xml
> --------------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>     <groups/>
>     <users>
>         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>     </users>
> </tenants>
> --------------------------------
>
> Generated authorizations.xml
> --------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>     <policies>
>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>     </policies>
> </authorizations>
> ------------------------------------
>
> nifi.properties
> ----------------------------
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=9443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
> nifi.web.max.header.size=16 KB
> nifi.web.proxy.context.path=
>
> # security properties #
> nifi.sensitive.props.key=
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.keystore=./conf/keystore.jks
> nifi.security.keystoreType=jks
> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=jks
> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
> nifi.security.needClientAuth=
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.user.login.identity.provider=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
> ----------------------
>
>
>
> Please help.
>
> Regards
> Anil
>