Re: setting up secure nifi

Wed, 31 Jan 2018 16:24:07 -0800 

Hi Bryan,

Thanks for the quick reply. I did followed your steps. But I am seeing the
same error.
Now the entry looks like
        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
dc=com</property>

Also what does dc stand for after CN and OU. Is that a problem.
Is there a blog that talks about installing and making it https using
toolkit?. I did not find any good post that talks end to end from
installing to making it secure using tls toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbe...@gmail.com> wrote:

> Hello,
>
> The identity in authorizers.xml for your initial admin does not match the
> identity of your client cert.
>
> You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
> the DN of your client cert.
>
> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> authorizations.xml, and start back up.
>
> Thanks,
>
> Bryan
>
> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrain...@gmail.com> wrote:
>
> > All,
> >
> > I am trying to install nifi 1.5 and making it https. Below is the steps
> > followed and the error i am getting. Below is the config and log files
> > content. Please help
> >
> > 1. Installed nifi 1.5
> > 2. Installed nifi toolkit 1.5
> > 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> > 'CN=TC,OU=NIFI' -O -o ../security_output
> > 4. Copied generated keystore, truststore and nifi properties to
> nifi/config
> > folder
> > 5. Imported the generated certificate to chrome browser
> > 6. Modified authorizers.xml as attached.
> > 7. With required restarts. Now when i enter the below url in the
> browser, I
> > see the below error.
> >
> > https://localhost:9443/nifi/
> >
> > Insufficient Permissions
> >
> >    - home
> >
> > Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> > administrator.
> >
> >
> > authorizers.xml
> > --------------------
> >     <userGroupProvider>
> >         <identifier>file-user-group-provider</identifier>
> >         <class>org.apache.nifi.authorization.
> FileUserGroupProvider</class>
> >         <property name="Users File">./conf/users.xml</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Initial User Identity
> > 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
> >     </userGroupProvider>
> >
> >     <accessPolicyProvider>
> >         <identifier>file-access-policy-provider</identifier>
> >
> > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >         <property name="User Group
> > Provider">file-user-group-provider</property>
> >         <property name="Authorizations
> > File">./conf/authorizations.xml</property>
> >         <property name="Initial Admin
> > Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Node Identity 1"></property>
> >     </accessPolicyProvider>
> > ------------------------
> >
> > nifi-user.log
> > -----------------------
> > 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
> Creating
> > new users file at
> > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> > 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> > Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> > 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Creating new authorizations file at
> > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
> authorizations.xml
> > 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Populating authorizations for Initial Admin:
> > cn=TC,ou=NIFI,dc=example,dc=com
> > 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> > 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> > Kerberos ticket login not supported by this NiFi.. Returning Conflict
> > response.
> > 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> > OpenId Connect is not configured.. Returning Conflict response.
> > 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> > o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
> OU=NIFI)
> > GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> > 127.0.0.1)
> > 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> > o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> > OU=NIFI
> > 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> > o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
> groups[]
> > does not have permission to access the requested resource. Unknown user
> > with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> > ------------------------------
> >
> > Generated users.xml
> > --------------------------------
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <tenants>
> >     <groups/>
> >     <users>
> >         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> > identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
> >     </users>
> > </tenants>
> > --------------------------------
> >
> > Generated authorizations.xml
> > --------------------------
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <authorizations>
> >     <policies>
> >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> > resource="/flow" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> > resource="/restricted-components" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> > resource="/tenants" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> > resource="/tenants" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> > resource="/policies" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> > resource="/policies" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> > resource="/controller" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> > resource="/controller" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >     </policies>
> > </authorizations>
> > ------------------------------------
> >
> > nifi.properties
> > ----------------------------
> > # web properties #
> > nifi.web.war.directory=./lib
> > nifi.web.http.host=
> > nifi.web.http.port=
> > nifi.web.http.network.interface.default=
> > nifi.web.https.host=localhost
> > nifi.web.https.port=9443
> > nifi.web.https.network.interface.default=
> > nifi.web.jetty.working.directory=./work/jetty
> > nifi.web.jetty.threads=200
> > nifi.web.max.header.size=16 KB
> > nifi.web.proxy.context.path=
> >
> > # security properties #
> > nifi.sensitive.props.key=
> > nifi.sensitive.props.key.protected=
> > nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> > nifi.sensitive.props.provider=BC
> > nifi.sensitive.props.additional.keys=
> >
> > nifi.security.keystore=./conf/keystore.jks
> > nifi.security.keystoreType=jks
> > nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > nifi.security.truststore=./conf/truststore.jks
> > nifi.security.truststoreType=jks
> > nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
> ZHZyqI4
> > nifi.security.needClientAuth=
> > nifi.security.user.authorizer=managed-authorizer
> > nifi.security.user.login.identity.provider=
> > nifi.security.ocsp.responder.url=
> > nifi.security.ocsp.responder.certificate=
> > ----------------------
> >
> >
> >
> > Please help.
> >
> > Regards
> > Anil
> >
> --
> Sent from Gmail Mobile
>

Reply via email to