It’s the same problem: your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[email protected]> wrote:

> Hi Bryan,
>
> Thanks for the quick reply. I did follow your steps, but I am seeing the
> same error.
> Now the entry looks like
>         <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,dc=com</property>
>
> Also, what does dc stand for after CN and OU? Is that a problem?
> Is there a blog that talks about installing and making it https using the
> toolkit? I did not find any good post that talks end to end from
> installing to making it secure using the tls toolkit.
>
> Any help is appreciated.
>
> Thanks
> Anil
>
>
>
> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[email protected]> wrote:
>
> > Hello,
> >
> > The identity in authorizers.xml for your initial admin does not match the
> > identity of your client cert.
> >
> > You should be putting “CN=TC, OU=NIFI” as the initial admin because that
> is
> > the DN of your client cert.
> >
> > You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> > authorizations.xml, and start back up.
> >
> > Thanks,
> >
> > Bryan
> >
> > On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[email protected]> wrote:
> >
> > > All,
> > >
> > > I am trying to install nifi 1.5 and make it https. Below are the steps
> > > I followed and the error I am getting, then the config and log file
> > > contents. Please help.
> > >
> > > 1. Installed nifi 1.5
> > > 2. Installed nifi toolkit 1.5
> > > 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C 'CN=TC,OU=NIFI' -O -o ../security_output
> > > 4. Copied generated keystore, truststore and nifi properties to nifi/config folder
> > > 5. Imported the generated certificate to chrome browser
> > > 6. Modified authorizers.xml as attached.
> > > 7. With required restarts. Now when I enter the below url in the browser, I
> > > see the below error.
> > >
> > > https://localhost:9443/nifi/
> > >
> > > Insufficient Permissions
> > >
> > >    - home
> > >
> > > Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> > > administrator.
> > >
> > >
> > > authorizers.xml
> > > --------------------
> > >     <userGroupProvider>
> > >         <identifier>file-user-group-provider</identifier>
> > >         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> > >         <property name="Users File">./conf/users.xml</property>
> > >         <property name="Legacy Authorized Users File"></property>
> > >
> > >         <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
> > >     </userGroupProvider>
> > >
> > >     <accessPolicyProvider>
> > >         <identifier>file-access-policy-provider</identifier>
> > >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> > >         <property name="User Group Provider">file-user-group-provider</property>
> > >         <property name="Authorizations File">./conf/authorizations.xml</property>
> > >         <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
> > >         <property name="Legacy Authorized Users File"></property>
> > >
> > >         <property name="Node Identity 1"></property>
> > >     </accessPolicyProvider>
> > > ------------------------
> > >
> > > nifi-user.log
> > > -----------------------
> > > 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> > > 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> > > 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
> > > 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: cn=TC,ou=NIFI,dc=example,dc=com
> > > 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> > > 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
> > > 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
> > > 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI) GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
> > > 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
> > > 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> > > ------------------------------
> > >
> > > Generated users.xml
> > > --------------------------------
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <tenants>
> > >     <groups/>
> > >     <users>
> > >         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
> > >     </users>
> > > </tenants>
> > > --------------------------------
> > >
> > > Generated authorizations.xml
> > > --------------------------
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <authorizations>
> > >     <policies>
> > >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847" resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66" resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc" resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23" resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >     </policies>
> > > </authorizations>
> > > ------------------------------------
> > >
> > > nifi.properties
> > > ----------------------------
> > > # web properties #
> > > nifi.web.war.directory=./lib
> > > nifi.web.http.host=
> > > nifi.web.http.port=
> > > nifi.web.http.network.interface.default=
> > > nifi.web.https.host=localhost
> > > nifi.web.https.port=9443
> > > nifi.web.https.network.interface.default=
> > > nifi.web.jetty.working.directory=./work/jetty
> > > nifi.web.jetty.threads=200
> > > nifi.web.max.header.size=16 KB
> > > nifi.web.proxy.context.path=
> > >
> > > # security properties #
> > > nifi.sensitive.props.key=
> > > nifi.sensitive.props.key.protected=
> > > nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> > > nifi.sensitive.props.provider=BC
> > > nifi.sensitive.props.additional.keys=
> > >
> > > nifi.security.keystore=./conf/keystore.jks
> > > nifi.security.keystoreType=jks
> > >
> > > nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > > nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > > nifi.security.truststore=./conf/truststore.jks
> > > nifi.security.truststoreType=jks
> > > nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
> > > nifi.security.needClientAuth=
> > > nifi.security.user.authorizer=managed-authorizer
> > > nifi.security.user.login.identity.provider=
> > > nifi.security.ocsp.responder.url=
> > > nifi.security.ocsp.responder.certificate=
> > > ----------------------
> > >
> > >
> > >
> > > Please help.
> > >
> > > Regards
> > > Anil
> > >
> > --
> > Sent from Gmail Mobile
> >
>
-- 
Sent from Gmail Mobile
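As an added example (not code from this thread or from the NiFi project), the script below does the check Bryan describes mechanically: it reads the identity properties out of authorizers.xml, compares each one against the DN NiFi actually reported for the client certificate, explains why a near-miss like `cn=TC,ou=NIFI,dc=example,dc=com` does not match `CN=TC, OU=NIFI` (extra `dc=` RDNs, lower-case attribute types, missing space after the comma), and rewrites the properties to the exact string. The `AUTHORIZERS_XML` sample is constructed to mirror Anil's fragments, wrapped in the `<authorizers>` root the real file has; `CERT_DN` is taken from the nifi-user.log line `Attempting request for (CN=TC, OU=NIFI)`. The function names are mine, and the script assumes, as Bryan's reply implies, that the file-based providers look the authenticated identity up by its exact string (no identity-mapping pattern configured in nifi.properties).

```python
"""Check the identities in NiFi's authorizers.xml against the client cert DN.

Added example, not from the mailing-list thread or the NiFi project.
Assumption: the file-based user-group and access-policy providers match the
authenticated identity as an exact string, so the configured identity must
equal the DN NiFi logs for the client certificate, character for character.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the authorizers.xml fragments in the thread.
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
</authorizers>
"""

# The DN exactly as NiFi reported it in nifi-user.log
# ("Attempting request for (CN=TC, OU=NIFI)").
CERT_DN = "CN=TC, OU=NIFI"

# Property names in authorizers.xml that hold identities (hypothetical name for the regex).
IDENTITY_PROPS = re.compile(r"^(Initial User Identity \d+|Initial Admin Identity|Node Identity \d+)$")


def parse_rdns(dn):
    """Split a DN into [(TYPE, value), ...]; attribute types are upper-cased for comparison.
    Naive split on unescaped commas, enough for DNs like the ones in the thread."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def configured_identities(xml_text):
    """Return {property name: value} for every identity property in authorizers.xml."""
    root = ET.fromstring(xml_text)
    return {prop.get("name"): (prop.text or "").strip()
            for prop in root.iter("property")
            if IDENTITY_PROPS.match(prop.get("name", ""))}


def diagnose(configured, cert_dn):
    """Explain why a configured identity string does not equal the cert DN."""
    if configured == cert_dn:
        return "exact match"
    want, have = parse_rdns(cert_dn), parse_rdns(configured)
    problems = []
    extra = [r for r in have if r not in want]
    missing = [r for r in want if r not in have]
    if extra:
        problems.append("extra RDNs " + ",".join(f"{a}={v}" for a, v in extra))
    if missing:
        problems.append("missing RDNs " + ",".join(f"{a}={v}" for a, v in missing))
    if not problems:
        problems.append("same RDNs but different spelling/spacing/case")
    return "; ".join(problems)


def check_authorizers(xml_text, cert_dn):
    """Return {property: diagnosis} for every non-empty identity that is not an exact match."""
    return {name: diagnose(value, cert_dn)
            for name, value in configured_identities(xml_text).items()
            if value and value != cert_dn}


def rewrite_identities(xml_text, cert_dn,
                       props=("Initial User Identity 1", "Initial Admin Identity")):
    """Return authorizers.xml text with the named properties set to the exact cert DN."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") in props:
            prop.text = cert_dn
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, why in check_authorizers(AUTHORIZERS_XML, CERT_DN).items():
        print(f"{name}: {why}")
    # Write the corrected file out; per Bryan's reply, NiFi must then be stopped,
    # users.xml and authorizations.xml deleted, and NiFi started again so the
    # initial admin is populated from the corrected identity.
    print(rewrite_identities(AUTHORIZERS_XML, CERT_DN))
```

Run against the sample, it reports `extra RDNs DC=example,DC=com` for both `Initial User Identity 1` and `Initial Admin Identity`; with only the case and spacing wrong (`cn=TC,ou=NIFI`) it reports the spelling/spacing/case mismatch instead, which is the kind of difference that is easy to miss by eye. Feed it the DN from the `Attempting request for (...)` line in nifi-user.log rather than retyping what was passed to `tls-toolkit.sh`, because the logged form is what the authorizer will be comparing against.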
