The below links does not work. Have they moved somewhere else? https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html https://blog.rosander.ninja/nifi/toolkit/tls/2016/ 09/20/tls-toolkit-standalone-multi.html
Thanks Anil On Thu, Feb 1, 2018 at 10:35 AM, Anil Rai <[email protected]> wrote: > Thanks Andy. It did resolve my issue. I got it working. > Thanks again for all the links. Very helpful. > > Cheers > Anil > > > On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <[email protected]> > wrote: > >> Hi Anil, >> >> In addition to Bryan’s explanation, there are a number of blog posts and >> articles covering this topic: >> >> * Authorization and Multi-Tenancy by Bryan Bende [1] >> * Secured Cluster Setup by Pierre Villard [2] >> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3] >> * Initial Admin Identity section of Apache NiFi Admin Guide [4] >> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5] >> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan >> Rosander [6] >> >> The sequence “dc=example,dc=com” in your current user DN (Distinguished >> Name) is incorrect and not present in the DN of the certificate. I imagine >> you copied this from an example posted online. “dc=“ is a sequence used in >> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is >> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” >> would be the parent DN. But when you generated the certificate, you did not >> provide this information, so the DNs do not match, and NiFi correctly >> asserts that this is not a valid certificate identifying the user DN you >> specified in your XML files. Removing “dc=example,dc=com” from that >> definition as Bryan suggested will resolve your issue. >> >> [1] https://bryanbende.com/development/2016/08/17/apache-nif >> i-1-0-0-authorization-and-multi-tenancy >> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-s >> ecured-cluster-setup/ >> [3] https://nifi.apache.org/docs/nifi-docs/html/administrati >> on-guide.html#tls-generation-toolkit >> [4] https://nifi.apache.org/docs/nifi-docs/html/administrati >> on-guide.html#initial-admin-identity >> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/ >> tls-toolkit-intro.html >> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/ >> tls-toolkit-standalone-multi.html >> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_Acce >> ss_Protocol#Directory_structure >> >> Andy LoPresto >> [email protected] >> *[email protected] <[email protected]>* >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >> >> On Jan 31, 2018, at 7:32 PM, Bryan Bende <[email protected]> wrote: >> >> It’s the same problem, your initial admin should be: >> >> CN=TC, OU=NIFI >> >> Not >> >> CN=TC,OU=NIFI,dc=example,dc=com >> >> The first one is the DN of your client cert, the second one is not. >> >> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[email protected]> wrote: >> >> Hi Bryan, >> >> Thanks for the quick reply. I did followed your steps. But I am seeing the >> same error. >> Now the entry looks like >> <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example, >> dc=com</property> >> >> Also what does dc stand for after CN and OU. Is that a problem. >> Is there a blog that talks about installing and making it https using >> toolkit?. I did not find any good post that talks end to end from >> installing to making it secure using tls toolkit. >> >> Any help is appreciated. >> >> Thanks >> Anil >> >> >> >> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[email protected]> wrote: >> >> Hello, >> >> The identity in authorizers.xml for your initial admin does not match the >> identity of your client cert. >> >> You should be putting “CN=TC, OU=NIFI” as the initial admin because that >> >> is >> >> the DN of your client cert. >> >> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and >> authorizations.xml, and start back up. >> >> Thanks, >> >> Bryan >> >> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[email protected]> wrote: >> >> All, >> >> I am trying to install nifi 1.5 and making it https. Below is the steps >> followed and the error i am getting. Below is the config and log files >> content. Please help >> >> 1. Installed nifi 1.5 >> 2. Installed nifi toolkit 1.5 >> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C >> 'CN=TC,OU=NIFI' -O -o ../security_output >> 4. Copied generated keystore, truststore and nifi properties to >> >> nifi/config >> >> folder >> 5. Imported the generated certificate to chrome browser >> 6. Modified authorizers.xml as attached. >> 7. With required restarts. Now when i enter the below url in the >> >> browser, I >> >> see the below error. >> >> https://localhost:9443/nifi/ >> >> Insufficient Permissions >> >> - home >> >> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system >> administrator. >> >> >> authorizers.xml >> -------------------- >> <userGroupProvider> >> <identifier>file-user-group-provider</identifier> >> <class>org.apache.nifi.authorization. >> >> FileUserGroupProvider</class> >> >> <property name="Users File">./conf/users.xml</property> >> <property name="Legacy Authorized Users File"></property> >> >> <property name="Initial User Identity >> 1">cn=TC,ou=NIFI,dc=example,dc=com</property> >> </userGroupProvider> >> >> <accessPolicyProvider> >> <identifier>file-access-policy-provider</identifier> >> >> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> >> <property name="User Group >> Provider">file-user-group-provider</property> >> <property name="Authorizations >> File">./conf/authorizations.xml</property> >> <property name="Initial Admin >> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property> >> <property name="Legacy Authorized Users File"></property> >> >> <property name="Node Identity 1"></property> >> </accessPolicyProvider> >> ------------------------ >> >> nifi-user.log >> ----------------------- >> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider >> >> Creating >> >> new users file at >> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml >> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider >> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018 >> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider >> Creating new authorizations file at >> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/ >> >> authorizations.xml >> >> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider >> Populating authorizations for Initial Admin: >> cn=TC,ou=NIFI,dc=example,dc=com >> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider >> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018 >> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] >> o.a.n.w.a.c.IllegalStateExceptionMapper >> >> java.lang.IllegalStateException: >> >> Kerberos ticket login not supported by this NiFi.. Returning Conflict >> response. >> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] >> o.a.n.w.a.c.IllegalStateExceptionMapper >> >> java.lang.IllegalStateException: >> >> OpenId Connect is not configured.. Returning Conflict response. >> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] >> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, >> >> OU=NIFI) >> >> GET https://localhost:9443/nifi-api/flow/current-user (source ip: >> 127.0.0.1) >> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] >> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, >> OU=NIFI >> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] >> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], >> >> groups[] >> >> does not have permission to access the requested resource. Unknown user >> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response. >> ------------------------------ >> >> Generated users.xml >> -------------------------------- >> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> >> <tenants> >> <groups/> >> <users> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" >> identity="cn=TC,ou=NIFI,dc=example,dc=com"/> >> </users> >> </tenants> >> -------------------------------- >> >> Generated authorizations.xml >> -------------------------- >> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> >> <authorizations> >> <policies> >> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" >> resource="/flow" action="R"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847" >> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" >> action="R"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66" >> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" >> action="W"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc" >> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" >> >> action="R"> >> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23" >> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" >> >> action="W"> >> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" >> resource="/restricted-components" action="W"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" >> resource="/tenants" action="R"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" >> resource="/tenants" action="W"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" >> resource="/policies" action="R"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" >> resource="/policies" action="W"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" >> resource="/controller" action="R"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" >> resource="/controller" action="W"> >> <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> >> </policy> >> </policies> >> </authorizations> >> ------------------------------------ >> >> nifi.properties >> ---------------------------- >> # web properties # >> nifi.web.war.directory=./lib >> nifi.web.http.host= >> nifi.web.http.port= >> nifi.web.http.network.interface.default= >> nifi.web.https.host=localhost >> nifi.web.https.port=9443 >> nifi.web.https.network.interface.default= >> nifi.web.jetty.working.directory=./work/jetty >> nifi.web.jetty.threads=200 >> nifi.web.max.header.size=16 KB >> nifi.web.proxy.context.path= >> >> # security properties # >> nifi.sensitive.props.key= >> nifi.sensitive.props.key.protected= >> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL >> nifi.sensitive.props.provider=BC >> nifi.sensitive.props.additional.keys= >> >> nifi.security.keystore=./conf/keystore.jks >> nifi.security.keystoreType=jks >> >> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI >> >> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI >> nifi.security.truststore=./conf/truststore.jks >> nifi.security.truststoreType=jks >> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3 >> >> ZHZyqI4 >> >> nifi.security.needClientAuth= >> nifi.security.user.authorizer=managed-authorizer >> nifi.security.user.login.identity.provider= >> nifi.security.ocsp.responder.url= >> nifi.security.ocsp.responder.certificate= >> ---------------------- >> >> >> >> Please help. >> >> Regards >> Anil >> >> -- >> Sent from Gmail Mobile >> >> >> -- >> Sent from Gmail Mobile >> >> >> >
