They work for me, perhaps there was a connectivity issue or something?
On Thu, Feb 1, 2018 at 10:56 AM, Anil Rai <[email protected]> wrote:

> The below links do not work. Have they moved somewhere else?
>
> https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
>
> Thanks
> Anil
>
> On Thu, Feb 1, 2018 at 10:35 AM, Anil Rai <[email protected]> wrote:
>
>> Thanks Andy. It did resolve my issue. I got it working.
>> Thanks again for all the links. Very helpful.
>>
>> Cheers
>> Anil
>>
>> On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <[email protected]> wrote:
>>
>>> Hi Anil,
>>>
>>> In addition to Bryan’s explanation, there are a number of blog posts and
>>> articles covering this topic:
>>>
>>> * Authorization and Multi-Tenancy by Bryan Bende [1]
>>> * Secured Cluster Setup by Pierre Villard [2]
>>> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
>>> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
>>> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
>>> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]
>>>
>>> The sequence “dc=example,dc=com” in your current user DN (Distinguished
>>> Name) is incorrect and not present in the DN of the certificate. I imagine
>>> you copied this from an example posted online. “dc=” is a sequence used in
>>> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
>>> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
>>> would be the parent DN. But when you generated the certificate, you did not
>>> provide this information, so the DNs do not match, and NiFi correctly
>>> asserts that this is not a valid certificate identifying the user DN you
>>> specified in your XML files. Removing “dc=example,dc=com” from that
>>> definition as Bryan suggested will resolve your issue.
>>>
>>> [1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>>> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
>>> [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
>>> [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
>>> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
>>> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
>>> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure
>>>
>>> Andy LoPresto
>>> [email protected]
>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>>
>>> On Jan 31, 2018, at 7:32 PM, Bryan Bende <[email protected]> wrote:
>>>
>>> It’s the same problem, your initial admin should be:
>>>
>>> CN=TC, OU=NIFI
>>>
>>> Not
>>>
>>> CN=TC,OU=NIFI,dc=example,dc=com
>>>
>>> The first one is the DN of your client cert, the second one is not.
>>>
>>> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[email protected]> wrote:
>>>
>>> Hi Bryan,
>>>
>>> Thanks for the quick reply. I did follow your steps. But I am seeing the
>>> same error.
>>> Now the entry looks like
>>> <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,dc=com</property>
>>>
>>> Also what does dc stand for after CN and OU? Is that a problem?
>>> Is there a blog that talks about installing and making it https using
>>> toolkit? I did not find any good post that talks end to end from
>>> installing to making it secure using tls toolkit.
>>>
>>> Any help is appreciated.
>>>
>>> Thanks
>>> Anil
>>>
>>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> The identity in authorizers.xml for your initial admin does not match the
>>> identity of your client cert.
>>>
>>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>>> is the DN of your client cert.
>>>
>>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>>> authorizations.xml, and start back up.
>>>
>>> Thanks,
>>>
>>> Bryan
>>>
>>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[email protected]> wrote:
>>>
>>> All,
>>>
>>> I am trying to install nifi 1.5 and making it https. Below are the steps
>>> I followed and the error I am getting. Below is the config and log files
>>> content. Please help
>>>
>>> 1. Installed nifi 1.5
>>> 2. Installed nifi toolkit 1.5
>>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C 'CN=TC,OU=NIFI' -O -o ../security_output
>>> 4. Copied generated keystore, truststore and nifi properties to nifi/config folder
>>> 5. Imported the generated certificate to chrome browser
>>> 6. Modified authorizers.xml as attached.
>>> 7. With required restarts. Now when I enter the below url in the browser, I see the below error.
>>>
>>> https://localhost:9443/nifi/
>>>
>>> Insufficient Permissions
>>>
>>> - home
>>>
>>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>>> administrator.
>>>
>>> authorizers.xml
>>> --------------------
>>> <userGroupProvider>
>>>     <identifier>file-user-group-provider</identifier>
>>>     <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>>     <property name="Users File">./conf/users.xml</property>
>>>     <property name="Legacy Authorized Users File"></property>
>>>     <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>> </userGroupProvider>
>>>
>>> <accessPolicyProvider>
>>>     <identifier>file-access-policy-provider</identifier>
>>>     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>     <property name="User Group Provider">file-user-group-provider</property>
>>>     <property name="Authorizations File">./conf/authorizations.xml</property>
>>>     <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>     <property name="Legacy Authorized Users File"></property>
>>>     <property name="Node Identity 1"></property>
>>> </accessPolicyProvider>
>>> ------------------------
>>>
>>> nifi-user.log
>>> -----------------------
>>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
>>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: cn=TC,ou=NIFI,dc=example,dc=com
>>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI) GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
>>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
>>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>>> ------------------------------
>>>
>>> Generated users.xml
>>> --------------------------------
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <tenants>
>>>     <groups/>
>>>     <users>
>>>         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>>     </users>
>>> </tenants>
>>> --------------------------------
>>>
>>> Generated authorizations.xml
>>> --------------------------
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <authorizations>
>>>     <policies>
>>>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847" resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66" resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc" resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23" resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
>>>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>         </policy>
>>>     </policies>
>>> </authorizations>
>>> ------------------------------------
>>>
>>> nifi.properties
>>> ----------------------------
>>> # web properties #
>>> nifi.web.war.directory=./lib
>>> nifi.web.http.host=
>>> nifi.web.http.port=
>>> nifi.web.http.network.interface.default=
>>> nifi.web.https.host=localhost
>>> nifi.web.https.port=9443
>>> nifi.web.https.network.interface.default=
>>> nifi.web.jetty.working.directory=./work/jetty
>>> nifi.web.jetty.threads=200
>>> nifi.web.max.header.size=16 KB
>>> nifi.web.proxy.context.path=
>>>
>>> # security properties #
>>> nifi.sensitive.props.key=
>>> nifi.sensitive.props.key.protected=
>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>> nifi.sensitive.props.provider=BC
>>> nifi.sensitive.props.additional.keys=
>>>
>>> nifi.security.keystore=./conf/keystore.jks
>>> nifi.security.keystoreType=jks
>>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>> nifi.security.truststore=./conf/truststore.jks
>>> nifi.security.truststoreType=jks
>>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
>>> nifi.security.needClientAuth=
>>> nifi.security.user.authorizer=managed-authorizer
>>> nifi.security.user.login.identity.provider=
>>> nifi.security.ocsp.responder.url=
>>> nifi.security.ocsp.responder.certificate=
>>> ----------------------
>>>
>>> Please help.
>>>
>>> Regards
>>> Anil
>>>
>>> --
>>> Sent from Gmail Mobile
>>>
>>> --
>>> Sent from Gmail Mobile
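A small diagnostic, added here as an example and not part of the thread or of NiFi itself, that compares the subject DN NiFi logged for the client certificate ("CN=TC, OU=NIFI") with the identity placed in authorizers.xml. The thread shows NiFi matching the configured identity against the logged certificate subject as a string, so the `exact` field is the check that decides; the RDN breakdown is my own addition that reports what differs (the extra dc= components, the spacing), and the DN parser assumes plain RFC 4514 strings with only `\,` escapes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values copied from the thread above.
CERT_DN = "CN=TC, OU=NIFI"                          # subject as logged by NiFiAuthenticationFilter
WRONG_IDENTITY = "cn=TC,ou=NIFI,dc=example,dc=com"  # value Anil put in authorizers.xml
RIGHT_IDENTITY = "CN=TC, OU=NIFI"                   # value Bryan suggested


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (TYPE, value) RDNs, honouring '\\,' escapes.

    Attribute types are upper-cased and whitespace around separators dropped,
    so this is a *structural* comparison, looser than what NiFi applies.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def check_identity(cert_dn: str, configured: str) -> Dict[str, object]:
    """Report whether a configured identity matches the certificate subject.

    'exact'             - literal string equality, the comparison that decides
                          whether NiFi recognises the user (per the thread)
    'same_rdns'         - equal after structural normalisation
    'extra_in_config'   - RDNs present in authorizers.xml but not in the cert
    'missing_in_config' - RDNs present in the cert but absent from the config
    """
    cert_rdns, conf_rdns = parse_dn(cert_dn), parse_dn(configured)
    return {
        "exact": cert_dn == configured,
        "same_rdns": cert_rdns == conf_rdns,
        "extra_in_config": [r for r in conf_rdns if r not in cert_rdns],
        "missing_in_config": [r for r in cert_rdns if r not in conf_rdns],
    }


if __name__ == "__main__":
    for ident in (WRONG_IDENTITY, RIGHT_IDENTITY):
        print(f"{ident!r} -> {check_identity(CERT_DN, ident)}")
```

Run against the thread's values, the wrong identity fails `exact` and lists `('DC', 'example')` and `('DC', 'com')` as extra; Bryan's value passes.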
