A few things to note:

Between NiFi 1.3.0 and NiFi 1.7.0, the authorizer structure changed, as the 
user and group provider was separated from the policy provider. This means 
there are two components (UserGroupProvider) and (AccessPolicyProvider) that 
are defined independently and compose the ManagedAuthorizer. This means that 
for a cluster, the proxies must be defined in two locations in the 
authorizers.xml file (see below).

Also, in NiFi 1.7.1, there were changes to hostname verification and wildcard 
certificates are fixed but wildcard certificates are not supported. If you are 
using wildcard certificates in your cluster, you should convert these to 
unique, explicit certificates for each node. Each node certificate should also 
contain a SubjectAlternativeName entry with the explicit DNS name of the 
service. More information can be found in the Admin Guide [1] or the Migration 
Guidance [2].

Here is an example authorizers.xml file with the proxies defined in both 
locations.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity A">CN=alopresto_NIFI-5370, 
OU=NIFI</property>
        <property name="Initial User Identity 1">CN=node1.nifi.apache.org, 
OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2.nifi.apache.org, 
OU=NIFI</property>
        <property name="Initial User Identity 3">CN=node3.nifi.apache.org, 
OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations 
File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=alopresto_NIFI-5370, 
OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">CN=node1.nifi.apache.org, 
OU=NIFI</property>
        <property name="Node Identity 2">CN=node2.nifi.apache.org, 
OU=NIFI</property>
        <property name="Node Identity 3">CN=node3.nifi.apache.org, 
OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy 
Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

[1] 
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
[2] https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Sep 18, 2018, at 4:55 AM, Peter Wilcsinszky <[email protected]> 
> wrote:
> 
> Hi,
> 
> are your hosts registered in LDAP properly? If you don't want them to come
> from LDAP then they should come from the file-user-group-provider as
> initial user identities in addition to your "Initial User Identity 1".
> 
> Peter
> 
> On Tue, Sep 18, 2018 at 11:54 AM nifi-san <[email protected]> wrote:
> 
>> Hello,
>> 
>> We are trying to integrate Nifi-7.1 with SSL and LDAP.
>> 
>> We have two different Nifi installation,one which is a standalone node and
>> the other which is a three node cluster.
>> 
>> Nifi Standalone:-
>> We were able to successfully integrate the Standalone node with SSL and
>> login to the Nifi UI with the client certificate.
>> 
>> Nifi Cluster:-
>> With the same configurations for authorizers.xml as is for the Nifi
>> standalone, on the Nifi cluster nodes,we get the below error:-
>> 
>> ERROR:-
>> ********************************************
>> Insufficient Permissions
>> Untrusted proxy CN=host1, OU=NIFI
>> ********************************************
>> 
>> The authorizers.xml configurations on the cluster is as follows:-
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <authorizers>
>>    <userGroupProvider>
>>        <identifier>file-user-group-provider</identifier>
>>        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>        <property name="Users
>> File">/opt/app/resources/nifi/users.xml</property>
>>        <property name="Legacy Authorized Users File"></property>
>> 
>>        <property name="Initial User Identity 1">CN=NADMIN,
>> OU=NIFI</property>
>>    </userGroupProvider>
>>    <accessPolicyProvider>
>>        <identifier>file-access-policy-provider</identifier>
>> 
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>        <property name="User Group
>> Provider">file-user-group-provider</property>
>>        <property name="Authorizations
>> File">/opt/app/resources/nifi/authorizations.xml</property>
>>        <property name="Initial Admin Identity">CN=NADMIN,
>> OU=NIFI</property>
>>        <property name="Legacy Authorized Users File"></property>
>> 
>>        <property
>> name="ohlvnfiap002dd.oh.dev.dat.aws.vz-connect.net"></property>
>>        <property name="Node Identity 1">CN=host1, OU=NIFI</property>
>> <property name="Node Identity 2">CN=host2, OU=NIFI</property>
>> <property name="Node Identity 3">CN=host3, OU=NIFI</property>
>>    </accessPolicyProvider>
>>    <authorizer>
>>        <identifier>managed-authorizer</identifier>
>> 
>> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>        <property name="Access Policy
>> Provider">file-access-policy-provider</property>
>>    </authorizer>
>> </authorizers>
>> 
>> We have checked the FQDN and the CN Name of the certificates generated and
>> all other configurations but could not identify anything specifically that
>> could be the root cause of the issue.
>> 
>> Apart from the above error with respect to privilege, we do not see any
>> other error in the logs.
>> 
>> The same configurations worked fine on Nifi-1.3,however, not sure why it
>> does not work on Nifi-1.7.
>> Also, it works fine on the standalone node but not on the cluster.
>> 
>> Appreciate if you could provide any assistance on this as it has already
>> been a while that we have been blocked because of this issue.
>> 
>> 
>> 
>> --
>> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
>> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Reply via email to