Hi ,
In the file login-identity-providers.xml configuration is mentioned below , but
in case of Nifi 1.9.2 also it is configured as same .
<provider>
<identifier>kerberos-provider</identifier>
<class>org.apache.nifi.kerberos.KerberosProvider</class>
<property name="Default Realm">NIFI.COM</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
And below is the complete back trace of the issue .
er java.lang.IllegalArgumentException: The supplied username and password are
not valid.}. Returning Bad Request} response."}
java.lang.IllegalArgumentException: The supplied username and password are not
valid.
at
org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:735)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
at
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
at
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by:
org.apache.nifi.authentication.exception.InvalidLoginCredentialsException:
Kerberos authentication failed
at
org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:125)
at
org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:315)
at
org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:729)
... 84 common frames omitted
Caused by: org.springframework.security.authentication.BadCredentialsException:
Kerberos authentication failed
at
org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
at
org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40)
at
org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:117)
... 86 common frames omitted
Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
at
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at
java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
at
org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59)
... 88 common frames omitted
Caused by: sun.security.krb5.KrbException: Cannot locate KDC
at
java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1259)
at java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:218)
at java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:200)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:343)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:744)
... 96 common frames omitted
Caused by: sun.security.krb5.KrbException: Generic error (description in
e-text) (60) - Unable to locate KDC for realm NIFI.COM
at
java.security.jgss/sun.security.krb5.Config.getKDCFromDNS(Config.java:1356)
at
java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1232)
... 101 common frames omitted
Thanks & Regards,
Ganesh.B
-----Original Message-----
From: Bryan Bende <bbe...@gmail.com>
Sent: Friday, April 17, 2020 8:53 PM
To: dev@nifi.apache.org
Subject: Re: Nifi with kerberos(kdc) is not working in Nifi 1.11.4
Check your Default Realm in login-identity-providers.xml
On Fri, Apr 17, 2020 at 11:05 AM Shawn Weeks <swe...@weeksconsulting.us>
wrote:
> For some reason NiFi is trying to use the realm NIFI.COM. I'd search
> through your config files and your Kerberos Credential Service and see
> where that's coming from.
>
> Thanks
>
> On 4/17/20, 7:49 AM, "Ganesh, B (Nokia - IN/Bangalore)" <
> b.gan...@nokia.com> wrote:
>
> Hi ,
>
> no ,
> default_realm = NOKIA.COM
>
>
>
> -----Original Message-----
> From: Shawn Weeks <swe...@weeksconsulting.us>
> Sent: Friday, April 17, 2020 5:43 PM
> To: dev@nifi.apache.org
> Subject: Re: Nifi with kerberos(kdc) is not working in Nifi 1.11.4
>
> Can you verify that your KDC Realm is really NIFI.COM and that
> it's defined in /etc/krb5.conf?
>
> Thanks
> Shawn
>
> On 4/17/20, 5:14 AM, "Ganesh, B (Nokia - IN/Bangalore)" <
> b.gan...@nokia.com> wrote:
>
> Hi ,
>
> I am facing issue with Nifi 1.11.4 in Kerberos mode ,
> whereas nifi 1.9.2 not seeing this issue .
> I am using kdc version as 2.2.5
>
> Can anybody help me on this ?
>
> REST call to
> 'https://10.75.156.102:30088/nifi-api/flow/client-id
> is failed with below error
>
> java.lang.IllegalArgumentException: The supplied username and
> password are not valid.}. Returning Bad Request} response."}
> java.lang.IllegalArgumentException: The supplied username and
> password are not valid.
> at
> org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:735)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by:
> org.apache.nifi.authentication.exception.InvalidLoginCredentialsException:
> Kerberos authentication failed
> ... 84 common frames omitted
> Caused by:
> org.springframework.security.authentication.BadCredentialsException:
> Kerberos authentication failed
> at
> org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
> ... 86 common frames omitted
> Caused by: javax.security.auth.login.LoginException: Cannot
> locate KDC
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
> .java:59)
> ... 88 common frames omitted
> Caused by: sun.security.krb5.KrbException: Cannot locate KDC
> at
> java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:125
> 9)
>
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:744)
> ... 96 common frames omitted
> Caused by: sun.security.krb5.KrbException: Generic error
> (description in e-text) (60) - Unable to locate KDC for realm NIFI.COM
> at
> java.security.jgss/sun.security.krb5.Config.getKDCFromDNS(Config.java:1356)
> at
> java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1232)
> ... 101 common frames omitted
>
>
>
>
>
>
>
>
