Hi , Thanks a lot , I will test and post the result .
Thanks & Regards, Ganesh.B -----Original Message----- From: Bryan Bende <bbe...@gmail.com> Sent: Friday, April 17, 2020 11:21 PM To: dev@nifi.apache.org Subject: Re: Nifi with kerberos(kdc) is not working in Nifi 1.11.4 In versions prior to 1.10.0, the Default Realm was never used and that was fixed with this JIRA [1]. So if it was working for you before 1.9.2, that means it was working without a Default Realm, so you should probably remove the NIFI.COM from Default Realm. [1] https://issues.apache.org/jira/browse/NIFI-6224 On Fri, Apr 17, 2020 at 1:48 PM Ganesh, B (Nokia - IN/Bangalore) < b.gan...@nokia.com> wrote: > Hi , > > In the file login-identity-providers.xml configuration is mentioned > below , but in case of Nifi 1.9.2 also it is configured as same . > > <provider> > <identifier>kerberos-provider</identifier> > <class>org.apache.nifi.kerberos.KerberosProvider</class> > <property name="Default Realm">NIFI.COM</property> > <property name="Authentication Expiration">12 hours</property> > </provider> > > > And below is the complete back trace of the issue . > > er java.lang.IllegalArgumentException: The supplied username and > password are not valid.}. Returning Bad Request} response."} > java.lang.IllegalArgumentException: The supplied username and password > are not valid. > at > org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:735) > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.base/java.lang.reflect.Method.invoke(Method.java:566) > at > org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76) > at > org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148) > at > org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191) > at > org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200) > at > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) > at > org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51) > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletH > andler.java:1610) > > at java.base/java.lang.Thread.run(Thread.java:834) > Caused by: > org.apache.nifi.authentication.exception.InvalidLoginCredentialsException: > Kerberos authentication failed > at > org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:125) > at > org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:315) > at > org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:729) > ... 84 common frames omitted > Caused by: > org.springframework.security.authentication.BadCredentialsException: > Kerberos authentication failed > at > org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66) > at > org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40) > at > org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:117) > ... 86 common frames omitted > Caused by: javax.security.auth.login.LoginException: Cannot locate KDC > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at > java.base/java.security.AccessController.doPrivileged(Native > Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at > org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59) > ... 88 common frames omitted > Caused by: sun.security.krb5.KrbException: Cannot locate KDC > at > java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1259) > at > java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:218) > at > java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:200) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:343) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:744) > ... 96 common frames omitted > Caused by: sun.security.krb5.KrbException: Generic error (description > in > e-text) (60) - Unable to locate KDC for realm NIFI.COM > at > java.security.jgss/sun.security.krb5.Config.getKDCFromDNS(Config.java:1356) > at > java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1232) > ... 101 common frames omitted > > > Thanks & Regards, > Ganesh.B > -----Original Message----- > From: Bryan Bende <bbe...@gmail.com> > Sent: Friday, April 17, 2020 8:53 PM > To: dev@nifi.apache.org > Subject: Re: Nifi with kerberos(kdc) is not working in Nifi 1.11.4 > > Check your Default Realm in login-identity-providers.xml > > On Fri, Apr 17, 2020 at 11:05 AM Shawn Weeks > <swe...@weeksconsulting.us> > wrote: > > > For some reason NiFi is trying to use the realm NIFI.COM. I'd search > > through your config files and your Kerberos Credential Service and > > see where that's coming from. > > > > Thanks > > > > On 4/17/20, 7:49 AM, "Ganesh, B (Nokia - IN/Bangalore)" < > > b.gan...@nokia.com> wrote: > > > > Hi , > > > > no , > > default_realm = NOKIA.COM > > > > > > > > -----Original Message----- > > From: Shawn Weeks <swe...@weeksconsulting.us> > > Sent: Friday, April 17, 2020 5:43 PM > > To: dev@nifi.apache.org > > Subject: Re: Nifi with kerberos(kdc) is not working in Nifi > > 1.11.4 > > > > Can you verify that your KDC Realm is really NIFI.COM and that > > it's defined in /etc/krb5.conf? > > > > Thanks > > Shawn > > > > On 4/17/20, 5:14 AM, "Ganesh, B (Nokia - IN/Bangalore)" < > > b.gan...@nokia.com> wrote: > > > > Hi , > > > > I am facing issue with Nifi 1.11.4 in Kerberos mode , > > whereas nifi 1.9.2 not seeing this issue . > > I am using kdc version as 2.2.5 > > > > Can anybody help me on this ? > > > > REST call to > > 'https://10.75.156.102:30088/nifi-api/flow/client-id > > is failed with below error > > > > java.lang.IllegalArgumentException: The supplied username > > and password are not valid.}. Returning Bad Request} response."} > > java.lang.IllegalArgumentException: The supplied username > > and password are not valid. > > at > > > org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResourc > e.java:735) > > at > > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Nati > > ve > > Method) > > at java.base/java.lang.Thread.run(Thread.java:834) > > Caused by: > > > org.apache.nifi.authentication.exception.InvalidLoginCredentialsException: > > Kerberos authentication failed > > ... 84 common frames omitted > > Caused by: > > org.springframework.security.authentication.BadCredentialsException: > > Kerberos authentication failed > > at > > > org.springframework.security.kerberos.authentication.sun.SunJaasKerber > osClient.login(SunJaasKerberosClient.java:66) > > ... 86 common frames omitted > > Caused by: javax.security.auth.login.LoginException: Cannot > > locate KDC > > at > > > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attempt > Authentication(Krb5LoginModule.java:782) > > .java:59) > > ... 88 common frames omitted > > Caused by: sun.security.krb5.KrbException: Cannot locate KDC > > at > > java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1 > > 25 > > 9) > > > > at > > > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attempt > Authentication(Krb5LoginModule.java:744) > > ... 96 common frames omitted > > Caused by: sun.security.krb5.KrbException: Generic error > > (description in e-text) (60) - Unable to locate KDC for realm NIFI.COM > > at > > > java.security.jgss/sun.security.krb5.Config.getKDCFromDNS(Config.java: > 1356) > > at > > java.security.jgss/sun.security.krb5.Config.getKDCList(Config.java:1232) > > ... 101 common frames omitted > > > > > > > > > > > > > > > > >
