I'm working on transitioning a NiFi instance we deploy with Kerberos and I'm having some trouble authenticating. Everything looks correct, but when I try to log in with any of my created users, I get an error message:
The supplied username and password are not valid.

Everything on NiFi without https was working, and everything I've created on the Kerberos side looks and works as expected; I just haven't been able to get a user to log in to the NiFi UI. Here are some of my config files. Is there anything I'm missing or have incorrect?

---------------------------
Authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">admin@MY.REALM</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">admin@MY.REALM</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </authorizer>
</authorizers>

-------------------------------------
Relevant nifi.properties:

nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider

# kerberos #
nifi.kerberos.krb5.file= /etc/krb5.conf
nifi.kerberos.service.principal=admin@MY.REALM
nifi.kerberos.service.keytab.location=/etc/kadm5.keytab

-------------------------------------
Login-identity-provider.xml

<loginIdentityProviders>
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">MY.REALM</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

---------------------------------------
/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

-------------------------------------------
Any help would be greatly appreciated!
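
A cross-file consistency check over the configuration quoted in the question above, as an added example that is not part of the original post and not NiFi's own code. It only reports references between the files that do not resolve; the function names are hypothetical and the embedded file contents are abbreviated copies of the values in the post.

```python
import re
import xml.etree.ElementTree as ET

# Abbreviated copies of the files quoted in the post, embedded so the check runs offline.
# Helper names (parse_props, krb5_realms, check) are hypothetical, not part of NiFi.
NIFI_PROPERTIES = """\
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider
"""
AUTHORIZERS_XML = """<authorizers>
  <authorizer><identifier>managed-authorizer</identifier></authorizer>
  <authorizer><identifier>file-provider</identifier></authorizer>
</authorizers>"""
LOGIN_PROVIDERS_XML = """<loginIdentityProviders><provider>
  <identifier>kerberos-provider</identifier>
  <property name="Default Realm">MY.REALM</property>
</provider></loginIdentityProviders>"""
KRB5_CONF = """\
[libdefaults]
 default_realm = MY.REALM
[realms]
 RO.INTERNAL = { kdc = nifi-djr5.ro.internal:88 }
"""

def parse_props(text):
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def krb5_realms(text):
    """Return (default_realm, set of realm names declared under [realms])."""
    default = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    section = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", text, re.M | re.S)
    names = re.findall(r"^\s*(\S+)\s*=\s*\{", section.group(1), re.M) if section else []
    return (default.group(1) if default else None), set(names)

def check(props, authorizers_xml, login_xml, krb5_text):
    findings = []
    auth_ids = {e.text for e in ET.fromstring(authorizers_xml).findall("./authorizer/identifier")}
    login = ET.fromstring(login_xml)
    login_ids = {e.text for e in login.findall("./provider/identifier")}
    if props.get("nifi.security.user.authorizer") not in auth_ids:
        findings.append("authorizer id not defined in authorizers.xml")
    if props.get("nifi.security.user.login.identity.provider") not in login_ids:
        findings.append("login identity provider id not defined")
    default, declared = krb5_realms(krb5_text)  # a realm missing here has no KDC in this file
    realms = {default} | {p.text for p in login.findall(".//property[@name='Default Realm']")}
    for realm in sorted(r for r in realms if r and r not in declared):
        findings.append(f"realm {realm} has no entry under [realms]")
    return findings
```
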