So from a terminal on the nifi server, you can run "kinit admin@MY.REALM" and enter the password and it works, and this same principal and password entered into NiFi's login screen does not work?
On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson <djr...@gmail.com> wrote:
>
> I'm working on transitioning a nifi instance we deploy with Kerberos and
> I'm having some trouble authenticating. Everything looks correct, but when
> I try to log in with any of my created users, I get an error message:
>
> The supplied username and password are not valid.
>
> Everything on nifi without https was working, and everything I've created
> on the Kerberos side looks and works as expected, I just haven't been able
> to get a user to log in to the Nifi UI.
>
> Here are some of my config files, is there anything I'm missing or have
> incorrect?
>
> ---------------------------
>
> Authorizers.xml:
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Legacy Authorized Users File"></property>
>
>         <property name="Initial User Identity 1"></property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">admin@MY.REALM</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Node Identity 1"></property>
>         <property name="Node Group"></property>
>     </accessPolicyProvider>
>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
>
>     <authorizer>
>         <identifier>file-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAuthorizer</class>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Initial Admin Identity">admin@MY.REALM</property>
>         <property name="Legacy Authorized Users File"></property>
>
>         <property name="Node Identity 1"></property>
>     </authorizer>
> </authorizers>
>
> -------------------------------------
>
> Relevant nifi.properties:
> nifi.security.user.authorizer=file-provider
> nifi.security.user.login.identity.provider=kerberos-provider
> # kerberos #
> nifi.kerberos.krb5.file= /etc/krb5.conf
> nifi.kerberos.service.principal=admin@MY.REALM
> nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
>
> -------------------------------------
>
> Login-identity-provider.xml
> <loginIdentityProviders>
>     <provider>
>         <identifier>kerberos-provider</identifier>
>         <class>org.apache.nifi.kerberos.KerberosProvider</class>
>         <property name="Default Realm">MY.REALM</property>
>         <property name="Authentication Expiration">12 hours</property>
>     </provider>
> </loginIdentityProviders>
>
> ---------------------------------------
>
> /etc/krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_realm = MY.REALM
>
> [realms]
> RO.INTERNAL = {
>     kdc = nifi-djr5.ro.internal:88
>     admin_server = nifi-djr5.my.realm:749
>     default_domain = my.realm
> }
>
> [domain_realm]
> .my.realm = MY.REALM
> my.realm = MY.REALM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> -------------------------------------------
>
> Any help would be greatly appreciated!
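One check that narrows down a report like the one quoted above, as an added example that is neither the poster's configuration nor NiFi's code: a small parser for the krb5.conf format plus a consistency pass that flags any realm named by default_realm or [domain_realm] that has no [realms] stanza. The sample file is constructed to have the same shape as the quoted one, where the only realm stanza is RO.INTERNAL while the default realm and domain mappings name MY.REALM.

```python
# Constructed krb5.conf sample shaped like the one quoted above: default_realm
# names MY.REALM, but the only [realms] stanza defines RO.INTERNAL.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MY.REALM
[realms]
RO.INTERNAL = {
    kdc = nifi-djr5.ro.internal:88
    admin_server = nifi-djr5.my.realm:749
}
[domain_realm]
.my.realm = MY.REALM
my.realm = MY.REALM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {key: value}}}; one '{ }' level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # new [section]
            section = conf.setdefault(line[1:-1], {})
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":  # end of a nested block such as a realm stanza
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":  # start of a nested block, e.g. RO.INTERNAL = {
            block = section.setdefault(key, {})
        else:
            (section if block is None else block)[key] = value
    return conf

def check_realm_consistency(conf):
    """List realms named by default_realm or [domain_realm] with no [realms] stanza."""
    defined = set(conf.get("realms", {}))
    findings = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default and default not in defined:
        findings.append("default_realm %s has no [realms] stanza" % default)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in defined:
            findings.append("domain_realm %s -> %s: realm not defined" % (domain, realm))
    return findings
```

Run it against the file that nifi.kerberos.krb5.file points to on the NiFi host: a realm it reports has no KDC address configured, so unless DNS SRV lookup is enabled the Kerberos library has nowhere to send that realm's authentication requests.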