moustafa created NIFI-9665:
------------------------------
Summary: can't use cli.sh (nifi toolkit) for connect with
certificats
Key: NIFI-9665
URL: https://issues.apache.org/jira/browse/NIFI-9665
Project: Apache NiFi
Issue Type: Bug
Components: Tools and Build
Affects Versions: 1.15.3
Reporter: moustafa
I can't connect to nifi with toolkit cli using certificate.
Command used
/opt/nifi-toolkit/nifi-toolkit-current/bin/cli.sh nifi get-root-id --baseUrl
https://nifi-cia.training.XXX.com:8443 -ks /opt/certs/nifi_training_XX.jks -kst
JKS -ksp xxx-xxx -kp xxxx-xxx --truststore
/opt/certs/nifi_training_xxxtruststore.jks --truststoreType JKS
--truststorePasswd -xxxxxxx --verbose
I see this logs :
___________________________________________________________________________
ERROR: Error executing command 'get-root-id' : Error retrieving process group
flow: Anonymous authentication has not been configured.
org.apache.nifi.toolkit.cli.api.CommandException: Error executing command
'get-root-id' : Error retrieving process group flow: Anonymous authentication
has not been configured.
at
org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:65)
at
org.apache.nifi.toolkit.cli.impl.command.AbstractPropertyCommand.execute(AbstractPropertyCommand.java:74)
at
org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processCommand(CommandProcessor.java:252)
at
org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processGroupCommand(CommandProcessor.java:233)
at
org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.process(CommandProcessor.java:188)
at
org.apache.nifi.toolkit.cli.CLIMain.runSingleCommand(CLIMain.java:145)
at org.apache.nifi.toolkit.cli.CLIMain.main(CLIMain.java:72)
Caused by: org.apache.nifi.toolkit.cli.impl.client.nifi.NiFiClientException:
Error retrieving process group flow: Anonymous authentication has not been
configured.
at
org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:90)
at
org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.getProcessGroup(JerseyFlowClient.java:87)
at
org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.getRootGroupId(JerseyFlowClient.java:77)
at
org.apache.nifi.toolkit.cli.impl.command.nifi.flow.GetRootId.doExecute(GetRootId.java:46)
at
org.apache.nifi.toolkit.cli.impl.command.nifi.flow.GetRootId.doExecute(GetRootId.java:31)
at
org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:63)
... 6 more
Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
at
org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:910)
at
org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:723)
at
org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:643)
at
org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:665)
at
org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:659)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
at
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
at
org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:659)
at
org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:642)
at
org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:417)
at
org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
at
org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.lambda$getProcessGroup$1(JerseyFlowClient.java:92)
at
org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:76)
... 11 more
__________________________________________________________________________
I see also on nifi-user.log ( DEBUG)
--------------------------------------------------------------------------------------
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26]
o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-02-09 18:30:30,639 INFO [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.23.91.86
[<anonymous>] GET
https://nifi-cia.training.xxxxx.com:8443/nifi-api/flow/process-groups/root
2022-02-09 18:30:30,639 WARN [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.23.91.86 GET
https://nifi-cia.training.xxxxx.com:8443/nifi-api/flow/process-groups/root
[Anonymous authentication has not been configured.]
2022-02-09 18:30:30,639 DEBUG [NiFi Web Server-26]
o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed
org.apache.nifi.web.security.InvalidAuthenticationException: Anonymous
authentication has not been configured.
at
org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationProvider.authenticate(NiFiAnonymousAuthenticationProvider.java:46)
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
at
org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:73)
at
org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at
org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
at
org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:121)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at
org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
----------------------------------------------------------------------------------
I tested with sample curl ( using cert/key used for create jks) and it works :
curl -k --cert /opt/certs/nifi-cia_training_xxxxxx_com.pem --key
/opt/certs/nifi-cia_training_xxxxx_com.key
https://nifi-cia.training.xxxxxx.com:8443/nifi-api/flow/process-groups/root
{"permissions":\{"canRead":false,"canWrite":false},"processGroupFlow":\{"id":"dd746fc4-017e-1000-5591-6ff67d62a0e1","uri":"https://nifi-cia.training.xxxxxx.com:8443/nifi-api/flow/process-groups/dd746fc4-017e-1000-5591-6ff67d62a0e1","breadcrumb":{"id":"dd746fc4-017e-1000-5591-6ff67d62a0e1","permissions":{"canRead":false,"canWrite":false}},"flow":\{"processGroups":[],"remoteProcessGroups":[],"processors":[],"inputPorts":[],"outputPorts":[],"connections":[],"labels":[],"funnels":[]},"lastRefreshed":"18:34:43
CET"}}
the same jks is working with nifi/nifi toolkit 1.12.1
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
