Andy LoPresto created NIFI-3480:
-----------------------------------
Summary: Fix incorrect Admin Guide documentation regarding anonymous access
Key: NIFI-3480
URL: https://issues.apache.org/jira/browse/NIFI-3480
Project: Apache NiFi
Issue Type: Improvement
Components: Documentation & Website
Affects Versions: 1.1.1
Reporter: Andy LoPresto
Priority: Trivial
The Admin Guide *Security Configuration* section states
> nifi.security.truststore
> Filename of the Truststore that will be used to authorize those connecting to
> NiFi. If not set, all who attempt to connect will be provided access as the
> *Anonymous* user.
This is incorrect and misleading. The only way to configure a secured instance
with anonymous access is via LDAP or Kerberos and configuration of the
authorizer to explicitly allow anonymous access. Configuring a secured instance
with no truststore will simply refuse all incoming connections.
With {{nifi.security.needClientAuth}} set to {{true}} or empty (default):
{code}
2017-02-14 12:03:05,546 WARN [Thread-1] org.apache.nifi.web.server.JettyServer Failed to stop web server
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
	at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextDestroyed(ApplicationStartupContextListener.java:103) ~[na:na]
	at org.eclipse.jetty.server.handler.ContextHandler.callContextDestroyed(ContextHandler.java:845) ~[na:na]
	at org.eclipse.jetty.servlet.ServletContextHandler.callContextDestroyed(ServletContextHandler.java:546) ~[na:na]
	at org.eclipse.jetty.server.handler.ContextHandler.stopContext(ContextHandler.java:826) ~[na:na]
	at org.eclipse.jetty.servlet.ServletContextHandler.stopContext(ServletContextHandler.java:356) ~[na:na]
	at org.eclipse.jetty.webapp.WebAppContext.stopWebapp(WebAppContext.java:1410) ~[na:na]
	at org.eclipse.jetty.webapp.WebAppContext.stopContext(WebAppContext.java:1374) ~[na:na]
	at org.eclipse.jetty.server.handler.ContextHandler.doStop(ContextHandler.java:874) ~[na:na]
	at org.eclipse.jetty.servlet.ServletContextHandler.doStop(ServletContextHandler.java:272) ~[na:na]
	at org.eclipse.jetty.webapp.WebAppContext.doStop(WebAppContext.java:544) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
	at org.eclipse.jetty.server.Server.doStop(Server.java:482) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
	at org.apache.nifi.web.server.JettyServer.stop(JettyServer.java:854) ~[na:na]
	at org.apache.nifi.NiFi.shutdownHook(NiFi.java:188) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
	at org.apache.nifi.NiFi$2.run(NiFi.java:89) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
	at org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48) ~[na:na]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
	... 33 common frames omitted
Caused by: org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
	at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:66) ~[na:na]
	at org.apache.nifi.controller.FlowController.<init>(FlowController.java:440) ~[na:na]
	at org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375) ~[na:na]
	at org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74) ~[na:na]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
	... 40 common frames omitted
2017-02-14 12:03:05,547 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server shutdown completed (nicely or otherwise).
{code}
With {{nifi.security.needClientAuth}} explicitly set to {{false}}: no errors in
{{logs/nifi-app.log}} but the browser will not be able to make a connection and
will get the {{ERR_CONNECTION_REFUSED}} response.
The Admin Guide should be updated to reflect the correct information.
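A pre-start check that maps a `nifi.properties` file to the outcomes reported in this issue. This is an added example, not part of the issue or of NiFi's code. It assumes an instance counts as secured when `nifi.web.https.port` is set and treats a missing `nifi.security.needClientAuth` key as empty; the outcome labels and sample inputs are constructed for illustration.

```python
# Added example: classify nifi.properties against the behaviour reported in
# NIFI-3480. Outcome labels are hypothetical names chosen for this example.

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def classify(props):
    # Assumption: the instance counts as "secured" when an HTTPS port is set.
    if not props.get("nifi.web.https.port"):
        return "unsecured"
    if props.get("nifi.security.truststore"):
        return "truststore-configured"
    need = props.get("nifi.security.needClientAuth", "").lower()
    if need in ("", "true"):
        # Startup fails: SslContextCreationException in logs/nifi-app.log.
        return "startup-failure"
    if need == "false":
        # No log errors, but browsers get ERR_CONNECTION_REFUSED.
        return "connection-refused"
    return "unrecognised-needClientAuth"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_DEFAULT = """\
nifi.web.https.port=8443
nifi.security.truststore=
nifi.security.needClientAuth=
"""
SAMPLE_NO_CLIENT_AUTH = SAMPLE_DEFAULT.replace(
    "needClientAuth=", "needClientAuth=false")

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT),
                       ("false", SAMPLE_NO_CLIENT_AUTH)]:
        print(name, "->", classify(parse_properties(text)))
```

Neither of the two no-truststore outcomes is anonymous access, which is the point the issue makes against the Admin Guide wording.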