[ https://issues.apache.org/jira/browse/NIFI-3480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954806#comment-15954806 ]

Misha Wakerman edited comment on NIFI-3480 at 4/4/17 8:29 AM:
--------------------------------------------------------------

Hey folks, possibly not the right place to raise this but I just spent the good 
part of two days trying to get nifi v1.1.1 running secured with anonymous user 
access. The docs were criminally misleading prior to the change involved in 
this ticket but are still dangerously misleading and it was only this ticket 
and the line "The only way to configure a secured instance with anonymous 
access is via LDAP or Kerberos and configuration of the authorizer to 
explicitly allow anonymous access" that made me realise I was chasing a wild 
goose.

Specifically (not all from the nifi docs):

* -{{nifi.security.truststore}} - Filename of the Truststore that will be used 
to authorize those connecting to NiFi. If not set, all who attempt to connect 
will be provided access as the Anonymous user.- Now fixed.

* {{nifi.security.needClientAuth}} | Specifies whether or not connecting clients 
must authenticate themselves. Specifically this property is used by the NiFi 
cluster protocol. If the Truststore properties are not set, this must be false. 
Otherwise, a value of true indicates that nodes in the cluster will be 
authenticated and must have certificates that are trusted by the Truststores.

* Mentioned in 
https://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_AdminGuide/content/system_properties.html
 and 
https://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_AdminGuide/content/security-configuration.html
 but not in NiFi admin guide: {{nifi.security.anonymous.authorities}} | This 
indicates what roles to grant to anonymous users accessing NiFi over HTTPS. It 
is blank by default, but could be set to any combination of ROLE_MONITOR, 
ROLE_DFM, ROLE_ADMIN, ROLE_PROVENANCE, ROLE_NIFI. Leaving this property blank 
will require that users accessing NiFi over HTTPS be authenticated either using 
a client certificate or their credentials against the configured login identity 
provider.

Anyway, if the docs simply had the line quoted above in them then it would be 
much more obvious that Anonymous SSL access is not possible with a 
FileAuthorizer (aware that this might not always be the case; see NIFI-2730).



> Fix incorrect Admin Guide documentation regarding anonymous access
> ------------------------------------------------------------------
>
>                 Key: NIFI-3480
>                 URL: https://issues.apache.org/jira/browse/NIFI-3480
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Documentation & Website
>    Affects Versions: 1.1.1
>            Reporter: Andy LoPresto
>            Assignee: Andrew Lim
>            Priority: Trivial
>              Labels: documentation, security
>
> The Admin Guide *Security Configuration* section states
> {quote}
> {{nifi.security.truststore}}
> Filename of the Truststore that will be used to authorize those connecting to 
> NiFi. If not set, all who attempt to connect will be provided access as the 
> *Anonymous* user.
> {quote}
> This is incorrect and misleading. The only way to configure a secured 
> instance with anonymous access is via LDAP or Kerberos and configuration of 
> the authorizer to explicitly allow anonymous access. Configuring a secured 
> instance with no truststore will simply refuse all incoming connections. 
> With {{nifi.security.needClientAuth}} set to {{true}} or empty (default):
> {code}
> 2017-02-14 12:03:05,546 WARN [Thread-1] org.apache.nifi.web.server.JettyServer Failed to stop web server
> org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
>       at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
>       at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextDestroyed(ApplicationStartupContextListener.java:103) ~[na:na]
>       at org.eclipse.jetty.server.handler.ContextHandler.callContextDestroyed(ContextHandler.java:845) ~[na:na]
>       at org.eclipse.jetty.servlet.ServletContextHandler.callContextDestroyed(ServletContextHandler.java:546) ~[na:na]
>       at org.eclipse.jetty.server.handler.ContextHandler.stopContext(ContextHandler.java:826) ~[na:na]
>       at org.eclipse.jetty.servlet.ServletContextHandler.stopContext(ServletContextHandler.java:356) ~[na:na]
>       at org.eclipse.jetty.webapp.WebAppContext.stopWebapp(WebAppContext.java:1410) ~[na:na]
>       at org.eclipse.jetty.webapp.WebAppContext.stopContext(WebAppContext.java:1374) ~[na:na]
>       at org.eclipse.jetty.server.handler.ContextHandler.doStop(ContextHandler.java:874) ~[na:na]
>       at org.eclipse.jetty.servlet.ServletContextHandler.doStop(ServletContextHandler.java:272) ~[na:na]
>       at org.eclipse.jetty.webapp.WebAppContext.doStop(WebAppContext.java:544) ~[na:na]
>       at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
>       at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
>       at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
>       at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
>       at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
>       at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
>       at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
>       at org.eclipse.jetty.server.Server.doStop(Server.java:482) ~[na:na]
>       at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
>       at org.apache.nifi.web.server.JettyServer.stop(JettyServer.java:854) ~[na:na]
>       at org.apache.nifi.NiFi.shutdownHook(NiFi.java:188) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
>       at org.apache.nifi.NiFi$2.run(NiFi.java:89) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
>       at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
>       at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
>       at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
>       at org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48) ~[na:na]
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
>       ... 33 common frames omitted
> Caused by: org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
>       at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:66) ~[na:na]
>       at org.apache.nifi.controller.FlowController.<init>(FlowController.java:440) ~[na:na]
>       at org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375) ~[na:na]
>       at org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74) ~[na:na]
>       at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
>       ... 40 common frames omitted
> 2017-02-14 12:03:05,547 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server shutdown completed (nicely or otherwise).
> {code}
> With {{nifi.security.needClientAuth}} explicitly set to {{false}}: no errors 
> in {{logs/nifi-app.log}} but the browser will not be able to make a 
> connection and will get the {{ERR_CONNECTION_REFUSED}} response. 
> The Admin Guide should be updated to reflect the correct information. 
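As an added example (not NiFi project code and not part of this ticket), a small Python check that applies the rules the ticket and the comment above state to a nifi.properties file: which truststore/needClientAuth combinations fail on a secured instance and how, and that anonymous access needs a login identity provider rather than the HDF-only anonymous.authorities property. The keys for the HTTPS port and the login identity provider are assumed from the NiFi 1.x admin guide; the sample property files are constructed.

```python
# Added example, not NiFi project code: applies the rules stated in NIFI-3480
# and in the comment above to a nifi.properties file. The https-port and
# login-identity-provider keys are assumed from the NiFi 1.x admin guide.
TRUSTSTORE = "nifi.security.truststore"
NEED_CLIENT_AUTH = "nifi.security.needClientAuth"
LOGIN_PROVIDER = "nifi.security.user.login.identity.provider"  # assumed key
HTTPS_PORT = "nifi.web.https.port"  # assumed key
LEGACY_ANON = "nifi.security.anonymous.authorities"  # HDF 1.x docs only


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_secured_config(props):
    """Return (severity, message) findings for an HTTPS-enabled instance."""
    findings = []
    if not props.get(HTTPS_PORT):
        return findings  # plain HTTP: not a secured instance, nothing to check
    if not props.get(TRUSTSTORE):
        if props.get(NEED_CLIENT_AUTH, "").lower() in ("", "true"):
            # Startup aborts with SslContextCreationException (the ticket's log)
            findings.append(("FATAL", "needClientAuth true/empty but no truststore set"))
        else:
            # Starts without log errors, but browsers get ERR_CONNECTION_REFUSED
            findings.append(("FATAL", "no truststore: every connection is refused"))
    if not props.get(LOGIN_PROVIDER):
        # Without LDAP/Kerberos, only client certificates can authenticate
        findings.append(("INFO", "no login identity provider: anonymous access impossible"))
    if props.get(LEGACY_ANON):
        findings.append(("WARN", LEGACY_ANON + " is an HDF 1.x property; grant anonymous "
                                 "access in the authorizer instead"))
    return findings


# Constructed sample property files: the ticket's failing setup and a working one.
BROKEN = "nifi.web.https.port=9443\nnifi.security.truststore=\nnifi.security.needClientAuth=\n"
SECURED = ("nifi.web.https.port=9443\nnifi.security.truststore=./conf/truststore.jks\n"
           "nifi.security.needClientAuth=false\n"
           "nifi.security.user.login.identity.provider=ldap-provider\n")
```

Running `check_secured_config(parse_properties(BROKEN))` reports the fatal truststore finding plus the note that anonymous access is impossible without a login identity provider; the SECURED sample yields no findings.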



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)