Re: Nifi authentication through Kerberos issues
That was it! I pulled out the line "renew_lifetime = 7d" and it worked! Thank you so much.

On Thu, Apr 1, 2021 at 7:40 AM Bryan Bende wrote:
> The important part is:
>
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
>
> The code that produces this exception looks like this:
>
>     // Reply to a renewable request should be renewable, but if request does
>     // not contain renewable, KDC is free to issue a renewable ticket (for
>     // example, if ticket_lifetime is too big).
>     if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
>             !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
>         throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
>     }
>
> From googling, a possible solution here:
> https://bugs.centos.org/view.php?id=17000
>
> On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson wrote:
> >
> > It doesn't look like anything to me, but here's the stacktrace for when
> > logback.xml has all of the user_file stuff in debug mode:
> >
> > 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
> > 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.
> >         at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
> >         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
> >         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
> >         at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
> >         at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
> >         at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
> >         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
> >         at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
> >         at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
> >         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
> >         at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
> >         at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> >         at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> >         at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
> >         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
> >         at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
> >         at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
> >         at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
> >         at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
> >         at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
> >         at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
> >         at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
> >         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
> >         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
> >         at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
> >         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
>
Re: Nifi authentication through Kerberos issues
Richardson wrote:
> Correct.
>
> # kinit admin@MY.REALM
> Password for admin@MY.REALM:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@MY.REALM
>
> Valid starting       Expires              Service principal
> 03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
>
> On Wed, Mar 31, 2021, 1:13 PM Bryan Bende wrote:
>
>> So from a terminal on the nifi server, you can run "kinit
>> admin@MY.REALM" and enter the password and it works, and this same
>> principal and password entered into NiFi's login screen does not work?
>>
>> On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson wrote:
>> >
>> > I'm working on transitioning a nifi instance we deploy with Kerberos and
>> > I'm having some trouble authenticating. Everything looks correct, but when
>> > I try to log in with any of my created users, I get an error message:
>> >
>> > The supplied username and password are not valid.
>> >
>> > Everything on nifi without https was working, and everything I've created
>> > on the Kerberos side looks and works as expected, I just haven't been able
>> > to get a user to log in to the Nifi UI.
>> >
>> > Here are some of my config files, is there anything I'm missing or have
>> > incorrect?
>> >
>> > ---
>> >
>> > Authorizers.xml:
>> >
>> > file-user-group-provider
>> > org.apache.nifi.authorization.FileUserGroupProvider
>> > ./conf/users.xml
>> >
>> > file-access-policy-provider
>> > org.apache.nifi.authorization.FileAccessPolicyProvider
>> > file-user-group-provider
>> > ./conf/authorizations.xml
>> > admin@MY.REALM
>> >
>> > managed-authorizer
>> > org.apache.nifi.authorization.StandardManagedAuthorizer
>> > file-access-policy-provider
>> >
>> > file-provider
>> > org.apache.nifi.authorization.FileAuthorizer
>> > ./conf/authorizations.xml
>> > ./conf/users.xml
>> > admin@MY.REALM
>> >
>> > -
>> >
>> > Relevant nifi.properties:
>> > nifi.security.user.authorizer=file-provider
>> > nifi.security.user.login.identity.provider=kerberos-provider
>> > # kerberos #
>> > nifi.kerberos.krb5.file= /etc/krb5.conf
>> > nifi.kerberos.service.principal=admin@MY.REALM
>> > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
>> >
>> > -
>> >
>> > Login-identity-provider.xml
>> >
>> > kerberos-provider
>> > org.apache.nifi.kerberos.KerberosProvider
>> > MY.REALM
>> > 12 hours
>> >
>> > ---
>> >
>> > /etc/krb5.conf:
>> > [logging]
>> > default = FILE:/var/log/krb5libs.log
>> > kdc = FILE:/var/log/krb5kdc.log
>> > admin_server = FILE:/var/log/kadmind.log
>> >
>> > [libdefaults]
>> > ticket_lifetime = 24h
>> > renew_lifetime = 7d
>> > forwardable = true
>> > default_realm = MY.REALM
>> >
>> > [realms]
>> > RO.INTERNAL = {
>> > kdc = nifi-djr5.ro.internal:88
>> > admin_server = nifi-djr5.my.realm:749
>> > default_domain = my.realm
>> > }
>> >
>> > [domain_realm]
>> > .my.realm = MY.REALM
>> > my.realm = MY.REALM
>> >
>> > [kdc]
>> > profile = /var/kerberos/krb5kdc/kdc.conf
>> >
>> > ---
>> >
>> > Any help would be greatly appreciated!
>>
Re: Nifi authentication through Kerberos issues
Correct.

# kinit admin@MY.REALM
Password for admin@MY.REALM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting       Expires              Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM

On Wed, Mar 31, 2021, 1:13 PM Bryan Bende wrote:
> So from a terminal on the nifi server, you can run "kinit
> admin@MY.REALM" and enter the password and it works, and this same
> principal and password entered into NiFi's login screen does not work?
>
> On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson wrote:
> >
> > I'm working on transitioning a nifi instance we deploy with Kerberos and
> > I'm having some trouble authenticating. Everything looks correct, but when
> > I try to log in with any of my created users, I get an error message:
> >
> > The supplied username and password are not valid.
> >
> > Everything on nifi without https was working, and everything I've created
> > on the Kerberos side looks and works as expected, I just haven't been able
> > to get a user to log in to the Nifi UI.
> >
> > Here are some of my config files, is there anything I'm missing or have
> > incorrect?
> >
> > ---
> >
> > Authorizers.xml:
> >
> > file-user-group-provider
> > org.apache.nifi.authorization.FileUserGroupProvider
> > ./conf/users.xml
> >
> > file-access-policy-provider
> > org.apache.nifi.authorization.FileAccessPolicyProvider
> > file-user-group-provider
> > ./conf/authorizations.xml
> > admin@MY.REALM
> >
> > managed-authorizer
> > org.apache.nifi.authorization.StandardManagedAuthorizer
> > file-access-policy-provider
> >
> > file-provider
> > org.apache.nifi.authorization.FileAuthorizer
> > ./conf/authorizations.xml
> > ./conf/users.xml
> > admin@MY.REALM
> >
> > -
> >
> > Relevant nifi.properties:
> > nifi.security.user.authorizer=file-provider
> > nifi.security.user.login.identity.provider=kerberos-provider
> > # kerberos #
> > nifi.kerberos.krb5.file= /etc/krb5.conf
> > nifi.kerberos.service.principal=admin@MY.REALM
> > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
> >
> > -
> >
> > Login-identity-provider.xml
> >
> > kerberos-provider
> > org.apache.nifi.kerberos.KerberosProvider
> > MY.REALM
> > 12 hours
> >
> > ---
> >
> > /etc/krb5.conf:
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > default_realm = MY.REALM
> >
> > [realms]
> > RO.INTERNAL = {
> > kdc = nifi-djr5.ro.internal:88
> > admin_server = nifi-djr5.my.realm:749
> > default_domain = my.realm
> > }
> >
> > [domain_realm]
> > .my.realm = MY.REALM
> > my.realm = MY.REALM
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > ---
> >
> > Any help would be greatly appreciated!
>
Nifi authentication through Kerberos issues
I'm working on transitioning a nifi instance we deploy with Kerberos and I'm having some trouble authenticating. Everything looks correct, but when I try to log in with any of my created users, I get an error message:

The supplied username and password are not valid.

Everything on nifi without https was working, and everything I've created on the Kerberos side looks and works as expected, I just haven't been able to get a user to log in to the Nifi UI.

Here are some of my config files, is there anything I'm missing or have incorrect?

---

Authorizers.xml:

file-user-group-provider
org.apache.nifi.authorization.FileUserGroupProvider
./conf/users.xml

file-access-policy-provider
org.apache.nifi.authorization.FileAccessPolicyProvider
file-user-group-provider
./conf/authorizations.xml
admin@MY.REALM

managed-authorizer
org.apache.nifi.authorization.StandardManagedAuthorizer
file-access-policy-provider

file-provider
org.apache.nifi.authorization.FileAuthorizer
./conf/authorizations.xml
./conf/users.xml
admin@MY.REALM

-

Relevant nifi.properties:
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider
# kerberos #
nifi.kerberos.krb5.file= /etc/krb5.conf
nifi.kerberos.service.principal=admin@MY.REALM
nifi.kerberos.service.keytab.location=/etc/kadm5.keytab

-

Login-identity-provider.xml

kerberos-provider
org.apache.nifi.kerberos.KerberosProvider
MY.REALM
12 hours

---

/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = MY.REALM

[realms]
RO.INTERNAL = {
kdc = nifi-djr5.ro.internal:88
admin_server = nifi-djr5.my.realm:749
default_domain = my.realm
}

[domain_realm]
.my.realm = MY.REALM
my.realm = MY.REALM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

---

Any help would be greatly appreciated!
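A small checker for the failure mode this thread arrives at: the JDK's RENEWABLE check that Bryan quotes in his reply, applied to the krb5.conf posted in this message. This is an added example written for this page, not code from the thread, from the JDK or from NiFi. It parses a constructed copy of the posted krb5.conf, reads the ticket flags from constructed MIT `klist -f` output, and reports when the quoted JDK check would throw KrbApErrException 41 ("Message stream modified"). Assumptions the thread does not state: the JDK asks the KDC for a RENEWABLE TGT whenever `renew_lifetime` is set in `[libdefaults]`; the `klist -f` sample is constructed (the thread's klist was run without `-f`) and its `Flags:` line uses MIT's letters, with `R` meaning renewable. The `[realms]` check only compares the stanza name with `default_realm`; in the config as pasted the two differ, which may simply be a redaction artifact.

```python
"""Model the JDK renewable-ticket check against a krb5.conf and klist -f output.

Added example for this thread; assumptions are marked in the comments.
"""
import re

# Constructed copy of the krb5.conf posted in the thread (logging section shortened).
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM
"""

# Constructed `klist -f` output: flags FIA (forwardable, initial, preauth), no R,
# i.e. the KDC issued a non-renewable TGT. The thread's klist had no -f.
SAMPLE_KLIST_F = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting       Expires              Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
\tFlags: FIA
"""

KRB_AP_ERR_MODIFIED = 41  # code in the exception quoted in the thread


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] of key = value lines, with one level
    of `NAME = { ... }` sub-blocks as used by [realms]."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line.endswith("{"):
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        (block if block is not None else section)[key.strip()] = value.strip()
    return sections


def ticket_flags(klist_f_output, service_prefix="krbtgt/"):
    """Flag letters of the first ticket for `service_prefix` in `klist -f` output
    (MIT prints them on the line after the ticket); '' if no Flags line found."""
    lines = klist_f_output.splitlines()
    for i, line in enumerate(lines):
        if service_prefix in line and i + 1 < len(lines):
            m = re.search(r"Flags:\s*(\S*)", lines[i + 1])
            if m:
                return m.group(1)
    return ""


def jdk_would_reject(conf, flags):
    """The quoted JDK check: RENEWABLE requested but the issued ticket lacks R.
    Assumption: the JDK sets RENEWABLE in the AS-REQ when renew_lifetime is set."""
    requested_renewable = "renew_lifetime" in conf.get("libdefaults", {})
    return requested_renewable and "R" not in flags


def lint(conf, flags):
    """Return (code, message) findings for a parsed config and observed flags."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm, realms = libdefaults.get("default_realm"), conf.get("realms", {})
    if realm and realm not in realms:
        findings.append(("REALM_STANZA_MISSING",
                         f"default_realm {realm} has no [realms] entry "
                         f"(found: {', '.join(realms) or 'none'})"))
    if "renew_lifetime" in libdefaults:
        findings.append(("RENEWABLE_REQUESTED",
                         "renew_lifetime is set, so Java clients will ask for a "
                         "renewable TGT; the KDC must be allowed to issue one"))
    if flags and jdk_would_reject(conf, flags):
        findings.append(("KRB_AP_ERR_MODIFIED",
                         f"ticket flags '{flags}' lack R: the JDK raises "
                         f"KrbApErrException({KRB_AP_ERR_MODIFIED}), Message stream modified"))
    return findings


def lint_text(conf_text, klist_text):
    return lint(parse_krb5_conf(conf_text), ticket_flags(klist_text))


if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_KRB5_CONF, SAMPLE_KLIST_F):
        print(f"{code}: {msg}")
    # The fix taken in the thread: drop renew_lifetime, and the JDK check no longer fires.
    fixed = SAMPLE_KRB5_CONF.replace(" renew_lifetime = 7d\n", "")
    print("after removing renew_lifetime:", [c for c, _ in lint_text(fixed, SAMPLE_KLIST_F)])
```

Removing `renew_lifetime` is the client-side way to satisfy the check, which is what the thread ended up doing. The other way is to let the KDC issue renewable tickets (on MIT, `max_renewable_life` in kdc.conf and on the principals involved), which is the direction the CentOS bug Bryan links discusses; either way, `klist -f` showing an `R` flag after `kinit` is the quick confirmation that the JDK check will pass.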