Re: Nifi authentication through Kerberos issues
That was it! I pulled out the line "renew_lifetime = 7d" and it worked! Thank you so much.

On Thu, Apr 1, 2021 at 7:40 AM Bryan Bende wrote:
> The important part is:
>
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
Re: Nifi authentication through Kerberos issues
The important part is:

    Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)

The code that produces this exception looks like this:

    // Reply to a renewable request should be renewable, but if request does
    // not contain renewable, KDC is free to issue a renewable ticket (for
    // example, if ticket_lifetime is too big).
    if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
        !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
    }

From googling, a possible solution here:
https://bugs.centos.org/view.php?id=17000

On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson wrote:
> It doesn't look like anything to me, but here's the stacktrace for when
> logback.xml has all of the user_file stuff in debug mode:
>
> 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
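Editor's added example, not code from this thread, from NiFi or from the JDK: a small Python model of why the NiFi login failed while kinit on the same box succeeded. It rests on three assumptions that are mine rather than the thread's: that the JDK client sets KDCOptions.RENEWABLE on its AS-REQ whenever krb5.conf [libdefaults] contains renew_lifetime; that an MIT KDC whose effective maximum renewable life (principal, krbtgt or realm max_renewable_life) is 0 issues the ticket without the RENEWABLE flag instead of returning an error, which MIT kinit accepts; and that the JDK check quoted above then treats the downgraded reply as tampered, error 41. Derek's klist output later in the thread shows no "renew until" line for the TGT, which is consistent with the KDC having dropped the flag. The script runs offline on a constructed copy of the posted [libdefaults] section.

```python
# Added example by the editor, not code from the NiFi thread, from NiFi or
# from the JDK. It models the three pieces behind "Message stream modified":
#   1. what the JDK client asks for, based on krb5.conf [libdefaults]
#      (assumption: renew_lifetime makes the JDK set KDCOptions.RENEWABLE);
#   2. what an MIT KDC answers when the effective maximum renewable life is 0
#      (assumption: it drops the RENEWABLE flag instead of returning an error);
#   3. the JDK reply check quoted in the thread, which turns that mismatch
#      into KRB_AP_ERR_MODIFIED (41).
import re

# KDCOptions / TicketFlags bit numbers from RFC 4120, section 5.4.1.
FORWARDABLE = 1
PROXIABLE = 3
RENEWABLE = 8

KRB_AP_ERR_MODIFIED = 41  # "Message stream modified"

# Constructed sample: the [libdefaults] section from the thread, with and
# without the renew_lifetime line whose removal fixed the login.
POSTER_LIBDEFAULTS = """\
[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM
"""
FIXED_LIBDEFAULTS = POSTER_LIBDEFAULTS.replace(" renew_lifetime = 7d\n", "")


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def parse_lifetime(value):
    """Convert a krb5 duration ('7d', '24h', '10m', '3600') to seconds."""
    match = re.fullmatch(r"(\d+)\s*([dhms]?)", value)
    if not match:
        raise ValueError(f"unsupported lifetime syntax: {value!r}")
    number, unit = int(match.group(1)), match.group(2)
    return number * {"d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}[unit]


def jdk_request_options(libdefaults):
    """KDCOptions bits the JDK client sets in its AS-REQ for this krb5.conf."""
    options = set()
    if libdefaults.get("forwardable", "false").lower() == "true":
        options.add(FORWARDABLE)
    if "renew_lifetime" in libdefaults and parse_lifetime(libdefaults["renew_lifetime"]) > 0:
        options.add(RENEWABLE)
    return options


def mit_kdc_reply_flags(request_options, max_renewable_life):
    """Ticket flags an MIT KDC grants: RENEWABLE is silently dropped when the
    effective maximum renewable life (principal, krbtgt or realm) is 0."""
    flags = set(request_options)
    if max_renewable_life <= 0:
        flags.discard(RENEWABLE)
    return flags


def jdk_check_reply(request_options, reply_flags):
    """The JDK check quoted in the thread: a renewable request answered with a
    non-renewable ticket is treated as a modified message."""
    if RENEWABLE in request_options and RENEWABLE not in reply_flags:
        return KRB_AP_ERR_MODIFIED
    return 0


def diagnose(krb5_conf, max_renewable_life):
    """Krb5 error code a JDK client would raise for this krb5.conf against a
    KDC whose effective maximum renewable life is max_renewable_life seconds."""
    request = jdk_request_options(parse_libdefaults(krb5_conf))
    reply = mit_kdc_reply_flags(request, max_renewable_life)
    return jdk_check_reply(request, reply)


if __name__ == "__main__":
    cases = (("as posted", POSTER_LIBDEFAULTS), ("renew_lifetime removed", FIXED_LIBDEFAULTS))
    for label, conf in cases:
        for life in (0, parse_lifetime("7d")):
            print(f"{label:24s} max_renewable_life={life:>6d}s -> error {diagnose(conf, life)}")
```

Removing renew_lifetime, which is what fixed it here, stops the JDK from asking for a renewable ticket at all. If renewable tickets are wanted, the other way out is on the KDC side: set max_renewable_life in kdc.conf and raise it on the user and krbtgt principals with kadmin's modprinc -maxrenewlife, so the reply keeps the flag and the check passes. Either way, a Kerberos failure inside NiFi's KerberosProvider reaches the browser only as "The supplied username and password are not valid", so the Caused by line of the DEBUG trace is the one to read.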
Re: Nifi authentication through Kerberos issues
It doesn't look like anything to me, but here's the stacktrace for when logback.xml has all of the user_file stuff in debug mode:

    2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
    2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.
        at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
        at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
        at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
        at
Re: Nifi authentication through Kerberos issues
Correct.

    # kinit admin@MY.REALM
    Password for admin@MY.REALM:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin@MY.REALM

    Valid starting       Expires              Service principal
    03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM

On Wed, Mar 31, 2021, 1:13 PM Bryan Bende wrote:
> So from a terminal on the nifi server, you can run "kinit admin@MY.REALM"
> and enter the password and it works, and this same principal and password
> entered into NiFi's login screen does not work?
Re: Nifi authentication through Kerberos issues
So from a terminal on the nifi server, you can run "kinit admin@MY.REALM" and enter the password and it works, and this same principal and password entered into NiFi's login screen does not work?

On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson wrote:
> I'm working on transitioning a nifi instance we deploy with Kerberos and
> I'm having some trouble authenticating. Everything looks correct, but when
> I try to log in with any of my created users, I get an error message:
>
> The supplied username and password are not valid.
Nifi authentication through Kerberos issues
I'm working on transitioning a nifi instance we deploy with Kerberos and I'm having some trouble authenticating. Everything looks correct, but when I try to log in with any of my created users, I get an error message:

    The supplied username and password are not valid.

Everything on nifi without https was working, and everything I've created on the Kerberos side looks and works as expected, I just haven't been able to get a user to log in to the Nifi UI.

Here are some of my config files, is there anything I'm missing or have incorrect?

---

authorizers.xml (values only; the tags were stripped in the archived copy):

    file-user-group-provider
    org.apache.nifi.authorization.FileUserGroupProvider
    ./conf/users.xml

    file-access-policy-provider
    org.apache.nifi.authorization.FileAccessPolicyProvider
    file-user-group-provider
    ./conf/authorizations.xml
    admin@MY.REALM

    managed-authorizer
    org.apache.nifi.authorization.StandardManagedAuthorizer
    file-access-policy-provider

    file-provider
    org.apache.nifi.authorization.FileAuthorizer
    ./conf/authorizations.xml
    ./conf/users.xml
    admin@MY.REALM

-

Relevant nifi.properties:

    nifi.security.user.authorizer=file-provider
    nifi.security.user.login.identity.provider=kerberos-provider
    # kerberos #
    nifi.kerberos.krb5.file= /etc/krb5.conf
    nifi.kerberos.service.principal=admin@MY.REALM
    nifi.kerberos.service.keytab.location=/etc/kadm5.keytab

-

login-identity-provider.xml (values only; the tags were stripped in the archived copy):

    kerberos-provider
    org.apache.nifi.kerberos.KerberosProvider
    MY.REALM
    12 hours

---

/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     default_realm = MY.REALM

    [realms]
     RO.INTERNAL = {
      kdc = nifi-djr5.ro.internal:88
      admin_server = nifi-djr5.my.realm:749
      default_domain = my.realm
     }

    [domain_realm]
     .my.realm = MY.REALM
     my.realm = MY.REALM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

---

Any help would be greatly appreciated!