Re: Nifi authentication through Kerberos issues

2021-04-01 Thread Derek Richardson
That was it! I pulled out the line "renew_lifetime = 7d" and it worked!
Thank you so much.

On Thu, Apr 1, 2021 at 7:40 AM Bryan Bende wrote:

> The important part is:
>
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream
> modified (41)
>
> The code that produces this exception looks like this:
>
>     // Reply to a renewable request should be renewable, but if request does
>     // not contain renewable, KDC is free to issue a renewable ticket (for
>     // example, if ticket_lifetime is too big).
>     if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
>             !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
>         throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
>     }
>
> From googling, a possible solution here:
> https://bugs.centos.org/view.php?id=17000
>
> On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson wrote:
> >
> > It doesn't look like anything to me, but here's the stacktrace for when
> > logback.xml has all of the user_file stuff in debug mode:
> >
> > 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22]
> > o.a.n.w.a.c.IllegalArgumentExceptionMapper
> > java.lang.IllegalArgumentException: The supplied username and password are
> > not valid.. Returning Bad Request response.
> > 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22]
> > o.a.n.w.a.c.IllegalArgumentExceptionMapper
> > java.lang.IllegalArgumentException: The supplied username and password are
> > not valid.

Re: Nifi authentication through Kerberos issues

2021-04-01 Thread Bryan Bende
The important part is:

Caused by: sun.security.krb5.internal.KrbApErrException: Message stream
modified (41)

The code that produces this exception looks like this:

    // Reply to a renewable request should be renewable, but if request does
    // not contain renewable, KDC is free to issue a renewable ticket (for
    // example, if ticket_lifetime is too big).
    if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
            !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
    }

From googling, a possible solution here:
https://bugs.centos.org/view.php?id=17000

On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson wrote:
>
> It doesn't look like anything to me, but here's the stacktrace for when
> logback.xml has all of the user_file stuff in debug mode:
>
> 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22]
> o.a.n.w.a.c.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The supplied username and password are
> not valid.. Returning Bad Request response.
> 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22]
> o.a.n.w.a.c.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The supplied username and password are
> not valid.
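
Added example, not part of the original thread and not NiFi or JDK code: a small Python check that reproduces the diagnosis reached here from the krb5.conf [libdefaults] section and the klist output Derek posted. The function names and the "renewable" klist sample are constructed for illustration.

```python
import re

# [libdefaults] and klist output as posted in this thread.
KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[domain_realm]
 .my.realm = MY.REALM
"""

KLIST_FROM_THREAD = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting       Expires              Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
"""

# Constructed sample: MIT klist adds a "renew until" line under a renewable ticket.
KLIST_RENEWABLE = KLIST_FROM_THREAD + "\trenew until 04/07/2021 22:42:10\n"


def parse_section(conf_text, section):
    """Return the key = value pairs of one flat top-level krb5.conf section."""
    values, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def requests_renewable(libdefaults):
    """True if renew_lifetime is set to a non-zero value."""
    value = libdefaults.get("renew_lifetime", "0")
    return not re.fullmatch(r"0+[smhd]?", value)


def tgt_is_renewable(klist_text):
    """True if the krbtgt entry is followed by a 'renew until' line."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" in line:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            return nxt.strip().startswith("renew until")
    return False


def diagnose(conf_text, klist_text):
    """Flag the mismatch behind 'Message stream modified (41)' in this thread."""
    libdefaults = parse_section(conf_text, "libdefaults")
    if not requests_renewable(libdefaults) or tgt_is_renewable(klist_text):
        return []
    return [
        "renew_lifetime = %s asks the KDC for a renewable ticket, but the TGT "
        "from kinit has no 'renew until' line. kinit accepts that reply; the "
        "JDK check in this thread rejects it with KRB_AP_ERR_MODIFIED "
        "('Message stream modified (41)'). Removing renew_lifetime from "
        "[libdefaults] resolved it here." % libdefaults["renew_lifetime"]
    ]


if __name__ == "__main__":
    for finding in diagnose(KRB5_CONF, KLIST_FROM_THREAD):
        print("WARN:", finding)
```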

Re: Nifi authentication through Kerberos issues

2021-03-31 Thread Derek Richardson
It doesn't look like anything to me, but here's the stacktrace for when
logback.xml has all of the user_file stuff in debug mode:

2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper
java.lang.IllegalArgumentException: The supplied username and password are not valid.
    at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
    at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
    at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at

Re: Nifi authentication through Kerberos issues

2021-03-31 Thread Derek Richardson
Correct.

# kinit admin@MY.REALM
Password for admin@MY.REALM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting   Expires  Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM

On Wed, Mar 31, 2021, 1:13 PM Bryan Bende wrote:

> So from a terminal on the nifi server, you can run "kinit
> admin@MY.REALM" and enter the password and it works, and this same
> principal and password entered into NiFi's login screen does not work?
>
> On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson wrote:
> >
> > I'm working on transitioning a nifi instance we deploy with Kerberos and
> > I'm having some trouble authenticating. Everything looks correct, but when
> > I try to log in with any of my created users, I get an error message:
> >
> > The supplied username and password are not valid.
> >
> > Everything on nifi without https was working, and everything I've created
> > on the Kerberos side looks and works as expected, I just haven't been able
> > to get a user to log in to the Nifi UI.
> >
> > Here are some of my config files, is there anything I'm missing or have
> > incorrect?
> >
> > ---
> >
> > Authorizers.xml:
> > 
> > 
> > 
> > file-user-group-provider
> >
>  org.apache.nifi.authorization.FileUserGroupProvider
> > ./conf/users.xml
> > 
> >
> > 
> > 
> >
> > 
> > file-access-policy-provider
> >
> > org.apache.nifi.authorization.FileAccessPolicyProvider
> > file-user-group-provider
> > ./conf/authorizations.xml
> > admin@MY.REALM
> 
> > 
> > 
> > 
> > 
> >
> > 
> > managed-authorizer
> >
> > org.apache.nifi.authorization.StandardManagedAuthorizer
> > file-access-policy-provider
> > 
> >
> > 
> > file-provider
> > org.apache.nifi.authorization.FileAuthorizer
> > ./conf/authorizations.xml
> > ./conf/users.xml
> > admin@MY.REALM
> 
> > 
> >
> > 
> > 
> > 
> >
> > -
> >
> > Relevant nifi.properties:
> > nifi.security.user.authorizer=file-provider
> > nifi.security.user.login.identity.provider=kerberos-provider
> > # kerberos #
> > nifi.kerberos.krb5.file= /etc/krb5.conf
> > nifi.kerberos.service.principal=admin@MY.REALM
> > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
> >
> > -
> >
> > Login-identity-provider.xml
> > 
> > 
> > kerberos-provider
> > org.apache.nifi.kerberos.KerberosProvider
> > MY.REALM
> > 12 hours
> > 
> > 
> >
> > ---
> >
> > /etc/krb5.conf:
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  ticket_lifetime = 24h
> >  renew_lifetime = 7d
> >  forwardable = true
> >  default_realm = MY.REALM
> >
> > [realms]
> >  RO.INTERNAL = {
> >   kdc = nifi-djr5.ro.internal:88
> >   admin_server = nifi-djr5.my.realm:749
> >   default_domain = my.realm
> >  }
> >
> > [domain_realm]
> >  .my.realm = MY.REALM
> >  my.realm = MY.REALM
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > ---
> >
> > Any help would be greatly appreciated!
>


Re: Nifi authentication through Kerberos issues

2021-03-31 Thread Bryan Bende
So from a terminal on the nifi server, you can run "kinit
admin@MY.REALM" and enter the password and it works, and this same
principal and password entered into NiFi's login screen does not work?

On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson wrote:
>
> I'm working on transitioning a nifi instance we deploy with Kerberos and
> I'm having some trouble authenticating. Everything looks correct, but when
> I try to log in with any of my created users, I get an error message:
>
> The supplied username and password are not valid.
>
> Everything on nifi without https was working, and everything I've created
> on the Kerberos side looks and works as expected, I just haven't been able
> to get a user to log in to the Nifi UI.
>
> Here are some of my config files, is there anything I'm missing or have
> incorrect?
>
> ---
>
> Authorizers.xml:
> 
> 
> 
> file-user-group-provider
> org.apache.nifi.authorization.FileUserGroupProvider
> ./conf/users.xml
> 
>
> 
> 
>
> 
> file-access-policy-provider
>
> org.apache.nifi.authorization.FileAccessPolicyProvider
> file-user-group-provider
> ./conf/authorizations.xml
> admin@MY.REALM
> 
> 
> 
> 
>
> 
> managed-authorizer
>
> org.apache.nifi.authorization.StandardManagedAuthorizer
> file-access-policy-provider
> 
>
> 
> file-provider
> org.apache.nifi.authorization.FileAuthorizer
> ./conf/authorizations.xml
> ./conf/users.xml
> admin@MY.REALM
> 
>
> 
> 
> 
>
> -
>
> Relevant nifi.properties:
> nifi.security.user.authorizer=file-provider
> nifi.security.user.login.identity.provider=kerberos-provider
> # kerberos #
> nifi.kerberos.krb5.file= /etc/krb5.conf
> nifi.kerberos.service.principal=admin@MY.REALM
> nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
>
> -
>
> Login-identity-provider.xml
> 
> 
> kerberos-provider
> org.apache.nifi.kerberos.KerberosProvider
> MY.REALM
> 12 hours
> 
> 
>
> ---
>
> /etc/krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  default_realm = MY.REALM
>
> [realms]
>  RO.INTERNAL = {
>   kdc = nifi-djr5.ro.internal:88
>   admin_server = nifi-djr5.my.realm:749
>   default_domain = my.realm
>  }
>
> [domain_realm]
>  .my.realm = MY.REALM
>  my.realm = MY.REALM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> ---
>
> Any help would be greatly appreciated!


Nifi authentication through Kerberos issues

2021-03-31 Thread Derek Richardson
I'm working on transitioning a nifi instance we deploy with Kerberos and
I'm having some trouble authenticating. Everything looks correct, but when
I try to log in with any of my created users, I get an error message:

The supplied username and password are not valid.

Everything on nifi without https was working, and everything I've created
on the Kerberos side looks and works as expected, I just haven't been able
to get a user to log in to the Nifi UI.

Here are some of my config files, is there anything I'm missing or have
incorrect?

---

Authorizers.xml:



file-user-group-provider
org.apache.nifi.authorization.FileUserGroupProvider
./conf/users.xml






file-access-policy-provider

org.apache.nifi.authorization.FileAccessPolicyProvider
file-user-group-provider
./conf/authorizations.xml
admin@MY.REALM






managed-authorizer

org.apache.nifi.authorization.StandardManagedAuthorizer
file-access-policy-provider



file-provider
org.apache.nifi.authorization.FileAuthorizer
./conf/authorizations.xml
./conf/users.xml
admin@MY.REALM






-

Relevant nifi.properties:
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider
# kerberos #
nifi.kerberos.krb5.file= /etc/krb5.conf
nifi.kerberos.service.principal=admin@MY.REALM
nifi.kerberos.service.keytab.location=/etc/kadm5.keytab

-

Login-identity-provider.xml


kerberos-provider
org.apache.nifi.kerberos.KerberosProvider
MY.REALM
12 hours



---

/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

---

Any help would be greatly appreciated!