Hi All, I seem to be having a really tough time getting Knox to work with a secure NiFi cluster setup. I have tried to get this working two different ways. Both ways have basically the same setup for knoxsso, where it uses Cloud Foundry UAA as an external identity provider (currently configured for OpenID, with /.well-known/openid-configuration prepended to the UAA instance URL). I'm not sure if OpenID Connect is the correct way to go; I believe there are other options with UAA. This is just the route I went, as I initially was going to configure NiFi's OpenID properties with my UAA instance. I have since decided (based on other factors) that Knox would be a better way to go. I have been focusing on option 1 below, as I think this is the preferred way. However, I tried option 2 below just to see if I could get around the error temporarily. I've included the errors I am running into below as well as the relevant config. Any help is greatly appreciated.
Versions: NiFi 1.6 and Knox 1.1.0

*1. Users will always access NiFi through Knox (preferred)*

*Issue facing: getting "PKIX path building failed: unable to find valid certification path to requested target"*

*knoxsso.xml*

    <topology>
      <gateway>
        <provider>
          <role>webappsec</role>
          <name>WebAppSec</name>
          <enabled>true</enabled>
          <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>
        <provider>
          <role>federation</role>
          <name>pac4j</name>
          <enabled>true</enabled>
          <param>
            <name>pac4j.session.store</name>
            <value>J2ESessionStore</value>
          </param>
          <param>
            <name>pac4j.callbackUrl</name>
            <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
          </param>
          <param>
            <name>clientName</name>
            <value>OidcClient</value>
          </param>
          <param>
            <name>oidc.id</name>
            <value>some_client_id</value>
          </param>
          <param>
            <name>oidc.secret</name>
            <value>some_client_secret</value>
          </param>
          <param>
            <name>oidc.discoveryUri</name>
            <value>https://my-uaa-host:443/.well-known/openid-configuration</value>
          </param>
          <param>
            <name>oidc.preferredJwsAlgorithm</name>
            <value>RS256</value>
          </param>
        </provider>
      </gateway>
      <application>
        <name>knoxauth</name>
      </application>
      <service>
        <role>KNOXSSO</role>
        <param>
          <name>knoxsso.cookie.secure.only</name>
          <value>false</value>
        </param>
        <param>
          <name>knoxsso.enable.session</name>
          <value>true</value>
        </param>
        <param>
          <name>knoxsso.cookie.max.age</name>
          <value>session</value>
        </param>
        <param>
          <name>knoxsso.token.ttl</name>
          <value>3600000</value>
        </param>
        <param>
          <name>knoxsso.redirect.whitelist.regex</name>
          <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
      </service>
    </topology>

*sandbox.xml*

        <provider>
          <role>federation</role>
          <name>SSOCookieProvider</name>
          <enabled>true</enabled>
          <param>
            <name>sso.authentication.provider.url</name>
            <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
          </param>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>true</enabled>
        </provider>
        <provider>
          <role>hostmap</role>
          <name>static</name>
          <enabled>true</enabled>
        </provider>
      </gateway>
      <service>
        <role>NIFI</role>
        <url>https://my-nifi-host:8443</url>
        <param name="useTwoWaySsl" value="false" />
      </service>

*Stacktrace from Knox:*

    knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
        at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
        at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
        at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
        at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
        at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
        at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
        at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
        at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
        at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
        at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
        at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
        at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
        at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
        at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
        at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
        at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
        at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
        at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
        ... 78 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 84 more
    2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
    2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
    2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
    2018-03-07 23:44:23,276 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
    java.io.IOException: Service connectivity error.
    ...

*2. Users will access NiFi directly. NiFi will be configured to use KnoxSSO for auth (in nifi.properties).*

*Issue facing: getting stuck in an infinite callback loop*

*nifi.properties (relevant config only)*

    # Apache Knox SSO Properties #
    nifi.security.user.knox.url=https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
    nifi.security.user.knox.publicKey=/opt/certs/knox.pem
    nifi.security.user.knox.cookieName=hadoop-jwt
    nifi.security.user.knox.audiences=

*Stacktrace from Knox (this is repeated):*

    2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
    2018-03-07 23:36:16,250 INFO service.knoxsso (WebSSOResource.java:init(113)) - The cookie max age is being set to: session.
    2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(117)) - The SSO cookie max age configuration is invalid: session - using default.
    2018-03-07 23:36:16,251 INFO service.knoxsso (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with name: original-url
    2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully added.
    2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback

*Log info from NiFi:*

    2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
    2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
    2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
    2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
    2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
    2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
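The PKIX trace in option 1 is raised while Knox dispatches to NiFi, so the relevant question is which side of that TLS handshake did the rejecting. The following triage, an added example that is neither from the post nor from Knox itself, runs over a constructed excerpt of the Knox log above (frames trimmed to the ones it needs) and reports the failing hop and the side whose trust store must carry the backend's issuer:

```python
import re

# Constructed excerpt of the Knox gateway log from the post, trimmed to the frames the triage needs.
KNOX_LOG = """\
knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
"""

DISPATCH_RE = re.compile(r"Connection exception dispatching request: (https?://([^/\s]+)\S*)")
CAUSE_RE = re.compile(r"^Caused by: (\S+): (.*)$")

def triage_dispatch_tls_failure(log):
    """Work out which hop failed and which side's trust store needs attention.

    Returns a dict, or None when the log has no Knox dispatch failure with a cause chain.
    """
    target = DISPATCH_RE.search(log)
    causes = [m.groups() for m in map(CAUSE_RE.match, log.splitlines()) if m]
    if target is None or not causes:
        return None
    backend = target.group(2)                 # host:port Knox was dispatching to
    root_exc, root_msg = causes[-1]           # the last "Caused by:" is the root cause
    # ClientHandshaker.serverCertificate is the JVM, acting as the TLS *client*,
    # validating the *server's* certificate: so it is the trust store Knox uses,
    # not NiFi's, that must contain the CA (or self-signed leaf) behind the backend's cert.
    client_side = "ClientHandshaker.serverCertificate" in log
    untrusted = "unable to find valid certification path" in root_msg
    knox_trust_gap = client_side and untrusted
    return {
        "failing_hop": "knox -> " + backend,
        "root_cause": root_exc,
        "fix_on": "knox truststore" if knox_trust_gap else "undetermined",
        "remedy": ("import the issuer of " + backend + "'s server certificate into the trust store Knox uses")
                  if knox_trust_gap else root_msg,
    }

if __name__ == "__main__":
    for key, value in (triage_dispatch_tls_failure(KNOX_LOG) or {}).items():
        print(f"{key:12} {value}")
```

The same frame check works on any Knox dispatch failure, so it can be pointed at a full gateway.log rather than the excerpt above.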