Hello Ryan,

Looks like you need to provision the NiFi public cert into the Knox keystore; that should do it.
On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:

> Hi All,
>
> I seem to be having a really tough time getting Knox to work with a secure
> NiFi cluster set up. I have tried to get this working two different ways.
> Both ways have basically the same set up for knoxsso, where it uses cloud
> foundry UAA as an external identity provider (currently configured for
> OpenID, with the /.well-known/openid-configuration prepended to the UAA
> instance url). I'm not sure if OpenID connect is the correct way to go, I
> believe there are other options with UAA; this is just the route I went as
> I initially was going to configure NiFi OpenID properties with my UAA
> instance. I have since decided (based on other factors) that Knox would be
> a better way to go. I have been focusing on option 1 below, as I think this
> is the preferred way. However, I tried option 2 below just to see if I
> could get around the error temporarily. I've included the errors I am
> running into below as well as relevant config. Any help is greatly
> appreciated.
>
> versions: NiFi 1.6 and Knox 1.1.0
>
> *1. Users will always access NiFi thru Knox (preferred)*
> *Issue Facing: Getting "PKIX path building failed: unable to find valid
> certification path to requested target"*
>
> *knoxsso.xml*
> <topology>
> <gateway>
> <provider>
> <role>webappsec</role>
> <name>WebAppSec</name>
> <enabled>true</enabled>
> <param><name>xframe.options.enabled</name><value>true</value></param>
> </provider>
> <provider>
> <role>federation</role>
> <name>pac4j</name>
> <enabled>true</enabled>
> <param>
> <name>pac4j.session.store</name>
> <value>J2ESessionStore</value>
> </param>
> <param>
> <name>pac4j.callbackUrl</name>
> <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
> </param>
> <param>
> <name>clientName</name>
> <value>OidcClient</value>
> </param>
> <param>
> <name>oidc.id</name>
> <value>some_client_id</value>
> </param>
> <param>
> <name>oidc.secret</name>
> <value>some_client_secret</value>
> </param>
> <param>
> <name>oidc.discoveryUri</name>
> <value>https://my-uaa-host:443/.well-known/openid-configuration</value>
> </param>
> <param>
> <name>oidc.preferredJwsAlgorithm</name>
> <value>RS256</value>
> </param>
> </provider>
> </gateway>
>
> <application>
> <name>knoxauth</name>
> </application>
> <service>
> <role>KNOXSSO</role>
> <param>
> <name>knoxsso.cookie.secure.only</name>
> <value>false</value>
> </param>
> <param>
> <name>knoxsso.enable.session</name>
> <value>true</value>
> </param>
> <param>
> <name>knoxsso.cookie.max.age</name>
> <value>session</value>
> </param>
> <param>
> <name>knoxsso.token.ttl</name>
> <value>3600000</value>
> </param>
> <param>
> <name>knoxsso.redirect.whitelist.regex</name>
> <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
> </param>
> </service>
> </topology>
>
> *sandbox.xml*
> <provider>
> <role>federation</role>
> <name>SSOCookieProvider</name>
> <enabled>true</enabled>
> <param>
> <name>sso.authentication.provider.url</name>
> <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
> </param>
> </provider>
>
>
> <provider>
> <role>identity-assertion</role>
> <name>Default</name>
> <enabled>true</enabled>
> </provider>
>
> <provider>
> <role>hostmap</role>
> <name>static</name>
> <enabled>true</enabled>
> </provider>
>
> </gateway>
>
> <service>
> <role>NIFI</role>
> <url>https://my-nifi-host:8443</url>
> <param name="useTwoWaySsl" value="false" />
> </service>
>
> *Stacktrace from Knox:*
> knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) -
> Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException:
> PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
> at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
> at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
> at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
> at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> ... 78 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> ... 84 more
> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
> 2018-03-07 23:44:23,276 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
> java.io.IOException: Service connectivity error.
> ...
>
>
>
> *2. User will access NiFi directly. NiFi will be configured to use KnoxSSO
> for auth (in nifi.properties).*
> *Issue facing: getting stuck in infinite callback loop*
>
> *nifi.properties (relevant config only)*
> # Apache Knox SSO Properties #
> nifi.security.user.knox.url=https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
> nifi.security.user.knox.publicKey=/opt/certs/knox.pem
> nifi.security.user.knox.cookieName=hadoop-jwt
> nifi.security.user.knox.audiences=
>
>
>
> *Stacktrace from Knox (this is repeated):*
> 2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
> 2018-03-07 23:36:16,250 INFO service.knoxsso (WebSSOResource.java:init(113)) - The cookie max age is being set to: session.
> 2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(117)) - The SSO cookie max age configuration is invalid: session - using default.
> 2018-03-07 23:36:16,251 INFO service.knoxsso (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with name: original-url
> 2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully added.
> 2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback
>
> *Log info from NiFi:*
> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
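The PKIX error in option 1 is Knox's outbound dispatch (Knox acting as the TLS client) refusing the NiFi server certificate because nothing in the Knox truststore vouches for it; with useTwoWaySsl=false only that server-side trust matters. The script below is an added example, not code from the thread, Knox or NiFi: it pulls the certificate chain NiFi presents, pins it by an SHA-256 fingerprint the operator obtained out of band on the NiFi host, and only then imports it into the Knox truststore. The host, port, keystore path, alias and environment variable names are assumptions; gateway.jks under data/security/keystores is where a stock Knox install keeps its keystore, but confirm which truststore your Knox dispatch actually reads before importing there. If NiFi's certificate is issued by a CA (for example one created by the NiFi TLS toolkit), import that CA certificate (a later block in the chain) instead of the leaf, so that rotating the NiFi leaf does not break Knox again.

```shell
#!/bin/sh
# Added example (not from the thread). Provision trust for the NiFi server
# certificate in the Knox gateway truststore, after pinning its fingerprint.
set -eu

# Print the N-th PEM certificate block (1 = leaf, higher = issuers) from
# `openssl s_client -showcerts` output read on stdin.
extract_cert_block() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  '
}

# Convenience wrapper: the leaf (server) certificate is always block 1.
extract_leaf_cert() { extract_cert_block 1; }

# How many certificates the server sent; 0 if none (grep -c exits 1 then).
count_cert_blocks() { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }

# Fetch the chain NiFi presents. SNI is sent so a name-based vhost answers
# with the right certificate. Assumed defaults mirror the thread's hostnames.
fetch_server_chain() {
  host="$1"; port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null
}

# SHA-256 fingerprint of a PEM file, upper-cased hex with colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr '[:lower:]' '[:upper:]'
}

# Import a PEM certificate as a trusted entry under the given alias.
import_into_truststore() {
  pem="$1"; alias="$2"; ks="$3"; pass="$4"
  keytool -importcert -noprompt -trustcacerts \
    -alias "$alias" -file "$pem" -keystore "$ks" -storepass "$pass"
}

# Verify the alias is now present in the truststore.
is_trusted() {
  keytool -list -alias "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

# End-to-end flow. Environment (all assumptions, adjust for the deployment):
#   NIFI_HOST / NIFI_PORT     NiFi's HTTPS endpoint (my-nifi-host:8443 here)
#   CERT_BLOCK                1 for the leaf, 2+ for an issuing CA in the chain
#   KNOX_TRUSTSTORE           truststore Knox dispatch reads (gateway.jks?)
#   KNOX_TRUSTSTORE_PASS      its password
#   NIFI_CERT_SHA256          expected fingerprint, taken on the NiFi host
provision_nifi_trust() {
  host="${NIFI_HOST:-my-nifi-host}"
  port="${NIFI_PORT:-8443}"
  block="${CERT_BLOCK:-1}"
  ks="${KNOX_TRUSTSTORE:-/opt/knox/data/security/keystores/gateway.jks}"
  pass="${KNOX_TRUSTSTORE_PASS:?Knox truststore password is required}"
  expected="$(printf '%s' "${NIFI_CERT_SHA256:?expected fingerprint required}" \
    | tr '[:lower:]' '[:upper:]')"

  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  fetch_server_chain "$host" "$port" | extract_cert_block "$block" > "$tmp"
  if [ ! -s "$tmp" ]; then
    echo "no certificate block $block returned by $host:$port" >&2
    return 1
  fi

  # Refuse to import anything whose fingerprint was not confirmed out of band;
  # a blind import would also trust a man-in-the-middle sitting on that port.
  actual="$(cert_fingerprint "$tmp")"
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $host: got $actual, expected $expected" >&2
    return 1
  fi

  alias="nifi-$host"
  import_into_truststore "$tmp" "$alias" "$ks" "$pass"
  is_trusted "$alias" "$ks" "$pass"
  echo "imported $alias ($actual); restart the Knox gateway to load it"
}

# Run only when invoked explicitly, e.g.:  sh provision.sh provision
if [ "${1:-}" = "provision" ]; then
  provision_nifi_trust
fi
```

After the restart, a Knox request through the NIFI service should no longer log the SunCertPathBuilderException; if it still does, the truststore Knox dispatch uses is not the one written to, which is the first thing to check in gateway-site.xml.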