Conrad,
Unfortunately I think this is a result of the issue you discovered with the
SSLContext not getting created from the properties on the
SiteToSiteClientBuilder...
What's happening is the spark side is hitting this:

if (siteToSiteSecure) {
    if (sslContext == null) {
        throw new IOException("Unable to communicate with " + hostname + ":" + port
            + " because it requires Secure Site-to-Site communications,"
            + " but this instance is not configured for secure communications");
    }
}
And siteToSiteSecure is true, but the sslContext is null so it can never
get past this point. I submitted a pull request on Friday that should
address the issue [1].
Once we get this merged in you could possibly build the source to get the
fixed SiteToSiteClient code, otherwise you could wait for the 0.7.0 release
to happen.
-Bryan
[1] https://github.com/apache/nifi/pull/457
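As an added illustration (not code from the thread or from NiFi itself) of the advice to set the keystore and truststore on the SiteToSiteClient.Builder instead of via system properties, and to fail fast when the builder has not produced an SSLContext for an https URL, which is exactly the state that trips the check quoted above; file paths and passwords are placeholders, and it assumes a NiFi build in which the builder populates the SSLContext (i.e. with the PR 457 fix applied):

```java
import javax.net.ssl.SSLContext;

import org.apache.nifi.remote.client.KeystoreType;
import org.apache.nifi.remote.client.SiteToSiteClient;
import org.apache.nifi.remote.client.SiteToSiteClientConfig;

public class SecureS2SConfigExample {

    // Paths and passwords are placeholders; substitute the real keystore/truststore.
    static SiteToSiteClientConfig buildConfig() {
        return new SiteToSiteClient.Builder()
                .url("https://yarn-cm1.mis-cds.local:9090/nifi")
                .portName("Spark test out")
                // Client certificate presented to NiFi: its DN must be an approved
                // account that is on the output port's Allowed Users list.
                .keystoreFilename("/path/to/spark-processor.jks")
                .keystorePass("KEYSTORE_PASSWORD_PLACEHOLDER")
                .keystoreType(KeystoreType.JKS)
                // Truststore containing the cluster's root CA so the server
                // certificate presented by the NCM/nodes verifies.
                .truststoreFilename("/path/to/cacerts.jks")
                .truststorePass("TRUSTSTORE_PASSWORD_PLACEHOLDER")
                .truststoreType(KeystoreType.JKS)
                .buildConfig();
    }

    // Fail fast before handing the config to NiFiReceiver: an https URL with a
    // null SSLContext can never get past the "requires Secure Site-to-Site
    // communications" check in the socket client, so surface it at startup.
    static SiteToSiteClientConfig requireSslContext(SiteToSiteClientConfig config) {
        SSLContext ctx = config.getSslContext();
        if (config.getUrl().startsWith("https://") && ctx == null) {
            throw new IllegalStateException("Secure URL " + config.getUrl()
                    + " but no SSLContext was built from the keystore/truststore settings;"
                    + " check the Builder values (and that the PR 457 fix is present)");
        }
        return config;
    }

    public static void main(String[] args) {
        SiteToSiteClientConfig config = requireSslContext(buildConfig());
        System.out.println("SSLContext protocol: " + config.getSslContext().getProtocol());
        // config is now safe to pass to new NiFiReceiver(config, StorageLevel.MEMORY_ONLY())
    }
}
```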
On Mon, May 23, 2016 at 5:39 AM, Conrad Crampton <[email protected]> wrote:
> Hi,
> An update to this, but it is still not working.
> I have now set keystore and truststore as system properties, and included
> these as part of the SiteToSiteClientConfig building. I have used a cert
> that I have for one of the servers in my cluster as I know they can
> communicate over ssl with NCM as my 6 node cluster works over ssl and has
> remote ports working (as I read from syslog on a primary server then
> distribute to others via remote ports as suggested somewhere else).
> When I try now to connect to the output port via Spark, I get an
> "EndpointConnectionPool[Cluster URL=
> https://yarn-cm1.mis-cds.local:9090/nifi/] Unable to refresh Remote
> Group's peers due to java.io.IOException: Unable to communicate with
> yarn-cm1.mis-cds.local:9870 because it requires Secure Site-to-Site
> communications, but this instance is not configured for secure
> communications"
> exception even though I know Secure Site-to-Site communication is working
> (9870 being the port set up for remote s2s comms in nifi.properties), so I
> am now really confused!!
>
> Does the port that I wish to read from need to be set up with a remote
> process group (conceptually I'm struggling with how to do this for an
> output port), or is it sufficient to be 'just an output port'?
>
> I have this working when connecting to an unsecured (http) instance of
> NiFi running on my laptop with Spark and a standard output port. Does it
> make a difference that my production cluster is a cluster and therefore
> needs setting up differently?
>
> So many questions but I’m stuck now so any suggestions welcome.
> Thanks
> Conrad
>
> From: Conrad Crampton <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Friday, 20 May 2016 at 09:16
> To: "[email protected]" <[email protected]>
> Subject: SPOOFED: Re: Spark & NiFi question
>
> Thanks for the pointers Bryan, however, with regard to your first suggestion: I tried
> without setting SSL properties on System properties and get an "unable to
> find ssl path" error; this gets resolved by doing as I have done (but of
> course this may be a red herring). I initially tried setting on the site
> builder but got the same error as below; it appears to make no difference
> to what is logged in the nifi-users.log whether I include SSL props on the site
> builder or not, I get the same error viz:
>
> 2016-05-20 08:59:47,082 INFO [NiFi Web Server-29590180]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
> (<CN=spark-processor.m.xxx, OU=Development, O=Secure Data Europe Ltd,
> L=Maidstone, ST=Kent, C=GB>) GET
> https://yarn-cm1.m.xxxx:9090/nifi-api/controller (source ip: xx.xx.xx.1)
> 2016-05-20 08:59:47,082 INFO [NiFi Web Server-29494759]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
> (<CN=spark-processor.m.xxx, OU=Development, O=Secure Data Europe Ltd,
> L=Maidstone, ST=Kent, C=GB>) GET
> https://yarn-cm1.m.xxx:9090/nifi-api/controller (source ip: xx.xx.xx.1)
> 2016-05-20 08:59:47,083 INFO [NiFi Web Server-29590180]
> o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to
> verify access for CN=spark-processor.m.xxx, OU=Development, O=Secure Data
> Europe Ltd, L=Maidstone, ST=Kent, C=GB
>
> I am using self signed certs if that makes a difference (but these work
> fine across the cluster). I am not seeing my spark user appear in the
> list of users to grant access.
>
> I have turned on debug for ssl to see if that is throwing up anything but
> nothing appears obvious; here is the snippet from that log where I would expect errors to
> be shown.
>
> ... no IV derived for this protocol
> %% Server resumed [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA256]
> NiFi Receiver, READ: TLSv1.2 Change Cipher Spec, length = 1
> NiFi Receiver, READ: TLSv1.2 Handshake, length = 80
> *** Finished
> verify_data: { 109, 126, 134, 14, 33, 110, 224, 83, 198, 116, 54, 228 }
> ***
> NiFi Receiver, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> *** Finished
> verify_data: { 83, 120, 49, 158, 181, 136, 127, 219, 30, 194, 58, 167 }
> ***
> NiFi Receiver, WRITE: TLSv1.2 Handshake, length = 80
> NiFi Receiver, WRITE: TLSv1.2 Application Data, length = 240
>
> I don't really know enough about certificates and how client java apps
> would use them with regard to the host name / IP address etc. details that are included
> in them. The nifi-user.log is showing access from a specific IP address
> which clearly doesn't match the CN details in the cert. Just clutching at
> straws here!
>
> Any other suggestions?
>
> Thanks
> Conrad
>
> From: Bryan Bende <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, 19 May 2016 at 17:08
> To: "[email protected]" <[email protected]>
> Subject: Re: Spark & NiFi question
>
> Hi Conrad,
>
> I think there are a couple of things at play here...
>
> One is that the SSL properties need to be set on the
> SiteToSiteClientBuilder, rather than through system properties. There
> should be methods to set the keystore and other values.
>
> In a secured NiFi instance, the certificate you are authenticating with
> (the keystore used by the s2s client) would need to have an account in
> NiFi, and would need to have access to the output port.
> If you attempt to make a request with that cert, and then you go into the
> NiFi UI as another user, you should be able to go into the accounts section
> (top right) and approve the account for that certificate.
>
> Then if you stop your output port, right-click and Configure... and from
> the Access Controls tab start typing the DN from your cert and add that
> user to the Allowed Users list. Hit Apply and start the port again.
>
> We probably need to document this better, or write up an article about it
> somewhere.
>
> Let us know if it's still not working.
>
> Thanks,
>
> Bryan
>
>
> On Thu, May 19, 2016 at 11:54 AM, Conrad Crampton <[email protected]> wrote:
>
>> Hi,
>> Tried following a couple of blog posts about this [1], [2], but neither
>> of these refer to using NiFi in a clustered environment with SSL and I
>> suspect this is where I am hitting problems (but don't know where).
>>
>> The blogs say to use an output port (in the root process group, i.e.
>> on the main canvas), which I have done, and tried to connect thus:
>>
>> import java.nio.charset.StandardCharsets;
>>
>> import org.apache.nifi.remote.client.SiteToSiteClient;
>> import org.apache.nifi.remote.client.SiteToSiteClientConfig;
>> import org.apache.nifi.spark.NiFiDataPacket;
>> import org.apache.nifi.spark.NiFiReceiver;
>> import org.apache.spark.SparkConf;
>> import org.apache.spark.storage.StorageLevel;
>> import org.apache.spark.streaming.Duration;
>> import org.apache.spark.streaming.api.java.JavaDStream;
>> import org.apache.spark.streaming.api.java.JavaReceiverInputDStream;
>> import org.apache.spark.streaming.api.java.JavaStreamingContext;
>>
>> // SSL material supplied via JVM system properties (password redacted)
>> System.setProperty("javax.net.ssl.keyStore", "/spark-processor.jks");
>> System.setProperty("javax.net.ssl.keyStorePassword", "******");
>> System.setProperty("javax.net.ssl.trustStore", "/cacerts.jks");
>>
>> // Site-to-site client config pointing at the secured cluster's output port
>> SiteToSiteClientConfig config = new SiteToSiteClient.Builder()
>>         .url("https://yarn-cm1.mis-cds.local:9090/nifi")
>>         .portName("Spark test out")
>>         .buildConfig();
>>
>> SparkConf sparkConf = new SparkConf().setMaster("local[2]").setAppName("NiFi Spark Log Processor");
>> JavaStreamingContext jssc = new JavaStreamingContext(sparkConf, new Duration(5000));
>> JavaReceiverInputDStream<NiFiDataPacket> packetStream =
>>         jssc.receiverStream(new NiFiReceiver(config, StorageLevel.MEMORY_ONLY()));
>>
>> // Decode each flow file's content as UTF-8 text and print it
>> JavaDStream<String> text = packetStream.map(dataPacket ->
>>         new String(dataPacket.getContent(), StandardCharsets.UTF_8));
>> text.print();
>> jssc.start();
>> jssc.awaitTermination();
>>
>> The error I am getting is
>>
>> 16/05/19 16:39:03 WARN ReceiverSupervisorImpl: Restarting receiver with
>> delay 2000 ms: Failed to receive data from NiFi
>> java.io.IOException: Server returned HTTP response code: 401 for URL:
>> https://yarn-cm1.mis-cds.local:9090/nifi-api/controller
>>   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>   at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>   at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1889)
>>   at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1884)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1883)
>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1456)
>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>   at org.apache.nifi.remote.util.NiFiRestApiUtil.getController(NiFiRestApiUtil.java:69)
>>   at org.apache.nifi.remote.client.socket.EndpointConnectionPool.refreshRemoteInfo(EndpointConnectionPool.java:891)
>>   at org.apache.nifi.remote.client.socket.EndpointConnectionPool.getPortIdentifier(EndpointConnectionPool.java:878)
>>   at org.apache.nifi.remote.client.socket.EndpointConnectionPool.getOutputPortIdentifier(EndpointConnectionPool.java:862)
>>   at org.apache.nifi.remote.client.socket.SocketClient.getPortIdentifier(SocketClient.java:81)
>>   at org.apache.nifi.remote.client.socket.SocketClient.createTransaction(SocketClient.java:123)
>>   at org.apache.nifi.spark.NiFiReceiver$ReceiveRunnable.run(NiFiReceiver.java:149)
>>   at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.io.IOException: Server returned HTTP response code: 401
>> for URL: https://yarn-cm1.mis-cds.local:9090/nifi-api/controller
>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1839)
>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
>>   at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>>   at org.apache.nifi.remote.util.NiFiRestApiUtil.getController(NiFiRestApiUtil.java:66)
>>   ... 7 more
>>
>> Any pointers would be helpful in getting this working. I don't know if I
>> have to set up a remote process group with the output port (not sure how
>> this works), or what. When I go to
>> https://yarn-cm1.mis-cds.local:9090/nifi-api/controller in the browser,
>> I get an access denied error.
>> I have created a keystore signed by the RootCA used to sign all the
>> self signed certs for the cluster.
>>
>> Running 0.6.1, 6 node cluster.
>>
>> Thanks
>> Conrad
>>
>> [1] -
>> https://community.hortonworks.com/articles/12708/nifi-feeding-data-to-spark-streaming.html
>> [2] -
>> https://blogs.apache.org/nifi/entry/stream_processing_nifi_and_spark
>>