Hi there!
I've configured Nifi 1.1.1 *Standalone* with Kerberos (FreeIPA) to do AuthN
and AuthZ. It seems everything is OK because:
1.- Initial admin login through Kerberos works.
2.- SSL enabled: Nifi asks for a User Cert; if I just cancel, the browser is
redirected to the Nifi Login Page, where I can enter a Kerberos user. If I
choose a valid User Cert, the browser is redirected to an authorized Nifi canvas.
3.- I can add more users (by using Kerberos configuration) through the Nifi UI.
Now, I have installed an Apache HTTPd Proxy in front of Nifi by using this
config:
Listen 443 https
....
<VirtualHost _default_:443>
...
  <Location "/nifi">
    Header always unset Strict-Transport-Security
    RequestHeader add X-ProxyScheme "https"
    RequestHeader add X-ProxyHost "my-proxy"
    RequestHeader add X-ProxyPort "443"
    RequestHeader add X-ProxyContextPath "/nifi"
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
    ProxyPass https://my-nifi-standalone:8443/nifi
    ProxyPassReverse https://my-nifi-standalone:8443/nifi
    <LimitExcept GET POST HEAD>
      deny from all
    </LimitExcept>
  </Location>
  <Location "/nifi-api">
    Header always unset Strict-Transport-Security
    RequestHeader add X-ProxyScheme "https"
    RequestHeader add X-ProxyHost "my-proxy"
    RequestHeader add X-ProxyPort "443"
    RequestHeader add X-ProxyContextPath "/nifi-api"
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
    ProxyPass https://my-nifi-standalone:8443/nifi-api
    ProxyPassReverse https://my-nifi-standalone:8443/nifi-api
    <LimitExcept GET POST HEAD>
      deny from all
    </LimitExcept>
  </Location>
  <Location "/nifi-docs">
    Header always unset Strict-Transport-Security
    RequestHeader add X-ProxyScheme "https"
    RequestHeader add X-ProxyHost "my-proxy"
    RequestHeader add X-ProxyPort "443"
    RequestHeader add X-ProxyContextPath "/nifi-docs"
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
    ProxyPass https://my-nifi-standalone:8443/nifi-docs
    ProxyPassReverse https://my-nifi-standalone:8443/nifi-docs
    <LimitExcept GET POST HEAD>
      deny from all
    </LimitExcept>
  </Location>
</VirtualHost>
Then, when I go to https://my-proxy-nifi/nifi and choose the same valid User
Cert, I get a Nifi error page with this message:
Unable to check Access Status
Unable to validate the access token
In the Nifi server log (nifi-user.log) the error is:
INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Returning Unauthorized response.
INFO [NiFi Web Server-17] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
....
Caused by: io.jsonwebtoken.MalformedJwtException: JWT strings must contain exactly 2 period characters. Found: 0
....
And in the browser I can see this error through the Firefox Developer Plugin:
GET https://my-proxy-nifi/nifi-api/flow/current-user
Status code: 401 Unauthorized
I've used this thread to configure the Apache HTTPd Proxy.
https://mail-archives.apache.org/mod_mbox/nifi-dev/201509.mbox/%3CCAFddr26dJFm4droVjVPOm-swUn0aR-=_vpqpxoixa1mo5mj...@mail.gmail.com%3E
Any help is welcome!!
Regards.
- wr
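An added example, not from the post, from NiFi or from its mailing list: a Python triage script that groups the nifi-user.log lines quoted above by web-server thread and reconstructs the order in which NiFi rejected each authentication attempt, so it is explicit whether the bearer token failed structurally (wrong number of segments, as in the post, which happens before any signature check) or later with another JJWT exception. The log sample is constructed from the post's own lines with the "...." elisions dropped; logger and exception names are taken from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the nifi-user.log entries quoted in the post, one per line, "...." elisions dropped.
SAMPLE_LOG = """\
INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Returning Unauthorized response.
INFO [NiFi Web Server-17] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
Caused by: io.jsonwebtoken.MalformedJwtException: JWT strings must contain exactly 2 period characters. Found: 0
"""

ENTRY_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")  # "LEVEL [thread] logger msg"
CAUSE_RE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")  # stack-trace lines
PERIODS_RE = re.compile(r"exactly (?P<want>\d+) period characters\. Found: (?P<got>\d+)")  # JJWT's segment check


def parse_entries(text):
    """Split the log into entries; exception/trace lines attach to the entry they follow."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"thread": m["thread"], "logger": m["logger"].rsplit(".", 1)[-1],
                            "msg": m["msg"], "causes": []})
            continue
        c = CAUSE_RE.match(line.strip())
        if c and entries:
            entries[-1]["causes"].append((c["exc"].rsplit(".", 1)[-1], c["msg"]))
    return entries


def triage(text):
    """Per web-server thread, list the authentication steps NiFi rejected, in log order."""
    findings = defaultdict(list)
    for e in parse_entries(text):
        steps = findings[e["thread"]]
        if e["logger"] == "IllegalStateExceptionMapper" and "Kerberos ticket" in e["msg"]:
            steps.append("kerberos-ticket-login-rejected")
        elif e["logger"] == "AccessDeniedExceptionMapper" and e["msg"].startswith("anonymous"):
            steps.append("fell-back-to-anonymous")
        elif e["logger"] == "JwtService":
            for exc, msg in e["causes"]:
                pm = PERIODS_RE.search(msg)
                if pm:  # too few segments: the Authorization header value was not a JWT at all,
                    # so the request was rejected before any signature or key check ran
                    steps.append(f"bearer-token-malformed:segments={int(pm['got']) + 1}/{int(pm['want']) + 1}")
                elif exc != "JwtException":  # skip JJWT's generic wrapper, report the real cause
                    steps.append(f"jwt-rejected:{exc}")
    return {t: s for t, s in findings.items() if s}
```

Running `triage(SAMPLE_LOG)` on the post's lines yields, for thread `NiFi Web Server-17`, the sequence kerberos-ticket-login-rejected, fell-back-to-anonymous, bearer-token-malformed:segments=1/3.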