A couple comments. Apache NiFi is comprised of a number of web applications. You've mapped to three of them. However, we also support UI extensions for Custom Processor configuration (like UpdateAttribute and JoltTransformJson) and custom data viewers (based on content type) when looking at data through queues and data provenance.
I would suggest mapping a single Location that does not point to any one specific context path. Otherwise, a lot of maintenance would be required to keep your Locations up to date.

I've never tried using token based access from behind a proxy. Can you ensure that Bearer token is being included by ensuring the Authorization header is passed along?

Matt

On Mon, Jan 16, 2017 at 8:41 AM, Wayna Runa <[email protected]> wrote:

> Hi there!
>
> I've configured Nifi 1.1.1 *Standalone* with Kerberos (FreeIPA) to do
> AuthN and AuthZ. Seems everything is OK because:
>
> 1.- Initial admin login through Kerberos works.
> 2.- SSL enabled: Nifi asks for User Cert, just cancel and browser is
> redirected to Nifi Login Page where I can introduce a Kerberos user. If I
> choose a valid User Cert, browser is redirected to a Nifi authorized canvas.
> 3.- I can add more users (by using Kerberos configuration) through Nifi UI
>
> Now, I have installed an Apache HTTPd Proxy in front of Nifi by using this
> config:
>
> Listen 443 https
> ....
> <VirtualHost _default_:443 >
> ...
>   <Location "/nifi">
>     Header always unset Strict-Transport-Security
>     RequestHeader add X-ProxyScheme "https"
>     RequestHeader add X-ProxyHost "my-proxy"
>     RequestHeader add X-ProxyPort "443"
>     RequestHeader add X-ProxyContextPath "/nifi"
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
>     ProxyPass https://my-nifi-standalone:8443/nifi
>     ProxyPassReverse https://my-nifi-standalone:8443/nifi
>     <LimitExcept GET POST HEAD>
>       deny from all
>     </LimitExcept>
>   </Location>
>
>   <Location "/nifi-api">
>     Header always unset Strict-Transport-Security
>     RequestHeader add X-ProxyScheme "https"
>     RequestHeader add X-ProxyHost "my-proxy"
>     RequestHeader add X-ProxyPort "443"
>     RequestHeader add X-ProxyContextPath "/nifi-api"
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
>     ProxyPass https://my-nifi-standalone:8443/nifi-api
>     ProxyPassReverse https://my-nifi-standalone:8443/nifi-api
>     <LimitExcept GET POST HEAD>
>       deny from all
>     </LimitExcept>
>   </Location>
>
>   <Location "/nifi-docs">
>     Header always unset Strict-Transport-Security
>     RequestHeader add X-ProxyScheme "https"
>     RequestHeader add X-ProxyHost "my-proxy"
>     RequestHeader add X-ProxyPort "443"
>     RequestHeader add X-ProxyContextPath "/nifi-docs"
>     SSLRequireSSL
>     SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
>     ProxyPass https://my-nifi-standalone:8443/nifi-docs
>     ProxyPassReverse https://my-nifi-standalone:8443/nifi-docs
>     <LimitExcept GET POST HEAD>
>       deny from all
>     </LimitExcept>
>   </Location>
> </VirtualHost>
>
> Then, when I go to https://my-proxy-nifi/nifi and choose the same valid
> User Cert, I get a Nifi error page with this message:
>
> Unable to check Access Status
> Unable to validate the access token
>
>
> In Nifi server (nifi-user.log) error log is:
>
> INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper
> java.lang.IllegalStateException: Kerberos ticket login not supported by
> this NiFi.. Returning Conflict response.
> INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper
> anonymous does not have permission to access the requested resource.
> Returning Unauthorized response.
> INFO [NiFi Web Server-17] o.a.nifi.web.security.jwt.JwtService There was
> an error validating the JWT
> io.jasonwebtoken.JwtException: Unable to validate the access token.
> ....
> Caused by: io.jasonwebtoken.MalformedJwtException: JWT strings must
> contain exactly 2 period characters. Found: 0
> ....
>
>
> And in the Browser I can see this error through Firefox Developer Plugin:
>
> GET https://my-proxy-nifi/nifi-api/flow/current-user
> Status code: 401 Unauthorized
>
>
> I've used this thread to configure the Apache HTTPd Proxy.
> https://mail-archives.apache.org/mod_mbox/nifi-dev/201509.mbox/%
> 3CCAFddr26dJFm4droVjVPOm-swUn0aR-=_vpqpxoixa1mo5mj...@mail.gmail.com%3E
>
> Any help is welcome !!.
>
> Regards.
>
> - wr
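
The JwtService error quoted above reports a token with 0 period characters, and the reply asks whether the Authorization header is passed along by the proxy. As an added example (not code from this thread or from NiFi), the Python check below classifies an Authorization header value captured on the backend side of the proxy by the same structural rule; the function name `classify_authorization` and all sample values are constructed for illustration.

```python
import base64
import binascii
import json


def classify_authorization(header_value):
    """Classify an Authorization header value as (verdict, detail)."""
    if not header_value or not header_value.strip():
        return ("missing", "no Authorization header value")
    scheme, _, credential = header_value.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer":
        return ("wrong-scheme", f"scheme is {scheme!r}, not Bearer")
    periods = credential.count(".")
    if periods != 2:
        # Same structural rule as the quoted MalformedJwtException message.
        return ("malformed", f"expected exactly 2 period characters, found {periods}")
    header_b64, payload_b64, _signature = credential.split(".")
    for name, segment in (("header", header_b64), ("payload", payload_b64)):
        try:
            padded = segment + "=" * (-len(segment) % 4)
            decoded = json.loads(base64.urlsafe_b64decode(padded))
        except (binascii.Error, ValueError):
            return ("malformed", f"{name} segment is not base64url-encoded JSON")
        if not isinstance(decoded, dict):
            return ("malformed", f"{name} segment is not a JSON object")
    # Structure only: the signature is NOT verified here.
    return ("well-formed", "three segments with JSON header and payload")


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample values, not taken from the thread.
SAMPLE_JWT = ".".join(
    [_b64url({"alg": "HS256"}), _b64url({"sub": "constructed-user"}), "c2lnbmF0dXJl"]
)
SAMPLES = [
    None,                            # header dropped before reaching the backend
    "Negotiate constructed-ticket",  # non-Bearer scheme
    "Bearer not-a-jwt",              # Bearer value with 0 periods
    "Bearer " + SAMPLE_JWT,          # structurally valid compact token
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value)[:40], "->", classify_authorization(value))
```

A "missing" or "wrong-scheme" verdict points at the proxy or client not forwarding a Bearer credential, while "malformed" means a Bearer value arrived but is not a compact JWT.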
