I'm not sure you are even making it as far as authorization because I
think you would see unauthorized messages in the logs if that were the
case.

If you request the UI from your browser using the ELB URL, what page
is displayed? If you do the same thing using the direct URL to the
registry, is it any different?

Also, what values do you have set for nifi.registry.web.https.host=
and nifi.registry.security.needClientAuth= ?

On Mon, Mar 19, 2018 at 10:50 AM, Scott Howell <[email protected]> wrote:
> Thanks Kevin,
>
> I am just using the ELB to go from the public subnet to the private subnet. I 
> will not have multiple instances running of registry.
>
> I will say on my authorizers.xml there is one difference between my nifi 
> instance. On my nifi instance I am using file-provider for 
> nifi.security.user.authorizer in my nifi.properties. I don’t think from 
> reading the documents for nifi-registry that I can use that. If there is a 
> way that might be my problem. I was running into some issues with my nifi 
> instance when I was using managed-authorizers instead of file-provider.
>
>
>
>> On Mar 19, 2018, at 9:35 AM, Kevin Doran <[email protected]> wrote:
>>
>> Hey Scott,
>>
>> Assuming you are using two-way TLS with client certificates for 
>> authentication, I recommend configuring your ELB for TCP passthrough so that 
>> the TLS handshake is between the end-client and the NiFi Registry Server (in 
>> other words, no decryption/termination of the TLS connection happens in the 
>> ELB). If you are using some other form of authentication (e.g., LDAP), you 
>> will need to configure your ELB to trust the self-signed key NiFi Registry 
>> is using. I'm not sure how to do that as I've never run an ELB with that 
>> configuration before.
>>
>> Also, just a note about using an ELB with NiFi Registry:
>>
>> NiFi Registry currently only supports single-instance use, as persisted 
>> data and in-memory state is not synced between multiple instances. Are you 
>> hoping to use the ELB for actual load balancing, or is it just to take 
>> advantage of other ELB features, such as forwarding and security group 
>> rules? If the plan is to load balance multiple Registry instances, just be 
>> aware that you will probably run into some unexpected behavior. (As you 
>> mentioned using authorization, that is one case where I know the in-memory 
>> cache of the persisted data will not refresh across instances, so even if 
>> you were using some sort of shared network file system attached to multiple 
>> Registry instances, such as EFS, it would not work the way you hope.)
>>
>> Hope this helps,
>> Kevin
>>
>> On 3/19/18, 10:20, "Scott Howell" <[email protected]> wrote:
>>
>>    Thanks for the quick response.
>>
>>    A couple of things I am seeing.
>>
>>    1. There is no error; I don’t see anything in the logs once the service 
>> comes up. This is because the health check is not even hitting the instance 
>> when secure.
>>
>>    2. Nothing interesting in the nifi-registry-app.logs. That was my concern 
>> because on my nifi instance I can see the health check hitting the instance 
>> from the ELB. This does not happen on the nifi-registry instance. I see the 
>> service startup and it tells me what domain and port I can access the UI but 
>> nothing else after that.
>>
>>    3. When I am on an instance in the same private subnet I am able to curl 
>> to the instance and I get the TLS SSL, which tells me the keystore is on the 
>> server. I am using a JKS keystore that is self-signed by the company I work 
>> for.
>>
>>> On Mar 19, 2018, at 9:10 AM, Bryan Bende <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> What error are you getting when you cannot access the UI?
>>>
>>> Is there anything interesting in nifi-registry-app.log regarding
>>> authentication/authorization when this happens?
>>>
>>> Can you access the UI securely without going through the ELB?
>>>
>>> Thanks,
>>>
>>> Bryan
>>>
>>>
>>> On Mon, Mar 19, 2018 at 10:05 AM, Scott Howell <[email protected]> 
>>> wrote:
>>>> I was able to stand up nifi-registry behind an AWS ELB non-secure. 
>>>> Everything was working great and was able to access the UI anonymously. I 
>>>> set up the authorization just like on my nifi instances along with the 
>>>> authorizers and identity-provider. The service comes up without errors and 
>>>> everything looks good but the health check does not pass and I cannot 
>>>> access the UI to login. I was wondering if anyone else has run into this 
>>>> issue using nifi-registry.
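As an added example (not code from this thread or from the NiFi project), a small Python check that reads a nifi-registry.properties file and reports which of the two setups Kevin describes it is in, and therefore which ELB listener fits it. Beyond the two properties asked about above, the names nifi.registry.web.https.port, nifi.registry.security.keystore and nifi.registry.security.identity.provider are assumed from the standard NiFi Registry properties file; the sample file at the bottom is constructed.

```python
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments and blanks skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def assess(props: Dict[str, str]) -> Dict[str, object]:
    """Classify the registry's TLS/auth mode and name the ELB listener that matches it."""
    findings: List[str] = []
    if not props.get("nifi.registry.web.https.port"):
        return {"mode": "plaintext", "elb": "HTTP listener", "findings": findings}
    if not props.get("nifi.registry.web.https.host"):
        findings.append("nifi.registry.web.https.host is blank")
    if not props.get("nifi.registry.security.keystore"):
        findings.append("HTTPS port is set but nifi.registry.security.keystore is empty")
    client_auth = props.get("nifi.registry.security.needClientAuth", "").lower() == "true"
    idp = props.get("nifi.registry.security.identity.provider", "")
    if client_auth and not idp:
        # Client-certificate auth: the end client must complete the handshake with the
        # registry itself, so the ELB must not terminate TLS (TCP passthrough).
        mode, elb = "two-way TLS", "TCP passthrough (no TLS termination at the ELB)"
    elif idp and not client_auth:
        # Login handled by an identity provider (e.g. LDAP): the ELB may terminate TLS,
        # but then has to trust the registry's self-signed certificate for the back end.
        mode, elb = f"identity provider {idp}", "HTTPS listener that trusts the registry certificate"
    elif client_auth and idp:
        mode, elb = "inconsistent", "undetermined"
        findings.append("needClientAuth=true would block logins through the identity provider")
    else:
        mode, elb = "https, no authentication configured", "undetermined"
        findings.append("neither needClientAuth=true nor an identity provider is set")
    return {"mode": mode, "elb": elb, "findings": findings}


# Constructed sample resembling the two-way TLS case discussed in the thread.
SAMPLE = """# nifi-registry.properties (constructed sample)
nifi.registry.web.https.host=
nifi.registry.web.https.port=18443
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.needClientAuth=true
nifi.registry.security.identity.provider=
"""

if __name__ == "__main__":
    print(assess(parse_properties(SAMPLE)))
```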