Scott,

The original exception is "nested exception is java.security.KeyStoreException: not found". Can you verify that the keystore you've provided is valid using the "keytool" command? In addition, you will need a truststore as well. Try following Pierre's [1] or Bryan's [2] instructions for setting up a secure cluster.

[1] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
[2] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Mar 20, 2018, at 11:05 AM, Scott Howell <[email protected]> wrote:
>
> Thanks for all of the help yesterday, I was able to get a secure nifi and
> nifi-registry up and communicating. I am now trying to figure out how to
> create a secure cluster. I am currently getting this error when I start up
> nifi.
>
> tion; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSenderListener' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'clusterCoordinationProtocolSender' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSender' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'protocolSocketConfiguration' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.security.KeyStoreException: not found
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1634)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>     ... 50 common frames omitted
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSenderListener' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'clusterCoordinationProtocolSender' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSender' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'protocolSocketConfiguration' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.security.KeyStoreException: not found
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
>     at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
>     at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
>     at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1084)
>     at org.apache.nifi.cluster.spring.NodeClusterCoordinatorFactoryBean.getObject(NodeClusterCoordinatorFactoryBean.java:44)
>     at org.apache.nifi.cluster.spring.NodeClusterCoordinatorFactoryBean.getObject(NodeClusterCoordinatorFactoryBean.java:34)
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
>     ... 55 common frames omitted
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSender' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'protocolSocketConfiguration' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.security.KeyStoreException: not found
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
>     at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
>     at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>     ... 70 common frames omitted
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.security.KeyStoreException: not found
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1634)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>     ... 82 common frames omitted
> Caused by: java.security.KeyStoreException: not found
>     at java.security.KeyStore.getInstance(KeyStore.java:851)
>     at org.apache.nifi.security.util.KeyStoreUtils.getKeyStore(KeyStoreUtils.java:66)
>     at org.apache.nifi.security.util.KeyStoreUtils.getTrustStore(KeyStoreUtils.java:80)
>     at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:73)
>     at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:45)
>     at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:30)
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
>     ... 87 common frames omitted
> Caused by: java.security.NoSuchAlgorithmException: KeyStore not available
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
>     at java.security.Security.getImpl(Security.java:695)
>     at java.security.KeyStore.getInstance(KeyStore.java:848)
>     ... 93 common frames omitted
>
> My nifi.properties file is:
>
> # Licensed to the Apache Software Foundation (ASF) under one or more
> # contributor license agreements.  See the NOTICE file distributed with
> # this work for additional information regarding copyright ownership.
> # The ASF licenses this file to You under the Apache License, Version 2.0
> # (the "License"); you may not use this file except in compliance with
> # the License.  You may obtain a copy of the License at
> #
> #     http://www.apache.org/licenses/LICENSE-2.0
> #
> # Unless required by applicable law or agreed to in writing, software
> # distributed under the License is distributed on an "AS IS" BASIS,
> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> # See the License for the specific language governing permissions and
> # limitations under the License.
>
> # Core Properties #
> nifi.version={{nifi_version}}
> nifi.flow.configuration.file=/opt/config/flow.xml.gz
> nifi.flow.configuration.archive.enabled=true
> nifi.flow.configuration.archive.dir=/opt/config/archive/
> nifi.flow.configuration.archive.max.time=30 days
> nifi.flow.configuration.archive.max.storage=500 MB
> nifi.flowcontroller.autoResumeState=true
> nifi.flowcontroller.graceful.shutdown.period=10 sec
> nifi.flowservice.writedelay.interval=500 ms
> nifi.administrative.yield.duration=30 sec
> # If a component has no work to do (is "bored"), how long should we wait before checking again for work?
> nifi.bored.yield.duration=10 millis
>
> nifi.authorizer.configuration.file=/opt/config/authorizers.xml
> nifi.login.identity.provider.configuration.file=/opt/config/login-identity-providers.xml
> nifi.templates.directory=/opt/config/templates
> nifi.ui.banner.text=
> nifi.ui.autorefresh.interval=30 sec
> nifi.nar.library.directory=/opt/nifi/lib
> nifi.nar.library.directory.custom=/opt/config/processors
> nifi.nar.working.directory=/opt/nifi/work/nar/
> nifi.documentation.working.directory=./work/docs/components
>
> ####################
> # State Management #
> ####################
> nifi.state.management.configuration.file=/opt/config/state-management.xml
> # The ID of the local state provider
> nifi.state.management.provider.local=local-provider
> # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster.
> nifi.state.management.provider.cluster=zk-provider
> # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server
> nifi.state.management.embedded.zookeeper.start=false
> # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true
> nifi.state.management.embedded.zookeeper.properties=/opt/config/zookeeper.properties
>
> # H2 Settings
> nifi.database.directory=/opt/database_repository
> nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
>
> # FlowFile Repository
> nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository
> nifi.flowfile.repository.directory=/opt/flowfile_repository
> nifi.flowfile.repository.partitions=256
> nifi.flowfile.repository.checkpoint.interval=2 mins
> nifi.flowfile.repository.always.sync=false
>
> nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager
> nifi.queue.swap.threshold=20000
> nifi.swap.in.period=5 sec
> nifi.swap.in.threads=1
> nifi.swap.out.period=5 sec
> nifi.swap.out.threads=4
>
> # Content Repository
> nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository
> nifi.content.claim.max.appendable.size=10 MB
> nifi.content.claim.max.flow.files=100
> nifi.content.repository.directory.default=/opt/content_repository
> nifi.content.repository.archive.max.retention.period=12 hours
> nifi.content.repository.archive.max.usage.percentage=50%
> nifi.content.repository.archive.enabled=true
> nifi.content.repository.always.sync=false
> nifi.content.viewer.url=/nifi-content-viewer/
>
> # Provenance Repository Properties
> nifi.provenance.repository.implementation=org.apache.nifi.provenance.PersistentProvenanceRepository
>
> # Persistent Provenance Repository Properties
> nifi.provenance.repository.directory.default=/opt/provenance_repository
> nifi.provenance.repository.max.storage.time=24 hours
> nifi.provenance.repository.max.storage.size=1 GB
> nifi.provenance.repository.rollover.time=30 secs
> nifi.provenance.repository.rollover.size=100 MB
> nifi.provenance.repository.query.threads=2
> nifi.provenance.repository.index.threads=1
> nifi.provenance.repository.compress.on.rollover=true
> nifi.provenance.repository.always.sync=false
> nifi.provenance.repository.journal.count=16
> # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are:
> # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details
> nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship
> # FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type
> nifi.provenance.repository.indexed.attributes=
> # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository
> # but should provide better performance
> nifi.provenance.repository.index.shard.size=500 MB
> # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from
> # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved.
> nifi.provenance.repository.max.attribute.length=65536
>
> # Volatile Provenance Respository Properties
> nifi.provenance.repository.buffer.size=100000
>
> # Component Status Repository
> nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository
> nifi.components.status.repository.buffer.size=1440
> nifi.components.status.snapshot.frequency=1 min
>
> # Site to Site properties
> nifi.remote.input.host=
> nifi.remote.input.secure=false
> nifi.remote.input.socket.port=9998
> nifi.remote.input.http.enabled=false
> nifi.remote.input.http.transaction.ttl=30 sec
>
> # web properties #
> nifi.web.war.directory=/opt/nifi/lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.https.host={{redacted}}
> nifi.web.https.port=8443
> nifi.web.jetty.working.directory=/opt/nifi/work/jetty
> nifi.web.jetty.threads=200
>
> # security properties #
> nifi.sensitive.props.key=x0KDgO9L8lAhFGLdvu2VEjFVGc6Kg3V0R5I4bYwoqdgL47moo0wApKQtAVu1BvD
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.keystore=/opt/certs/payit_keystore
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd={{keystore_password}}
> nifi.security.keyPasswd=
> nifi.security.truststore=
> nifi.security.truststoreType=
> nifi.security.truststorePasswd=
> nifi.security.needClientAuth=false
> nifi.security.user.authorizer=file-provider
> nifi.security.user.login.identity.provider=ldap-provider
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
>
> # Identity Mapping Properties #
> # These properties allow normalizing user identities such that identities coming from different identity providers
> # (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
> # DNs from certificates and principals from Kerberos into a common identity string:
> #
> #nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?),dc=(.*?)$
> #nifi.security.identity.mapping.value.dn=$1
> # nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
> # nifi.security.identity.mapping.value.kerb=$1@$2
>
> # cluster common properties (all nodes must have same values) #
> nifi.cluster.protocol.heartbeat.interval=5 sec
> nifi.cluster.protocol.is.secure=true
>
> # cluster node properties (only configure for cluster nodes) #
> nifi.cluster.is.node=true
> nifi.cluster.node.address=nifi-dev.mobilgov.com
> nifi.cluster.node.protocol.port=9999
> nifi.cluster.node.protocol.threads=10
> nifi.cluster.node.event.history.size=25
> nifi.cluster.node.connection.timeout=5 sec
> nifi.cluster.node.read.timeout=5 sec
> nifi.cluster.firewall.file=
>
> # zookeeper properties, used for cluster management #
> nifi.zookeeper.connect.string=internal-etcd-dev-EtcdLoadB-3RWA2WEFBBT8-2068560477.us-east-2.elb.amazonaws.com:2181,internal-etcd-dev-EtcdLoadB-3RWA2WEFBBT8-2068560477.us-east-2.elb.amazonaws.com2182,internal-etcd-dev-EtcdLoadB-3RWA2WEFBBT8-2068560477.us-east-2.elb.amazonaws.com:2183
> nifi.zookeeper.connect.timeout=3 secs
> nifi.zookeeper.session.timeout=3 secs
> nifi.zookeeper.root.node=/nifi
>
> # kerberos #
> nifi.kerberos.krb5.file=
>
> # kerberos service principle #
> nifi.kerberos.service.principal=
> nifi.kerberos.service.keytab.location=
>
> # kerberos spnego principle #
> nifi.kerberos.spnego.principal=
> nifi.kerberos.spnego.keytab.location=
> nifi.kerberos.spnego.authentication.expiration=12 hours
>
> # external properties files for variable registry
> # supports a comma delimited list of file locations
> nifi.variable.registry.properties=
>
> I think I have everything set correctly but I have not been able to start an
> instance up.
>
> Thanks,
>
> Scott
>
>> On Mar 19, 2018, at 4:35 PM, Bryan Bende <[email protected]> wrote:
>>
>> The base file is here for comparison:
>>
>> https://github.com/apache/nifi-registry/blob/master/nifi-registry-resources/src/main/resources/conf/identity-providers.xml#L23
>>
>> On Mon, Mar 19, 2018 at 5:34 PM, Bryan Bende <[email protected]> wrote:
>>> For your first file, is what you showed there actually wrapped in
>>> <identityProviders> </identityProviders> or is it exactly what you
>>> showed?
>>>
>>> It may just be that you only copied/pasted the one provider, but the
>>> root element is not <provider>, so as it is shown there it would not
>>> parse.
>>>
>>> On Mon, Mar 19, 2018 at 2:54 PM, Scott Howell <[email protected]> wrote:
>>>> Here is my file
>>>>
>>>> <provider>
>>>>     <identifier>ldap-identity-provider</identifier>
>>>>     <class>org.apache.nifi.registry.security.ldap.LdapProvider</class>
>>>>     <property name="Authentication Strategy">SIMPLE</property>
>>>>
>>>>     <property name="Manager DN">cn=Manager,dc=mobilgov,dc=com</property>
>>>>     <property name="Manager Password">redacted</property>
>>>>
>>>>     <property name="Referral Strategy">FOLLOW</property>
>>>>     <property name="Connect Timeout">10 secs</property>
>>>>     <property name="Read Timeout">10 secs</property>
>>>>
>>>>     <property name="Url">redacted</property>
>>>>     <property name="User Search Base">ou=users,dc=mobilgov,dc=com</property>
>>>>     <property name="User Search Filter">uid={0}</property>
>>>>
>>>>     <property name="Identity Strategy">USE_DN</property>
>>>>     <property name="Authentication Expiration">12 hours</property>
>>>> </provider>
>>>>
>>>> Here is my authorizers.xml
>>>>
>>>> <authorizers>
>>>>
>>>>     <userGroupProvider>
>>>>         <identifier>file-user-group-provider</identifier>
>>>>         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>>>         <property name="Users File">conf/users.xml</property>
>>>>         <property name="Legacy Authorized Users File"></property>
>>>>         <property name="Initial User Identity 1">redacted</property>
>>>>     </userGroupProvider>
>>>>
>>>>     <accessPolicyProvider>
>>>>         <identifier>file-access-policy-provider</identifier>
>>>>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>>>         <property name="User Group Provider">file-user-group-provider</property>
>>>>         <property name="Authorizations File">conf/authorizations.xml</property>
>>>>         <property name="Initial Admin Identity">redacted</property>
>>>>         <property name="NiFi Identity 1"></property>
>>>>     </accessPolicyProvider>
>>>>
>>>>     <authorizer>
>>>>         <identifier>managed-authorizer</identifier>
>>>>         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>>>>         <property name="Access Policy Provider">file-access-policy-provider</property>
>>>>     </authorizer>
>>>> </authorizers>
>>>>
>>>>> On Mar 19, 2018, at 12:59 PM, Bryan Bende <[email protected]> wrote:
>>>>>
>>>>> It looks like that error would happen if your identity-providers.xml
>>>>> contained invalid XML.
>>>>>
>>>>> Did you start by modifying the identity-providers.xml file that was
>>>>> already there? Can you share the file, or the contents (removing
>>>>> anything sensitive)?
>>>>>
>>>>> On Mon, Mar 19, 2018 at 1:09 PM, Scott Howell <[email protected]> wrote:
>>>>>> So I was able to get the UI pulled up but now I am hitting a roadblock
>>>>>> with my identity-provider.xml.
>>>>>>
>>>>>> I am getting a number of errors like this:
>>>>>>
>>>>>> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getIdentityProvider' defined in class path resource [org/apache/nifi/registry/security/authentication/IdentityProviderFactory.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.nifi.registry.security.authentication.IdentityProvider]: Factory method 'getIdentityProvider' threw exception; nested exception is java.lang.Exception: Unable to load the login identity provider configuration file at: /opt/nifi-registry-0.1.0/conf/identity-providers.xml
>>>>>>     at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:587) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1250) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1099) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:545) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:502) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:312) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[na:na]
>>>>>>     at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:815) ~[na:na]
>>>>>>     at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:721) ~[na:na]
>>>>>>     ... 43 common frames omitted
>>>>>>
>>>>>> I know it has to do with the identity-provider.xml but I have my setup
>>>>>> just like the documentation asks for. I turned on debug but was not able
>>>>>> to see anything different or a better explanation from it.
>>>>>>
>>>>>>> On Mar 19, 2018, at 10:06 AM, Kevin Doran <[email protected]> wrote:
>>>>>>>
>>>>>>> Ok, that use case should be fine.
>>>>>>>
>>>>>>> If it were an authorization issue you would see something in the logs
>>>>>>> saying that an authorization attempt failed and the server is
>>>>>>> responding with a 403. Just to be sure, can you enable debug logging
>>>>>>> if you haven't already, i.e., in your nifi-registry/conf/logback.xml
>>>>>>> file, change 'org.apache.nifi.registry' to debug:
>>>>>>>
>>>>>>> <!-- valid logging levels: TRACE, DEBUG, INFO, WARN, ERROR -->
>>>>>>> <logger name="org.apache.nifi.registry" level="DEBUG"/>
>>>>>>>
>>>>>>> If there is nothing being written to nifi-registry-app.log, it points
>>>>>>> towards a connection issue, so I would double check your host, port,
>>>>>>> and TLS settings. You'll have to get an HTTPS cert from a root CA or
>>>>>>> configure your ELB to trust your company's self-signed cert (again, not
>>>>>>> sure if/how to do this, but I assume there should be some way to
>>>>>>> configure it. It might require settings not exposed in the AWS web
>>>>>>> console.)
>>>>>>>
>>>>>>> On 3/19/18, 10:51, "Scott Howell" <[email protected]> wrote:
>>>>>>>
>>>>>>>     Thanks Kevin,
>>>>>>>
>>>>>>>     I am just using the ELB to go from the public subnet to the private
>>>>>>>     subnet. I will not have multiple instances of registry running.
>>>>>>>
>>>>>>>     I will say on my authorizers.xml there is one difference between my
>>>>>>>     nifi instance. On my nifi instance I am using file-provider for
>>>>>>>     nifi.security.user.authorizer in my nifi.properties. I don't think from
>>>>>>>     reading the documents for nifi-registry that I can use that. If there
>>>>>>>     is a way, that might be my problem. I was running into some issues with
>>>>>>>     my nifi instance when I was using managed-authorizers instead of
>>>>>>>     file-provider.
>>>>>>>
>>>>>>>> On Mar 19, 2018, at 9:35 AM, Kevin Doran <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hey Scott,
>>>>>>>>
>>>>>>>> Assuming you are using two-way TLS with client certificates for
>>>>>>>> authentication, I recommend configuring your ELB for TCP passthrough
>>>>>>>> so that the TLS handshake is between the end-client and the NiFi
>>>>>>>> Registry Server (in other words, no decryption/termination of the TLS
>>>>>>>> connection happens in the ELB). If you are using some other form of
>>>>>>>> authentication (e.g., LDAP), you will need to configure your ELB to
>>>>>>>> trust the self-signed key NiFi Registry is using. I'm not sure how to
>>>>>>>> do that as I've never run an ELB with that configuration before.
>>>>>>>>
>>>>>>>> Also, just a note about using an ELB with NiFi Registry:
>>>>>>>>
>>>>>>>> NiFi Registry currently only supports single-instance use, as
>>>>>>>> persisted data and in-memory state are not synced between multiple
>>>>>>>> instances. Are you hoping to use the ELB for actual load balancing, or
>>>>>>>> is it just to take advantage of other ELB features, such as forwarding
>>>>>>>> and security group rules? If the plan is to load balance multiple
>>>>>>>> Registry instances, just be aware that you will probably run into some
>>>>>>>> unexpected behavior. (As you mentioned using authorization, that is
>>>>>>>> one case where I know the in-memory cache of the persisted data will
>>>>>>>> not refresh across instances, so even if you were using some sort of
>>>>>>>> shared network file system attached to multiple Registry instances,
>>>>>>>> such as EFS, it would not work the way you hope.)
>>>>>>>>
>>>>>>>> Hope this helps,
>>>>>>>> Kevin
>>>>>>>>
>>>>>>>> On 3/19/18, 10:20, "Scott Howell" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>     Thanks for the quick response.
>>>>>>>>
>>>>>>>>     A couple of things I am seeing.
>>>>>>>>
>>>>>>>>     1. There is no error, I don't see anything in the logs once the
>>>>>>>>     service comes up. This is because the health check is not even hitting
>>>>>>>>     the instance when secure.
>>>>>>>>
>>>>>>>>     2. Nothing interesting in the nifi-registry-app.logs. That was my
>>>>>>>>     concern because on my nifi instance I can see the health check hitting
>>>>>>>>     the instance from the ELB. This does not happen on the nifi-registry
>>>>>>>>     instance. I see the service start up and it tells me what domain and
>>>>>>>>     port I can access the UI on, but nothing else after that.
>>>>>>>>
>>>>>>>>     3. When I am on an instance in the same private subnet I am able to
>>>>>>>>     curl the instance and I get the TLS/SSL response, which tells me the keystore is
>>>>>>>>     on the server. I am using a JKS keystore that is self-signed by the
>>>>>>>>     company I work for.
>>>>>>>>
>>>>>>>>> On Mar 19, 2018, at 9:10 AM, Bryan Bende <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> What error are you getting when you cannot access the UI?
>>>>>>>>>
>>>>>>>>> Is there anything interesting in nifi-registry-app.log regarding
>>>>>>>>> authentication/authorization when this happens?
>>>>>>>>>
>>>>>>>>> Can you access the UI securely without going through the ELB?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Bryan
>>>>>>>>>
>>>>>>>>> On Mon, Mar 19, 2018 at 10:05 AM, Scott Howell <[email protected]> wrote:
>>>>>>>>>> I was able to stand up nifi-registry behind an AWS ELB non-secure.
>>>>>>>>>> Everything was working great and I was able to access the UI
>>>>>>>>>> anonymously. I set up the authorization just like on my nifi
>>>>>>>>>> instances along with the authorizers and identity-provider. The
>>>>>>>>>> service comes up without errors and everything looks good, but the
>>>>>>>>>> health check does not pass and I cannot access the UI to log in. I
>>>>>>>>>> was wondering if anyone else has run into this issue using
>>>>>>>>>> nifi-registry.
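The check Andy suggests, as an added example that is not part of this thread or of the NiFi project: a small POSIX shell pre-flight that reads the TLS entries from nifi.properties, lists any that are blank (in the file quoted above the three truststore entries are empty, and the innermost cause in the trace is raised from KeyStoreUtils.getTrustStore), and opens each store with keytool when it is installed. Property names are NiFi's own; the sample properties file, its paths and its password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the NiFi project): pre-flight check of the
# TLS entries in nifi.properties before starting a secure cluster node. A secure
# cluster needs both a keystore and a truststore; blank entries surface at startup
# as KeyStoreException / "KeyStore not available" rather than as a clear message.

# Print the value of one property; empty output if the key is absent or blank.
# Exact key match, so "nifi.security.keystore" does not also match
# "nifi.security.keystoreType"; the value may itself contain "=".
nifi_prop() {
    # $1 = properties file, $2 = property name
    awk -F= -v key="$2" '$1 == key { print substr($0, length(key) + 2); exit }' "$1"
}

# List the TLS properties that are blank, one per line.
# Returns 0 when all six are populated, 1 otherwise.
missing_tls_props() {
    _rc=0
    for p in nifi.security.keystore nifi.security.keystoreType nifi.security.keystorePasswd \
             nifi.security.truststore nifi.security.truststoreType nifi.security.truststorePasswd; do
        if [ -z "$(nifi_prop "$1" "$p")" ]; then
            echo "$p"
            _rc=1
        fi
    done
    return "$_rc"
}

# Confirm a store file is readable and, when keytool is installed, that it opens
# with the declared type. keytool prompts for the store password; it is deliberately
# not passed on the command line, where it would be visible in the process list.
verify_store() {
    # $1 = store path, $2 = store type (JKS, PKCS12, ...)
    [ -r "$1" ] || { echo "store not readable: '$1'"; return 1; }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$1" -storetype "$2" >/dev/null
    else
        echo "keytool not on PATH; skipped content check of $1"
    fi
}

# Run every check relevant to a secure cluster node; non-zero if anything fails.
check_secure_node() {
    f="$1"
    if [ "$(nifi_prop "$f" nifi.cluster.protocol.is.secure)" != "true" ]; then
        echo "nifi.cluster.protocol.is.secure is not true; nothing to check"
        return 0
    fi
    rc=0
    blanks=$(missing_tls_props "$f") || rc=1
    for b in $blanks; do
        echo "blank property: $b"
    done
    verify_store "$(nifi_prop "$f" nifi.security.keystore)" \
                 "$(nifi_prop "$f" nifi.security.keystoreType)" || rc=1
    verify_store "$(nifi_prop "$f" nifi.security.truststore)" \
                 "$(nifi_prop "$f" nifi.security.truststoreType)" || rc=1
    return "$rc"
}

# Constructed sample mirroring the configuration in the thread: keystore entries
# set, truststore entries blank. Paths and the password are placeholders.
SAMPLE="${TMPDIR:-/tmp}/nifi.properties.sample.$$"
cat > "$SAMPLE" <<'EOF'
nifi.cluster.protocol.is.secure=true
nifi.security.keystore=/opt/certs/example_keystore
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=EXAMPLE_PASSWORD
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
EOF
check_secure_node "$SAMPLE" || echo "secure cluster node would fail at startup; fix the items above"
rm -f "$SAMPLE"
```

Run it against the real file with `check_secure_node /path/to/nifi.properties` after sourcing the script; a non-zero exit means at least one store is blank, unreadable, or does not open with the declared type.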
