2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=scott,ou=users,dc={redacted},dc=com
2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip: 10.10.20.32)
2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"

> On Mar 30, 2018, at 10:06 AM, Pierre Villard <pierre.villard...@gmail.com> wrote:
>
> Can you copy/paste exactly what you have in the nifi-users.log when you face
> this error?
> Just want to double check there is not some typo somewhere.
>
> 2018-03-30 16:50 GMT+02:00 Scott Howell <scotthow...@mobilgov.com>:
> Here is my authorizations.xml
>
> <authorizations>
>     <policies>
>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>         </policy>
>         <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
>             <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>             <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>             <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>         </policy>
>     </policies>
> </authorizations>
>
>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pierre.villard...@gmail.com> wrote:
>>
>> Hi Scott,
>>
>> Can you have a look at the authorizations.xml file? (and share the content
>> of it to confirm that node users are given the proxy authorizations?)
>>
>> Thanks!
>>
>> 2018-03-30 16:15 GMT+02:00 Scott Howell <scotthow...@mobilgov.com>:
>> I am nearing the finish line of setting up a cluster using a self-signed
>> cert.
>>
>> When trying to log in to the cluster after the cluster comes up I am able to
>> see in the logs that my initial admin user is able to log in.
>>
>> Once that takes place I get an “Untrusted proxy” error on both the UI and in
>> the nifi-user.log.
>>
>> This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com,
>> OU=Nifi”
>>
>> In my authorizers.xml I have this:
>> <authorizers>
>>     <authorizer>
>>         <identifier>file-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>         <property name="Authorizations File">/opt/config/authorizations.xml</property>
>>         <property name="Users File">/opt/config/users.xml</property>
>>         <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>         <property name="Legacy Authorized Users File"></property>
>>
>>         <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
>>         <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
>>         <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
>>     </authorizer>
>> </authorizers>
>>
>> On the nodes I am seeing this in my user.xml
>> <tenants>
>>     <groups/>
>>     <users>
>>         <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>         <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>         <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>         <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>     </users>
>> </tenants>
>>
>> I believe the issue is with where the “ is in my error "Untrusted proxy
>> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where
>> that quotation is coming from because I can’t find it anywhere.
>>
>> Was wondering if anyone has had issues with this before.
>>
>> Scott
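
A check for the comparison discussed in this thread, as an added example (not code from the thread or from the NiFi project): it takes the identity out of the "Untrusted proxy" log line and compares it, as an exact string, with the identities that hold the /proxy write policy. The inline XML is abbreviated from the files quoted above, the function names are hypothetical, and exact-string matching is an assumption about how the file-based authorizer compares identities.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, abbreviated from the files and log line in the thread.
USERS_XML = """<tenants><groups/><users>
  <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
  <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
</users></tenants>"""
AUTHZ_XML = """<authorizations><policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
    <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
  </policy>
  <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
    <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
  </policy>
</policies></authorizations>"""
LOG_LINE = ('2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter '
            'Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"')

def proxy_identities(users_xml, authz_xml):
    """Return the identity strings of users attached to the /proxy W policy."""
    by_id = {u.get("identifier"): u.get("identity")
             for u in ET.fromstring(users_xml).iter("user")}
    allowed = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if policy.get("resource") == "/proxy" and policy.get("action") == "W":
            for ref in policy.iter("user"):
                if ref.get("identifier") in by_id:
                    allowed.add(by_id[ref.get("identifier")])
    return allowed

def rejected_identity(log_line):
    """Extract the identity that follows 'Untrusted proxy' in a nifi-user.log line."""
    match = re.search(r"Untrusted proxy (.*)$", log_line)
    return match.group(1) if match else None

def normalise(dn):
    """Comparison aid only (not NiFi behaviour): drop quotes and whitespace, lowercase."""
    return re.sub(r'["\s]', "", dn).lower()

def diagnose(log_line, users_xml, authz_xml):
    presented = rejected_identity(log_line)
    if presented is None:
        return ("no-rejection", None)
    allowed = proxy_identities(users_xml, authz_xml)
    if presented in allowed:            # assumed rule: exact string equality
        return ("exact-match", presented)
    near = sorted(a for a in allowed if normalise(a) == normalise(presented))
    return ("near-miss", near[0]) if near else ("not-listed", None)

if __name__ == "__main__":
    print(diagnose(LOG_LINE, USERS_XML, AUTHZ_XML))
```

A "near-miss" result means an entry with the /proxy policy differs from the logged identity only in quoting, spacing or case, so the identity in users.xml and the identity the node presents are not the same string.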