Thinking about it more, I guess if you are not trying to do spnego then that message from the logs is not really an error. The registry UI always tries the spnego end-point first and if it returns the conflict response (as the log says) then you get sent to the login page.
Maybe try turning on debug logging by editing logback.xml <logger name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG. On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel <[email protected]> wrote: > > Hi Bryan, > > I don't have this properties populated in Nifi registry instance > outside Docker (as a service on linux server), and everything works. > > What are this properties up to? > > Regards, > Tom > > > > On Fri, 8 Feb 2019 at 15:25, Bryan Bende <[email protected]> wrote: >> >> The message about "Kerberos service ticket login not supported by this >> NiFi Registry" means that one of the following properties is not >> populated: >> >> nifi.registry.kerberos.spnego.principal= >> nifi.registry.kerberos.spnego.keytab.location= >> >> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel <[email protected]> wrote: >> > >> > Hi Daniel, >> > >> > Ok, I see. Thanks for the answer. >> > >> > I switched to official Nifi registry image. I succeeded to spin up >> > registry in docker container and to >> > setup Kerberos provider in identity-providers.xml. Also I configured >> > authorizers.xml as per afficial Nifi documentation. >> > >> > I already have the same setup with Kerberos, but not in Docker container. >> > And everything works like a charm. >> > >> > When I enter credentials, login does not pass. This is app log: >> > >> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] >> > o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: >> > Kerberos service ticket login not supported by this NiFi Registry. >> > Returning Conflict response. >> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] >> > o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated >> > due to: >> > org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: >> > An Authentication object was not found in the SecurityContext Returning >> > 401 response. >> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] >> > o.a.n.r.w.m.UnauthorizedExceptionMapper >> > org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied >> > client credentials are not valid.. Returning Unauthorized response. >> > >> > Not sure what is going on here. >> > >> > Regards, >> > Tom >> > >> > >> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson <[email protected]> >> > wrote: >> >> >> >> Hi Tomislav, >> >> I created that build a long time ago before the official apache one was >> >> up, and it is out of date sorry. >> >> Can I suggest you switch to the official apache image that Kevin >> >> mentioned and try again? It is an up to date version and recommended by >> >> the community. >> >> >> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <[email protected]> >> >> wrote: >> >>> >> >>> Hi Kevin, >> >>> >> >>> I'm using image from Docker hub on this link: >> >>> https://hub.docker.com/r/chaffelson/nifi-registry >> >>> >> >>> I think I know where is the problem. The problem is in config file where >> >>> http host and http port property remains even if I manually set https >> >>> host and htpps port. >> >>> I deleted http host and http port to be empty, but when I started >> >>> container again, those values are again there. >> >>> >> >>> I don't know what the author of image wanted to say with this: >> >>> >> >>> The Docker image can be built using the following command: >> >>> >> >>> . >> >>> ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh >> >>> >> >>> What does this commend mean? >> >>> >> >>> And this: >> >>> >> >>> Note: The default version of NiFi-Registry specified by the Dockerfile >> >>> is typically that of one that is unreleased if working from source. To >> >>> build an image for a prior released version, one can override the >> >>> NIFI_REGISTRY_VERSIONbuild-arg with the following command: >> >>> >> >>> docker build --build-arg=NIFI_REGISRTY_VERSION={Desired NiFi-Registry >> >>> Version} -t apache/nifi-registry:latest . >> >>> >> >>> For this command above you need to have Dockerfile. I tried with >> >>> Dockerfile from docker hub, but there are errors in execution on this >> >>> line: >> >>> >> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/ >> >>> >> >>> On the other hand, If I manage to get the image with first command, I >> >>> will get Nifi registry version 0.1.0 which I don't want. >> >>> >> >>> I'm little bit confused here, sorry for longer mail. >> >>> >> >>> Thanks. >> >>> >> >>> Regards, >> >>> Tom >> >>> >> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran <[email protected]> wrote: >> >>>> >> >>>> Hi Tom, >> >>>> >> >>>> Are you using the apache/nifi-registry image or a custom image for this? >> >>>> >> >>>> Have you configured TLS? >> >>>> Can you share your complete conf dir (removing sensitive values such as >> >>>> password or domains)? >> >>>> >> >>>> Thanks, >> >>>> Kevin >> >>>> >> >>>> >> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel >> >>>> ([email protected]) wrote: >> >>>> > Hi all, >> >>>> > >> >>>> > I'm trying to configure Nifi registry authentication with Kerberos >> >>>> > while >> >>>> > Nifi registry runs >> >>>> > inside Docker container. >> >>>> > >> >>>> > I configured all security properties in nifi-registry.properties, >> >>>> > login >> >>>> > identity provider and >> >>>> > authorizers.xml. Everything the same as for Nifi registry running as a >> >>>> > service without Docker container. >> >>>> > >> >>>> > When I open UI in browser and type in login data, login dose not pass. >> >>>> > >> >>>> > In /logs/nifi-registry-app.log I see error: >> >>>> > >> >>>> > An Authentication object was not found in the SecurityContext >> >>>> > Returning >> >>>> > 401 response >> >>>> > java.lang.IllegalStateException: Access tokens are only issued over >> >>>> > HTTPS >> >>>> > >> >>>> > nifi.registry.web.https.host property is default because of Docker: >> >>>> > ae24ea32faef >> >>>> > nifi.registry.web.https.port=18080 >> >>>> > >> >>>> > How can I resolve this? >> >>>> > Thanks. >> >>>> > >> >>>> > >> >>>> > BR, >> >>>> > Tom >> >>>> > >> >>>>
