Hi all,

I gave up regarding Kerberos auth from Docker, it is a strange issue. I switched after to LDAP auth from Docker container and it works.
I'm using official nifi image and I used 'docker run' command from the site:
https://hub.docker.com/r/apache/nifi

But still, issue remains... after I login, I can't add new users or modify them. In conf folder I see in authorizations.xml that my Initial admin identity user has rights to do that.

My conf for authorizers.xml is this:

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">user1</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">user1</property>
    <property name="NiFi Identity 1"></property>
</accessPolicyProvider>

<authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

In identity-providers.xml everything is good I believe as I can login into Nifi UI. Also when I open user1 properties in Nifi UI I can see privileges of that initial user and it has all the rights to create new users, policies etc.

What am I missing?

Thanks,
Tom

On Fri, 8 Feb 2019 at 16:03, Bryan Bende <bbe...@gmail.com> wrote:
> Thinking about it more, I guess if you are not trying to do spnego
> then that message from the logs is not really an error. The registry
> UI always tries the spnego end-point first and if it returns the
> conflict response (as the log says) then you get sent to the login
> page.
>
> Maybe try turning on debug logging by editing logback.xml <logger name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG.
>
> On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel <to.novo...@gmail.com> wrote:
> >
> > Hi Bryan,
> >
> > I don't have these properties populated in Nifi registry instance
> > outside Docker (as a service on linux server), and everything works.
> >
> > What are these properties up to?
> >
> > Regards,
> > Tom
> >
> > On Fri, 8 Feb 2019 at 15:25, Bryan Bende <bbe...@gmail.com> wrote:
> >>
> >> The message about "Kerberos service ticket login not supported by this
> >> NiFi Registry" means that one of the following properties is not
> >> populated:
> >>
> >> nifi.registry.kerberos.spnego.principal=
> >> nifi.registry.kerberos.spnego.keytab.location=
> >>
> >> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel <to.novo...@gmail.com> wrote:
> >> >
> >> > Hi Daniel,
> >> >
> >> > Ok, I see. Thanks for the answer.
> >> >
> >> > I switched to official Nifi registry image. I succeeded to spin up registry in docker container and to
> >> > setup Kerberos provider in identity-providers.xml. Also I configured authorizers.xml as per official Nifi documentation.
> >> >
> >> > I already have the same setup with Kerberos, but not in Docker container. And everything works like a charm.
> >> >
> >> > When I enter credentials, login does not pass. This is app log:
> >> >
> >> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> >> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
> >> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.
> >> >
> >> > Not sure what is going on here.
> >> >
> >> > Regards,
> >> > Tom
> >> >
> >> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson <chaffel...@gmail.com> wrote:
> >> >>
> >> >> Hi Tomislav,
> >> >> I created that build a long time ago before the official apache one was up, and it is out of date sorry.
> >> >> Can I suggest you switch to the official apache image that Kevin mentioned and try again? It is an up to date version and recommended by the community.
> >> >>
> >> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <to.novo...@gmail.com> wrote:
> >> >>>
> >> >>> Hi Kevin,
> >> >>>
> >> >>> I'm using image from Docker hub on this link:
> >> >>> https://hub.docker.com/r/chaffelson/nifi-registry
> >> >>>
> >> >>> I think I know where is the problem. The problem is in config file where
> >> >>> http host and http port property remains even if I manually set https host and https port.
> >> >>> I deleted http host and http port to be empty, but when I started container again, those values are again there.
> >> >>>
> >> >>> I don't know what the author of image wanted to say with this:
> >> >>>
> >> >>> The Docker image can be built using the following command:
> >> >>>
> >> >>> . ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
> >> >>>
> >> >>> What does this command mean?
> >> >>>
> >> >>> And this:
> >> >>>
> >> >>> Note: The default version of NiFi-Registry specified by the Dockerfile is typically that of one that is unreleased if working from source. To build an image for a prior released version, one can override the NIFI_REGISTRY_VERSION build-arg with the following command:
> >> >>>
> >> >>> docker build --build-arg=NIFI_REGISRTY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .
> >> >>>
> >> >>> For this command above you need to have Dockerfile. I tried with Dockerfile from docker hub, but there are errors in execution on this line:
> >> >>>
> >> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
> >> >>>
> >> >>> On the other hand, If I manage to get the image with first command, I will get Nifi registry version 0.1.0 which I don't want.
> >> >>>
> >> >>> I'm little bit confused here, sorry for longer mail.
> >> >>>
> >> >>> Thanks.
> >> >>>
> >> >>> Regards,
> >> >>> Tom
> >> >>>
> >> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran <kdo...@apache.org> wrote:
> >> >>>>
> >> >>>> Hi Tom,
> >> >>>>
> >> >>>> Are you using the apache/nifi-registry image or a custom image for this?
> >> >>>>
> >> >>>> Have you configured TLS?
> >> >>>> Can you share your complete conf dir (removing sensitive values such as password or domains)?
> >> >>>>
> >> >>>> Thanks,
> >> >>>> Kevin
> >> >>>>
> >> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel (to.novo...@gmail.com) wrote:
> >> >>>> > Hi all,
> >> >>>> >
> >> >>>> > I'm trying to configure Nifi registry authentication with Kerberos while
> >> >>>> > Nifi registry runs inside Docker container.
> >> >>>> >
> >> >>>> > I configured all security properties in nifi-registry.properties, login
> >> >>>> > identity provider and authorizers.xml. Everything the same as for Nifi registry
> >> >>>> > running as a service without Docker container.
> >> >>>> >
> >> >>>> > When I open UI in browser and type in login data, login does not pass.
> >> >>>> >
> >> >>>> > In /logs/nifi-registry-app.log I see error:
> >> >>>> >
> >> >>>> > An Authentication object was not found in the SecurityContext Returning 401 response
> >> >>>> > java.lang.IllegalStateException: Access tokens are only issued over HTTPS
> >> >>>> >
> >> >>>> > nifi.registry.web.https.host property is default because of Docker:
> >> >>>> > ae24ea32faef
> >> >>>> > nifi.registry.web.https.port=18080
> >> >>>> >
> >> >>>> > How can I resolve this?
> >> >>>> > Thanks.
> >> >>>> >
> >> >>>> > BR,
> >> >>>> > Tom
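
A consistency check for an authorizers.xml laid out like the one quoted at the top of this thread, given here as an added example that is not part of any message in the thread nor NiFi project code. It assumes identities are matched as exact strings; the sample XML, the `User1` value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the thread's authorizers.xml layout; identities are placeholders.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">user1</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">User1</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""

def _ident(elem):
    return elem.findtext("identifier", "").strip()

def _props(elem):
    """Map property name -> stripped text for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}

def check_authorizers(xml_text):
    """Return a list of consistency problems found in an authorizers.xml string."""
    root = ET.fromstring(xml_text)
    problems = []
    ugps = {_ident(e): _props(e) for e in root.findall("userGroupProvider")}
    apps = {_ident(e): _props(e) for e in root.findall("accessPolicyProvider")}
    for ident, props in apps.items():
        ugp = props.get("User Group Provider", "")
        if ugp not in ugps:
            problems.append(f"{ident}: unknown User Group Provider '{ugp}'")
            continue
        users = {v for k, v in ugps[ugp].items()
                 if k.startswith("Initial User Identity") and v}
        admin = props.get("Initial Admin Identity", "")
        if not admin:
            problems.append(f"{ident}: Initial Admin Identity is empty")
        elif admin not in users:
            # Assumption: exact string match, so case or DN-vs-username differences count.
            problems.append(f"{ident}: Initial Admin Identity '{admin}' "
                            f"is not an Initial User Identity of {ugp}")
    for e in root.findall("authorizer"):
        app = _props(e).get("Access Policy Provider", "")
        if app not in apps:
            problems.append(f"{_ident(e)}: unknown Access Policy Provider '{app}'")
    return problems

if __name__ == "__main__":
    print(check_authorizers(SAMPLE))
```

The identity to compare against is the string the login provider actually hands to the authorizer, which for LDAP or Kerberos logins may be a full DN or principal rather than a short username.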