Hi Kevin,

Thank you for your suggestions. I succeeded to get everything working now. As you described, everything is now exactly like that in the files you mentioned.

One strange thing. At first startup of the container, I can log in to the UI without problems, but I cannot add new users and policies. After I refreshed the UI in the browser, I was able to do that. So just after refreshing. ?? And also, I'm not able to modify my initial admin and user privileges, I mean for myself, but for a newly added user I can. I read on some forums that the sync between Nifi and AD can be slow. I'm on my company's domain and there are a couple of hundred users.

BR,
Tom

On Wed, 13 Feb 2019, 15:29 Kevin Doran <[email protected]> wrote:

> Hi Tom,
>
> How are you configuring the various config files? Through the docker
> container's environment variables, or through modifying those files
> directly? If modifying those files, are you injecting them through a volume
> or something like that? Trying to determine if there is something else at
> play here overwriting your settings on startup...
>
> It sounds like you are able to configure authentication/login
> successfully, and are just running into a snag on the authorization /
> initial admin side of things.
>
> Try this:
>
> 1. In authorizers.xml, set the "Initial User Identity 1" and "Initial
> Admin Identity" properties to exactly match the user identity recognized by
> NiFi (the one you see in the upper-right corner of the UI after logging
> in). Make sure whitespace and capitalization all agree.
>
> 2. Delete users.xml and authorizations.xml files and restart NiFi Registry.
>
> If all goes successfully, your users.xml file should be regenerated to
> hold a user with an identity matching "Initial User Identity 1", and
> authorizations.xml should be regenerated to hold the policies for the
> "Initial Admin Identity".
>
> If you get that working, you can improve things a bit by configuring the
> LdapUserGroupProvider to sync users and groups from LDAP, letting you set
> policies in the UI without having to manually create users that match the
> LDAP directory users.
>
> Hope this helps,
> Kevin
>
>
> On February 13, 2019 at 03:56:52, Tomislav Novosel ([email protected]) wrote:
> > Also, FYI.
> >
> > If I set for INITIAL_ADMIN_IDENTITY my user's full DN, cn=...,ou=...,dc=...
> > I can also login into UI, but there is no properties button upper right in
> > the UI.
> >
> > [image: 1.PNG]
> >
> > If I set only USERNAME to be u21g46, I can see properties button, but I
> > can't add new users.
> >
> > BR,
> > Tom
> >
> > On Fri, 8 Feb 2019 at 16:03, Bryan Bende wrote:
> >
> > > Thinking about it more, I guess if you are not trying to do spnego
> > > then that message from the logs is not really an error. The registry
> > > UI always tries the spnego end-point first and if it returns the
> > > conflict response (as the log says) then you get sent to the login
> > > page.
> > >
> > > Maybe try turning on debug logging by editing logback.xml
> > > <logger name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG.
> > >
> > > On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel wrote:
> > >
> > > > Hi Bryan,
> > > >
> > > > I don't have these properties populated in Nifi registry instance
> > > > outside Docker (as a service on linux server), and everything works.
> > > >
> > > > What are these properties up to?
> > > >
> > > > Regards,
> > > > Tom
> > > >
> > > > On Fri, 8 Feb 2019 at 15:25, Bryan Bende wrote:
> > > >>
> > > >> The message about "Kerberos service ticket login not supported by this
> > > >> NiFi Registry" means that one of the following properties is not
> > > >> populated:
> > > >>
> > > >> nifi.registry.kerberos.spnego.principal=
> > > >> nifi.registry.kerberos.spnego.keytab.location=
> > > >>
> > > >> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel wrote:
> > > >> >
> > > >> > Hi Daniel,
> > > >> >
> > > >> > Ok, I see. Thanks for the answer.
> > > >> >
> > > >> > I switched to official Nifi registry image.
> > > >> > I succeeded to spin up registry in docker container and to
> > > >> > setup Kerberos provider in identity-providers.xml. Also I configured authorizers.xml as per official Nifi documentation.
> > > >> >
> > > >> > I already have the same setup with Kerberos, but not in Docker container. And everything works like a charm.
> > > >> >
> > > >> > When I enter credentials, login does not pass. This is app log:
> > > >> >
> > > >> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> > > >> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
> > > >> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.
> > > >> >
> > > >> > Not sure what is going on here.
> > > >> >
> > > >> > Regards,
> > > >> > Tom
> > > >> >
> > > >> >
> > > >> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson wrote:
> > > >> >>
> > > >> >> Hi Tomislav,
> > > >> >> I created that build a long time ago before the official apache one was up, and it is out of date sorry.
> > > >> >> Can I suggest you switch to the official apache image that Kevin mentioned and try again? It is an up to date version and recommended by the community.
> > > >> >>
> > > >> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <[email protected]> wrote:
> > > >> >>>
> > > >> >>> Hi Kevin,
> > > >> >>>
> > > >> >>> I'm using image from Docker hub on this link:
> > > >> >>> https://hub.docker.com/r/chaffelson/nifi-registry
> > > >> >>>
> > > >> >>> I think I know where is the problem. The problem is in config file where
> > > >> >>> http host and http port property remains even if I manually set https host and https port.
> > > >> >>> I deleted http host and http port to be empty, but when I started container again, those values are again there.
> > > >> >>>
> > > >> >>> I don't know what the author of image wanted to say with this:
> > > >> >>>
> > > >> >>> The Docker image can be built using the following command:
> > > >> >>>
> > > >> >>> . ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
> > > >> >>>
> > > >> >>> What does this command mean?
> > > >> >>>
> > > >> >>> And this:
> > > >> >>>
> > > >> >>> Note: The default version of NiFi-Registry specified by the Dockerfile is typically that of one that is unreleased if working from source. To build an image for a prior released version, one can override the NIFI_REGISTRY_VERSION build-arg with the following command:
> > > >> >>>
> > > >> >>> docker build --build-arg=NIFI_REGISTRY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .
> > > >> >>>
> > > >> >>> For this command above you need to have Dockerfile. I tried with Dockerfile from docker hub, but there are errors in execution on this line:
> > > >> >>>
> > > >> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
> > > >> >>>
> > > >> >>> On the other hand, If I manage to get the image with first command, I will get Nifi registry version 0.1.0 which I don't want.
> > > >> >>>
> > > >> >>> I'm little bit confused here, sorry for longer mail.
> > > >> >>>
> > > >> >>> Thanks.
> > > >> >>>
> > > >> >>> Regards,
> > > >> >>> Tom
> > > >> >>>
> > > >> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran wrote:
> > > >> >>>>
> > > >> >>>> Hi Tom,
> > > >> >>>>
> > > >> >>>> Are you using the apache/nifi-registry image or a custom image for this?
> > > >> >>>>
> > > >> >>>> Have you configured TLS?
> > > >> >>>> Can you share your complete conf dir (removing sensitive values such as password or domains)?
> > > >> >>>>
> > > >> >>>> Thanks,
> > > >> >>>> Kevin
> > > >> >>>>
> > > >> >>>>
> > > >> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel ([email protected]) wrote:
> > > >> >>>> > Hi all,
> > > >> >>>> >
> > > >> >>>> > I'm trying to configure Nifi registry authentication with Kerberos while
> > > >> >>>> > Nifi registry runs
> > > >> >>>> > inside Docker container.
> > > >> >>>> >
> > > >> >>>> > I configured all security properties in nifi-registry.properties, login
> > > >> >>>> > identity provider and
> > > >> >>>> > authorizers.xml. Everything the same as for Nifi registry running as a
> > > >> >>>> > service without Docker container.
> > > >> >>>> >
> > > >> >>>> > When I open UI in browser and type in login data, login does not pass.
> > > >> >>>> >
> > > >> >>>> > In /logs/nifi-registry-app.log I see error:
> > > >> >>>> >
> > > >> >>>> > An Authentication object was not found in the SecurityContext Returning
> > > >> >>>> > 401 response
> > > >> >>>> > java.lang.IllegalStateException: Access tokens are only issued over HTTPS
> > > >> >>>> >
> > > >> >>>> > nifi.registry.web.https.host property is default because of Docker:
> > > >> >>>> > ae24ea32faef
> > > >> >>>> > nifi.registry.web.https.port=18080
> > > >> >>>> >
> > > >> >>>> > How can I resolve this?
> > > >> >>>> > Thanks.
> > > >> >>>> >
> > > >> >>>> >
> > > >> >>>> > BR,
> > > >> >>>> > Tom
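
The check from Kevin's 13 Feb reply (the "Initial User Identity 1" and "Initial Admin Identity" values in authorizers.xml must match the identity NiFi Registry shows after login, including whitespace and capitalization), written out as an added example that is not part of the original e-mails or of NiFi Registry. The trimmed XML, the DN and the function names are constructed for illustration; only the two property names and the short user name come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a file from the thread: a trimmed authorizers.xml in
# which one value carries a trailing space and the other is a full DN, while
# the UI shows the short user name.
SAMPLE_AUTHORIZERS = """
<authorizers>
  <userGroupProvider>
    <property name="Initial User Identity 1">u21g46 </property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Initial Admin Identity">cn=u21g46,ou=people,dc=example,dc=com</property>
  </accessPolicyProvider>
</authorizers>
"""

def initial_identities(xml_text):
    """Return {property name: raw value} for the initial identity properties."""
    found = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        if name == "Initial Admin Identity" or name.startswith("Initial User Identity"):
            found[name] = prop.text or ""  # keep whitespace: it is what we test
    return found

def classify(configured, ui_identity):
    """Say how a configured value differs from the identity shown in the UI."""
    if configured == ui_identity:
        return "exact match"
    if configured.strip() == ui_identity.strip():
        return "whitespace differs"
    if configured.strip().lower() == ui_identity.strip().lower():
        return "capitalization differs"
    return "different identity"

def check(xml_text, ui_identity):
    """Map each initial identity property to its comparison result."""
    return {name: classify(value, ui_identity)
            for name, value in initial_identities(xml_text).items()}

if __name__ == "__main__":
    # ui_identity is the string seen in the upper-right corner after login.
    for name, verdict in check(SAMPLE_AUTHORIZERS, "u21g46").items():
        print(f"{name}: {verdict}")
```

Anything other than "exact match" should be corrected in authorizers.xml before deleting users.xml and authorizations.xml and restarting, as in step 2 of that reply.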
