Hello,

I believe the video should cover this, but did you add a user
representing your NiFi instance and grant it the permissions for proxy
and read all buckets?

That is what "NiFi Identity 1" would have done, but that only gets
used on initial setup, so you would do it from the UI now.

-Bryan

On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <nathanmay...@gmail.com> wrote:
>
> Hopefully I can get some guidance on configuring secure communication between 
> NiFi and NiFi-Registry. The Error I have been trying to resolve occurs when 
> trying to send a processor group to NiFi-Registry for versioning. Below is 
> the error message displayed in the NiFi UI.
>
> "Unable to obtain listing of buckets: 
> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all 
> buckets: An Authentication object was not found in the SecurityContext 
> Contact the system administrator. "
>
> I started out by watching the tutorial video "Setting Up a Secure NiFi to 
> Integrate with a Secure NiFi Registry" posted on the Registry home page. I am 
> using a Kerberos file-based authentication scheme with the initial admin and 
> initial user set to the same value, e.g. "n...@domain.com" (this is a 
> sanitized value and is used in the configuration example below). It is based 
> on the configuration we are using for NiFi. My nifi-registry.properties file 
> has the following relevant values set.
>
> # security properties #
> nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
> nifi.registry.security.keystoreType=pkcs12
> nifi.registry.security.keystorePasswd=XXXXXX
> nifi.registry.security.keyPasswd=XXXXXX
> nifi.registry.security.truststore=/path/to/cacerts
> nifi.registry.security.truststoreType=jks
> nifi.registry.security.truststorePasswd=XXXXXX
> nifi.registry.security.needClientAuth=false
> nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
> nifi.registry.security.authorizer=managed-authorizer
> nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
> nifi.registry.security.identity.provider=kerberos-identity-provider
>
> ...
>
> # kerberos properties #
> nifi.registry.kerberos.krb5.file=/etc/krb5.conf
> nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
> nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
> nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>
> And in authorizers.xml I have:
>
> <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Initial User Identity 1">u...@domain.com</property>
> </userGroupProvider>
>
> <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">u...@domain.com</property>
>         <property name="NiFi Identity 1"></property>
> </accessPolicyProvider>
> <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
> </authorizer>
>
> The SSL configuration appears to be correctly set. I am able to access the 
> NiFi Registry UI via username and password. Despite my best efforts to read 
> the documentation, I am unclear on the following points.
>
> Do I need to set the <property name="NiFi Identity 1"></property>?
> Are there any special considerations I need to be aware of if I run NiFi and 
> the NiFi Registry from the same box and use the same domain name?
>
> Any guidance you may be able to share would be appreciated.
>
>
> --
> Nathan Maynes
> @nathanmaynes
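As an added illustration (not part of this thread), here is what the fix Bryan describes looks like in the file-based providers. The identity of the NiFi instance is the DN of its keystore certificate; the DN "CN=nifi.domain.com, OU=NIFI" and the UUIDs below are placeholders constructed for this example. The "NiFi Identity 1" property is only consumed when users.xml and authorizations.xml are first generated, so on an existing Registry the same two entries are created by adding the user and granting the policies in the UI; the second and third fragments show the result either way.

```xml
<!-- authorizers.xml: "NiFi Identity 1" is only read when users.xml and
     authorizations.xml do not exist yet (initial setup). The value must be the
     exact DN of the NiFi node's certificate; this DN is a placeholder. -->
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">u...@domain.com</property>
    <property name="NiFi Identity 1">CN=nifi.domain.com, OU=NIFI</property>
</accessPolicyProvider>

<!-- users.xml (generated): the NiFi instance gets its own user entry next to
     the initial admin. Identifier UUIDs are constructed for the example. -->
<tenants>
    <groups/>
    <users>
        <user identifier="7a1c0c4e-0000-4000-8000-000000000001" identity="u...@domain.com"/>
        <user identifier="7a1c0c4e-0000-4000-8000-000000000002" identity="CN=nifi.domain.com, OU=NIFI"/>
    </users>
</tenants>

<!-- authorizations.xml (generated): the two policies Bryan names, granted to
     the NiFi user. /proxy with W lets NiFi forward the end user's identity to
     the Registry; /buckets with R lets it obtain the listing of buckets that
     failed in the error above. Without a user matching the NiFi certificate
     DN, the Registry has no Authentication object for the request. -->
<authorizations>
    <policies>
        <policy identifier="7a1c0c4e-0000-4000-8000-0000000000a1" resource="/proxy" action="W">
            <user identifier="7a1c0c4e-0000-4000-8000-000000000002"/>
        </policy>
        <policy identifier="7a1c0c4e-0000-4000-8000-0000000000a2" resource="/buckets" action="R">
            <user identifier="7a1c0c4e-0000-4000-8000-000000000002"/>
        </policy>
    </policies>
</authorizations>
```

The identity string must match the certificate DN byte for byte (including spacing after commas), which is the usual reason a user that looks correct in the UI still does not match the NiFi instance.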
