The video appears to show certificate-based access. When I set the NiFi Identity 1 for a Kerberos scheme, should it follow the [email protected] format? If it does, would the NiFi Identity 1 for localhost be nifi@LOCALHOST?

On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <[email protected]> wrote:

> Hello,
>
> I believe the video should cover this, but did you add a user
> representing your NiFi instance and grant it the permissions for proxy
> and read all buckets?
>
> That is what "NiFi Identity 1" would have done, but that only gets
> used on initial setup, so you would do it from the UI now.
>
> -Bryan
>
> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <[email protected]> wrote:
> >
> > Hopefully I can get some guidance on configuring secure communication
> > between NiFi and NiFi-Registry. The Error I have been trying to resolve
> > occurs when trying to send a processor group to NiFi-Registry for
> > versioning. Below is the error message displayed in the NiFi UI.
> >
> > "Unable to obtain listing of buckets:
> > org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
> > buckets: An Authentication object was not found in the SecurityContext
> > Contact the system administrator. "
> >
> > I started out by watching the tutorial video "Setting Up a Secure NiFi
> > to Integrate with a Secure NiFi Registry" posted on the Registry home page.
> > I am using a Kerberos file-based authentication scheme with the initial
> > admin and initial user set to the same value, e.g. "[email protected]." (This
> > is a sanitized value and is used in the configuration example below.) It is
> > based on the configuration we are using for NiFi. My
> > nifi-registry.properties file has the following relevant values set.
> >
> > # security properties #
> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
> > nifi.registry.security.keystoreType=pkcs12
> > nifi.registry.security.keystorePasswd=XXXXXX
> > nifi.registry.security.keyPasswd=XXXXXX
> > nifi.registry.security.truststore=/path/to/cacerts
> > nifi.registry.security.truststoreType=jks
> > nifi.registry.security.truststorePasswd=XXXXXX
> > nifi.registry.security.needClientAuth=false
> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
> > nifi.registry.security.authorizer=managed-authorizer
> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
> > nifi.registry.security.identity.provider=kerberos-identity-provider
> >
> > ...
> >
> > # kerberos properties #
> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
> >
> > And in authorizers.xml I have:
> >
> > <userGroupProvider>
> >     <identifier>file-user-group-provider</identifier>
> >     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
> >     <property name="Users File">./conf/users.xml</property>
> >     <property name="Initial User Identity 1">[email protected]</property>
> > </userGroupProvider>
> >
> > <accessPolicyProvider>
> >     <identifier>file-access-policy-provider</identifier>
> >     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
> >     <property name="User Group Provider">file-user-group-provider</property>
> >     <property name="Authorizations File">./conf/authorizations.xml</property>
> >     <property name="Initial Admin Identity">[email protected]</property>
> >     <property name="NiFi Identity 1"></property>
> > </accessPolicyProvider>
> > <authorizer>
> >     <identifier>managed-authorizer</identifier>
> >     <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
> >     <property name="Access Policy Provider">file-access-policy-provider</property>
> > </authorizer>
> >
> > The SSL configuration appears to be correctly set. I am able to access
> > via username and password, the NiFi Registry UI. Despite my best efforts to
> > read the documentation, I am unclear on the following points.
> >
> > Do I need to set the <property name="NiFi Identity 1"></property>?
> > Are there any special considerations I need to be aware of if I run NiFi
> > and the NiFi Registry from the same box and use the same domain name?
> >
> > Any guidance you may be able to share would be appreciated.
> >
> >
> > --
> > Nathan Maynes
> > @nathanmaynes
>

--
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
