Your NiFi identity will always be the DN of the server certificate that NiFi is using, which is specified in nifi.security.keystore in nifi.properties.

Kerberos is only for the end-users that use the NiFi web application. In the video around 6:45 where a user is added to registry like "CN=localhost, OU=NIFI", you would do the same thing, except it would be the value coming from your NiFi server cert, so it would have your hostname and possibly a different OU.

On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <[email protected]> wrote:
>
> The video appears to show certificate based access. When I set the NiFi Identity 1 for a Kerberos scheme, should it follow the [email protected] format? If it does, would the NiFi Identity 1 for localhost be nifi@LOCALHOST?
>
> On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <[email protected]> wrote:
>>
>> Hello,
>>
>> I believe the video should cover this, but did you add a user representing your NiFi instance and grant it the permissions for proxy and read all buckets?
>>
>> That is what "NiFi Identity 1" would have done, but that only gets used on initial setup, so you would do it from the UI now.
>>
>> -Bryan
>>
>> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <[email protected]> wrote:
>> >
>> > Hopefully I can get some guidance on configuring secure communication between NiFi and NiFi-Registry. The error I have been trying to resolve occurs when trying to send a processor group to NiFi-Registry for versioning. Below is the error message displayed in the NiFi UI.
>> >
>> > "Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all buckets: An Authentication object was not found in the SecurityContext Contact the system administrator."
>> >
>> > I started out by watching the tutorial video "Setting Up a Secure NiFi to Integrate with a Secure NiFi Registry" posted on the Registry home page. I am using a Kerberos file-based authentication scheme with the initial admin and initial user set to the same value, e.g. "[email protected]". (This is a sanitized value and is used in the configuration example below.) It is based on the configuration we are using for NiFi. My nifi-registry.properties file has the following relevant values set.
>> >
>> > # security properties #
>> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
>> > nifi.registry.security.keystoreType=pkcs12
>> > nifi.registry.security.keystorePasswd=XXXXXX
>> > nifi.registry.security.keyPasswd=XXXXXX
>> > nifi.registry.security.truststore=/path/to/cacerts
>> > nifi.registry.security.truststoreType=jks
>> > nifi.registry.security.truststorePasswd=XXXXXX
>> > nifi.registry.security.needClientAuth=false
>> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
>> > nifi.registry.security.authorizer=managed-authorizer
>> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
>> > nifi.registry.security.identity.provider=kerberos-identity-provider
>> >
>> > ...
>> >
>> > # kerberos properties #
>> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
>> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
>> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
>> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>> >
>> > And in authorizers.xml I have:
>> >
>> > <userGroupProvider>
>> >     <identifier>file-user-group-provider</identifier>
>> >     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>> >     <property name="Users File">./conf/users.xml</property>
>> >     <property name="Initial User Identity 1">[email protected]</property>
>> > </userGroupProvider>
>> >
>> > <accessPolicyProvider>
>> >     <identifier>file-access-policy-provider</identifier>
>> >     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>> >     <property name="User Group Provider">file-user-group-provider</property>
>> >     <property name="Authorizations File">./conf/authorizations.xml</property>
>> >     <property name="Initial Admin Identity">[email protected]</property>
>> >     <property name="NiFi Identity 1"></property>
>> > </accessPolicyProvider>
>> >
>> > <authorizer>
>> >     <identifier>managed-authorizer</identifier>
>> >     <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>> >     <property name="Access Policy Provider">file-access-policy-provider</property>
>> > </authorizer>
>> >
>> > The SSL configuration appears to be correctly set. I am able to access the NiFi Registry UI via username and password. Despite my best efforts to read the documentation, I am unclear on the following points.
>> >
>> > Do I need to set the <property name="NiFi Identity 1"></property>?
>> > Are there any special considerations I need to be aware of if I run NiFi and the NiFi Registry from the same box and use the same domain name?
>> >
>> > Any guidance you may be able to share would be appreciated.
>> >
>> >
>> > --
>> > Nathan Maynes
>> > @nathanmaynes
>
>
>
> --
> Nathan Maynes
> @nathanmaynes
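The identity string Bryan describes can be read straight out of the keystore rather than guessed. The script below is an added example, not from the thread or the NiFi project: it builds a throwaway self-signed certificate and PKCS12 keystore (a constructed stand-in for nifi2019.p12; hostname, OU and password are made up) and prints the subject DN in the most-specific-first, comma-space form NiFi uses for identities such as "CN=localhost, OU=NIFI". It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): recover the identity that a NiFi
# instance presents to NiFi Registry, i.e. the subject DN of the certificate
# in nifi.security.keystore, so the exact string can be added as a Registry user.
set -eu

# Build a throwaway PKCS12 keystore standing in for nifi2019.p12.
# Hostname, OU and password are constructed values, not from the thread.
make_demo_keystore() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/OU=NIFI/CN=nifi.example.com" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -name nifi-key -passout pass:changeit \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" -out "$dir/nifi.p12"
    echo "$dir/nifi.p12"
}

# Print the subject DN of the first certificate in a PKCS12 keystore.
# RFC2253 ordering (most specific RDN first) matches how Java, and therefore
# NiFi, renders the DN; NiFi separates components with ", " as in the thread's
# "CN=localhost, OU=NIFI", so a space is inserted after each comma.
# (A value that itself contains an escaped comma would need finer handling.)
nifi_identity_from_keystore() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/,/, /g'
}

# Demonstration: the printed value is what you would add as a user in the
# Registry UI and then grant the proxy and read-all-buckets permissions.
p12=$(make_demo_keystore)
nifi_identity_from_keystore "$p12" changeit
```

Run the second function against the real keystore path and password from nifi.properties to get the production identity.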
