Thanks for that information Nathan. I went ahead and updated the
Nifi-Registry user to have the name "CN=nifi.example.com, L=Anytown,
ST=IN, C=US", which was copied out of the certificate that NiFi is using as
its keystore, as defined in nifi.properties -> nifi.security.keystore. The
error persisted. For good measure, I went ahead and restarted the Registry.
I then checked the users.xml file and found that the user string had been
added. There is an entry for me, and one for the DN string I expect from
NiFi. See sanitized example below.
<users>
<user identifier="guid-1" identity="[email protected]"/>
<user identifier="guid-2" identity=""CN=nifi.example.com,
L=Anytown, ST=IN, C=US""/>
</users>
I checked the nifi-registry-app.log to see if it contained extra
information. Here is what I found:
INFO [NiFi Registry Web Server-14] o.a.n.r.w.s.NiFiRegistrySecurityConfig
Client could not be authenticated due to:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
An Authentication object was not found in the SecurityContext Returning 401
response.
I am not sure what to check at this point.
On Tue, Aug 6, 2019 at 3:11 PM Nathan Gough <[email protected]> wrote:
> Nathan,
>
> You would need to create a user in NiFi registry with the exact DN of the
> NiFi certificate being used to access NiFi registry.
>
> From your example, you would create a user in NiFi registry with the exact
> string "CN=nifi.example.com, L=Anytown, ST=IN, C=US" and apply the read
> buckets and proxy user permissions.
>
> Cheers,
> Nathan
>
> On Tue, Aug 6, 2019 at 2:22 PM Nathan Maynes <[email protected]>
> wrote:
>
>> Thanks for pointing this out Bryan. To be sure I was entering the
>> information correctly I used the Java Keytool to examine the certificate
>> contents. Here is what the sanitized output looks like.
>>
>> $ keytool -list -v -keystore nifi.jks
>>
>> Keystore type: jks
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> Alias name: nifi-https
>> Creation date: Jun 20, 2019
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 3
>> Certificate[1]:
>> Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
>> Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
>> Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>> Valid from: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>
>> ...[two more certs in chain]
>>
>>
>> The user I create for the registry has the following value:
>>
>> "CN=nifi.example.com, OU=NIFI"
>>
>> I then granted that user permission to read buckets and proxy user
>> requests. I am not sure the organizational unit, OU in the example above,
>> is NIFI. I have created a number of other users with slight variations on
>> the CN and OU values but any attempt to connect the two services fails.
>> Still getting the error, "Unable to obtain listing of buckets:
>> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
>> buckets: An Authentication object was not found in the SecurityContext
>> Contact the system administrator."
>>
>> I am trying to use the certificate issued to the NiFi server. Do I need
>> to create a unique certificate for authentication between the two services?
>>
>> On Mon, Aug 5, 2019 at 3:12 PM Bryan Bende <[email protected]> wrote:
>>
>>> Your NiFi identity will always be the DN of the server certificate
>>> that NiFi is using which is specified in nifi.security.keystore in
>>> nifi.properties.
>>>
>>> Kerberos is only for the end-users that use the NiFi web application.
>>>
>>> In the video around 6:45 where a user is added to registry like
>>> "CN=localhost, OU=NIFI", you would do the same thing, except it would
>>> be the value coming from your NiFi server cert, so it would have your
>>> hostname and possibly a different OU.
>>>
>>> On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <[email protected]>
>>> wrote:
>>> >
>>> > The video appears to show certificate-based access. When I set
>>> the NiFi Identity 1 for a Kerberos scheme, should it follow the
>>> [email protected] format? If it does, would the NiFi Identity 1 for
>>> localhost be nifi@LOCALHOST?
>>> >
>>> > On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <[email protected]> wrote:
>>> >>
>>> >> Hello,
>>> >>
>>> >> I believe the video should cover this, but did you add a user
>>> >> representing your NiFi instance and grant it the permissions for proxy
>>> >> and read all buckets?
>>> >>
>>> >> That is what "NiFi Identity 1" would have done, but that only gets
>>> >> used on initial setup, so you would do it from the UI now.
>>> >>
>>> >> -Bryan
>>> >>
>>> >> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <[email protected]>
>>> wrote:
>>> >> >
>>> >> > Hopefully I can get some guidance on configuring secure
>>> communication between NiFi and NiFi-Registry. The error I have been trying
>>> to resolve occurs when trying to send a process group to NiFi-Registry
>>> for versioning. Below is the error message displayed in the NiFi UI.
>>> >> >
>>> >> > "Unable to obtain listing of buckets:
>>> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
>>> buckets: An Authentication object was not found in the SecurityContext
>>> Contact the system administrator. "
>>> >> >
>>> >> > I started out by watching the tutorial video "Setting Up a Secure
>>> NiFi to Integrate with a Secure NiFi Registry" posted on the Registry home
>>> page. I am using a Kerberos file-based authentication scheme with the
>>> initial admin and initial user set to the same value, e.g.
>>> "[email protected]". (This is a sanitized value and is used in the
>>> configuration example below.) It is based on the configuration we are using
>>> for NiFi. My nifi-registry.properties file has the following relevant
>>> values set.
>>> >> >
>>> >> > # security properties #
>>> >> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
>>> >> > nifi.registry.security.keystoreType=pkcs12
>>> >> > nifi.registry.security.keystorePasswd=XXXXXX
>>> >> > nifi.registry.security.keyPasswd=XXXXXX
>>> >> > nifi.registry.security.truststore=/path/to/cacerts
>>> >> > nifi.registry.security.truststoreType=jks
>>> >> > nifi.registry.security.truststorePasswd=XXXXXX
>>> >> > nifi.registry.security.needClientAuth=false
>>> >> >
>>> nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
>>> >> > nifi.registry.security.authorizer=managed-authorizer
>>> >> >
>>> nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
>>> >> > nifi.registry.security.identity.provider=kerberos-identity-provider
>>> >> >
>>> >> > ...
>>> >> >
>>> >> > # kerberos properties #
>>> >> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
>>> >> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
>>> >> >
>>> nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
>>> >> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>>> >> >
>>> >> > And in authorizers.xml I have:
>>> >> >
>>> >> > <userGroupProvider>
>>> >> > <identifier>file-user-group-provider</identifier>
>>> >> >
>>>
>>> <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>> >> > <property name="Users File">./conf/users.xml</property>
>>> >> > <property name="Initial User Identity 1">[email protected]
>>> </property>
>>> >> > </userGroupProvider>
>>> >> >
>>> >> > <accessPolicyProvider>
>>> >> > <identifier>file-access-policy-provider</identifier>
>>> >> >
>>>
>>> <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>> >> > <property name="User Group
>>> Provider">file-user-group-provider</property>
>>> >> > <property name="Authorizations
>>> File">./conf/authorizations.xml</property>
>>> >> > <property name="Initial Admin Identity">[email protected]
>>> </property>
>>> >> > <property name="NiFi Identity 1"></property>
>>> >> > </accessPolicyProvider>
>>> >> > <authorizer>
>>> >> > <identifier>managed-authorizer</identifier>
>>> >> >
>>>
>>> <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>>> >> > <property name="Access Policy
>>> Provider">file-access-policy-provider</property>
>>> >> > </authorizer>
>>> >> >
>>> >> > The SSL configuration appears to be correctly set. I am able to
>>> access the NiFi Registry UI via username and password. Despite my best
>>> efforts to read the documentation, I am unclear on the following points.
>>> >> >
>>> >> > Do I need to set the <property name="NiFi Identity 1"></property>?
>>> >> > Are there any special considerations I need to be aware of if I run
>>> NiFi and the NiFi Registry from the same box and use the same domain name?
>>> >> >
>>> >> > Any guidance you may be able to share would be appreciated.
>>> >> >
--
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
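The advice in this thread comes down to one thing: the identity stored for the NiFi user in the registry's users.xml must equal, character for character, the subject DN shown on the "Owner:" line of `keytool -list -v` for the NiFi keystore entry. The following script is an added check, not code from any poster nor part of NiFi Registry. It assumes a constructed users.xml modelled on the sanitized one above (the entries, GUIDs and the `&quot;`-wrapped identity are made up for the demonstration), takes the keytool "Owner:" DN from this thread as the expected identity, and classifies every stored identity as an exact match or as one of the near-misses that appear in the thread: quote characters wrapped around the DN, a DN with a different set of RDNs (the `OU=NIFI` form from the tutorial), or the same RDNs with different whitespace. The RDN splitting is naive (no RFC 4514 escape handling), which is adequate for DNs like the ones here.

```python
import xml.etree.ElementTree as ET

# Constructed users.xml modelled on the sanitized one in the thread (the
# registry's real file has a <tenants> wrapper, which is irrelevant here).
# guid-2 carries literal double quotes inside the identity, guid-3 uses the
# OU=NIFI form from the tutorial, guid-4 drops the spaces after the commas.
SAMPLE_USERS_XML = """<users>
  <user identifier="guid-1" identity="[email protected]"/>
  <user identifier="guid-2" identity="&quot;CN=nifi.example.com, L=Anytown, ST=IN, C=US&quot;"/>
  <user identifier="guid-3" identity="CN=nifi.example.com, OU=NIFI"/>
  <user identifier="guid-4" identity="CN=nifi.example.com,L=Anytown,ST=IN,C=US"/>
</users>
"""

# The "Owner:" line printed by `keytool -list -v` for the NiFi keystore entry
# (taken from the thread; substitute the value from your own keystore).
EXPECTED_DN = "CN=nifi.example.com, L=Anytown, ST=IN, C=US"

# Verdict codes returned by diagnose().
EXACT = "exact match"
QUOTED = "wrapped in quote characters"
WHITESPACE = "whitespace differs"
RDN_MISMATCH = "different RDNs than the certificate subject"
NOT_DN = "not a DN (end-user identity, ignored)"


def load_identities(xml_text):
    """Return the identity attribute of every <user> element, in file order."""
    root = ET.fromstring(xml_text)
    return [user.get("identity", "") for user in root.iter("user")]


def split_rdns(dn):
    """Naive RDN split, adequate for the sanitized DNs in the thread.
    Escaped commas (RFC 4514) are not handled."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def diagnose(identity, expected_dn):
    """Classify how a stored identity relates to the certificate DN."""
    if identity == expected_dn:
        return EXACT
    # Quotes typed into the identity field end up inside the stored string.
    stripped = identity.strip().strip("\"'")
    if stripped == expected_dn:
        return QUOTED
    rdns = split_rdns(stripped)
    if rdns == split_rdns(expected_dn):
        return WHITESPACE
    if not rdns or not all("=" in rdn for rdn in rdns):
        return NOT_DN
    return RDN_MISMATCH


def check_users(xml_text, expected_dn):
    """Map every identity in users.xml to its verdict."""
    return {ident: diagnose(ident, expected_dn) for ident in load_identities(xml_text)}


def has_exact_identity(xml_text, expected_dn):
    """True if some <user> identity equals the certificate DN character for character."""
    return expected_dn in load_identities(xml_text)


def report(xml_text, expected_dn):
    """Human-readable lines, one per user; RDN mismatches list the differing RDNs."""
    lines = []
    expected_rdns = set(split_rdns(expected_dn))
    for ident, verdict in check_users(xml_text, expected_dn).items():
        line = f"{verdict}: {ident!r}"
        if verdict == RDN_MISMATCH:
            extra = sorted(set(split_rdns(ident)) - expected_rdns)
            missing = sorted(expected_rdns - set(split_rdns(ident)))
            line += f"  (extra {extra}, missing {missing})"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_USERS_XML, EXPECTED_DN):
        print(line)
    print("exact identity present:", has_exact_identity(SAMPLE_USERS_XML, EXPECTED_DN))
```

To run it against a real registry, replace `SAMPLE_USERS_XML` with the contents of `./conf/users.xml` and `EXPECTED_DN` with the "Owner:" line from `keytool -list -v -keystore <nifi keystore>`; the only verdict that lets NiFi authenticate is an exact match, so anything else printed is the entry to correct in the registry UI.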