I don't think there should be quotes around the NiFi identity... You have:

identity=""CN=nifi.example.com, L=Anytown, ST=IN, C=US""

It should be:

identity="CN=nifi.example.com, L=Anytown, ST=IN, C=US"

On Wed, Aug 7, 2019 at 10:02 AM Nathan Maynes <[email protected]> wrote:
>
> Thanks for that information Nathan. I went ahead and updated the
> Nifi-Registry user to have the name "CN=nifi.example.com, L=Anytown, ST=IN,
> C=US", which was copied out of the certificate that NiFi is using as its
> keystore, as defined in nifi.properties -> nifi.security.keystore. The error
> persisted. For good measure, I went ahead and restarted the Registry. I then
> checked the users.xml file and found that the user string had been added.
> There is an entry for me, and one for the DN string I expect from NiFi. See
> sanitized example below.
>
> <users>
>   <user identifier="guid-1" identity="[email protected]"/>
>   <user identifier="guid-2" identity=""CN=nifi.example.com, L=Anytown, ST=IN, C=US""/>
> </users>
>
> I checked the nifi-registry-app.log to see if it contained extra information.
> Here is what I found:
>
> INFO [NiFi Registry Web Server-14] o.a.n.r.w.s.NiFiRegistrySecurityConfig
> Client could not be authenticated due to:
> org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
> An Authentication object was not found in the SecurityContext Returning 401
> response.
>
> I am not sure what to check at this point.
>
> On Tue, Aug 6, 2019 at 3:11 PM Nathan Gough <[email protected]> wrote:
>>
>> Nathan,
>>
>> You would need to create a user in NiFi registry with the exact DN of the
>> NiFi certificate being used to access NiFi registry.
>>
>> From your example, you would create a user in NiFi registry with the exact
>> string "CN=nifi.example.com, L=Anytown, ST=IN, C=US" and apply the read
>> buckets and proxy user permissions.
>>
>> Cheers,
>> Nathan
>>
>> On Tue, Aug 6, 2019 at 2:22 PM Nathan Maynes <[email protected]> wrote:
>>>
>>> Thanks for pointing this out Bryan. To be sure I was entering the
>>> information correctly I used the Java Keytool to examine the certificate
>>> contents. Here is what the sanitized output looks like.
>>>
>>> $ keytool -list -v -keystore nifi.jks
>>>
>>> Keystore type: jks
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 1 entry
>>>
>>> Alias name: nifi-https
>>> Creation date: Jun 20, 2019
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 3
>>> Certificate[1]:
>>> Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
>>> Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
>>> Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>> Valid from: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>>
>>> ...[two more certs in chain]
>>>
>>> The user I create for the registry has the following value:
>>>
>>> "CN=nifi.example.com, OU=NIFI"
>>>
>>> I then granted that user permission to read buckets and proxy user
>>> requests. I am not sure the organizational unit, OU in the example above,
>>> is NIFI. I have created a number of other users with slight variations on
>>> the CN and OU values but any attempt to connect the two services fails.
>>> Still getting the error, "Unable to obtain listing of buckets:
>>> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
>>> buckets: An Authentication object was not found in the SecurityContext
>>> Contact the system administrator."
>>>
>>> I am trying to use the certificate issued to the NiFi server. Do I need to
>>> create a unique certificate for authentication between the two services?
>>>
>>> On Mon, Aug 5, 2019 at 3:12 PM Bryan Bende <[email protected]> wrote:
>>>>
>>>> Your NiFi identity will always be the DN of the server certificate
>>>> that NiFi is using which is specified in nifi.security.keystore in
>>>> nifi.properties.
>>>>
>>>> Kerberos is only for the end-users that use the NiFi web application.
>>>>
>>>> In the video around 6:45 where a user is added to registry like
>>>> "CN=localhost, OU=NIFI", you would do the same thing, except it would
>>>> be the value coming from your NiFi server cert, so it would have your
>>>> hostname and possibly a different OU.
>>>>
>>>> On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <[email protected]> wrote:
>>>> >
>>>> > The video appears to show certificate based access. When I set the
>>>> > NiFi Identity 1 for a Kerberos scheme should it follow the
>>>> > [email protected] format? If it does, would the NiFi Identity 1 for
>>>> > localhost be nifi@LOCALHOST?
>>>> >
>>>> > On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <[email protected]> wrote:
>>>> >>
>>>> >> Hello,
>>>> >>
>>>> >> I believe the video should cover this, but did you add a user
>>>> >> representing your NiFi instance and grant it the permissions for proxy
>>>> >> and read all buckets?
>>>> >>
>>>> >> That is what "NiFi Identity 1" would have done, but that only gets
>>>> >> used on initial setup, so you would do it from the UI now.
>>>> >>
>>>> >> -Bryan
>>>> >>
>>>> >> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <[email protected]> wrote:
>>>> >> >
>>>> >> > Hopefully I can get some guidance on configuring secure communication
>>>> >> > between NiFi and NiFi-Registry. The error I have been trying to
>>>> >> > resolve occurs when trying to send a processor group to NiFi-Registry
>>>> >> > for versioning. Below is the error message displayed in the NiFi UI.
>>>> >> >
>>>> >> > "Unable to obtain listing of buckets:
>>>> >> > org.apache.nifi.registry.client.NiFiRegistryException: Error
>>>> >> > retrieving all buckets: An Authentication object was not found in the
>>>> >> > SecurityContext Contact the system administrator."
>>>> >> >
>>>> >> > I started out by watching the tutorial video "Setting Up a Secure
>>>> >> > NiFi to Integrate with a Secure NiFi Registry" posted on the Registry
>>>> >> > home page. I am using a Kerberos file-based authentication scheme
>>>> >> > with the initial admin and initial user set to the same value, e.g.
>>>> >> > "[email protected]". (This is a sanitized value and is used in the
>>>> >> > configuration example below.) It is based on the configuration we are
>>>> >> > using for NiFi. My nifi-registry.properties file has the following
>>>> >> > relevant values set.
>>>> >> >
>>>> >> > # security properties #
>>>> >> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
>>>> >> > nifi.registry.security.keystoreType=pkcs12
>>>> >> > nifi.registry.security.keystorePasswd=XXXXXX
>>>> >> > nifi.registry.security.keyPasswd=XXXXXX
>>>> >> > nifi.registry.security.truststore=/path/to/cacerts
>>>> >> > nifi.registry.security.truststoreType=jks
>>>> >> > nifi.registry.security.truststorePasswd=XXXXXX
>>>> >> > nifi.registry.security.needClientAuth=false
>>>> >> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
>>>> >> > nifi.registry.security.authorizer=managed-authorizer
>>>> >> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
>>>> >> > nifi.registry.security.identity.provider=kerberos-identity-provider
>>>> >> >
>>>> >> > ...
>>>> >> >
>>>> >> > # kerberos properties #
>>>> >> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
>>>> >> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
>>>> >> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
>>>> >> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>>>> >> >
>>>> >> > And in authorizers.xml I have:
>>>> >> >
>>>> >> > <userGroupProvider>
>>>> >> >     <identifier>file-user-group-provider</identifier>
>>>> >> >     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>>> >> >     <property name="Users File">./conf/users.xml</property>
>>>> >> >     <property name="Initial User Identity 1">[email protected]</property>
>>>> >> > </userGroupProvider>
>>>> >> >
>>>> >> > <accessPolicyProvider>
>>>> >> >     <identifier>file-access-policy-provider</identifier>
>>>> >> >     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>>> >> >     <property name="User Group Provider">file-user-group-provider</property>
>>>> >> >     <property name="Authorizations File">./conf/authorizations.xml</property>
>>>> >> >     <property name="Initial Admin Identity">[email protected]</property>
>>>> >> >     <property name="NiFi Identity 1"></property>
>>>> >> > </accessPolicyProvider>
>>>> >> >
>>>> >> > <authorizer>
>>>> >> >     <identifier>managed-authorizer</identifier>
>>>> >> >     <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>>>> >> >     <property name="Access Policy Provider">file-access-policy-provider</property>
>>>> >> > </authorizer>
>>>> >> >
>>>> >> > The SSL configuration appears to be correctly set. I am able to
>>>> >> > access via username and password, the NiFi Registry UI. Despite my
>>>> >> > best efforts to read the documentation, I am unclear on the following
>>>> >> > points.
>>>> >> >
>>>> >> > Do I need to set the <property name="NiFi Identity 1"></property>?
>>>> >> > Are there any special considerations I need to be aware of if I run
>>>> >> > NiFi and the NiFi Registry from the same box and use the same domain
>>>> >> > name?
>>>> >> >
>>>> >> > Any guidance you may be able to share would be appreciated.
>>>> >> >
>>>> >> > --
>>>> >> > Nathan Maynes
>>>> >> > @nathanmaynes
>>>> >
>>>> > --
>>>> > Nathan Maynes
>>>> > @nathanmaynes
>>>
>>> --
>>> Nathan Maynes
>>> @nathanmaynes
>
> --
> Nathan Maynes
> @nathanmaynes
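A quick way to catch this kind of mismatch before restarting the Registry, as an added example that is not code from the thread or from the NiFi project: pull the `Owner:` DN of `Certificate[1]` out of `keytool -list -v` output (the leaf cert, which is the identity NiFi presents) and compare it with every identity stored in `users.xml`, since the replies above stress that the Registry user must carry the exact DN string. The keytool output, GUIDs, extra users and the admin principal below are constructed samples shaped like the sanitized ones in the thread.

```python
"""Check NiFi Registry users.xml identities against the NiFi server cert DN.

Added example for the mailing-list thread; not NiFi or NiFi Registry code.
The keytool output and users.xml are constructed samples (hostnames, GUIDs and
the admin principal are made up). NiFi presents the DN of its keystore
certificate as its identity and the Registry user must match it exactly, so
any extra character in the stored identity (the stray quotes in the thread)
leaves NiFi with no matching user or policy.
"""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `keytool -list -v` output for the NiFi keystore.
KEYTOOL_OUTPUT = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-https
Creation date: Jun 20, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
Certificate[2]:
Owner: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
Issuer: CN=Internal Root CA, DC=EXAMPLE, DC=com
"""

# Constructed sample users.xml. guid-2 reproduces the thread's mistake: the DN
# wrapped in literal quote characters (escaped as &quot; so the file stays
# well-formed XML). guid-3 is the OU=NIFI guess from earlier in the thread;
# guid-4 has the right RDNs but no spaces after the commas.
USERS_XML = """\
<users>
  <user identifier="guid-1" identity="admin@EXAMPLE.COM"/>
  <user identifier="guid-2" identity="&quot;CN=nifi.example.com, L=Anytown, ST=IN, C=US&quot;"/>
  <user identifier="guid-3" identity="CN=nifi.example.com, OU=NIFI"/>
  <user identifier="guid-4" identity="CN=nifi.example.com,L=Anytown,ST=IN,C=US"/>
</users>
"""


def leaf_cert_owner(keytool_text: str) -> str:
    """Return the Owner DN of Certificate[1], the server's own (leaf) cert.

    keytool prints the chain leaf-first; the issuer certs that follow carry
    their own Owner lines, which must not be mistaken for the identity.
    """
    in_leaf = False
    for line in keytool_text.splitlines():
        if line.strip() == "Certificate[1]:":
            in_leaf = True
        elif in_leaf and line.startswith("Owner:"):
            return line[len("Owner:"):].strip()
    raise ValueError("no Owner line for Certificate[1] in keytool output")


def registry_identities(users_xml: str) -> dict:
    """Map each <user> identifier to its identity string, exactly as stored."""
    root = ET.fromstring(users_xml)
    return {u.get("identifier"): u.get("identity") for u in root.iter("user")}


def _rdns(dn: str) -> list:
    # Naive split for diagnosis only; does not handle escaped commas in values.
    return [part.strip() for part in dn.split(",")]


def diagnose(identity: str, cert_dn: str) -> str:
    """Classify one stored identity against the certificate DN.

    "match"      exact string match, which is what the authorizer needs
    "quoted"     the exact DN wrapped in quote characters (the thread's bug)
    "whitespace" same RDNs, only the spacing around commas differs
    "mismatch"   a different identity altogether
    """
    if identity == cert_dn:
        return "match"
    if identity.strip().strip('"\'') == cert_dn:
        return "quoted"
    if _rdns(identity) == _rdns(cert_dn):
        return "whitespace"
    return "mismatch"


def check_users_file(users_xml: str, keytool_text: str) -> dict:
    """Diagnose every Registry user against the NiFi leaf certificate DN."""
    cert_dn = leaf_cert_owner(keytool_text)
    return {ident: diagnose(value, cert_dn)
            for ident, value in registry_identities(users_xml).items()}


if __name__ == "__main__":
    print("NiFi identity (leaf cert Owner):", leaf_cert_owner(KEYTOOL_OUTPUT))
    for ident, status in check_users_file(USERS_XML, KEYTOOL_OUTPUT).items():
        print(f"  {ident}: {status}")
```

Run against a real deployment by feeding the output of `keytool -list -v -keystore <nifi keystore>` and the Registry's `conf/users.xml` to the two functions; any result other than `match` for the user meant to represent NiFi is the same class of problem the thread ran into, and the `quoted` and `whitespace` labels say which character to look for.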
