I tried with and without the quotes. I am getting the same error. Do I need to be restarting NiFi or using a clean browser session each time I make an update? My intuition says no since the authentication should be happening server side but wondering if I am missing something.
On Wed, Aug 7, 2019 at 10:13 AM Bryan Bende <[email protected]> wrote:
> I don't think there should be quotes around the NiFi identity...
>
> You have:
>
> identity=""CN=nifi.example.com, L=Anytown, ST=IN, C=US""
>
> It should be:
>
> identity="CN=nifi.example.com, L=Anytown, ST=IN, C=US"
>
> On Wed, Aug 7, 2019 at 10:02 AM Nathan Maynes <[email protected]> wrote:
> >
> > Thanks for that information Nathan. I went ahead and updated the Nifi-Registry user to have the name "CN=nifi.example.com, L=Anytown, ST=IN, C=US", which was copied out of the certificate that NiFi is using as its keystore, as defined in nifi.properties -> nifi.security.keystore. The error persisted. For good measure, I went ahead and restarted the Registry. I then checked the users.xml file and found that the user string had been added. There is an entry for me, and one for the DN string I expect from NiFi. See sanitized example below.
> >
> > <users>
> >     <user identifier="guid-1" identity="[email protected]"/>
> >     <user identifier="guid-2" identity=""CN=nifi.example.com, L=Anytown, ST=IN, C=US""/>
> > </users>
> >
> > I checked the nifi-registry-app.log to see if it contained extra information. Here is what I found:
> >
> > INFO [NiFi Registry Web Server-14] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
> >
> > I am not sure what to check at this point.
> >
> > On Tue, Aug 6, 2019 at 3:11 PM Nathan Gough <[email protected]> wrote:
> > >
> > > Nathan,
> > >
> > > You would need to create a user in NiFi registry with the exact DN of the NiFi certificate being used to access NiFi registry.
> > >
> > > From your example, you would create a user in NiFi registry with the exact string "CN=nifi.example.com, L=Anytown, ST=IN, C=US" and apply the read buckets and proxy user permissions.
> > >
> > > Cheers,
> > > Nathan
> > >
> > > On Tue, Aug 6, 2019 at 2:22 PM Nathan Maynes <[email protected]> wrote:
> > > >
> > > > Thanks for pointing this out Bryan. To be sure I was entering the information correctly I used the Java Keytool to examine the certificate contents. Here is what the sanitized output looks like.
> > > >
> > > > $ keytool -list -v -keystore nifi.jks
> > > >
> > > > Keystore type: jks
> > > > Keystore provider: SUN
> > > >
> > > > Your keystore contains 1 entry
> > > >
> > > > Alias name: nifi-https
> > > > Creation date: Jun 20, 2019
> > > > Entry type: PrivateKeyEntry
> > > > Certificate chain length: 3
> > > > Certificate[1]:
> > > > Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
> > > > Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
> > > > Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > > > Valid from: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > > >
> > > > ...[two more certs in chain]
> > > >
> > > > The user I create for the registry has the following value:
> > > >
> > > > "CN=nifi.example.com, OU=NIFI"
> > > >
> > > > I then granted that user permission to read buckets and proxy user requests. I am not sure the organizational unit, OU in the example above, is NIFI. I have created a number of other users with slight variations on the CN and OU values but any attempt to connect the two services fails. Still getting the error, "Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all buckets: An Authentication object was not found in the SecurityContext Contact the system administrator."
> > > >
> > > > I am trying to use the certificate issued to the NiFi server. Do I need to create a unique certificate for authentication between the two services?
> > > >
> > > > On Mon, Aug 5, 2019 at 3:12 PM Bryan Bende <[email protected]> wrote:
> > > > >
> > > > > Your NiFi identity will always be the DN of the server certificate that NiFi is using, which is specified in nifi.security.keystore in nifi.properties.
> > > > >
> > > > > Kerberos is only for the end-users that use the NiFi web application.
> > > > >
> > > > > In the video around 6:45 where a user is added to registry like "CN=localhost, OU=NIFI", you would do the same thing, except it would be the value coming from your NiFi server cert, so it would have your hostname and possibly a different OU.
> > > > >
> > > > > On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <[email protected]> wrote:
> > > > > >
> > > > > > The video appears to show certificate based access. When I set the NiFi Identity 1 for a Kerberos scheme should it follow the [email protected] format? If it does, would the NiFi Identity 1 for localhost be nifi@LOCALHOST?
> > > > > >
> > > > > > On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <[email protected]> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I believe the video should cover this, but did you add a user representing your NiFi instance and grant it the permissions for proxy and read all buckets?
> > > > > > >
> > > > > > > That is what "NiFi Identity 1" would have done, but that only gets used on initial setup, so you would do it from the UI now.
> > > > > > >
> > > > > > > -Bryan
> > > > > > >
> > > > > > > On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <[email protected]> wrote:
> > > > > > > >
> > > > > > > > Hopefully I can get some guidance on configuring secure communication between NiFi and NiFi-Registry. The error I have been trying to resolve occurs when trying to send a processor group to NiFi-Registry for versioning. Below is the error message displayed in the NiFi UI.
> > > > > > > >
> > > > > > > > "Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all buckets: An Authentication object was not found in the SecurityContext Contact the system administrator."
> > > > > > > >
> > > > > > > > I started out by watching the tutorial video "Setting Up a Secure NiFi to Integrate with a Secure NiFi Registry" posted on the Registry home page. I am using a Kerberos file-based authentication scheme with the initial admin and initial user set to the same value, e.g. "[email protected]". (This is a sanitized value and is used in the configuration example below.) It is based on the configuration we are using for NiFi. My nifi-registry.properties file has the following relevant values set.
> > > > > > > >
> > > > > > > > # security properties #
> > > > > > > > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
> > > > > > > > nifi.registry.security.keystoreType=pkcs12
> > > > > > > > nifi.registry.security.keystorePasswd=XXXXXX
> > > > > > > > nifi.registry.security.keyPasswd=XXXXXX
> > > > > > > > nifi.registry.security.truststore=/path/to/cacerts
> > > > > > > > nifi.registry.security.truststoreType=jks
> > > > > > > > nifi.registry.security.truststorePasswd=XXXXXX
> > > > > > > > nifi.registry.security.needClientAuth=false
> > > > > > > > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
> > > > > > > > nifi.registry.security.authorizer=managed-authorizer
> > > > > > > > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
> > > > > > > > nifi.registry.security.identity.provider=kerberos-identity-provider
> > > > > > > >
> > > > > > > > ...
> > > > > > > >
> > > > > > > > # kerberos properties #
> > > > > > > > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
> > > > > > > > nifi.registry.kerberos.spnego.principal=svcnififsaccess/ DOMAIN.COM
> > > > > > > > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
> > > > > > > > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
> > > > > > > >
> > > > > > > > And in authorizers.xml I have:
> > > > > > > >
> > > > > > > > <userGroupProvider>
> > > > > > > >     <identifier>file-user-group-provider</identifier>
> > > > > > > >     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
> > > > > > > >     <property name="Users File">./conf/users.xml</property>
> > > > > > > >     <property name="Initial User Identity 1">[email protected]</property>
> > > > > > > > </userGroupProvider>
> > > > > > > >
> > > > > > > > <accessPolicyProvider>
> > > > > > > >     <identifier>file-access-policy-provider</identifier>
> > > > > > > >     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
> > > > > > > >     <property name="User Group Provider">file-user-group-provider</property>
> > > > > > > >     <property name="Authorizations File">./conf/authorizations.xml</property>
> > > > > > > >     <property name="Initial Admin Identity">[email protected]</property>
> > > > > > > >     <property name="NiFi Identity 1"></property>
> > > > > > > > </accessPolicyProvider>
> > > > > > > >
> > > > > > > > <authorizer>
> > > > > > > >     <identifier>managed-authorizer</identifier>
> > > > > > > >     <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
> > > > > > > >     <property name="Access Policy Provider">file-access-policy-provider</property>
> > > > > > > > </authorizer>
> > > > > > > >
> > > > > > > > The SSL configuration appears to be correctly set. I am able to access the NiFi Registry UI via username and password. Despite my best efforts to read the documentation, I am unclear on the following points.
> > > > > > > >
> > > > > > > > Do I need to set the <property name="NiFi Identity 1"></property>?
> > > > > > > > Are there any special considerations I need to be aware of if I run NiFi and the NiFi Registry from the same box and use the same domain name?
> > > > > > > >
> > > > > > > > Any guidance you may be able to share would be appreciated.

--
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
