Please show authorizations.xml, thank you. Also, you shouldn't really be using wildcard certs - https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#wildcard_certificates
On Tue, Sep 3, 2019 at 5:32 AM Dweep Sharma <dweep.sha...@redbus.com> wrote:
>
> Can someone take a peek at this - what could be wrong? Thanks
>
> -Dweep
>
> On Fri, Aug 30, 2019 at 4:52 PM Dweep Sharma <dweep.sha...@redbus.com> wrote:
>>
>> Hi All,
>>
>> I am receiving an error while setting up a 2 node cluster (external zk) using Google Auth [OpenID connect]
>>
>> Insufficient Permissions
>> Untrusted proxy CN=*.dummy.com, OU=NIFI
>>
>> We have used nifi toolkit to generate the certificates:
>> ./bin/tls-toolkit.sh standalone -n '*.dummy.com'
>>
>> Details from authorizers and users xml
>>
>> authorizers.xml:
>> <authorizers>
>>     <userGroupProvider>
>>         <identifier>file-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Legacy Authorized Users File"></property>
>>
>>         <property name="Initial User Identity 1">vidy...@dummy.com</property>
>>     </userGroupProvider>
>>     <accessPolicyProvider>
>>         <identifier>file-access-policy-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>         <property name="User Group Provider">file-user-group-provider</property>
>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>         <property name="Initial Admin Identity">vidy...@dummy.com</property>
>>         <property name="Legacy Authorized Users File"></property>
>>         <property name="Node Identity 1">CN=dpdum1.dummy.com, OU=NIFI</property>
>>         <property name="Node Identity 2">CN=dpdum2.dummy.com, OU=NIFI</property>
>>         <property name="Node Group"></property>
>>     </accessPolicyProvider>
>>     <authorizer>
>>         <identifier>managed-authorizer</identifier>
>>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>         <property name="Access Policy Provider">file-access-policy-provider</property>
>>     </authorizer>
>> </authorizers>
>>
>> Users.xml
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <tenants>
>>     <groups>
>>         <group identifier="ae4a4221-016c-1000-a933-2243c2e28888" name="admin">
>>             <user identifier="ae4b298b-016c-1000-ed39-d2066a60f947"/>
>>             <user identifier="bcdd9a36-5b3d-3158-b48b-7fc6ec71b436"/>
>>         </group>
>>         <group identifier="ae4a9755-016c-1000-4425-4df789a817eb" name="readonly">
>>             <user identifier="ae4fba22-016c-1000-de8b-579daa5f7a5f"/>
>>             <user identifier="bcdd9a36-5b3d-3158-b48b-7fc6ec71b436"/>
>>         </group>
>>     </groups>
>>     <users>
>>         <user identifier="ae4b298b-016c-1000-ed39-d2066a60f947" identity="dweep.sha...@dummy.com"/>
>>     </users>
>> </tenants>
>>
>> Can someone point out what could be wrong? Also, if any further info is required to diagnose this.
>>
>> Also, this is hosted on AWS. Is there any way to use ACM as our certificate manager?
>>
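
An added example (not from the thread or the NiFi project): a Python check that compares the DN reported in the "Untrusted proxy" message with the `Node Identity` properties in authorizers.xml, assuming NiFi matches identities as exact strings. The function names and finding labels are hypothetical, and the sample XML is constructed from the quoted configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Node Identity properties as quoted in the thread's authorizers.xml.
AUTHORIZERS_XML = """<authorizers><accessPolicyProvider>
  <property name="Node Identity 1">CN=dpdum1.dummy.com, OU=NIFI</property>
  <property name="Node Identity 2">CN=dpdum2.dummy.com, OU=NIFI</property>
  <property name="Node Group"></property>
</accessPolicyProvider></authorizers>"""

def node_identities(authorizers_xml):
    """Return {property name: DN} for every non-empty 'Node Identity N' property."""
    root = ET.fromstring(authorizers_xml)
    return {p.get("name"): p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity") and (p.text or "").strip()}

def common_name(dn):
    """Extract the CN from a simple DN (escaped commas are not handled)."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return ""

def wildcard_covers(pattern, host):
    """True if '*.example.com' covers host with exactly one extra left-most label."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".dummy.com"
    head = host[:-len(suffix)]
    return host.endswith(suffix) and head != "" and "." not in head

def check_proxy_dn(authorizers_xml, presented_dn):
    """Classify the DN from an 'Untrusted proxy' error against the configured nodes."""
    nodes = node_identities(authorizers_xml)
    if presented_dn in nodes.values():
        findings = ["exact-match"]
    elif presented_dn.replace(" ", "") in {d.replace(" ", "") for d in nodes.values()}:
        findings = ["whitespace-only-mismatch"]   # same DN, different spacing
    else:
        findings = ["not-listed"]
    cn = common_name(presented_dn)
    if cn.startswith("*."):
        findings.append("wildcard-cn")
        # Every node whose hostname the wildcard covers would present this same DN.
        covered = sorted(n for n, d in nodes.items() if wildcard_covers(cn, common_name(d)))
        if covered:
            findings.append("shared-by:" + ",".join(covered))
    return findings

if __name__ == "__main__":
    print(check_proxy_dn(AUTHORIZERS_XML, "CN=*.dummy.com, OU=NIFI"))
```

For the DN in the error message the check reports that the wildcard DN is not among the configured node identities and that both configured hostnames fall under the same wildcard, so per-node certificates with DNs matching the `Node Identity` values are what the configuration expects.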