Hi All, I am receiving this error on my NiFi cluster setup:

ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=dp1.domain.com, OU=NIFI

I think the request for the access token is being served by the secondary node instead of the primary, and due to this there is a mismatch in authorizing the user to the primary (1st node). I am using OpenID Connect for auth, following the steps mentioned here, ref: https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect

My cluster setup is 2 nodes with OpenID Connect, hosted on AWS. I have added the OpenID SSO config in both the nodes. The problem is, if I run it in cluster mode I am getting this error, whereas if I run it as an individual node, it is working perfectly fine.

NOTE: I am not using any load balancer in this case, but I can see nifi-user logs in both the nodes even if I am trying to connect to one node.
Logs from
2019-09-25 08:24:55,244 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://<domain.com>:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
2019-09-25 08:24:55,260 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for du...@domain.com
2019-09-25 08:24:55,372 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<du...@domain.com ><CN=<domain.com>, OU=NIFI>) GET https://domain.com:8443/nifi-api/flow/current-user (source ip: xx.xx.xx.xx)
2019-09-25 08:24:55,375 WARN [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=<domain.com>, OU=NIFI
========================
2019-09-25 08:37:32,111 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://dp1.domain.com:8443/nifi-api/flow/current-user (source ip: 10.5.1.182)
2019-09-25 08:37:32,135 ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
        at org.apache.nifi.web.security.jwt.JwtService.parseTokenFromBase64EncodedString(JwtService.java:106)
        at org.apache.nifi.web.security.jwt.JwtService.getAuthenticationFromToken(JwtService.java:60)
        at org.apache.nifi.web.security.jwt.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:48)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:78)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:99)
        at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)

Please suggest how to enable stickiness in this case.
There was a similar issue mentioned here - https://community.cloudera.com/t5/Support-Questions/NIFI-Unable-to-validate-the-access-token-Accessing-GUI/m-p/214525

The difference is, I am not using an external load balancer. Attaching the configuration here --
authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">du...@domain.com</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">du...@domain.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=dp1.domain.com, OU=NIFI</property>
        <property name="Node Identity 2">CN=dp2.domain.com, OU=NIFI</property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">du...@domain.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">CN=dp1.domain.com, OU=NIFI</property>
        <property name="Node Identity 2">CN=dp2.domain.com, OU=NIFI</property>
    </authorizer>
</authorizers>

nifi.properties:

# Site to Site properties
nifi.remote.input.host=dp1.domain.com
nifi.remote.input.secure=true
nifi.remote.input.socket.port=9998
nifi.remote.input.http.enabled=false
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs

# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=dp1.domain.com
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=

# cluster node properties (only configure for cluster nodes) #
nifi.cluster.is.node=true
nifi.cluster.node.address=dp1.domain.com
nifi.cluster.node.protocol.port=9999
nifi.cluster.node.protocol.threads=10
nifi.cluster.node.protocol.max.threads=50
nifi.cluster.node.event.history.size=25
nifi.cluster.node.connection.timeout=5 sec
nifi.cluster.node.read.timeout=5 sec
nifi.cluster.node.max.concurrent.requests=100
nifi.cluster.firewall.file=
nifi.cluster.flow.election.max.wait.time=1 mins
nifi.cluster.flow.election.max.candidates=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xxxxxxxxxxxxxx
nifi.security.keyPasswd=xxxxxxxxxxxxxx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxxxxxxxxxxxxx+jVC2g6kY
nifi.security.user.authorizer=file-provider
#nifi.security.user.login.identity.provider=
#nifi.security.ocsp.responder.url=
#nifi.security.ocsp.responder.certificate=

# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=531764168098-xxxxxxxxxxxxxx.apps.googleusercontent.com
nifi.security.user.oidc.client.secret=ML-9YyJf-xxxxxxxxxxxxxx-Vj
nifi.security.user.oidc.preferred.jwsalgorithm=
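The "Untrusted proxy CN=dp1.domain.com, OU=NIFI" rejection in the logs above means the node receiving a replicated request does not authorize the forwarding node's certificate identity for the /proxy resource. As an added example (not part of the original mail and not NiFi's own code), the following check reads each Node Identity declared in authorizers.xml and verifies that it has a users.xml entry and a WRITE policy on /proxy in authorizations.xml; the three sample files are constructed here, with dp2 deliberately left out, and the file layouts follow the FileUserGroupProvider and FileAccessPolicyProvider formats.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not the poster's real files), modelled on the mail:
# two node identities declared, but only dp1 has a user and a /proxy policy.
AUTHORIZERS_XML = """<authorizers><accessPolicyProvider>
  <property name="Node Identity 1">CN=dp1.domain.com, OU=NIFI</property>
  <property name="Node Identity 2">CN=dp2.domain.com, OU=NIFI</property>
</accessPolicyProvider></authorizers>"""
USERS_XML = """<tenants><users>
  <user identifier="u-dp1" identity="CN=dp1.domain.com, OU=NIFI"/>
  <user identifier="u-admin" identity="admin@domain.com"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-proxy" resource="/proxy" action="W">
    <user identifier="u-dp1"/>
  </policy>
</policies></authorizations>"""

def node_identities(authorizers_xml):
    """Node Identity N values declared in authorizers.xml, in order."""
    root = ET.fromstring(authorizers_xml)
    return [p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity") and p.text]

def check_proxy_policies(authorizers_xml, users_xml, authorizations_xml):
    """Map each node identity to what it lacks; an empty list means it may proxy."""
    # identity -> user identifier, from users.xml
    users = {u.get("identity"): u.get("identifier")
             for u in ET.fromstring(users_xml).iter("user")}
    # user identifiers granted WRITE on the /proxy resource, from authorizations.xml
    proxy_writers = set()
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        if pol.get("resource") == "/proxy" and pol.get("action") == "W":
            proxy_writers.update(u.get("identifier") for u in pol.iter("user"))
    report = {}
    for identity in node_identities(authorizers_xml):
        uid = users.get(identity)
        missing = []
        if uid is None:
            missing.append("users.xml entry")
        if uid not in proxy_writers:
            missing.append("/proxy WRITE policy")
        report[identity] = missing
    return report

if __name__ == "__main__":
    for ident, missing in check_proxy_policies(
            AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML).items():
        print(ident, "OK" if not missing else "missing " + ", ".join(missing))
```

The Node Identity properties only seed authorizations.xml when NiFi generates that file for the first time; if it already exists from an earlier standalone run, the node users and their /proxy policy have to be added to the existing files or through the UI. Run the check against the real ./conf files of both nodes, since each node enforces the policy on the requests it receives.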