Actually with a set of 1 this would not have mattered. I think the problem
is not with the sticky sessions...

On Mon, Apr 27, 2020 at 9:43 PM Ami Goldenberg <[email protected]> wrote:

> Great idea Andy
>
> I reduced the scale to 1 and it is still doing the same redirect loop.
> I guess the load balancer is hitting a different node even if sticky is
> set up? Even if eventually the service does clientAffinity maybe the client
> IP is not taken correctly?
>
> What are your thoughts?
>
> On Mon, Apr 27, 2020 at 9:25 PM Andy LoPresto <[email protected]>
> wrote:
>
>> Can you verify the initial redirect to OIDC and the callback are going to
>> the same node in NiFi? I see your LB configs are set to sticky sessions,
>> but it may be that if the callback is originating from the OIDC IDP server
>> rather than the actual client IP, the session affinity is not being
>> applied. Regardless, the error appears to indicate that the JWT provided in
>> the request to NiFi isn’t able to be validated, which indicates that the
>> key used to sign it isn’t present on that node, which is likely due to the
>> request being sent to a node other than the one that signed it.
>>
>> Quick and easy way to validate this would be to change the stateful set #
>> to 1 node and attempt the same sequence of operations.
>>
>>
>> Andy LoPresto
>> [email protected]
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>> On Apr 27, 2020, at 8:12 AM, Ami Goldenberg <[email protected]> wrote:
>>
>> Hi Nathan,
>> Indeed, that's the case
>>
>> On Mon, Apr 27, 2020 at 5:57 PM Nathan Gough <[email protected]> wrote:
>>
>>> Hi Ami,
>>>
>>> Just to confirm, the OAuth Client ID redirect URL in OIDC is set to
>>> "https://${nifi.hostname}:${nifi.port}/nifi-api/access/oidc/callback"
>>> and the NiFi property is set to
>>> "nifi.security.user.oidc.discovery.url=https://accounts.google.com/.well-known/openid-configuration".
>>>
>>> Nathan
>>>
>>> On Mon, Apr 27, 2020 at 12:37 AM Ami Goldenberg <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> We are trying to deploy NiFi on kubernetes after successfully using it
>>>> for a while.
>>>> The issue we are having is that every time we enter our nifi URL it
>>>> will redirect us to Google and once we sign in we just get redirected 
>>>> again.
>>>>
>>>> *The error I see on users.log is:*
>>>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>)
>>>> GET https://XXX.XXX.XXXX/nifi-api/flow/current-user
>>>> <https://xxx.xxx.xxxx/nifi-api/flow/current-user> (source ip:
>>>> 172.32.34.99)
>>>> 2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi
>>>> Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error
>>>> validating the JWT
>>>> 2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web
>>>> Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate
>>>> the access token.
>>>> 2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not
>>>> match locally computed signature. JWT validity cannot be asserted and
>>>> should not be trusted.
>>>> 2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web
>>>> Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web
>>>> api:Unable to validate the access token.
>>>>
>>>> *We're trying to follow practices from blogs and pvillard's repo:*
>>>>
>>>>    - https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
>>>>    - https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
>>>>    - https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
>>>>
>>>> *Our set up is as such:*
>>>>
>>>>    - OIDC provider is Google
>>>>    - TLS-toolkit running in server mode inside k8s
>>>>    - StatefulSet of 3 replicas
>>>>    - Zookeeper in K8s
>>>>    - Ingress that is set up to create a load balancer in AWS - with
>>>>    sticky sessions (based on cookie)
>>>>    - Service that is set up with sessionAffinity: ClientIP
>>>>
>>>>
>>>> Any idea which direction I should be checking next? Thanks!
>>>>
>>>
>>
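
Andy's diagnosis in the thread above, modelled as an added example that is not from the thread or from NiFi's own code: it assumes, as a simplification, that each StatefulSet replica signs the post-callback JWT with its own HMAC secret (HS256), so a token minted on one node is rejected by the others with a "signature does not match" result, while a key shared by all replicas (or affinity that keeps the callback on the issuing node) makes every node accept it.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(signing_key: bytes, claims: dict) -> str:
    """Issue an HS256 JWT the way one node would after the OIDC callback (hand-rolled, illustrative)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(signing_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(signing_key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the signature matches this node's key, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(signing_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # the case NiFi logs as "JWT signature does not match locally computed signature"
    return json.loads(b64url_decode(payload))


def simulate_cluster(node_keys: dict, issuing_node: str, claims: dict) -> dict:
    """Mint on the issuing node, then try to verify on every node; True means that node accepts it."""
    token = mint_token(node_keys[issuing_node], claims)
    return {node: verify_token(key, token) is not None for node, key in node_keys.items()}


# Constructed sample: three replicas, each with its own random key (the failing setup)
PER_NODE_KEYS = {f"nifi-{i}": os.urandom(32) for i in range(3)}
# The same three replicas sharing one key (every node can validate)
SHARED = os.urandom(32)
SHARED_KEYS = {f"nifi-{i}": SHARED for i in range(3)}
CLAIMS = {"sub": "user@example.com", "iss": "nifi-0", "exp": int(time.time()) + 3600}
```

Running `simulate_cluster(PER_NODE_KEYS, "nifi-0", CLAIMS)` shows only nifi-0 accepting the token, which is the redirect loop from the thread whenever the load balancer sends the next request to nifi-1 or nifi-2.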
