But now, I have NiFi and Registry with secure access (LDAP + SSL)

I need to find out how to configure the Registry in NiFi, because for now I
did not have to specify login.
And even if my first bucket is Public, it is not accessible from NiFi.


Le mar. 30 juin 2020 à 11:29, Etienne Jouvin <lapinoujou...@gmail.com> a
écrit :

> Hi Josef.
>
> No I did not try that.
> And well done, with that I can access the UI, and can connect with LDAP
> identity.
>
> Thanks a lot.
>
> Cheers
>
> Etienne
>
>
>
> Le mar. 30 juin 2020 à 11:15, <josef.zahn...@swisscom.com> a écrit :
>
>> Hi Etienne
>>
>>
>>
>> Did you tried the following in «nifi-registry.properties»:
>>
>> nifi.registry.security.needClientAuth=false
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>> *From: *Etienne Jouvin <lapinoujou...@gmail.com>
>> *Reply to: *"users@nifi.apache.org" <users@nifi.apache.org>
>> *Date: *Tuesday, 30 June 2020 at 10:46
>> *To: *"users@nifi.apache.org" <users@nifi.apache.org>
>> *Subject: *Need help SSL LDAP Nifi Registry
>>
>>
>>
>> Hello all.
>>
>>
>>
>> I am trying to setup LDAP authentication on NiFi Registry.
>>
>> I followed some links, like
>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>
>>
>>
>> But each time, it requires that a certificate is installed on client
>> side. I had this "problem" for NiFi but because I did not provided
>> the nifi.security.user.login.identity.provider
>>
>>
>>
>> But for the registry, I remember that and did it.
>>
>>
>>
>> For summary, what I have in nifi-registry.properties
>>
>> nifi.registry.security.keystore=./conf/keystore.jks
>> nifi.registry.security.keystoreType=jks
>> nifi.registry.security.keystorePasswd=password
>> nifi.registry.security.keyPasswd=password
>> nifi.registry.security.truststore=./conf/truststore.jks
>> nifi.registry.security.truststoreType=jks
>> nifi.registry.security.truststorePasswd=password
>>
>>
>>
>> (All of those informations were given by the tls-toolkit, when executed
>> for NiFi)
>>
>> Then I put this
>>
>> #nifi.registry.security.identity.provider=
>> nifi.registry.security.identity.provider=ldap-identity-provider
>>
>>
>>
>> In the file identity-providers.xml
>>
>> I setup the LDAP provider
>>
>>     <provider>
>>         <identifier>ldap-identity-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>         <property name="Authentication Strategy">SIMPLE</property>
>>
>>         <property name="Manager DN">uid=admin,ou=system</property>
>>         <property name="Manager Password">secret</property>
>>
>>         <property name="TLS - Keystore"></property>
>>         <property name="TLS - Keystore Password"></property>
>>         <property name="TLS - Keystore Type"></property>
>>         <property name="TLS - Truststore"></property>
>>         <property name="TLS - Truststore Password"></property>
>>         <property name="TLS - Truststore Type"></property>
>>         <property name="TLS - Client Auth"></property>
>>         <property name="TLS - Protocol"></property>
>>         <property name="TLS - Shutdown Gracefully"></property>
>>
>>         <property name="Referral Strategy">FOLLOW</property>
>>         <property name="Connect Timeout">10 secs</property>
>>         <property name="Read Timeout">10 secs</property>
>>
>>         <property name="Url">ldap://localhost:10389</property>
>>         <property name="User Search
>> Base">ou=users,dc=test,dc=ch</property>
>>         <property name="User Search Filter">uid={0}</property>
>>
>>         <property name="Identity Strategy">USE_DN</property>
>>         <property name="Authentication Expiration">12 hours</property>
>>     </provider>
>>
>>
>>
>> And finally in authorizers.xml
>>
>>     <userGroupProvider>
>>         <identifier>file-user-group-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Initial User Identity 1">uid=firstuser,
>> ou=users,dc=test,dc=ch</property>
>>     </userGroupProvider>
>>
>>
>>
>>     <accessPolicyProvider>
>>         <identifier>file-access-policy-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>         <property name="User Group
>> Provider">file-user-group-provider</property>
>>         <property name="Authorizations
>> File">./conf/authorizations.xml</property>
>>         <property name="Initial Admin Identity"> uid=firstuser,
>> ou=users,dc=test,dc=ch </property>
>>         <property name="NiFi Group Name"></property>
>>
>>         <!--<property name="NiFi Identity 1"></property>-->
>>     </accessPolicyProvider>
>>
>>
>>
>>
>>
>> Starting Registry is OK.
>>
>>
>>
>> But when I want to access throw Chrome, I have a certificate error
>> : ERR_BAD_SSL_CLIENT_AUTH_CERT
>>
>>
>>
>> How can I force the authentication to not request a client side
>> certificate ?
>>
>>
>>
>> Thanks for any input.
>>
>>
>>
>> Etienne Jouvin
>>
>>
>>
>

Reply via email to