But now I have NiFi and Registry with secure access (LDAP + SSL), and I need to find out how to configure the Registry in NiFi, because for now I did not have to specify a login. And even if my first bucket is Public, it is not accessible from NiFi.
On Tue, 30 Jun 2020 at 11:29, Etienne Jouvin <[email protected]> wrote:
> Hi Josef.
>
> No, I did not try that.
> And well done, with that I can access the UI, and can connect with LDAP
> identity.
>
> Thanks a lot.
>
> Cheers
>
> Etienne
>
> On Tue, 30 Jun 2020 at 11:15, <[email protected]> wrote:
>> Hi Etienne
>>
>> Did you try the following in «nifi-registry.properties»:
>>
>> nifi.registry.security.needClientAuth=false
>>
>> Cheers Josef
>>
>> From: Etienne Jouvin <[email protected]>
>> Reply to: "[email protected]" <[email protected]>
>> Date: Tuesday, 30 June 2020 at 10:46
>> To: "[email protected]" <[email protected]>
>> Subject: Need help SSL LDAP Nifi Registry
>>
>> Hello all.
>>
>> I am trying to set up LDAP authentication on NiFi Registry.
>> I followed some links, like
>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>
>> But each time, it requires that a certificate is installed on the client
>> side. I had this "problem" for NiFi, but that was because I had not provided
>> the nifi.security.user.login.identity.provider.
>>
>> But for the registry, I remembered that and did it.
>>
>> In summary, what I have in nifi-registry.properties:
>>
>> nifi.registry.security.keystore=./conf/keystore.jks
>> nifi.registry.security.keystoreType=jks
>> nifi.registry.security.keystorePasswd=password
>> nifi.registry.security.keyPasswd=password
>> nifi.registry.security.truststore=./conf/truststore.jks
>> nifi.registry.security.truststoreType=jks
>> nifi.registry.security.truststorePasswd=password
>>
>> (All of that information was given by the tls-toolkit, when executed
>> for NiFi)
>>
>> Then I put this:
>>
>> #nifi.registry.security.identity.provider=
>> nifi.registry.security.identity.provider=ldap-identity-provider
>>
>> In the file identity-providers.xml
>> I set up the LDAP provider:
>>
>> <provider>
>>     <identifier>ldap-identity-provider</identifier>
>>     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>     <property name="Authentication Strategy">SIMPLE</property>
>>
>>     <property name="Manager DN">uid=admin,ou=system</property>
>>     <property name="Manager Password">secret</property>
>>
>>     <property name="TLS - Keystore"></property>
>>     <property name="TLS - Keystore Password"></property>
>>     <property name="TLS - Keystore Type"></property>
>>     <property name="TLS - Truststore"></property>
>>     <property name="TLS - Truststore Password"></property>
>>     <property name="TLS - Truststore Type"></property>
>>     <property name="TLS - Client Auth"></property>
>>     <property name="TLS - Protocol"></property>
>>     <property name="TLS - Shutdown Gracefully"></property>
>>
>>     <property name="Referral Strategy">FOLLOW</property>
>>     <property name="Connect Timeout">10 secs</property>
>>     <property name="Read Timeout">10 secs</property>
>>
>>     <property name="Url">ldap://localhost:10389</property>
>>     <property name="User Search Base">ou=users,dc=test,dc=ch</property>
>>     <property name="User Search Filter">uid={0}</property>
>>
>>     <property name="Identity Strategy">USE_DN</property>
>>     <property name="Authentication Expiration">12 hours</property>
>> </provider>
>>
>> And finally in authorizers.xml:
>>
>> <userGroupProvider>
>>     <identifier>file-user-group-provider</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>     <property name="Users File">./conf/users.xml</property>
>>     <property name="Initial User Identity 1">uid=firstuser, ou=users,dc=test,dc=ch</property>
>> </userGroupProvider>
>>
>> <accessPolicyProvider>
>>     <identifier>file-access-policy-provider</identifier>
>>     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>     <property name="User Group Provider">file-user-group-provider</property>
>>     <property name="Authorizations File">./conf/authorizations.xml</property>
>>     <property name="Initial Admin Identity"> uid=firstuser, ou=users,dc=test,dc=ch </property>
>>     <property name="NiFi Group Name"></property>
>>
>>     <!--<property name="NiFi Identity 1"></property>-->
>> </accessPolicyProvider>
>>
>> Starting Registry is OK.
>>
>> But when I want to access it through Chrome, I have a certificate error:
>> ERR_BAD_SSL_CLIENT_AUTH_CERT
>>
>> How can I force the authentication to not request a client-side
>> certificate?
>>
>> Thanks for any input.
>>
>> Etienne Jouvin
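The configuration quoted in this thread can be sanity-checked before starting the Registry. The script below is an added example, not code from the thread or from the NiFi project: it parses the three files discussed above (nifi-registry.properties, identity-providers.xml, authorizers.xml) and reports the conditions behind the symptoms described, namely an identity provider configured while nifi.registry.security.needClientAuth is not explicitly false (the browser is then asked for a client certificate), a plain ldap:// URL used for a SIMPLE bind (manager and user credentials cross the wire unencrypted), and an Initial Admin Identity whose form does not match the Identity Strategy (USE_DN expects a full DN) or carries stray whitespace. The sample file contents are constructed from the values quoted in the thread; the root element names `identityProviders` and `authorizers`, the `find_provider` helper and the finding codes are this example's own, and the whitespace check assumes identities are compared as exact strings.

```python
"""Sanity-check NiFi Registry security settings (added example, not project code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the properties quoted in the thread, with needClientAuth
# set to "true" so that the thread's client-certificate symptom is reproduced.
SAMPLE_PROPERTIES = """
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
nifi.registry.security.needClientAuth=true
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
"""

# Constructed sample: the LDAP provider from the thread (TLS properties omitted).
SAMPLE_IDENTITY_PROVIDERS = """<identityProviders>
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">uid=admin,ou=system</property>
<property name="Manager Password">secret</property>
<property name="Url">ldap://localhost:10389</property>
<property name="User Search Base">ou=users,dc=test,dc=ch</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_DN</property>
</provider>
</identityProviders>"""

# Constructed sample: the access policy provider from the thread, including the
# surrounding spaces that appeared around the Initial Admin Identity value.
SAMPLE_AUTHORIZERS = """<authorizers>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<property name="Initial Admin Identity"> uid=firstuser, ou=users,dc=test,dc=ch </property>
</accessPolicyProvider>
</authorizers>"""


def parse_properties(text):
    """Parse Java-style key=value properties; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_provider(xml_text, identifier):
    """Return {property name: value} of the element whose <identifier> matches."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        ident = element.find("identifier")
        if ident is not None and (ident.text or "").strip() == identifier:
            return {p.get("name"): (p.text or "") for p in element.findall("property")}
    return {}


def check_registry_security(props, identity_providers_xml, authorizers_xml):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    provider_id = props.get("nifi.registry.security.identity.provider", "")
    need_client_auth = props.get("nifi.registry.security.needClientAuth", "").lower()

    # The thread's fix: with a login identity provider, needClientAuth must be false,
    # otherwise the browser is asked for a client certificate it does not have.
    if provider_id and need_client_auth != "false":
        findings.append(("CLIENT_CERT_STILL_REQUIRED",
                         "identity provider '%s' is set but "
                         "nifi.registry.security.needClientAuth is not 'false'" % provider_id))

    ldap = find_provider(identity_providers_xml, provider_id) if provider_id else {}
    url = ldap.get("Url", "").strip()
    strategy = ldap.get("Authentication Strategy", "").strip().upper()
    # A plain ldap:// URL without START_TLS sends the manager and user passwords in clear.
    if url.lower().startswith("ldap://") and strategy != "START_TLS":
        findings.append(("LDAP_PLAINTEXT",
                         "Url '%s' with strategy %s sends credentials unencrypted; "
                         "use ldaps:// (LDAPS) or START_TLS" % (url, strategy or "unset")))

    admin = find_provider(authorizers_xml, "file-access-policy-provider").get(
        "Initial Admin Identity", "")
    if admin != admin.strip():
        findings.append(("ADMIN_IDENTITY_WHITESPACE",
                         "Initial Admin Identity has surrounding whitespace: %r" % admin))
    identity_strategy = ldap.get("Identity Strategy", "").strip().upper()
    # USE_DN makes the identity the full DN; USE_USERNAME makes it the bare login name.
    if identity_strategy == "USE_DN" and "=" not in admin:
        findings.append(("ADMIN_IDENTITY_NOT_A_DN",
                         "Identity Strategy is USE_DN but the admin identity is not a DN"))
    elif identity_strategy == "USE_USERNAME" and "=" in admin:
        findings.append(("ADMIN_IDENTITY_IS_A_DN",
                         "Identity Strategy is USE_USERNAME but the admin identity is a DN"))
    return findings


if __name__ == "__main__":
    for code, message in check_registry_security(
            parse_properties(SAMPLE_PROPERTIES), SAMPLE_IDENTITY_PROVIDERS, SAMPLE_AUTHORIZERS):
        print("%-28s %s" % (code, message))
```

Run against real files by replacing the three sample strings with the contents of conf/nifi-registry.properties, conf/identity-providers.xml and conf/authorizers.xml; the thread's own configuration produces the first three findings, and setting needClientAuth=false, as suggested in the reply, clears the first.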
