Hi,

1. I had an unsecured NiFi setup running: "Client > https > reverse proxy >
http > NiFi"

2. I tried to secure it using the instructions at
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit.
Certificates were generated as follows:

a. ./bin/tls-toolkit.sh standalone -n '<my domain name>'

b. ./home/scotty/nifi-toolkit-1.9.1/bin/tls-toolkit.sh standalone -C
'CN=my_username,OU=NiFi'

3. Added CN=my_username,OU=NiFi in authorizers.xml (users.xml and
authorizations.xml appear correct)

4. The response I'm getting at the NiFi URL is 'Insufficient Permissions:
Unknown user with identity 'CN=localhost, OU=NIFI'. Contact the system
administrator.'

5. I'm getting the same message from whatever computer I try to access the
UI from, whether it has the user certificate installed or not. So who's
making the request to authenticate?

6. nifi-user.log shows as follows:

INFO [NiFi Web Server-84] o.a.n.w.s.NiFiAuthenticationFilter Attempting
request for (CN=localhost, OU=NIFI) GET https://<my domain
name>/nifi-api/flow/current-user (source ip: <ip address>)

2020-08-30 15:43:45,820 INFO [NiFi Web Server-84]
o.a.n.w.s.NiFiAuthenticationFilter 
Authentication success for CN=localhost, OU=NIFI

2020-08-30 15:43:45,831 INFO [NiFi Web Server-84]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=localhost, OU=NIFI],
groups [] does not have permission to access the requested resource. Unknown
user with identity 'CN=localhost, OU=NIFI'. Returning Forbidden response

7. My NiFi truststore.jks shows the following:

keystore contains 1 entry
Alias name: nifi-cert
Entry type: trustedCertEntry
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI


8. When I tried to use the X-ProxiedEntitiesChain header in my NGINX config,
I got an "untrusted proxy" error when trying to access the NiFi UI.

Was I supposed to secure NiFi without the reverse proxy and then set up the
proxy through the NiFi UI (as discussed in the following)?

"If NiFi is running securely, any proxy needs to be authorized to proxy user
requests. These can be configured in the NiFi UI through the Global Menu.
Once these permissions are in place, proxies can begin proxying user
requests. The end user identity must be relayed in a HTTP header. For
example, if the end user sent a request to the proxy, the proxy must
authenticate the user. Following this the proxy can send the request to
NiFi. In this request an HTTP header should be added as follows."


9. Was I supposed to generate a certificate for the proxy (as discussed in
this Apache Knox tutorial)?
https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html

Any guidance appreciated.

Thanks.

--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
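As an added illustration of the mechanism the question is about (this is example code written for this thread, not code from the post, from Apache NiFi, or from the Knox tutorial): a small Python model of how a request that arrives through a reverse proxy is evaluated, showing why a proxy that forwards without a proxied-entities header is seen as the user CN=localhost, OU=NIFI, and why adding the header then fails until the proxy's own certificate identity is authorized to proxy user requests. The header format is taken from NiFi's documentation of X-ProxiedEntitiesChain and is stated here as an assumption: each identity is wrapped in <...>, the characters <, > and \ inside an identity are backslash-escaped, and the empty identity <> means anonymous. The function and variable names (escape_identity, build_chain, parse_chain, evaluate_request, scenarios, PROXY_DN, USER_DN, KNOWN_USERS) are this example's own, and the exact-string comparison of identities is an assumption about NiFi's matching when no identity-mapping patterns are configured.

```python
# Added example, not code from the post or from Apache NiFi: a small model of
# how a proxied NiFi request is evaluated. Assumed header format (NiFi's
# documented X-ProxiedEntitiesChain, stated here as an assumption): each
# identity is wrapped in <...>, the characters '<', '>' and '\' inside an
# identity are backslash-escaped, and the empty identity <> is anonymous.
from typing import List, Optional, Set, Tuple


def escape_identity(identity: str) -> str:
    """Escape one DN so it can be wrapped in <...> without ambiguity."""
    return identity.replace("\\", "\\\\").replace("<", "\\<").replace(">", "\\>")


def build_chain(identities: List[str]) -> str:
    """Header value a proxy sends: end user first, then any upstream proxies."""
    return "".join(f"<{escape_identity(i)}>" for i in identities)


def parse_chain(value: str) -> List[str]:
    """Parse a header value back into identities, honouring backslash escapes.

    Malformed input raises ValueError: a lenient parser here would let a
    crafted header smuggle an extra identity into the chain.
    """
    identities: List[str] = []
    buf: List[str] = []
    inside = False
    i = 0
    while i < len(value):
        c = value[i]
        if not inside:
            if c == "<":
                inside, buf = True, []
            elif not c.isspace():
                raise ValueError(f"unexpected {c!r} outside <...> at offset {i}")
        elif c == "\\":
            i += 1
            if i >= len(value):
                raise ValueError("dangling backslash")
            buf.append(value[i])
        elif c == ">":
            identities.append("".join(buf))
            inside = False
        elif c == "<":
            raise ValueError(f"unescaped '<' inside identity at offset {i}")
        else:
            buf.append(c)
        i += 1
    if inside:
        raise ValueError("unterminated identity")
    return identities


def evaluate_request(client_cert_dn: str, header_value: Optional[str],
                     known_users: Set[str], authorized_proxies: Set[str]) -> Tuple[str, str]:
    """Decide who a request is from and whether it may proceed.

    client_cert_dn is the subject DN of the TLS client certificate the
    connecting party (here the reverse proxy) presented. The full chain is the
    header's identities followed by that DN; every entry after the first must
    be an authorized proxy, and the first entry is the end user. Identities
    are compared as exact strings (no case folding or whitespace trimming),
    an assumption about NiFi's matching when no identity mapping is configured.
    """
    chain = (parse_chain(header_value) if header_value is not None else []) + [client_cert_dn]
    end_user, proxies = chain[0], chain[1:]
    for proxy in proxies:
        if proxy not in authorized_proxies:
            return ("untrusted proxy", proxy)
    if end_user == "":
        return ("anonymous", end_user)
    if end_user not in known_users:
        return ("unknown user", end_user)
    return ("ok", end_user)


# Constructed sample data mirroring the post: the proxy presents the toolkit's
# server certificate, and the only user NiFi knows is the one in authorizers.xml.
PROXY_DN = "CN=localhost, OU=NIFI"
USER_DN = "CN=my_username,OU=NiFi"
KNOWN_USERS = {USER_DN}


def scenarios() -> List[Tuple[str, Tuple[str, str]]]:
    """The three situations from the post, evaluated by the model."""
    chain = build_chain([USER_DN])
    return [
        # proxy forwards without the header: NiFi only sees the proxy's own cert DN
        ("no header", evaluate_request(PROXY_DN, None, KNOWN_USERS, set())),
        # header present, but the proxy DN lacks the 'proxy user requests' permission
        ("header, proxy not authorized", evaluate_request(PROXY_DN, chain, KNOWN_USERS, set())),
        # proxy DN has been authorized to proxy user requests
        ("header, proxy authorized", evaluate_request(PROXY_DN, chain, KNOWN_USERS, {PROXY_DN})),
    ]


if __name__ == "__main__":
    for name, (status, identity) in scenarios():
        print(f"{name:30s} -> {status} ({identity!r})")
```

Running the file prints one line per scenario: the first reproduces the "Unknown user with identity 'CN=localhost, OU=NIFI'" situation from the log (the proxy's own certificate subject is the only identity NiFi sees), the second is the "untrusted proxy" case, and the third succeeds as CN=my_username,OU=NiFi. Because the model compares identity strings exactly, a DN written with different spacing or case (for example CN=my_username, OU=NiFi with a space) is treated as a different, unknown user, which is worth checking against the entries in users.xml when an identity is rejected.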