Scotty, when you turn an unsecured cluster into a secured one, authentication is turned on. You have to configure one of the authentication mechanisms (Kerberos, LDAP, OIDC, client certificates) in your nifi.properties.
> On Sep 7, 2020, at 3:28 AM, scotty <yt...@msn.com> wrote:
>
> Hi,
>
> 1. I had an unsecured NiFi setup running: "Client > https > reverse proxy > http > NiFi"
>
> 2. I tried to secure it using the instructions at https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit. Certificates were generated as follows:
>
> a. ./bin/tls-toolkit.sh standalone -n '<my domain name>'
>
> b. ./home/scotty/nifi-toolkit-1.9.1/bin/tls-toolkit.sh standalone -C 'CN=my_username,OU=NiFi'
>
> 3. added CN=my_username,OU=NiFi in authorizers.xml (users.xml and authorizations.xml appear correct)
>
> 4. The response I'm getting at the NiFi URL is 'Insufficient Permissions: Unknown user with identity 'CN=localhost, OU=NIFI'. Contact the system administrator.'
>
> 5. I'm getting the same message from whatever computer I try to access the UI from, whether it has the user certificate installed or not. So who's making the request to authenticate?
>
> 6. nifi-user.log shows as follows:
>
> INFO [NiFi Web Server-84] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=localhost, OU=NIFI) GET https://<my domain name>/nifi-api/flow/current-user (source ip: <ip address>)
>
> 2020-08-30 15:43:45,820 INFO [NiFi Web Server-84] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=localhost, OU=NIFI
>
> 2020-08-30 15:43:45,831 INFO [NiFi Web Server-84] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=localhost, OU=NIFI], groups [] does not have permission to access the requested resource. Unknown user with identity 'CN=localhost, OU=NIFI'. Returning Forbidden response
>
> 7. My NiFi truststore.jks shows the following:
>
> keystore contains 1 entry
> Alias name: nifi-cert
> Entry type: trustedCertEntry
> Owner: CN=localhost, OU=NIFI
> Issuer: CN=localhost, OU=NIFI
>
> 8. When I tried to use the X-ProxiedEntitiesChain header in my NGINX config, I got an "untrusted proxy" error when trying to access the NiFi UI.
>
> Was I supposed to secure NiFi without the reverse proxy and then set up the proxy through the NiFi UI (as discussed in the following)?
>
> "If NiFi is running securely, any proxy needs to be authorized to proxy user requests. These can be configured in the NiFi UI through the Global Menu. Once these permissions are in place, proxies can begin proxying user requests. The end user identity must be relayed in a HTTP header. For example, if the end user sent a request to the proxy, the proxy must authenticate the user. Following this the proxy can send the request to NiFi. In this request an HTTP header should be added as follows."
>
> 9. Was I supposed to generate a certificate for the proxy (as discussed in this Apache Knox tutorial)? https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html
>
> Any guidance appreciated.
>
> Thanks.
>
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
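The identity rules quoted above from the NiFi documentation, modelled as an added example (this is not NiFi's code): the client-certificate DN presented to NiFi is the caller's identity unless an authorized proxy relays the end user in X-ProxiedEntitiesChain, which reproduces both the "Unknown user with identity 'CN=localhost, OU=NIFI'" result and the "untrusted proxy" error from the thread. All DNs, header values and the authorized-proxy set are constructed samples.

```python
"""Model of how a secured NiFi resolves the caller behind a reverse proxy.

Added example, not NiFi's code. It follows the documented rules: the proxy
must itself authenticate (here: by client-certificate DN) and be authorized to
proxy user requests; the end user is relayed in X-ProxiedEntitiesChain as
'<identity>' tokens, end user first, with '<', '>' and '\\' backslash-escaped.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

HEADER = "X-ProxiedEntitiesChain"

def format_identity(identity: str) -> str:
    """Wrap one identity as a chain token, escaping the delimiter characters."""
    return "<" + re.sub(r"([\\<>])", r"\\\1", identity) + ">"

def build_chain(*identities: str) -> str:
    """End user first, then each proxy that forwarded the request."""
    return "".join(format_identity(i) for i in identities)

def parse_chain(header: str) -> List[str]:
    """Split '<a><b>' back into ['a', 'b'], honouring escaped delimiters."""
    tokens = re.findall(r"<((?:\\.|[^<>\\])*)>", header)
    return [re.sub(r"\\(.)", r"\1", t) for t in tokens]

def resolve_identity(tls_dn: str, headers: Dict[str, str],
                     authorized_proxies: Set[str]) -> Tuple[Optional[str], str]:
    """Return (effective identity, reason) for one request reaching NiFi.

    tls_dn is the DN of the client certificate presented to NiFi, i.e. the
    proxy's certificate when a proxy terminates TLS in front of NiFi.
    (Constructed model; the set of authorized proxies stands in for the
    'proxy user requests' policy granted in the NiFi UI.)
    """
    chain_header = headers.get(HEADER)
    if chain_header is None:
        # No chain: the certificate holder *is* the user. This is the thread's
        # "Unknown user with identity 'CN=localhost, OU=NIFI'" situation.
        return tls_dn, "certificate identity used directly"
    chain = parse_chain(chain_header)
    if not chain:
        return None, "malformed " + HEADER
    # Every hop after the end user, plus the TLS peer, needs proxy permission;
    # a missing grant is the thread's "untrusted proxy" error (step 8).
    for hop in chain[1:] + [tls_dn]:
        if hop not in authorized_proxies:
            return None, "untrusted proxy " + hop
    return chain[0], "relayed via " + " -> ".join(chain[1:] + [tls_dn])
```

Identity strings must match users.xml character for character (NiFi does not normalise "CN=a, OU=b" and "CN=a,OU=b" to the same user), so the proxy's own DN, as it appears in its certificate, is what needs the proxy permission.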