David, I did not have time this morning to test. But it may be something really "stupid", my fault. It seems I made a mistake while generating certificates on nodes, regarding the CA....
Hope to have time this afternoon and I will return.

Etienne

On Wed, Nov 25, 2020 at 14:18, David Handermann <exceptionfact...@gmail.com> wrote:

> I am not as familiar with the LDAP user group provider, but based on the
> "Untrusted proxy" message you are seeing, it sounds like the nodes are not
> being identified properly as members of the "nodes" group from LDAP. Just
> for testing purposes, you could try specifying the node distinguished names
> in the "Node Identity N" properties of the access policy provider, using
> "Node Identity 1", "Node Identity 2" and "Node Identity 3" to specify each
> node DN. If that works, then it sounds like a configuration issue with the
> Node Group, either on the LDAP server, or in the way NiFi is attempting to
> query LDAP.
>
> Regards,
> David Handermann
>
> On Wed, Nov 25, 2020 at 5:19 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
>
>> Just for information, I did not have time to test it for now.
>> I was not able to get this Walkthroughs documentation:
>> https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html
>>
>> Hope I will find the error I have about the certificate (I have a little idea).
>>
>> Etienne
>>
>> On Wed, Nov 25, 2020 at 08:36, Etienne Jouvin <lapinoujou...@gmail.com> wrote:
>>
>>> Hello.
>>>
>>> I made some progress yesterday.
>>> I set up groups and persons in LDAP.
>>>
>>> Groups:
>>> cn=administrators,ou=groups,ou=nifi,dc=amexio,dc=ch : for administrators
>>> cn=supervisors,ou=groups,ou=nifi,dc=amexio,dc=ch : for supervisors
>>> cn=nodes,ou=groups,ou=nifi,dc=amexio,dc=ch : group where I put all "person" entries representing NiFi nodes
>>>
>>> Users:
>>> cn=migX.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch : one for each node, replacing X by the index, with object class person
>>> uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch : example of a "real" user used to connect on the platform, with object class inetOrgPerson
>>>
>>> In the NiFi configuration, I activated a userGroupProvider linked to the LDAP:
>>>
>>> <userGroupProvider>
>>>     <identifier>amexio-ldap-user-group-provider</identifier>
>>>     <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>>     <property name="Authentication Strategy">SIMPLE</property>
>>>
>>>     <property name="Manager DN">uid=admin,ou=system</property>
>>>     <property name="Manager Password">secret</property>
>>>
>>>     <property name="TLS - Keystore"></property>
>>>     <property name="TLS - Keystore Password"></property>
>>>     <property name="TLS - Keystore Type"></property>
>>>     <property name="TLS - Truststore"></property>
>>>     <property name="TLS - Truststore Password"></property>
>>>     <property name="TLS - Truststore Type"></property>
>>>     <property name="TLS - Client Auth"></property>
>>>     <property name="TLS - Protocol"></property>
>>>     <property name="TLS - Shutdown Gracefully"></property>
>>>
>>>     <property name="Referral Strategy">FOLLOW</property>
>>>     <property name="Connect Timeout">10 secs</property>
>>>     <property name="Read Timeout">10 secs</property>
>>>
>>>     <property name="Url">ldap://localhost:10389</property>
>>>     <property name="Page Size">50</property>
>>>     <!-- <property name="Sync Interval">30 mins</property> -->
>>>     <property name="Sync Interval">30 seconds</property>
>>>     <property name="Group Membership - Enforce Case Sensitivity">false</property>
>>>
>>>     <property name="User Search Base">ou=users,ou=nifi,dc=amexio,dc=ch</property>
>>>     <property name="User Object Class">person</property>
>>>     <property name="User Search Scope">ONE_LEVEL</property>
>>>     <property name="User Search Filter"></property>
>>>     <property name="User Identity Attribute"></property>
>>>     <property name="User Group Name Attribute"></property>
>>>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>>
>>>     <property name="Group Search Base">ou=groups,ou=nifi,dc=amexio,dc=ch</property>
>>>     <property name="Group Object Class">groupOfNames</property>
>>>     <property name="Group Search Scope">ONE_LEVEL</property>
>>>     <property name="Group Search Filter"></property>
>>>     <property name="Group Name Attribute">cn</property>
>>>     <property name="Group Member Attribute">member</property>
>>>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>>> </userGroupProvider>
>>>
>>> Of course, it is registered inside the accessPolicyProvider:
>>>
>>> <accessPolicyProvider>
>>>     <identifier>file-access-policy-provider</identifier>
>>>     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>     <!-- <property name="User Group Provider">file-user-group-provider</property> -->
>>>     <property name="User Group Provider">amexio-ldap-user-group-provider</property>
>>>     <property name="Authorizations File">./conf/authorizations.xml</property>
>>>     <!-- <property name="Initial Admin Identity"></property> -->
>>>     <property name="Initial Admin Identity">uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch</property>
>>>     <property name="Legacy Authorized Users File"></property>
>>>     <property name="Node Identity 1"></property>
>>>     <property name="Node Group">nodes</property>
>>> </accessPolicyProvider>
>>>
>>> I am able to connect with the initial administrator account when the first node is started.
>>> And all nodes are synchronized in the NiFi instance.
>>>
>>> As soon as I start an additional node, I can not connect to the first node.
>>> Error message:
>>> Untrusted proxy CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch
>>>
>>> But I can connect on the second node.
>>>
>>> So all this is about the certificate, I guess.
>>> As a reminder, I use tls-toolkit to generate certificates on all nodes, with something like:
>>>
>>> tls-toolkit.bat standalone -f "C:\nifi-1.12.1\node1\conf\nifi.properties" -o "C:\nifi-1.12.1\node1\conf\secured" -n mig1.amexio.ch --nifiDnPrefix cn= --nifiDnSuffix ou=users,ou=nifi,dc=amexio,dc=ch
>>>
>>> Proxy is untrusted, OK fine. So maybe I should not use the standalone function of the toolkit, but use server and client. In that case, do I have to keep the toolkit server alive?
>>> Also, it seems I did not add the certificate from node1 inside the node2 truststore, and the node2 certificate inside the node1 truststore?
>>> But in this case, if I have to add a new node, let's say node4, would I have to push the certificate from node4 inside all existing nodes?
>>>
>>> I continue to search, but any idea / input will be appreciated.
>>>
>>> Etienne
>>>
>>> On Mon, Nov 23, 2020 at 18:39, Bryan Bende <bbe...@gmail.com> wrote:
>>>
>>>> Yes it will be the DN of the server's certificate which comes from the
>>>> keystore.
>>>>
>>>> NiFi will get an incoming request, see that there is an X509 cert,
>>>> take the DN and go to the user group provider and ask for the user
>>>> with this identity.
>>>>
>>>> On Mon, Nov 23, 2020 at 12:01 PM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
>>>> >
>>>> > Hum OK,
>>>> >
>>>> > I will give it a try.
>>>> > But one more thing...
>>>> >
>>>> > If I only set the node group,
>>>> > how will NiFi connect the node with the nodeId in the LDAP?
>>>> > Where does it take the nodeId value from?
>>>> > Is it the value we set in the keystore / truststore, by default cn=localhost, dc=NIFI (something like this)?
>>>> >
>>>> > Etienne
>>>> >
>>>> > On Mon, Nov 23, 2020 at 17:54, Bryan Bende <bbe...@gmail.com> wrote:
>>>> >>
>>>> >> I don't really know the LDAP specifics too well, so I'm not actually sure.
>>>> >>
>>>> >> You just need the nodes to come back from the LDAP UserGroupProvider
>>>> >> as if they were regular users and members of some group "foo", which
>>>> >> you then put "foo" into the "Node Group".
>>>> >>
>>>> >> On Mon, Nov 23, 2020 at 11:50 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
>>>> >> >
>>>> >> > Thanks Bryan.
>>>> >> >
>>>> >> > With your answer.... I will go to the Node Group and assign node identities.
>>>> >> > Better for deployment and setup on the fly, I guess.
>>>> >> >
>>>> >> > One more point, you said "creating ldap entries for your nodes and assigning them group membership in ldap". What type of objectClass would you assign to the node in LDAP?
>>>> >> > This is not inetOrgPerson. The node should not have a password.
>>>> >> > If I create a groupOfMembers for each node, is it correct?
>>>> >> >
>>>> >> > Thanks
>>>> >> >
>>>> >> > Etienne
>>>> >> >
>>>> >> > On Mon, Nov 23, 2020 at 17:27, Bryan Bende <bbe...@gmail.com> wrote:
>>>> >> >>
>>>> >> >> Hello,
>>>> >> >>
>>>> >> >> "Node Identity" is similar to the "Initial Admin" concept, in that it
>>>> >> >> sets up the policies for the initial nodes to have permissions to
>>>> >> >> proxy.
>>>> >> >>
>>>> >> >> If you are creating ldap entries for your nodes and assigning them
>>>> >> >> group membership in ldap, then yes you could put that group name as
>>>> >> >> the "Node Group" and then you don't need to specify the "Node
>>>> >> >> Identities".
>>>> >> >>
>>>> >> >> If you are creating the node users in NiFi's file-based user group
>>>> >> >> provider then you need to use node identities, and when adding a new
>>>> >> >> node to the cluster you'd have to add the user first through the
>>>> >> >> UI/REST API and grant it proxy, then actually connect it to the
>>>> >> >> cluster.
>>>> >> >>
>>>> >> >> Thanks,
>>>> >> >>
>>>> >> >> Bryan
>>>> >> >>
>>>> >> >> On Mon, Nov 23, 2020 at 7:58 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:
>>>> >> >> >
>>>> >> >> > Hello all.
>>>> >> >> >
>>>> >> >> > I am currently setting up a NiFi 1.12.1 cluster with LDAP authentication.
>>>> >> >> > For now the accessPolicyProvider is the default one from the configuration template:
>>>> >> >> >
>>>> >> >> > <accessPolicyProvider>
>>>> >> >> >     <identifier>file-access-policy-provider</identifier>
>>>> >> >> >     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>> >> >> >     <property name="User Group Provider">file-user-group-provider</property>
>>>> >> >> >     <property name="Authorizations File">./conf/authorizations.xml</property>
>>>> >> >> >     <property name="Initial Admin Identity"></property>
>>>> >> >> >     <property name="Legacy Authorized Users File"></property>
>>>> >> >> >     <property name="Node Identity 1"></property>
>>>> >> >> >     <property name="Node Group"></property>
>>>> >> >> > </accessPolicyProvider>
>>>> >> >> >
>>>> >> >> > But I do not really understand the purpose of the Node Identity X property.
>>>> >> >> > If I understood well, all nodes should have the same configuration file, and I should register all node identities.
>>>> >> >> >
>>>> >> >> > But what about if I want to add a new node in the cluster on the fly?
>>>> >> >> > Should I register a new node identity, and then change all node configurations?
>>>> >> >> > The comment in the configuration file mentions the Node Group configuration: "The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically added/removed from the cluster."
>>>> >> >> > Should I just put a Node Group name and this will do the trick?
>>>> >> >> >
>>>> >> >> > What should I put? At the following link, https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.0.3/bk_administration/content/cluster-node-identities.html, it says something like: cn=nifi-1,ou=people,dc=example,dc=com
>>>> >> >> > In that case, what should be the object class for the node cn=nifi-1 in the LDAP?
>>>> >> >> >
>>>> >> >> > Any documentation links will be appreciated.
>>>> >> >> >
>>>> >> >> > Regards.
>>>> >> >> >
>>>> >> >> > Etienne Jouvin
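The lookup Bryan and David describe, replayed offline against a constructed LDIF snapshot of the entries Etienne listed (an added example, not code from the thread or from NiFi): the identity taken from the node certificate must resolve to a user under the User Search Base and appear as a member of the group named in Node Group. The parser, the normalize flag and the sample data are assumptions of this example; the DN in CERT_DN is the one quoted in the "Untrusted proxy" message.

```python
import re
# Constructed LDIF snapshot of the entries described in the thread (hypothetical data).
LDIF = """\
dn: cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch
objectClass: person
cn: mig1.amexio.ch

dn: uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch
objectClass: person
uid: mig-admin

dn: cn=nodes,ou=groups,ou=nifi,dc=amexio,dc=ch
objectClass: groupOfNames
cn: nodes
member: cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch
"""
USER_BASE = "ou=users,ou=nifi,dc=amexio,dc=ch"    # "User Search Base" from the thread
GROUP_BASE = "ou=groups,ou=nifi,dc=amexio,dc=ch"  # "Group Search Base" from the thread

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lower: [values]}}; no base64 or line folding."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def normalize_dn(dn):
    """Lower-case attribute types and drop whitespace around commas; values untouched."""
    rdns = [r.strip().split("=", 1) for r in dn.split(",")]
    return ",".join(f"{t.strip().lower()}={v.strip()}" for t, v in rdns)

has_class = lambda attrs, cls: cls.lower() in (c.lower() for c in attrs.get("objectclass", []))

def is_trusted_node(entries, cert_dn, node_group="nodes", normalize=False):
    """Replay the provider's lookup: cert_dn must be a 'person' under USER_BASE and a 'member'
    of groupOfNames <node_group>. normalize=False compares the identity strings exactly."""
    key = normalize_dn if normalize else (lambda s: s)
    users = {key(dn) for dn, a in entries.items()
             if normalize_dn(dn).endswith("," + USER_BASE) and has_class(a, "person")}
    group = entries.get(f"cn={node_group},{GROUP_BASE}", {})
    members = {key(m) for m in group.get("member", [])} if has_class(group, "groupOfNames") else set()
    ident = key(cert_dn)
    return ident in users and ident in members

ENTRIES = parse_ldif(LDIF)
CERT_DN = "CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch"  # DN from the error message
```

With normalize=False the certificate DN and the LDAP DN differ only in case and spacing and the check fails; with normalize=True it passes. In a real deployment the comparison is NiFi's own, shaped by any nifi.security.identity.mapping.* rules in nifi.properties, so this only shows where a mismatch would surface, not that it is the cause in this thread.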