Hi Stefan,
I see a number of things that are different from our working Kerberos solution,
but one thing in particular: we used a certificate-based user for our initial
admin identity, with the client certificate in the truststore and the DN of
that user in the authorizers file, something like “CN=admin, OU=NiFi,
O=Ourcompany,…” In an LDAP-based setup I had a lot of trouble finding the
correct initial admin setting. It turned out to be the username without any
other part of the DN.
After NiFi starts (and fails), you can check the generated users.xml. It should
contain at least the user that is supposed to become the initial admin, with
some content after the [identity] showing the name it will expect at “initial
admin identity”. The documentation says that any mapping rules will be applied,
but I’m not sure that is the case.
Be sure to delete the users.xml and authorizations.xml after a failed start,
otherwise they will not be filled with the newly configured stuff on the next
start.
I don’t know if the initial admin identity error means all of the Kerberos
stuff is working already or if it occurs before initializing Kerberos beans,
but in case you run into trouble there, these settings in our Kerberos setup
are different from yours.
authorizers.xml:
<property name="Initial Admin Identity">CN=admin,OU=NiFi,O=Ourcompany</property> # this is because we used certificate
login-identity-provider.xml:
<property name="Default Realm">OURDOMAIN.COM</property>
nifi.properties:
# kerberos service principal #
nifi.kerberos.service.principal=nifi/[email protected]
# kerberos spnego principal #
nifi.kerberos.spnego.principal=HTTP/[email protected]
nifi.kerberos.spnego.keytab.location=/etc/security/keytabs/spnego.service.keytab
# (obviously your path will be different, but we do have one entered here)
I hope this helps you towards a working solution!
Isha
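A small check for the users.xml step above, added here as an example and not code from the thread or from NiFi: it reads the identity NiFi wrote to users.xml after a failed start and compares it with the "Initial Admin Identity" in authorizers.xml, flagging the case where only the bare username matches. The two XML documents, the user "stefan" and the realm EXAMPLE.COM are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the users.xml NiFi generates on a failed start; the
# tenants/users/user@identity layout is that of NiFi's file user group provider.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="00000000-0000-0000-0000-000000000001" identity="stefan"/>
  </users>
</tenants>
"""

# Constructed authorizers.xml fragment; EXAMPLE.COM is a placeholder realm.
AUTHORIZERS_XML = """<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">stefan@EXAMPLE.COM</property>
  </accessPolicyProvider>
</authorizers>
"""

def user_identities(users_xml: str) -> list:
    """Identities NiFi persisted after applying its identity mapping rules."""
    return [u.get("identity", "") for u in ET.fromstring(users_xml).iter("user")]

def initial_admin_identity(authorizers_xml: str) -> str:
    """Configured 'Initial Admin Identity', or '' if the property is absent."""
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return (prop.text or "").strip()
    return ""

def check_initial_admin(users_xml: str, authorizers_xml: str) -> dict:
    """Compare the configured admin with what NiFi actually wrote to users.xml."""
    admin = initial_admin_identity(authorizers_xml)
    users = user_identities(users_xml)
    result = {"admin": admin, "users": users, "match": admin in users, "hint": ""}
    if admin and not result["match"]:
        # Strip realm or DN decoration: does only the short name match?
        short = admin.split("@")[0].split(",")[0].strip()
        short = short[3:] if short.upper().startswith("CN=") else short
        if short in users:
            result["hint"] = f"NiFi expects '{short}', not '{admin}'"
    return result
```

Run it against the real ./conf/users.xml and authorizers.xml after a failed start; if the hint fires, delete users.xml and authorizations.xml before restarting with the corrected value, as described above.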
From: Jakobsson Stefan <[email protected]>
Sent: Thursday 4 November 2021 11:06
To: [email protected]
Subject: Issues with Kerberos authentication.
Hi guys,
As per previous suggestions I have tried to change the authentication method to
Kerberos, but I ran into another snag, which looks to me like there is some
configuration issue. I’ve tried everything I can think of, but it’s still a no
go. Anyone who has any ideas?
app.log is attached
authorizers.xml:
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">[email protected]/KARBEROS</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>
login-identity-provider.xml:
<provider>
<identifier>kerberos-provider</identifier>
<class>org.apache.nifi.kerberos.KerberosProvider</class>
<property name="Default Realm"> URI.OF.OUR.AD/KARBEROS </property>
<property name="Authentication Expiration">12 hours</property>
</provider>
nifi.properties:
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=kerberos-provider
# kerberos #
nifi.kerberos.krb5.file=/etc/krb5.cnf
# kerberos service principal #
nifi.kerberos.service.principal=nifi/ URI.OF.OUR.AD/KERBEROS
nifi.kerberos.service.keytab.location=/etc/krb5.keytab
# kerberos spnego principal #
nifi.kerberos.spnego.principal=HTTP/[email protected]
nifi.kerberos.spnego.keytab.location=
nifi.kerberos.spnego.authentication.expiration=12 hours
Regards,
Stefan Jakobsson
Systems Manager | Scania IT, IACA | Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
[email protected]