question Re: nifi registry security - able to login with certs but not geeting login page in Support Questions

nifi registry security - able to login with certs but not geeting login page

Former Member — Sun, 22 Dec 2019 13:46:44 GMT

nifi registry security - able to login with certs but not getting login page when canceling certs

updated login-identity-provider.xml as below not sure what is missing

<identityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">xxxxxxxx</property>
<property name="Manager Password">>xxxxxxxx</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://abc:389</property>
<property name="User Search Base">OU=managed,DC=ams,DC=xx,DC=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
<property name="Sync Interval">30 secs</property>
</provider>
</identityProviders>

please let me know what is missing here

Re: nifi registry security - able to login with certs but not geeting login page

MattWho — Mon, 23 Dec 2019 18:24:32 GMT

@Former Member

Simply configuring the ldap-provider in the identity-providers.xml file will not result in NiFi-Registry using it.
Make sure you have set the following property in the nifi-registry.properties file:

nifi.registry.security.identity.provider=ldap-provider

This tells NiFi to use the "ldap-provider" configured in that file.

Also make sure the file is named "identity-providers.xml" and not "login-identity-providers.xml". NiFi-Registry uses the former while NiFi uses the latter identity providers filename.

One other things to consider... If NiFi-Registry is configured to support Spnego:

nifi.registry.kerberos.spnego.authentication.expiration=12 hours nifi.registry.kerberos.spnego.keytab.location= nifi.registry.kerberos.spnego.principal=

Spnego auth will be attempted before any configured identity provider. So all it takes is to have Spnego enabled in your browser and NiFi-Registry to be setup to support Spnego auth and you will not see login page as well. If you do not have Spnego enabled in your browser, then this is not your issue because even if configured if browser does not return Spengo creds, NiFi-Registry will move on to next configured authentication provider.

Hope this helps,

Matt

Re: nifi registry security - able to login with certs but not geeting login page

Former Member — Thu, 26 Dec 2019 02:41:58 GMT

@Former Member

yes, updated nifi-reg.properties file

nifi.registry.security.identity.provider=ldap-provider

but still no luck

# security properties #

nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxxxxxxx
nifi.registry.security.keyPasswd=xxxxxx
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=xxxxxxxxxxx
nifi.registry.security.user.authorizer=managed-authorizer
#nifi.registry.security.user.login.identity.provider=ldap-identity-provider

nifi.registry.security.needClientAuth=

nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-provider

Re: nifi registry security - able to login with certs but not geeting login page

Former Member — Thu, 26 Dec 2019 03:33:06 GMT

do i need to configure authorization.xml to get the login page alone?

please advice. Thanks!

Re: nifi registry security - able to login with certs but not geeting login page

MattWho — Thu, 26 Dec 2019 16:38:12 GMT

@Former Member

Make sure you have configured "nifi.registry.security.needClientAuth=false".
When not set it defaults to true.

NeedClientAuth=true tells NiFi that in the TLS handshake it will "require" client to present a client side certificate. If one is not presented, the connection will just close and NiFi-Registry will never try any other authentication method.

This property must be set to false in order for NiFi-Registry to support any authentication method other than TLS.

Hope this gets you going,

Matt

Re: nifi registry security - able to login with certs but not geeting login page

Former Member — Thu, 26 Dec 2019 20:55:37 GMT

@MattWho

this really helps, now i am getting login page once after the setting the value to false

nifi.registry.security.needClientAuth=false

Really Appreciate it.

Can you help to configure file-based user authorizations as well in authorizers.xml

i hope below part should be enough

userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">CN=sys_admin, OU=RegPoc</property>
</userGroupProvider>

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=sys_admin, OU=RegPoc</property>

</accessPolicyProvider>

what should be the node identity here ?

Re: nifi registry security - able to login with certs but not geeting login page

MattWho — Fri, 27 Dec 2019 15:15:02 GMT

@Former Member

Since you are asking a new question unrelated to the question asked in the original subject, I kindly ask that you start a new question. Would be happy to help. Asking multiple questions in one thread makes a thread harder to follow for other users of this community forum.

If you feel this question subject has been answered, please accept a solution provided to close out this thread.

Thank you,

Matt