question Re: Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work in Support Questions

Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work

GuiCaixeta — Thu, 22 Jul 2021 11:03:57 GMT

I have been some issues to configuring Apache Nifi using an existing certificate.

My use case is:

I'm generating the truststore and the keystore from an existing tls.pem and tls.key that my ingress is using, from this I set the referent configurations of TLS and OpenId (I have created a custom image based on the official Nifi's image).

Everything its working, although when I try to access the UI and the redirects to the openId occurs the Nifi throw an exception, these are the last logs shown in the nifi-user.log:

2021-07-22 09:58:05,814 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=MY-HOST) GET https://MY-HOST/nifi-api/flow/current-u
ser (source ip: xx.xxx.xxx.xxx)
2021-07-22 09:58:05,815 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=MY-HOST
2021-07-22 09:58:05,818 INFO [NiFi Web Server-25] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=MY-HOST], groups[] does not have permission to access the requested resource. Unknown user with id
entity 'CN=MY-HOST'. Returning Forbidden response.

Although according the documentation to this documentation:

NiFi’s web server will REQUIRE certificate based client authentication for users accessing the User Interface when not configured with an alternative authentication mechanism which would require one way SSL (for instance LDAP, OpenId Connect, etc). Enabling an alternative authentication mechanism will configure the web server to WANT certificate base client authentication. This will allow it to support users with certificates and those without that may be logging in with credentials. See User Authentication for more details.

This should not happens, someone have just passed for this before? What am I missing?

Re: Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work

DennisJaheruddi — Thu, 22 Jul 2021 14:19:40 GMT

Are you using the version published by Cloudera? Please confirm exactly which platform version and whether this is the on premise variant or in public cloud.

Re: Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work

GuiCaixeta — Thu, 22 Jul 2021 15:23:38 GMT

Hi @DennisJaheruddi,

Thank you for your reply.

About the image, I'm using this one Apache-Nifi.

The Nifi version used is 1.12.1

Is a public cloud: AWS/EKS

Re: Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work

GuiCaixeta — Mon, 26 Jul 2021 08:43:29 GMT

After a lot of headaches and some tries, I finally discover the issue, due the fact that I have a nginx as my ingress some headers are added during each request, and due the headers "x-forward-.*" the request always return an error. Although this is not an acceptable an answer, I need a clear understanding about that before to close this issue.

Re: Apache Nifi 1.12.1 in Kubernetes with existing certificate and OpenID activated doesn't work

DennisJaheruddi — Tue, 03 Aug 2021 21:04:46 GMT

I would always recommend you to use the Cloudera distribution, as people like me are not able to troubleshoot the upstream distributions, and we do note that. it is common that people run into trouble when using upstream versions.

I am not sure about the exact time, but if you are interested in Nifi on K8s, then rather than trying to solve all challenges personally you may also want to look into how the Cloudera Data Platform attacks this challenge for everyone.