question Re: Nifi SSL - Insufficient Permissions : Untrusted proxy in Support Questions

Nifi SSL - Insufficient Permissions : Untrusted proxy

VinceSailor — Thu, 23 Jun 2022 10:15:27 GMT

Hello there,

I'm upgrading a Nifi cluster (managed by ambri) to v1.15.3, therefore I have to secure it and activate ssl. I followed the installation steps from the official documentations, generated certificates (using Ambari Certificate Authority), and configured the Node Identities in Ambari. Still I have the "Untrusted proxy" error when I try to reach Nifi web interface.

Below is my configuration :

Nifi hosts as declared in Ambari :
- nif1.mydomain.com
- nif2.mydomain.com
- nif3.mydomain.com
I'm accessing them (ssh & https) using other FQDNs, which I used to generate the certificates :
- nif1-adm.mydomain.com
- nif2-adm.mydomain.com
- nif3-adm.mydomain.com

authorizers.xml

<authorizers> <userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File" /> <property name="Initial User Identity 0">CN=admin, OU=NIFI</property> <property name="Initial User Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property> <property name="Initial User Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property> <property name="Initial User Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">file-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">CN=admin, OU=NIFI</property> <property name="Legacy Authorized Users File" /> <property name="Node Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property> <property name="Node Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property> <property name="Node Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property> </accessPolicyProvider> <authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer>

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <tenants> <groups/> <users> <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e" identity="CN=nif2-adm.mydomain.com, OU=NIFI"/> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/> <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2" identity="CN=nif3-adm.mydomain.com, OU=NIFI"/> <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85" identity="CN=nif1-adm.mydomain.com, OU=NIFI"/> </users> </tenants>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizations> <policies> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="260562db-2b2b-390b-8145-b5d7c772f16c" resource="/data/process-groups/296adb65-017d-10 00-9a99-58089f2f0766" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/> <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/> <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/> </policy> <policy identifier="b77d6f8f-ceb3-3131-8973-9cc5c6ccb566" resource="/data/process-groups/296adb65-017d-10 00-9a99-58089f2f0766" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/> <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/> <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/> </policy> <policy identifier="d9966a39-db8d-3533-b6e5-c4e18045f1d0" resource="/process-groups/296adb65-017d-1000-9a 99-58089f2f0766" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="68a09709-f44f-3b57-912d-96295e1574bf" resource="/process-groups/296adb65-017d-1000-9a 99-58089f2f0766" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W"> <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/> </policy> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W"> <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/> <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/> <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/> </policy> </policies> </authorizations>

My 3 hosts have the /proxy Write permission, still I face the error message.

I suspect an issue with the mismatch between hostnames in Ambari and hostnames in Nifi, but can't find a workaround.

Thanks in advance for your support.

Regards.

Vincent.

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

gtorres — Fri, 24 Jun 2022 20:44:20 GMT

Can you check in nifi-users.xml the authorization error? This will show us the principal which is trying to connect. It should be the owner of the certificate store into keystore.jks. Make sure that matches with the principals that are created into users.xml

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

araujo — Sat, 25 Jun 2022 04:29:26 GMT

@VinceSailor ,

Could you please share the full "untrusted proxy" message?

Cheers,

André

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

MattWho — Tue, 28 Jun 2022 18:12:46 GMT

@VinceSailor
Check your nifi.properties file for an identity mapping pattern that contains a Java regex that matches on your DNs. If one does match, the corresponding value is returned and passed to authorizer.

so it might be possible your authorizer is only getting:

nif1-adm.mydomain.com

instead of:

CN=nif1-adm.mydomain.com, OU=NIFI

Thus resulting in your untrusted proxy exception.
That untrusted proxy error should include the exact identity string the authorizer was passed.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

VinceSailor — Tue, 12 Jul 2022 12:38:01 GMT

Hello,

Sorry did not notice your reply.

nifi-users.log :

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed x.x.x.x GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

I tried with the 3 members of the cluster, resulting in the same error.

Keystore :

keytool -v -list -keystore keystore.jks Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: nifi-key Creation date: Jul 12, 2022 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=nif1-adm.mydomain.com, OU=NIFI Issuer: CN=amb1.mydomain.com, OU=NIFI

Thanks !

Regards.

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

VinceSailor — Tue, 12 Jul 2022 12:36:56 GMT

Hello André,

Below is the error log :

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.97.225.179 GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

Attached the screenshot :

Kind regards.

Re: Nifi SSL - Insufficient Permissions : Untrusted proxy

VinceSailor — Wed, 13 Jul 2022 12:16:46 GMT

Hello Matt,

Thank you ! this solved the error (now I'm facing another one, but will figure it out 🙂 ). For further reference I had to configure those 3 lines in nifi.properties :

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1@$2

Thanks.

Vince.