Apache Nifi 2.2.0 version Untrusted proxy error


I set up a 4-node NiFi cluster and generated certificates. When I try to log in using my certificate user nifi_admin, I get the error:
"An unexpected error has occurred. Please check the logs for additional details."
When I checked the logs, I saw that the nodes in the cluster were encountering the following errors when trying to connect to the coordinator node:

The node whose interface I connect to: https://vtmrt3anifit01.x.com:8443/nifi/

The error received in the nifi-user.log file on this machine is as follows:

ERROR [NiFi Web Server-221] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response.
java.io.UncheckedIOException: Read Current User Entity failed
at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:446)
at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:421)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
.
.
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2584)
at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2610)
The error received in the nifi-user.log file of other nodes in the cluster is as follows:

WARN [NiFi Web Server-37] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.84.2.184 GET https://vtmrt3anifit01.x.com:8443/nifi-api/flow/current-user [Untrusted proxy CN=vtmrt3anifit04.x.com, OU=NIFI]

nifi.properties
.
nifi.sensitive.props.key=6y3hk3TWqOV0E2B1AHHikAqKH8lbqo84
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/data/cert/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=UuW0OHTYY+e9OAM9Gs4MTjbR9KF7BWZ7yPZ09FB5lC0
nifi.security.keyPasswd=UuW0OHTYY+e9OAM9Gs4MTjbR9KF7BWZ7yPZ09FB5lC0
nifi.security.truststore=/data/cert/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=1rAfyXpFQvaPys8DCj0+YSH9n4hKSHT4Do0yErt/5ZM
.
.
nifi.web.https.host=vtmrt3anifit01.x.com
nifi.web.https.port=8443
nifi.web.proxy.host=vtmrt3anifit01.x.com:8443,vtmrt3anifit02.x.com:8443,vtmrt3anifit03.x.com:8443,vtmrt3anifit04.x.com:8443

authorizers.xml: (It is arranged in the same way for all nodes.)

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">/data/nifi-2.2.0/conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 0">CN=nifi_admin</property>
        <property name="Initial User Identity 1">CN=vtmrt3anifit01.x.com, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=vtmrt3anifit02.x.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=vtmrt3anifit03.x.com, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=vtmrt3anifit04.x.com, OU=NIFI</property>
 
    </userGroupProvider>
 
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">/data/nifi-2.2.0/conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=vtmrt3anifit01.x.com, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=vtmrt3anifit02.x.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=vtmrt3anifit03.x.com, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=vtmrt3anifit04.x.com, OU=NIFI</property>
 
        <property name="Node Group"></property>
    </accessPolicyProvider>
 
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Screenshot: contents of nifi_admin.p12 (image not reproduced)

Screenshot: contents of the vtmrt3anifit01.x.com keystore.jks (image not reproduced)


I would appreciate your assistance on this matter.

 

1 ACCEPTED SOLUTION


@melek6199 

When you set up an Apache NiFi cluster versus a standalone NiFi instance, the cluster coordinator and ZooKeeper become part of the setup. Since a NiFi cluster is a zero-master cluster, the UI can be accessed from any cluster-connected node. So your user authenticates to the specific node you are accessing, and then that node proxies the user request (initially that would be "access the flow") on behalf of that user to the cluster coordinator, which replicates the request to all connected nodes.

The exception means that the node with the node identity derived from certificate DN "CN=vtmrt3anifit04.x.com, OU=NIFI" was not properly authorized to "proxy user requests".

All your NiFi node identities must be authorized to "proxy user requests".

While it appears that your NiFi authorizers.xml is set up correctly with your 4 nodes' identities (case sensitivity also correct), I suspect it was only set up correctly after NiFi had already been started, before it was configured correctly.

  • The "file-access-policy-provider" will only generate the authorizations.xml during NiFi startup if it does NOT already exist. It also will not modify an already existing authorizations.xml file.
  • The "file-user-group-provider" will only generate the users.xml during NiFi startup if it does not already exist. It also will NOT modify an already existing users.xml file.

So I would inspect the users.xml to make sure it contains all 4 node identities (with the correct case) and then verify that the authorizations.xml has those nodes properly authorized.

So I would start here to make sure the above is correct on all 4 nodes.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

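The inspection step described in the answer above, as an added example that is not part of the original post or of NiFi itself: a small script that reads the generated users.xml and authorizations.xml and reports, for each expected node identity, whether it exists as a user (case-sensitive, as NiFi compares identities) and whether that user is granted write on the /proxy resource, which is the "proxy user requests" policy. It checks the generated files rather than authorizers.xml because those files are what the authorizer actually enforces once they exist, regardless of how authorizers.xml has since been edited. The embedded XML samples are constructed to mirror NiFi's file-based provider output; the identifiers are made up, and node 04 is deliberately left out of the proxy policy to show what a failing check looks like.

```python
"""Verify that every NiFi node identity is in users.xml and is granted the
'proxy user requests' policy (/proxy, action W) in authorizations.xml.

Added example, not part of the original post or of NiFi. The sample XML is
constructed to match the shape of NiFi's generated files; identifiers are
made-up placeholders, not real NiFi UUIDs.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of conf/users.xml.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="id-admin" identity="CN=nifi_admin"/>
        <user identifier="id-node1" identity="CN=vtmrt3anifit01.x.com, OU=NIFI"/>
        <user identifier="id-node2" identity="CN=vtmrt3anifit02.x.com, OU=NIFI"/>
        <user identifier="id-node3" identity="CN=vtmrt3anifit03.x.com, OU=NIFI"/>
        <user identifier="id-node4" identity="CN=vtmrt3anifit04.x.com, OU=NIFI"/>
    </users>
</tenants>
"""

# Constructed sample of conf/authorizations.xml; node 04 is missing from /proxy.
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="pol-proxy" resource="/proxy" action="W">
            <user identifier="id-node1"/>
            <user identifier="id-node2"/>
            <user identifier="id-node3"/>
        </policy>
        <policy identifier="pol-flow" resource="/flow" action="R">
            <user identifier="id-admin"/>
        </policy>
    </policies>
</authorizations>
"""

# The node identities from the question's authorizers.xml.
NODE_IDENTITIES = [
    "CN=vtmrt3anifit01.x.com, OU=NIFI",
    "CN=vtmrt3anifit02.x.com, OU=NIFI",
    "CN=vtmrt3anifit03.x.com, OU=NIFI",
    "CN=vtmrt3anifit04.x.com, OU=NIFI",
]


def load_users(users_xml):
    """Map identity -> identifier for each <user> under <users> (group membership entries are skipped)."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.findall("users/user")}


def load_proxy_grantees(authorizations_xml):
    """Return the set of user identifiers granted write (W) on the /proxy resource."""
    root = ET.fromstring(authorizations_xml)
    grantees = set()
    for policy in root.iter("policy"):
        if policy.get("resource") == "/proxy" and policy.get("action") == "W":
            grantees.update(u.get("identifier") for u in policy.findall("user"))
    return grantees


def check_node_proxy_policies(users_xml, authorizations_xml, node_identities):
    """Return a list of problem strings; an empty list means every node can proxy user requests."""
    users = load_users(users_xml)
    grantees = load_proxy_grantees(authorizations_xml)
    # Index by lower-case so a case-only mismatch is reported explicitly rather than as 'missing'.
    by_lower = {identity.lower(): identity for identity in users}
    problems = []
    for identity in node_identities:
        identifier = users.get(identity)
        if identifier is None:
            near = by_lower.get(identity.lower())
            if near:
                problems.append(f"{identity}: not in users.xml, but '{near}' is (case mismatch)")
            else:
                problems.append(f"{identity}: not in users.xml")
        elif identifier not in grantees:
            problems.append(f"{identity}: present in users.xml but not granted /proxy (W)")
    return problems


if __name__ == "__main__":
    # Against a real node: python check_nifi_proxy.py conf/users.xml conf/authorizations.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as users_f, open(sys.argv[2]) as auth_f:
            findings = check_node_proxy_policies(users_f.read(), auth_f.read(), NODE_IDENTITIES)
    else:
        findings = check_node_proxy_policies(USERS_XML, AUTHORIZATIONS_XML, NODE_IDENTITIES)
    for finding in findings:
        print("FAIL", finding)
    print("OK: all node identities can proxy user requests" if not findings else f"{len(findings)} problem(s)")
```

Run it on each of the 4 nodes, since the answer notes that the files are generated once per node and never rewritten; a node whose files were generated before authorizers.xml was complete will show its missing identities here even though authorizers.xml now looks right.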