
Authorization problem in Nifi


Hi ,

I am configuring user authorization in NiFi and get the following error:

... 66 common frames omitted
Caused by: javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3201)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
        at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3261)
        at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:184)
        at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:132)
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:143)

The Authentication Strategy property in login-identity-providers.xml must be:

<property name="Authentication Strategy">START_TLS</property>

or

<property name="Authentication Strategy">SIMPLE</property>

because Authentication Strategy = SIMPLE gives a different error:

[NiFi Web Server-31] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.

My configuration:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
    <property name="Manager Password">clave</property>
    <property name="TLS - Keystore">/root/scripts/cert.p12</property>
    <property name="TLS - Keystore Password">hadoop</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
    <property name="TLS - Truststore Password">hadoop</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://direccion:389</property>
    <property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
    <property name="User Search Filter">cn=*</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

Another question:

Should the security certificate be signed? When I run the following command:

curl -v https://10.112.152.181:8443/nifi/login

it prints the following:

* About to connect() to 10.112.152.181 port 8443 (#0)
*   Trying 10.112.152.181...
* Connected to 10.112.152.181 (10.112.152.181) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: L=Quito,C=EC,CN=otecelbdatayhdp
*       start date: Jun 20 23:07:15 2017 GMT
*       expire date: Jun 20 23:07:15 2018 GMT
*       common name: otecelbdatayhdp
*       issuer: L=Quito,C=EC,CN=otecelbdatayhdp
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
ACCEPTED SOLUTION

@Julio Cedeno

First, if you want to use START_TLS authentication strategy, then your LDAP URL should look like ldaps://direccion:636.

If you use SIMPLE, then the URL you have will work.

How were the keystore and truststore generated?

Have you configured NiFi to use the ldap-provider you configured in the login-identity-providers.xml file?

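As an added example (not part of the original thread and not a file shipped by the NiFi project), here is a login-identity-providers.xml that spells out the strategy/URL pairings the answer above is getting at: SIMPLE binds in cleartext on ldap://host:389, START_TLS also connects to ldap://host:389 and then issues the StartTLS extended operation, and LDAPS is TLS from the first byte on ldaps://host:636. The base DN and hostname are taken from the posted configuration; the service-account DN, its password, and the truststore path and password are assumed placeholders. NiFi only activates the provider whose identifier is named in nifi.properties, so the unused providers can stay in the file.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Added example, not the poster's file. Assumed placeholders: the bind
     account cn=svc-nifi, its password, and /opt/nifi/conf/ad-ca.jks. -->
<loginIdentityProviders>

    <!-- 1. SIMPLE: plain bind over ldap://:389. No TLS properties apply.
            Credentials cross the wire in cleartext, so keep this to a
            network where that is acceptable. -->
    <provider>
        <identifier>ldap-provider-simple</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <!-- Active Directory also accepts the UPN form, e.g. svc-nifi@otecel.com.ec -->
        <property name="Manager DN">cn=svc-nifi,ou=Service Accounts,dc=otecel,dc=com,dc=ec</property>
        <property name="Manager Password">changeme</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://direccion:389</property>
        <property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
        <!-- {0} is replaced with the name typed at the login page. A filter
             without it (cn=*) does not select the user who is logging in. -->
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

    <!-- 2. START_TLS: connect to the plaintext port, then upgrade with the
            StartTLS extended operation. Url stays ldap://:389. The truststore
            must contain the CA that issued the domain controller's
            certificate, not NiFi's own server certificate. -->
    <provider>
        <identifier>ldap-provider-starttls</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">START_TLS</property>
        <property name="Manager DN">cn=svc-nifi,ou=Service Accounts,dc=otecel,dc=com,dc=ec</property>
        <property name="Manager Password">changeme</property>
        <!-- "TLS - Keystore", "TLS - Keystore Password" and "TLS - Keystore
             Type" are only needed when the directory demands a client
             certificate (TLS - Client Auth = REQUIRED); omitted here. -->
        <property name="TLS - Truststore">/opt/nifi/conf/ad-ca.jks</property>
        <property name="TLS - Truststore Password">changeme</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully">true</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://direccion:389</property>
        <property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

    <!-- 3. LDAPS: TLS from the first byte on the dedicated port. Copy provider
            2 and change only these two properties:
              <property name="Authentication Strategy">LDAPS</property>
              <property name="Url">ldaps://direccion:636</property>
            The same truststore applies. -->

</loginIdentityProviders>
```

To activate one of them, set `nifi.security.user.login.identity.provider=ldap-provider-starttls` (or whichever identifier you keep) in nifi.properties and restart; NiFi must already be serving HTTPS for username/password login to be offered. With `Identity Strategy` set to USE_USERNAME the identity NiFi authorizes is the bare username exactly as typed, so the `Initial Admin Identity` in authorizers.xml has to be that same string; the FileAuthorizer lines in the posted nifi-user.log are where that identity is written into users.xml and authorizations.xml. On the certificate question: the curl output shows subject and issuer identical, i.e. a self-signed NiFi server certificate, and SEC_ERROR_UNTRUSTED_ISSUER only means the client does not trust it; export that certificate and pass it to curl with `--cacert` rather than disabling verification with `-k`. That certificate is unrelated to the LDAP truststore, which must hold the domain controller's issuing CA. AD answers a StartTLS request with "Error initializing SSL/TLS" when it cannot set up TLS itself, which usually means the DC has no usable server-authentication certificate; `openssl s_client -connect direccion:389 -starttls ldap -showcerts` (OpenSSL 1.1.1 or later) or `openssl s_client -connect direccion:636 -showcerts` shows what the DC actually presents and which CA needs to go into the truststore.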

REPLIES


Errors in nifi-user.log:

2017-06-21 11:49:36,725 INFO [NiFi Web Server-58] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2017-06-21 11:49:36,780 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Not authorized for the requested resource. Returning Unauthorized response.
2017-06-21 11:52:42,757 INFO [NiFi Web Server-55] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
2017-06-21 11:55:46,030 INFO [main] o.a.nifi.authorization.FileAuthorizer Creating new users file at /RGenerator/nifi2/nifi-1.2.0.3.0.0.0-453/./conf/users.xml
2017-06-21 11:55:46,046 INFO [main] o.a.nifi.authorization.FileAuthorizer Creating new authorizations file at /RGenerator/nifi2/nifi-1.2.0.3.0.0.0-453/./conf/authorizations.xml
2017-06-21 11:55:46,070 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Wed Jun 21 11:55:46 ECT 2017



Thank you @Wynner. I can now run NiFi with user authentication through the ldap-provider.