Enabled Kerberos and SSL NiFi, authentication is successful but authorization is failing.

Hi Matt,

@Matt Clarke


I have an Ambari cluster with one node named master. I have the services HDFS, NiFi, ZooKeeper, YARN & MapReduce. All the services are running fine.

I have enabled Kerberos with an existing KDC and it is enabled successfully; the realm name is MASTER.

I have added a principal for NiFi with the principal name nifiadmin@MASTER.

Then I am trying to enable SSL with an existing certificate (CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN) that was generated from the Java toolkit.

These are the details that I have given while enabling SSL:

Initial admin identity: nifiadmin@MASTER

Checked the Enable SSL option.

Mentioned the path to keystore.jks and truststore.jks

Given the Keystore type as JKS

Node identities: <property name="Node Identity 1">CN=master, OU=NIFI</property>


Then restarted the NiFi service and it started successfully.

Then clicked on the NiFi quick link and I am able to log in with nifiadmin@MASTER as username.

After logging in I have seen the below issue:

"

An unexpected error has occurred

javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: certificate: sha256/OeYYhOAaTuPpgyqQFLuMVlU= DN: CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []

"


And in the nifi-user.log I have seen the below info:

"

INFO [NiFi Web Server-338] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin@MASTER

INFO [NiFi Web Server-340] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.

INFO [NiFi Web Server-338] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://myip:9091/nifi-api/flow/current-user (source ip:My Ip)

"

I am not sure where this is going wrong.

Could you please help me to sort this issue...


Thanks in advance,

Sarath.
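
The mismatches visible in the exception text and node identity quoted in the post, as an added example that is not part of the original post or of NiFi's own code. It parses the exception message, applies the usual hostname-matching rule (subjectAltName first, CN reported only as a legacy fallback), and compares the configured node identity with the certificate DN as plain strings, assuming no identity-mapping patterns are in use. All function names are hypothetical.

```python
import re

# Exception text and "Node Identity 1" value copied from the post above.
ERROR = ("javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: "
         "certificate: sha256/OeYYhOAaTuPpgyqQFLuMVlU= DN: CN=nifiadmin@MASTER, OU=NIFI, "
         "O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []")
NODE_IDENTITY = "CN=master, OU=NIFI"

PATTERN = re.compile(r"Hostname (?P<host>\S+) not verified: certificate: (?P<pin>\S+) "
                     r"DN: (?P<dn>.*?) subjectAltNames: \[(?P<sans>.*?)\]")

def parse_error(text):
    """Extract hostname, subject DN and SAN list from the exception message."""
    m = PATTERN.search(text)
    if m is None:
        raise ValueError("not a hostname-verification failure message")
    sans = [s.strip() for s in m["sans"].split(",") if s.strip()]
    return {"host": m["host"], "dn": m["dn"], "sans": sans}

def common_name(dn):
    """Return the CN attribute of a comma-separated DN (simple DNs only)."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def san_matches(host, san):
    """Case-insensitive dNSName match with a single left-most wildcard label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def diagnose(text, node_identity):
    """List the mismatches visible in the error message and node identity."""
    info, findings = parse_error(text), []
    if not any(san_matches(info["host"], s) for s in info["sans"]):
        findings.append(f"no subjectAltName covers host '{info['host']}' (SANs: {info['sans']})")
    # CN is a legacy fallback that many current verifiers ignore; reported for completeness.
    if (common_name(info["dn"]) or "").lower() != info["host"].lower():
        findings.append(f"CN '{common_name(info['dn'])}' is not the host name either")
    # Assumption: the node identity is matched against the DN as an exact string.
    if node_identity != info["dn"]:
        findings.append(f"node identity '{node_identity}' differs from certificate DN '{info['dn']}'")
    return findings

if __name__ == "__main__":
    for finding in diagnose(ERROR, NODE_IDENTITY):
        print("-", finding)
```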