Support Questions

agrayush · ‎06-28-2023

Hi All,
I am trying to setup google auth in NiFi registry (on my local system), however I am unable to achieve it. Below are the steps that I have done so far:

Downloaded NiFi toolkit to generate keystore and truststore
Downloaded NiFi Registry and added keystore and truststore from Step 1 in 'conf' folder
Setup a secured NiFi Registry instance using the following link
After completing the above three steps, I was able to open NiFi Registry on my local system using https://localhost:18443/nifi-registry/ and username as 'CN=sys_admin, OU=NIFI'
For enabling oidc, I edited the nifi-registry.properties file and provided values for - nifi.registry.security.user.oidc.discovery.url, nifi.registry.security.user.oidc.client.id, nifi.registry.security.user.oidc.client.secret
Next, I deleted the authorizations.xml and users.xml file (automatically created while starting registry in Step 3) from 'conf' folder
Updated the 'Initial Admin Identity' property in authorizers.xml with my email id '****@gmail.com'
Then I restarted nifi-registry. On restart , I am able to open https://localhost:18443/nifi-registry/ but it didn't ask for google-auth and is still showing 'CN=sys_admin, OU=NIFI' as the username
On checking the nifi-registry-app.log file, I am getting this :

"[NiFi Registry Web Server-18] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=sys_admin, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=sys_admin, OU=NIFI'. Returning Forbidden response.
2023-06-28 14:35:36,830 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response."

It would be great if someone can confirm if we google auth is supported in NiFi Registry. If yes, can you help how to achieve this?
I followed the same steps for NiFi and was able to add google auth there
Thanks in advance!

MattWho · ‎06-28-2023

@agrayush

Once you secure NiFi and/or NiFi-Registry (configured for HTTPS), MutualTLS based authentication will always be supported. When you access the HTTPS URL for either service, in the TLS exchange the service (NiFi or NiFi-Registry will "WANT" a client auth certificate). When a client certificate is NOT provided, the services will attempt to authenticate the user/client via another configured Authentication method. My guess here is that when you originally secured your NiFi and NiFi-Registry services, you used the TLS toolkit to create your user/client certificate which you then loaded into your browser. When you accessed the service, the browser presented that client certificate (depending on browser you may have even been prompted by the browser to confirm using the certificate). At this point the browser retains your certificate. preference for the target URL(s). Now that you have configured another authentication method, the browser is still going to present that certificate and the service us going to take it. You can not disable client certificate authentication as it is the only supported auth method for connecting between nodes in a NiFi cluster and NiFi authentication with NiFi-Registry.

I suggest you remove the sys_admin certificate from your browser, clear all cookies/site data from your browser, and and then restart the service again.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Cloudera Community

Support Questions

Enabling Google Auth in NiFi Registry