Enabling Google Auth in NiFi Registry

New Contributor
Hi All,
I am trying to set up Google auth in NiFi Registry (on my local system); however, I am unable to achieve it. Below are the steps that I have done so far:
  1. Downloaded NiFi toolkit to generate keystore and truststore
  2. Downloaded NiFi Registry and added keystore and truststore from Step 1 in 'conf' folder
  3. Set up a secured NiFi Registry instance using the following link
  4. After completing the above three steps, I was able to open NiFi Registry on my local system using https://localhost:18443/nifi-registry/ and username as 'CN=sys_admin, OU=NIFI'
  5. For enabling OIDC, I edited the nifi-registry.properties file and provided values for nifi.registry.security.user.oidc.discovery.url, nifi.registry.security.user.oidc.client.id and nifi.registry.security.user.oidc.client.secret
  6. Next, I deleted the authorizations.xml and users.xml file (automatically created while starting registry in Step 3) from 'conf' folder
  7. Updated the 'Initial Admin Identity' property in authorizers.xml with my email id '****@gmail.com'
  8. Then I restarted nifi-registry. On restart, I am able to open https://localhost:18443/nifi-registry/ but it didn't ask for Google auth and is still showing 'CN=sys_admin, OU=NIFI' as the username
  9. On checking the nifi-registry-app.log file, I am getting this :
"[NiFi Registry Web Server-18] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=sys_admin, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=sys_admin, OU=NIFI'. Returning Forbidden response.
2023-06-28 14:35:36,830 INFO [NiFi Registry Web Server-21] o.a.n.r.w.m.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The login request identifier was not found in the request. Unable to continue.. Returning Bad Request response."
It would be great if someone can confirm whether Google auth is supported in NiFi Registry. If yes, can you help with how to achieve this?
I followed the same steps for NiFi and was able to add Google auth there.
Thanks in advance!
1 REPLY

Super Mentor

@agrayush 

Once you secure NiFi and/or NiFi-Registry (configured for HTTPS), mutual TLS based authentication will always be supported. When you access the HTTPS URL for either service, in the TLS exchange the service (NiFi or NiFi-Registry) will "WANT" a client auth certificate. When a client certificate is NOT provided, the services will attempt to authenticate the user/client via another configured authentication method. My guess here is that when you originally secured your NiFi and NiFi-Registry services, you used the TLS toolkit to create your user/client certificate, which you then loaded into your browser. When you accessed the service, the browser presented that client certificate (depending on the browser, you may have even been prompted by the browser to confirm using the certificate). At this point the browser retains your certificate preference for the target URL(s). Now that you have configured another authentication method, the browser is still going to present that certificate and the service is going to take it. You cannot disable client certificate authentication, as it is the only supported auth method for connecting between nodes in a NiFi cluster and NiFi authentication with NiFi-Registry.

I suggest you remove the sys_admin certificate from your browser, clear all cookies/site data from your browser, and then restart the service again.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
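
An added example, not part of the original thread and not NiFi's own code: a small triage script that cross-checks the three OIDC properties from the question, the 'Initial Admin Identity' in authorizers.xml, and the identities denied in nifi-registry-app.log. A denied identity that looks like a certificate DN points to the situation described in the reply, where the browser is still presenting the client certificate. The sample inputs, the `idp.example` URL, the `authorizers.xml` element layout and the DN heuristic are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# OIDC property names exactly as listed in step 5 of the question.
OIDC_PREFIX = "nifi.registry.security.user.oidc."
OIDC_KEYS = [OIDC_PREFIX + s for s in ("discovery.url", "client.id", "client.secret")]
# Identity field as it appears in the AccessDeniedExceptionMapper line quoted in the question.
DENIED = re.compile(r"AccessDeniedExceptionMapper identity\[([^\]]+)\]")
# Heuristic (assumption): an identity that starts with an RDN such as CN= is a certificate DN.
DN_LIKE = re.compile(r"^(CN|OU|O|C|L|ST|DC)=", re.I)

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def initial_admins(authorizers_xml):
    """Return every 'Initial Admin Identity' property value found in authorizers.xml."""
    root = ET.fromstring(authorizers_xml)
    return [(p.text or "").strip() for p in root.iter("property")
            if p.get("name") == "Initial Admin Identity"]

def triage(properties_text, authorizers_xml, log_text):
    props = parse_properties(properties_text)
    admins = initial_admins(authorizers_xml)
    denied = sorted(set(DENIED.findall(log_text)))
    return {
        "missing_oidc": [k for k in OIDC_KEYS if not props.get(k)],
        "initial_admins": admins,
        # A denied DN means the request was authenticated by client certificate.
        "cert_identities_denied": [i for i in denied if DN_LIKE.match(i) and i not in admins],
    }

# Constructed sample inputs with placeholder values, modelled on the question.
PROPS = """# nifi-registry.properties (excerpt)
nifi.registry.security.user.oidc.discovery.url=https://idp.example/.well-known/openid-configuration
nifi.registry.security.user.oidc.client.id=example-client-id
nifi.registry.security.user.oidc.client.secret=
"""
AUTHZ = """<authorizers><accessPolicyProvider>
  <property name="Initial Admin Identity">admin@example.com</property>
</accessPolicyProvider></authorizers>"""
LOG = "o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=sys_admin, OU=NIFI], groups[] does not have permission"
print(triage(PROPS, AUTHZ, LOG))
```

To use it on a real install, pass the contents of your own nifi-registry.properties, authorizers.xml and nifi-registry-app.log to `triage()` in place of the constructed samples.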