Created 08-10-2017 05:46 PM
Hi,
First, a couple of things that work:
-NiFi cluster running on 3 nodes (running Apache upstream V1.1.2) on CentOS 6
-Login identity provider is Kerberos and works A1 using the username & password fields in the UI or through the API.
-Once I get an API token using username & password, I can query the API without any issues.
-KDC is Active Directory
-Service is using nifi.kerberos.service.principal as "serviceaccount@DOMAIN.ORG" with corresponding keytab.
Now I'm trying a little POC where I want a script to use the API to interact with some of my flows. Because I don't want to store a username & password for the script to use, I wanted to set up SPNEGO and just use a plain "kinit" with a keytab and fetch the API access token using something like: "curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos"
Steps I've taken:
1-Created 3 new accounts in AD with the logon name (principal) "HTTP/myhost.mydomain.org", one for each of my machines.
2-Created a keytab for each of those machines using ktutil. Tested this with "kinit HTTP/myhost.mydomain.org@DOMAIN.ORG" and they work.
3-Set up the 3 SPNEGO properties in nifi.properties:
-nifi.kerberos.spnego.principal=HTTP/myhost.mydomain.org@DOMAIN.ORG
-nifi.kerberos.spnego.keytab.location=[the_location_of_the_key_tab]
-nifi.kerberos.spnego.authentication.expiration=12 hours
After a service restart, I try to run the curl command mentioned above and I get the following error:
curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos
* About to connect() to myhost.mydomain.org port 8989 (#0)
*   Trying [ip address]... connected
* Connected to myhost.mydomain.org ([ip address]) port 8989 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: [redacted]
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using [redacted]
* Server certificate:
* [redacted]
> POST /nifi-api/access/kerberos HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: myhost.mydomain.org:8989
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Thu, 10 Aug 2017 17:10:41 GMT
* gss_init_sec_context() failed: : Server not found in Kerberos database
< WWW-Authenticate: Negotiate
< Content-Type: text/plain
< Content-Length: 0
< Server: Jetty(9.3.9.v20160517)
<
* Connection #0 to host myhost.mydomain.org left intact
* Closing connection #0
I was wondering what's missing. DNS and reverse DNS are set up properly and everything else is working fine (like HUE, which also uses SPNEGO with the same method).
Any idea?
Created 08-10-2017 07:08 PM
I was about to delete my question (if that's even possible), but I managed to isolate the issue after triple-checking everything, so I figured I'd post it here.
Turns out the 3 accounts in AD did not have the SPN (servicePrincipalName) set correctly. Changed them to "HTTP/myhost.mydomain.org" and everything works great now.
Lessons learned: don't eyeball the correctness of properties; copy-paste them into an editor and check them there.
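The following pre-flight script is an added example and is not code from the poster or from the NiFi project. It turns the thread's lesson into checks that run on one NiFi node before the service is restarted: it reads the three SPNEGO properties back out of nifi.properties and compares the principal against HTTP/<fqdn>@REALM, confirms the keytab actually holds that principal, and then asks the KDC for a service ticket with kvno before curl and NiFi are involved at all, because a missing servicePrincipalName in AD shows up there as the same "Server not found in Kerberos database" error and cannot be fixed on the NiFi side. The host, realm and port come from the post's placeholders; the nifi.properties path, the client keytab path and the client principal are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread above): pre-flight checks for NiFi
# SPNEGO on one node, run before restarting NiFi and before the curl call.
# Host, realm and port are the post's placeholders; the paths and the client
# principal below are assumed values. Override any of them via the environment.
NIFI_HOST="${NIFI_HOST:-myhost.mydomain.org}"
REALM="${REALM:-DOMAIN.ORG}"
NIFI_PORT="${NIFI_PORT:-8989}"
NIFI_PROPERTIES="${NIFI_PROPERTIES:-/opt/nifi/conf/nifi.properties}"    # assumed path
CLIENT_KEYTAB="${CLIENT_KEYTAB:-/etc/security/keytabs/script.keytab}"   # assumed path
CLIENT_PRINC="${CLIENT_PRINC:-scriptuser@${REALM}}"                     # assumed principal
EXPECTED_SPN="HTTP/${NIFI_HOST}@${REALM}"

# Read one key from a Java .properties file (first match, surrounding blanks trimmed).
prop_value() {  # $1 = file, $2 = key
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Offline check: nifi.kerberos.spnego.principal must be exactly HTTP/<this fqdn>@REALM.
# The realm suffix and the host part are the two pieces that are easy to misread by eye.
check_spnego_principal() {  # $1 = nifi.properties, $2 = expected SPN
    configured=$(prop_value "$1" nifi.kerberos.spnego.principal)
    if [ "$configured" = "$2" ]; then
        echo "ok: nifi.kerberos.spnego.principal=$configured"
        return 0
    fi
    echo "mismatch: nifi.kerberos.spnego.principal='$configured', expected '$2'"
    return 1
}

# Map the GSSAPI message curl prints on a failed Negotiate to its usual cause.
# Text matching only, so it also works on a log pasted from elsewhere.
classify_gss_error() {  # $1 = curl -v output
    case "$1" in
        *"Server not found in Kerberos database"*)         echo "kdc-has-no-spn" ;;
        *"Clock skew too great"*)                           echo "clock-skew" ;;
        *"No credentials cache found"*|*"Ticket expired"*)  echo "no-client-ticket" ;;
        *"Cannot find KDC for realm"*)                      echo "krb5-conf-realm" ;;
        *)                                                  echo "unknown" ;;
    esac
}

# Live checks (need the KDC and the NiFi node). The kvno step asks the KDC for a
# service ticket for the SPN without involving NiFi: if it fails with
# "Server not found in Kerberos database", the AD account has no matching
# servicePrincipalName and nothing in nifi.properties will change that.
live_checks() {
    check_spnego_principal "$NIFI_PROPERTIES" "$EXPECTED_SPN" || return 1
    keytab=$(prop_value "$NIFI_PROPERTIES" nifi.kerberos.spnego.keytab.location)
    klist -kt "$keytab" | grep -qF "$EXPECTED_SPN" \
        || { echo "keytab $keytab has no entry for $EXPECTED_SPN"; return 1; }
    kinit -kt "$CLIENT_KEYTAB" "$CLIENT_PRINC" || return 1
    kvno "$EXPECTED_SPN" || { echo "KDC will not issue a ticket for $EXPECTED_SPN"; return 1; }
    out=$(curl -sS -v --negotiate -u : -X POST -o /dev/null -w 'HTTP_CODE=%{http_code}' \
            "https://${NIFI_HOST}:${NIFI_PORT}/nifi-api/access/kerberos" 2>&1)
    case "$out" in
        *HTTP_CODE=20[01]*) echo "ok: NiFi issued an access token via SPNEGO"; return 0 ;;
        *) echo "SPNEGO failed ($(classify_gss_error "$out")):"; echo "$out"; return 1 ;;
    esac
}

# Only talk to the real KDC when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sh spnego-check.sh --live` on each node after editing nifi.properties. On the AD side the equivalent check is `setspn -L <account>` on a domain-joined Windows host, which must list HTTP/myhost.mydomain.org for the account whose keytab NiFi uses; `setspn -S HTTP/myhost.mydomain.org <account>` adds it and refuses duplicates, which also catches two accounts accidentally registered for the same host.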