Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HDF 3.4 NIFI & NIFI Registry Integration (secured)

avatar
author-rank venkii
Contributor

Created on ‎03-27-2020 03:31 PM - last edited on ‎03-27-2020 03:36 PM by Moderator

@MattWho please let me know what is missing 

 

HDF 3.4 NIFI & NIFI Registry Integration (secured)

 

2 node (nifi1.abc.com, nifi2.abc.com) nifi cluster is secured 

1 node (registry.abc.com) nifi registry is secured 

 

generated client certs / server certs for nifi & registtry as below 

 

sh /usr/hdf/current/nifi-toolkit/bin/tls-toolkit.sh standalone -B passwd-C 'CN=nifiadmin, OU=NIFI' -n 'nifi1.abc.com,nifi2.abc.com,registry.abc.com' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /tmp/certs_ssl/ -K passwd -P passwd-S passwd

 

able to access registry with client cert (CN=nifiadmin, OU=NIFI)

able to access nifi cluster with client cert (CN=nifiadmin, OU=NIFI)

 

created a bucket in the registry 

Added Registry to nifi, but when versioning a processor group getting the below error 

 

 

2020-03-27 19:31:22,367 INFO [NiFi Registry Web Server-19] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=nifi1.abc.com, OU=NIFI]. Returning 403 response.

 

2,421 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-30-2020 01:20 PM

@venkii 

 

You need to login to your secured NiFi-Registry and make sure all your NiFi nodes have been authorized for both the following "Special Privileges":

1. "Read" for "Can Manage Buckets"
2. "Can proxy user requests"

 

Click on wrench icon in upper right corner to manage your users in NiFi-Registry.
Screen Shot 2020-03-30 at 4.17.30 PM.png
Then find your NiFi nodes in the list of USERS and click on the "manage user" pencil icon to the far right side.
Screen Shot 2020-03-30 at 4.17.16 PM.png

 

Hope this helps,

Matt

View solution in original post

2,363 Views
4 REPLIES 4

avatar
author-rank venkii
Contributor

Created on ‎03-27-2020 08:08 PM - edited ‎03-27-2020 08:09 PM

@MattWho i have added both nifi nodes identities, still same error 

 

2020-03-28 03:01:45,150 INFO [NiFi Registry Web Server-12] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=nifi-node1, OU=NIFI]. Returning 403 response.

 


 

Reg_error.JPG

 

2,400 Views
0 Kudos

avatar
author-rank venkii
Contributor

Created ‎03-30-2020 12:09 PM

@MattWho 

I am able to add the SSL registry to nifi [nifi controller settings -> Registry Clients -> added registry URL ]

but when i am trying to version a PG, encountering the below error, screenshot attached

 

please advice 

 

venkii_0-1585595247589.png

 

2,367 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-30-2020 01:20 PM

@venkii 

 

You need to login to your secured NiFi-Registry and make sure all your NiFi nodes have been authorized for both the following "Special Privileges":

1. "Read" for "Can Manage Buckets"
2. "Can proxy user requests"

 

Click on wrench icon in upper right corner to manage your users in NiFi-Registry.
Screen Shot 2020-03-30 at 4.17.30 PM.png
Then find your NiFi nodes in the list of USERS and click on the "manage user" pencil icon to the far right side.
Screen Shot 2020-03-30 at 4.17.16 PM.png

 

Hope this helps,

Matt

2,364 Views

avatar
author-rank venkii
Contributor

Created ‎03-30-2020 10:10 PM

Yes @MattWho, you are awesome, adding the node resolved the issue

2,351 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements