Created on 12-06-2019 05:06 AM - edited 12-06-2019 06:15 AM
Problem: Untrusted Proxy error on first log in to NIFI
Just installed Ambari 2.7.3 on HDF 3.4.1.1-4, and installed a two-node NIFI 1.9.0 cluster. So we have:
ambari server, Misc server for zookeeper and ambari metrics, and NIFI 1 server and NIFI 2 server.
Used TinyCert to create certificates. Enabled SSL. Now logging straight into NIFI on NIFI 1 using the external IP, no load balancer yet. All servers are VM instances on Google Cloud.
Login url is: https://{ext IP of VM instance}:9091/nifi
I updated the nifi.web.proxy.host with the IP addresses and ports, and full host names we are using.
We reach the NIFI page, which displays:
Insufficient Permissions
Untrusted Proxy {our full DN string, matching the cert and what is in the NIFI-USER.log}
In the NIFI-USER.log:
2019-12-06 12:38:20,386 INFO [NiFi Web Server-2993405] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=xxxxxxxl, OU=NIFI, O=xxxx, L=xxxx, ST=xxx, C=xx
2019-12-06 12:38:20,465 INFO [NiFi Web Server-2841] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=xxxxxxx, OU=NIFI, O=xxxx, L=xxxx, ST=xxxx, C=xx><CN=, OU=NIFI, O=STAQ, L=, ST=, C=>) GET https://FQDN:9091/nifi-api/flow/current-user (source ip: {internal google cloud IP})
2019-12-06 12:38:20,466 WARN [NiFi Web Server-2841] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=, OU=NIFI, O=, L=, ST=, C=
FQDN is fully qualified domain name of NIFI 1 server, as in hostname -f.
The Initial Admin Identity is the full DN name, from the certificate and as it appears in the NIFI-USER.log:
CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xxx, C=US
There are no spaces between comma separated values in this string.
Here is the authorizers.xml:
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/var/lib/nifi/conf/users.xml</property>
    <property name="Legacy Authorized Users File" />
    <property name="Initial User Identity 0">CN=FQDN, OU=NIFI, O=xxx, L=xxx, ST=xxx, C=US</property>
    <property name="Nifi1">CN=FQDN, OU=xx, O=xx L=xxx, ST=xx, C=US</property>
    <property name="Nifi2">CN=FQDN, OU=xx, O=xx, L=xxxx, ST=xxxx, C=US</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=FQDN, OU=NIFI, O=xx, L=xx, STxx, C=US</property>
    <property name="Legacy Authorized Users File" />
    <property name="Nifi1">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
    <property name="Nifi2">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
-----------------------
The resulting authorizations.xml is missing write on /flow, and it has no policies for /proxy, and I don't know why that is.
authorizations.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="f0725755-3d0d-3d9d-ae1e-7f65ffbf8f96" resource="/data/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="c7d5c857-594d-30f9-91e7-feba235ee798" resource="/data/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="95e78424-2f26-3ce6-8924-d650c6cd36c1" resource="/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="a71bf188-f0a0-3995-8577-faca82af5574" resource="/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
  </policies>
</authorizations>
-----------------------
users.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0" identity="CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US"/>
  </users>
</tenants>
-------------------------------------------------------
OK, I just added this manually to the authorizations.xml on each nifi node:
<policy identifier="efeb048a-a6ce-3e7d-89c2-9fd2417b8059" resource="/proxy" action="R">
  <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
</policy>
<policy identifier="20a75180-0463-393f-9bc6-b6dee87c174f" resource="/proxy" action="W">
  <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
</policy>
Now I can reach the first page. Why were the /proxy policies missing?
Created 12-09-2019 01:57 PM
Your issue is with your authorizers.xml configuration.
Within the "file-user-group-provider" section you have these two incorrect lines for your nodes:
<property name="Nifi1">CN=FQDN, OU=xx, O=xx L=xxx, ST=xx, C=US</property>
<property name="Nifi2">CN=FQDN, OU=xx, O=xx, L=xxxx, ST=xxxx, C=US</property>
The property names need to be "Initial User Identity 1" and "Initial User Identity 2" instead of "Nifi1" and "Nifi2".
And then in the "file-access-policy-provider" section you have another misconfiguration related to your 2 nodes:
<property name="Nifi1">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
<property name="Nifi2">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
Here the property names need to be "Node Identity 1" and "Node Identity 2" instead of "Nifi1" and "Nifi2".
*** NOTE: The authorizers.xml file will only generate the users.xml and authorizations.xml files if they do NOT already exist on your nodes. So if you edit this file, those changes will not be reflected in your existing files; you will need to delete them before restarting your NiFi.
The only reason your manual edit worked is because you are using the same certificate on both your NiFi nodes and using it to authenticate as a user. So you manually authorized that one DN for the additional node policy /proxy that was needed. The node /proxy policy was not created because of the config issues outlined above.
Hope this clearly explains what happened for you,
Matt
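As an added check, covering both the question (why the generated authorizations.xml had no /proxy policies) and Matt's answer (the node entries used property names the file providers do not read), here is a small Python script of my own; it is not NiFi project code and nothing the poster or Matt provided. It parses an authorizers.xml, flags any property under the file-based user group / access policy providers whose name is not one of the names NiFi reads ("Initial User Identity N", "Node Identity N" and the fixed ones from the thread), and then checks users.xml plus authorizations.xml to report which node identities still lack /proxy read or write. The sample XML, the node DN "CN=node1, ..." and the node user UUID are constructed for the demo; the rule that every Node Identity must also exist as a user is my understanding of the file access policy provider, so treat that finding as advisory.

```python
"""Sanity-check a NiFi authorizers.xml and the /proxy policies it should seed.
Added example, not NiFi code. Property names follow the forum thread above."""
import re
import xml.etree.ElementTree as ET

UGP_CLASS = "org.apache.nifi.authorization.FileUserGroupProvider"
APP_CLASS = "org.apache.nifi.authorization.FileAccessPolicyProvider"
# Property names the file-based providers actually read; anything else is
# silently ignored, which is exactly how "Nifi1"/"Nifi2" produced no /proxy policy.
UGP_FIXED = {"Users File", "Legacy Authorized Users File"}
UGP_INDEXED = re.compile(r"^Initial User Identity \d+$")
APP_FIXED = {"User Group Provider", "Authorizations File",
             "Initial Admin Identity", "Legacy Authorized Users File"}
APP_INDEXED = re.compile(r"^Node Identity \d+$")


def _providers(root, tag, cls):
    """Yield provider elements with the given tag that use the given class."""
    for prov in root.iter(tag):
        if (prov.findtext("class") or "").strip() == cls:
            yield prov


def _props(prov):
    """Map property name -> trimmed value for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}


def check_authorizers(xml_text):
    """Return a list of findings for authorizers.xml; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(xml_text)
    user_identities = set()
    for prov in _providers(root, "userGroupProvider", UGP_CLASS):
        for name, value in _props(prov).items():
            if UGP_INDEXED.match(name):
                if value:
                    user_identities.add(value)
            elif name not in UGP_FIXED:
                findings.append(f"userGroupProvider: property '{name}' is not read by the "
                                f"file provider (use 'Initial User Identity N')")
    for prov in _providers(root, "accessPolicyProvider", APP_CLASS):
        props = _props(prov)
        nodes = [v for n, v in props.items() if APP_INDEXED.match(n) and v]
        for name in props:
            if name not in APP_FIXED and not APP_INDEXED.match(name):
                findings.append(f"accessPolicyProvider: property '{name}' is not read by the "
                                f"file provider (use 'Node Identity N')")
        if not nodes:
            findings.append("accessPolicyProvider: no 'Node Identity N' entries, so no "
                            "/proxy policies will be seeded for cluster nodes")
        for ident in nodes:  # assumption: node identities must also exist as users
            if ident not in user_identities:
                findings.append(f"accessPolicyProvider: node identity '{ident}' is not also "
                                f"listed as an 'Initial User Identity N'")
    return findings


def node_identities(xml_text):
    """Collect the DN strings given as 'Node Identity N' in authorizers.xml."""
    root = ET.fromstring(xml_text)
    out = []
    for prov in _providers(root, "accessPolicyProvider", APP_CLASS):
        out.extend(v for n, v in _props(prov).items() if APP_INDEXED.match(n) and v)
    return out


def missing_proxy_policies(users_xml, authorizations_xml, identities):
    """Map each node identity to the /proxy actions ('R', 'W') it does not hold.
    Identities are compared as exact strings, just as NiFi matches DNs."""
    id_by_identity = {u.get("identity"): u.get("identifier")
                      for u in ET.fromstring(users_xml).iter("user")}
    granted = {}  # user identifier -> set of /proxy actions
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        if pol.get("resource") != "/proxy":
            continue
        for u in pol.findall("user"):
            granted.setdefault(u.get("identifier"), set()).add(pol.get("action"))
    gaps = {}
    for ident in identities:
        missing = {"R", "W"} - granted.get(id_by_identity.get(ident), set())
        if missing:
            gaps[ident] = missing
    return gaps


# ---- constructed sample input (DNs, UUIDs and layout are made up for the demo) ----
ADMIN_DN = "CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US"
NODE_DN = "CN=node1, OU=NIFI, O=xx, L=xx, ST=xx, C=US"
BROKEN_AUTHORIZERS = f"""<authorizers>
<userGroupProvider><identifier>file-user-group-provider</identifier>
<class>{UGP_CLASS}</class>
<property name="Users File">/var/lib/nifi/conf/users.xml</property>
<property name="Initial User Identity 0">{ADMIN_DN}</property>
<property name="Nifi1">{NODE_DN}</property>
</userGroupProvider>
<accessPolicyProvider><identifier>file-access-policy-provider</identifier>
<class>{APP_CLASS}</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
<property name="Initial Admin Identity">{ADMIN_DN}</property>
<property name="Nifi1">{NODE_DN}</property>
</accessPolicyProvider></authorizers>"""
# The corrected file differs only in the two property names Matt pointed out.
FIXED_AUTHORIZERS = (BROKEN_AUTHORIZERS
                     .replace('name="Nifi1"', 'name="Initial User Identity 1"', 1)
                     .replace('name="Nifi1"', 'name="Node Identity 1"'))
USERS_XML = f"""<tenants><groups/><users>
<user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0" identity="{ADMIN_DN}"/>
<user identifier="1b2c3d4e-0000-4000-8000-000000000001" identity="{NODE_DN}"/>
</users></tenants>"""
AUTHZ_NO_PROXY = """<authorizations><policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/></policy>
</policies></authorizations>"""
AUTHZ_WITH_PROXY = AUTHZ_NO_PROXY.replace("</policies>", """
<policy identifier="efeb048a-a6ce-3e7d-89c2-9fd2417b8059" resource="/proxy" action="R">
<user identifier="1b2c3d4e-0000-4000-8000-000000000001"/></policy>
<policy identifier="20a75180-0463-393f-9bc6-b6dee87c174f" resource="/proxy" action="W">
<user identifier="1b2c3d4e-0000-4000-8000-000000000001"/></policy>
</policies>""")

if __name__ == "__main__":
    for f in check_authorizers(BROKEN_AUTHORIZERS):
        print("FINDING:", f)
    print("fixed file findings:", check_authorizers(FIXED_AUTHORIZERS))
    nodes = node_identities(FIXED_AUTHORIZERS)
    print("proxy gaps before:", missing_proxy_policies(USERS_XML, AUTHZ_NO_PROXY, nodes))
    print("proxy gaps after: ", missing_proxy_policies(USERS_XML, AUTHZ_WITH_PROXY, nodes))
```

Run it against your real files by reading them into the three `*_xml` arguments. Remember Matt's note: once the property names are corrected, the seeded users.xml and authorizations.xml are only regenerated if they do not already exist, so after fixing authorizers.xml you either remove those two files before restart or confirm with `missing_proxy_policies` that each node DN already holds /proxy R and W.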