Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

[NIFI] Authentication Proxy Server not trusted

Labels:
avatar
author-rank afidos
New Contributor

Created on ‎10-14-2024 02:32 AM - edited ‎10-14-2024 07:49 AM

I made a docker compose to deploy nifi in cluster on my server.
I get the error Authentication Proxy Server not trusted
Here are my configurations
docker-compose

version: '3.8'
x-common-nifi:
  environment: &nifi-env
    NIFI_WEB_HTTPS_PORT: 8443
    NIFI_CLUSTER_IS_NODE: "true"
    NIFI_CLUSTER_NODE_PROTOCOL_PORT: 11444
    NIFI_ZK_CONNECT_STRING: zookeeper:2181
    NIFI_ELECTION_MAX_WAIT: 1 min
    NIFI_ZK_ROOT_NODE: /nifi
    NIFI_SENSITIVE_PROPS_KEY: ${KEY_SENSITIVE}
    NIFI_VARIABLE_REGISTRY_PROPERTIES: http://nifi-registry:18080
    AUTH: ldap
    INITIAL_ADMIN_IDENTITY: 'uid=admin,ou=admins,dc=myhost,dc=dev'
    #LDAP_AUTHENTICATION_STRATEGY: 'LDAPS'
    LDAP_AUTHENTICATION_STRATEGY: 'SIMPLE'
    LDAP_MANAGER_DN: 'cn=admin,dc=myhost,dc=dev'
    LDAP_MANAGER_PASSWORD: ${ADMIN_PASSWORD}
    LDAP_URL: 'ldap://openldap'
    LDAP_USER_SEARCH_BASE: 'dc=myhost,dc=dev'
    LDAP_USER_SEARCH_FILTER: 'uid={0}'
    LDAP_IDENTITY_STRATEGY: 'USE_DN'
    KEYSTORE_TYPE: JKS
    KEYSTORE_PASSWORD: ${KEY_STORE}
    KEYSTORE_PATH: /opt/certs/keystore.jks
    TRUSTSTORE_PATH: /opt/certs/truststore.jks
    TRUSTSTORE_PASSWORD: ${KEY_STORE}
    TRUSTSTORE_TYPE: JKS
    NIFI_WEB_PROXY_HOST: "web.nifiapp.myhost.dev,*.nifiapp.myhost.dev"
    NIFI_JVM_HEAP_INIT: 512m
    NIFI_JVM_HEAP_MAX: 512m
    #NODE_IDENTITY: 'CN=*.nifiapp.myhost.dev'
  networks: &nifi-net
    - nifi_network
  depends_on: &nifi-dep
    - openldap
  entrypoint: &nifi-entry
    - "/bin/bash"
    - "-c"
    - "sed -i 's|<appender-ref ref=\"USER_FILE\"/>|<appender-ref ref=\"CONSOLE\"/>|' conf/logback.xml; ../scripts/start.sh"


services:
  zookeeper:
    image: confluentinc/cp-zookeeper:latest
    hostname: zookeeper
    environment:
      ZOOKEEPER_SERVER_ID: 1
      ZOOKEEPER_SERVERS: server.1=zookeeper:2888:3888
      ZOOKEEPER_CLIENT_PORT: 2181
      JVMFLAGS: -Xmx512m -Xms512m
    ports:
      - "7481:2181"
      - "7499:8080"
    volumes:
      - zookeeper_data:/data
      - zookeeper_datalog:/datalog
    networks:
      - nifi_network

  nifi1:
    image: apache/nifi:latest
    hostname: n1.nifiapp.myhost.dev
    entrypoint: *nifi-entry
    ports:
      - "7498:8443"
      - "7400-7425:7400-7425"
    environment:
      <<: *nifi-env
      NIFI_WEB_HTTPS_HOST: n1.nifiapp.myhost.dev
      NIFI_NODE_IDENTITY: nifi1
    networks: *nifi-net
    depends_on: *nifi-dep
    volumes:
      - nifi1_logs:/opt/nifi/nifi-current/logs
      - nifi1_state:/opt/nifi/nifi-current/state
      - nifi1_conf:/opt/nifi/nifi-current/conf
      - nifi1_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi1_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi1_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi1_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - ./exports:/opt/certs

  nifi2:
    image: apache/nifi:latest
    hostname: n2.nifiapp.myhost.dev
    entrypoint: *nifi-entry
    ports:
      - "7497:8443"
      - "7426-7451:7426-7451"
    environment:
      <<: *nifi-env
      NIFI_WEB_HTTPS_HOST: n2.nifiapp.myhost.dev
      NIFI_NODE_IDENTITY: nifi2
    networks: *nifi-net
    depends_on: *nifi-dep
    volumes:
      - nifi2_logs:/opt/nifi/nifi-current/logs
      - nifi2_state:/opt/nifi/nifi-current/state
      - nifi2_conf:/opt/nifi/nifi-current/conf
      - nifi2_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi2_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi2_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi2_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - ./exports:/opt/certs

  nifi3:
    image: apache/nifi:latest
    hostname: n3.nifiapp.myhost.dev
    entrypoint: *nifi-entry
    ports:
      - "7496:8443"
      - "7452-7475:7452-7475"
    networks: *nifi-net
    depends_on: *nifi-dep
    environment:
      <<: *nifi-env
      NIFI_WEB_HTTPS_HOST: n3.nifiapp.myhost.dev
      NIFI_NODE_IDENTITY: nifi3
    volumes:
      - nifi3_logs:/opt/nifi/nifi-current/logs
      - nifi3_state:/opt/nifi/nifi-current/state
      - nifi3_conf:/opt/nifi/nifi-current/conf
      - nifi3_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi3_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi3_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi3_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - ./exports:/opt/certs


  nifi-registry:
    image: apache/nifi-registry:latest
    ports:
      - "7495:18080"
    volumes:
      - nifi-registry-data:/opt/nifi-registry/data
      - nifi-registry-conf:/opt/nifi-registry/conf
      - nifi-registry-logs:/opt/nifi-registry/logs
    networks:
      - nifi_network
    depends_on:
      - openldap

  openldap:
    image: osixia/openldap:1.5.0
    hostname: openldap
    environment:
      LDAP_ORGANISATION: MY ORG
      LDAP_DOMAIN: myhost.dev
      LDAP_ADMIN_PASSWORD: "${ADMIN_PASSWORD}"
      LDAP_CONFIG_PASSWORD: "${ADMIN_PASSWORD}"
      LDAP_ADMIN_CN: admin
      LDAP_TLS_VERIFY_CLIENT: allow
      LDAP_TLS: "false"
      LDAP_BASE_DN: dc=myhost,dc=dev
    ports:
      - "389:389"  # Port LDAP
    volumes:
      - openldap-data:/var/lib/ldap
      - openldap-config:/etc/ldap/slapd.d
    networks:
      - nifi_network
    command: ["--loglevel", "debug","--copy-service"]

  ldap-user-manager:
    image: wheelybird/ldap-user-manager:v1.5
    environment:
      - LDAP_URI=ldap://openldap
      - LDAP_BASE_DN=dc=myhost,dc=dev
      - LDAP_ADMIN_BIND_DN=cn=admin,dc=myhost,dc=dev
      - LDAP_ADMIN_BIND_PWD=${ADMIN_PASSWORD}
      - LDAP_ADMINS_GROUP=cn=admin,ou=MY ORG,dc=myhost,dc=dev
      - LDAP_REQUIRE_STARTTLS=FALSE
    ports:
      - "7494:80"
      - "7493:443"
    depends_on:
      - openldap
    networks:
      - nifi_network
    platform: linux/amd64

networks:
  nifi_network:
    name: 'nifi_tls_network'

volumes:
  nifi1_logs:
  nifi1_state:
  nifi1_conf:
  nifi1_database_repository:
  nifi1_flowfile_repository:
  nifi1_content_repository:
  nifi1_provenance_repository:
  nifi2_logs:
  nifi2_state:
  nifi2_conf:
  nifi2_database_repository:
  nifi2_flowfile_repository:
  nifi2_content_repository:
  nifi2_provenance_repository:
  nifi3_logs:
  nifi3_state:
  nifi3_conf:
  nifi3_database_repository:
  nifi3_flowfile_repository:
  nifi3_content_repository:
  nifi3_provenance_repository:
  zookeeper_data:
  zookeeper_datalog:
  nifi-registry-data:
  nifi-registry-conf:
  nifi-registry-logs:
  openldap-data:
  openldap-config:
  postgres_data:

 

on my server I use a Nginx that configure below

upstream nifibalancer {
    ip_hash;
    server localhost:7498;
    server localhost:7497;
    server localhost:7486;
}

server {
    listen 443 ssl;
    server_name ~^p(?<port>\d+)\.nifiapp.myhost\.dev$;
    ignore_invalid_headers off;

    # Vérification de l'intervalle de ports autorisés (de 8900 à 8999)


    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        if ($port ~* "^(74[0-8]{1}[0-9]{1})$") {
            proxy_pass http://localhost:$port;
        }
        return 403;  # Refuse les requêtes en dehors de cet intervalle
    }
    access_log /var/log/nginx/nifiapp-listener-app-access.log;
    error_log /var/log/nginx/nifiapp-listener-app-error.log;
    ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}

server {
    listen 443 ssl;
    server_name web.nifiapp.myhost.dev;
    ignore_invalid_headers off;

    location / {
       proxy_pass https://nifibalancer/;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Original-URI $request_uri;

       proxy_set_header X-ProxyScheme $scheme;
       proxy_set_header X-ProxyHost $host;
       proxy_set_header X-ProxyPort $port;
       #proxy_set_header X-ProxyContextPath /;

       # Add ProxiedEntitiesChain using client certificate's distinguished name (DN)
       proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
    }
    access_log /var/log/nginx/nifiapp-app-access.log;
    error_log /var/log/nginx/nifiapp-app-error.log;
    ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}

server {
    listen 443 ssl;
    server_name zookeeper.nifiapp.myhost.dev;
    ignore_invalid_headers off;

    location / {
        proxy_pass http://localhost:7499;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URI $request_uri;
    }

    error_page 404 =200 /index.html;
    access_log /var/log/nginx/nifiapp-zookeeper-app-access.log;
    error_log /var/log/nginx/nifiapp-zookeeper-app-error.log;
    ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}



80 Views
2 REPLIES 2

avatar
author-rank VidyaSargur author-rank
Community Manager

Created ‎10-14-2024 10:34 PM

@afidos, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @SAMSAL @MattWho  who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.


Regards,

Vidya Sargur,
Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
38 Views

avatar
author-rank afidos
New Contributor

Created on ‎10-15-2024 08:24 AM - edited ‎10-15-2024 08:25 AM

I create my first user with this script

#!/bin/bash

group='admins'
username='admin'
uidNumber=1001
gidNumber=1001
firstName='My First'
lastName="My Last"
password="password"

ldapadd -x -D "cn=admin,dc=myhost,dc=dev" -w $password <<EOF
dn: ou=$group,dc=myhost,dc=dev
objectClass: organizationalUnit
ou: $group
EOF

cat <<EOF
     dn: uid=$username,ou=$group,dc=myhost,dc=dev
     objectClass: inetOrgPerson
     objectClass: posixAccount
     uid: $username
     cn: $username
     sn: $lastName
     givenName: $firstName
     uidNumber: $uidNumber
     gidNumber: $gidNumber
     homeDirectory: /home/$username
     loginShell: /bin/bash
     userPassword: $(slappasswd -s $password)
EOF
# Ajouter l'utilisateur via ldapadd
ldapadd -x -D "cn=admin,dc=myhost,dc=dev" -w $password <<EOF
dn: uid=$username,ou=$group,dc=myhost,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $username
cn: $username
sn: $lastName
givenName: $firstName
uidNumber: $uidNumber
gidNumber: $gidNumber
homeDirectory: /home/$username
loginShell: /bin/bash
userPassword: $(slappasswd -s $password)
EOF
19 Views
Announcements
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
What's New @ Cloudera
Updates to the HDFS clusters on AWS environments to add supp...
What's New @ Cloudera
Enhancements to the create-database command
Community Announcements
September 2024 Community Highlights
View More Announcements