Support Questions

cjervis · ‎10-28-2019

Hello all,

I am having an odd issue with NIFI. The cluster stands, and it works but I am unable to log in. I am getting "Untrusted proxy CN=server.domain.com, OU=NIFI" That is not the OU for the zookeeper node I am using. It should be OU=nifi_test. I discovered this in nifi-user.log:

2019-10-28 14:36:26,958 INFO [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifi_admin, OU=nifi_test) GET <a href="https://server.domain:port/nifi-api/flow/current-user" target="_blank">https://server.domain:port/nifi-api/flow/current-user</a> (source ip: ipaddress)
2019-10-28 14:36:26,962 INFO [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi_admin, OU=nifi_test
2019-10-28 14:36:27,273 INFO [NiFi Web Server-133] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifi_admin, OU=nifi_test><CN=server.domain:port, OU=NIFI>) GET <a href="https://server.domain:port/nifi-api/flow/current-user" target="_blank">https://server.domain:port/nifi-api/flow/current-user</a> (source ip: ipaddress)
2019-10-28 14:36:27,277 WARN [NiFi Web Server-133] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=server.domain:port, OU=NIFI

It's going through everything as it should, until that last part. Where in the world is that other OU getting picked up at? I can't find it anywhere in any config. I grepped the conf directory and couldn't find a reference to NIFI outside of some commented lines. Any help would be much appreciated!

Dale1979 · ‎11-06-2019

We discovered what the issue was. In generating the certs using the nifi toolkit, we were not using the --nifiDnSuffix switch. So the zookeeper OU was defaulting to NIFI. As soon as I found that, it resolved the issue.

View solution in original post

MattWho · ‎10-28-2019

@Dale1979

It would appear you have a multi-node NiFi cluster that is using the NiFi CA to issue the certificate for each NiFi node.

Within a NiFi cluster, one node will be elected cluster coordinator. While you can access your NiFi cluster from any node in the cluster, any user requests (including displaying the UI) need to be replicated to the cluster coordinator. This replication request is performed by the node which you are authenticated in to on behalf of you as the user. Thus requiring that the node itself has been authorized to act as a proxy for your user.

Within your authorizers.xml file you should find a file-user-group-provider which should have been configured a separate "Initial User Identity <num>" property for each of your NiFi nodes. The file-user-group-provider is used add the initial users in the users.xml file. The value would match the DN of the certificate found in each node's keystore.jks file. Using you output as an example, you should see a line like this:

<property name="Initial User Identity 2">CN=server.domain:port, OU=NIFI</property>

Above would be followed by additional similar lines with new number for each of your other NiFi nodes.
Note: Having a port number in your CN name is unexpected.

IMPORTANT: NiFi will only generate the users.xml and authorizations.xml files from the configuration in the authorizers.xml file the very first time. If you make edits to either the file-user-group-provider (build users.xml) or File-access-provider (builds authorizations.xml), those changes will not be reflected in the already existing users.xml and authorizations.xml files. You must delete these files so they are recreated. The expectation is that following successful securing of NiFi, all additional users and authorizers are added directly via the NiFi UI.

Hope this helps,
Matt

Dale1979 · ‎11-06-2019

We discovered what the issue was. In generating the certs using the nifi toolkit, we were not using the --nifiDnSuffix switch. So the zookeeper OU was defaulting to NIFI. As soon as I found that, it resolved the issue.

Cloudera Community

Support Questions

NIFI Proxy issues