NIFI docker ssl issue

Explorer

Hi,

Please help with access to NiFi functionality based on the Docker image.

1. I generated certs with nifi-toolkit-1.12.1:

./bin/tls-toolkit.sh standalone -n "acsca094a01" -C "CN=admin, OU=ApacheNiFi" -o target

2. Created a NiFi Docker instance with the steps from https://hub.docker.com/r/apache/nifi, for the case 'Standalone Instance, Two-Way SSL'.

2.1 Ran Docker with the command below, from the link above:

docker run --name nifi \
-v /home/nifi/docker:/opt/certs \
-p 8443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=1L929SNVaMK2HINaF+6aaOaXxNzYkhCvP9F+USSPwEg \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=3J/m5eAAJcNasdasdsasdyW7TeHH1pGkT+kEasdasda \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin, OU=ApacheNiFi' \
-d \
--hostname acsca094a01 \
apache/nifi:latest

 

I am able to reach the NiFi UI with the admin cert but am not able to create anything; all buttons are inactive/grey, see below. Please help.

[Screenshot: Screen Shot 2020-11-11 at 4.47.18 PM.png]

Expert Contributor

@Vapper Looks like there are issues with authorization. Can you please check your authorizations.xml file and check whether the user you mentioned in INITIAL_ADMIN_IDENTITY is assigned to all expected policies?

Explorer

Hi,

Under authorizations.xml I have:

cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
</policy>
</policies>
</authorizations>

 

Under users.xml:

cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7" identity="CN=admin, OU=ApacheNiFi"/>
</users>
</tenants>

 

So the user identity="CN=admin, OU=ApacheNiFi" with identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7" is present in authorizations.xml.

Please let me know if you can see any issues or if additional info is needed.
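
The check suggested above can be run offline, as an added example (not code from the thread or from the NiFi project): it resolves a certificate DN to its identifier in users.xml and lists what authorizations.xml grants it, separating global policies from component-level ones such as /process-groups/<id>, which NiFi evaluates for edits inside a process group. The embedded XML is abridged from the post above; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Abridged from the users.xml / authorizations.xml posted above
# (three of the eight policies kept; identifiers are the ones in the post).
ADMIN_ID = "6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"
USERS_XML = f"""<tenants><groups/><users>
  <user identifier="{ADMIN_ID}" identity="CN=admin, OU=ApacheNiFi"/>
</users></tenants>"""
AUTHZ_XML = f"""<authorizations><policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
    <user identifier="{ADMIN_ID}"/></policy>
  <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
    <user identifier="{ADMIN_ID}"/></policy>
  <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
    <user identifier="{ADMIN_ID}"/></policy>
</policies></authorizations>"""

def granted(identity, users_xml=USERS_XML, authz_xml=AUTHZ_XML):
    """Return {(resource, action)} granted to a DN, directly or through a group."""
    tenants = ET.fromstring(users_xml)
    # Exact string comparison: case and spacing of the DN both matter here.
    ids = {u.get("identifier") for u in tenants.iter("user")
           if u.get("identity") == identity}
    # Groups list their members as <user identifier="..."/> children.
    ids |= {g.get("identifier") for g in tenants.iter("group")
            if any(m.get("identifier") in ids for m in g.iter("user"))}
    return {(p.get("resource"), p.get("action"))
            for p in ET.fromstring(authz_xml).iter("policy")
            if any(child.get("identifier") in ids for child in p)}

def component_grants(grants):
    """Keep only policies scoped to a process group rather than global ones."""
    scoped = ("/process-groups/", "/data/process-groups/")
    return {g for g in grants if g[0].startswith(scoped)}

if __name__ == "__main__":
    grants = granted("CN=admin, OU=ApacheNiFi")
    for resource, action in sorted(grants):
        print(f"{action}  {resource}")
    if not component_grants(grants):
        print("no /process-groups/<id> policy for this identity")
```

To check real files, pass their contents as `users_xml` and `authz_xml`.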

Expert Contributor

Do you see any WARNs or ERRORs for the "CN=admin, OU=ApacheNiFi" user in the nifi-user.log file when you log in to the UI?

Explorer

Hi,

Found in the user logs; no errors, just warnings:

2020-11-21 18:36:48,717 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=root, OU=ApacheNiFi
2020-11-21 18:36:53,172 WARN [NiFi Web Server-23] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.
at org.apache.nifi.web.api.AccessResource.createAccessTokenFromTicket(AccessResource.java:644)

2020-11-21 18:36:53,317 WARN [NiFi Web Server-24] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
java.lang.IllegalStateException: OpenId Connect is not configured.
at org.apache.nifi.web.api.AccessResource.oidcExchange(AccessResource.java:301)

 

How do I fix that?

Explorer

Also, just a small clarification: I regenerated the cert and tried 'CN=root, OU=ApacheNiFi' instead of 'CN=admin, OU=ApacheNiFi', but there is still an issue, with the same errors in the logs. Please help.