
NIFI docker ssl issue


Explorer

Hi,

Please help with access to NiFi functionality based on the Docker image.

 

1. I generated certs with nifi-toolkit-1.12.1:

 

./bin/tls-toolkit.sh standalone -n "acsca094a01" -C "CN=admin, OU=ApacheNiFi" -o target

 

2. Created a NiFi Docker instance with the steps from https://hub.docker.com/r/apache/nifi, for the case 'Standalone Instance, Two-Way SSL'.

2.1 Run Docker with the command below, from the link above:

 

docker run --name nifi \
-v /home/nifi/docker:/opt/certs \
-p 8443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=1L929SNVaMK2HINaF+6aaOaXxNzYkhCvP9F+USSPwEg \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=3J/m5eAAJcNasdasdsasdyW7TeHH1pGkT+kEasdasda \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin, OU=ApacheNiFi' \
-d \
--hostname acsca094a01 \
apache/nifi:latest

 

And I am able to reach the NiFi UI with the admin cert but not able to create anything; all buttons are inactive/grey, see below. Please help.

Screen Shot 2020-11-11 at 4.47.18 PM.png


Re: NIFI docker ssl issue

Cloudera Employee

@Vapper Looks like there are issues with authorization. Can you please check your authorizations.xml file and check whether the user you have mentioned in INITIAL_ADMIN_IDENTITY is assigned to all expected policies?


Re: NIFI docker ssl issue

Explorer

Hi,

Under authorizations.xml I have:

 

cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"/>
        </policy>
    </policies>
</authorizations>

 

Under users.xml:

cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7" identity="CN=admin, OU=ApacheNiFi"/>
    </users>
</tenants>

 

So the user identity="CN=admin, OU=ApacheNiFi" with identifier="6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7" is present in authorizations.xml.

Please let me know if you can see any issues or if additional info is needed.


Re: NIFI docker ssl issue

Cloudera Employee

Do you see any WARNs or ERRORs for the "CN=admin, OU=ApacheNiFi" user in the nifi-user.log file when you log in to the UI?


Re: NIFI docker ssl issue

Explorer

Hi,

Found in the user logs: no errors, just warnings:

 

2020-11-21 18:36:48,717 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=root, OU=ApacheNiFi
2020-11-21 18:36:53,172 WARN [NiFi Web Server-23] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.
at org.apache.nifi.web.api.AccessResource.createAccessTokenFromTicket(AccessResource.java:644)

2020-11-21 18:36:53,317 WARN [NiFi Web Server-24] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
java.lang.IllegalStateException: OpenId Connect is not configured.
at org.apache.nifi.web.api.AccessResource.oidcExchange(AccessResource.java:301)

 

How to fix that?

Re: NIFI docker ssl issue

Explorer

Also, just a small clarification: I regenerated the cert and tried 'CN=root, OU=ApacheNiFi' instead of 'CN=admin, OU=ApacheNiFi', but there is still an issue, same errors in the logs. Please help.
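
The check suggested in the first reply (is the INITIAL_ADMIN_IDENTITY user assigned to the expected policies?), as an added example that is not part of the original thread or NiFi's own code. It assumes the file-based users.xml/authorizations.xml layout posted above, exact string comparison of identities, direct user grants only (the posted file has no groups), and a caller-supplied expected list; the policy identifiers and the root process group resource in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the files posted in the thread.
UID = "6a74eaf1-1cb9-341d-be5b-ec95d3ee0ba7"
USERS_XML = f'''<tenants><groups/><users>
<user identifier="{UID}" identity="CN=admin, OU=ApacheNiFi"/>
</users></tenants>'''
POSTED = [("/flow", "R"), ("/restricted-components", "W"), ("/tenants", "R"),
          ("/tenants", "W"), ("/policies", "R"), ("/policies", "W"),
          ("/controller", "R"), ("/controller", "W")]
# Policy identifiers p0..p7 are placeholders, not the UUIDs from the post.
AUTHZ_XML = "<authorizations><policies>" + "".join(
    f'<policy identifier="p{i}" resource="{r}" action="{a}">'
    f'<user identifier="{UID}"/></policy>'
    for i, (r, a) in enumerate(POSTED)) + "</policies></authorizations>"
# Assumption: expected list chosen by the caller; the group id is a placeholder.
EXPECTED = set(POSTED) | {("/process-groups/ROOT-GROUP-ID-PLACEHOLDER", "W")}


def resolve_identifier(users_xml, identity):
    """Return the identifier for an identity, compared as an exact string."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def granted(authz_xml, identifier):
    """(resource, action) pairs of every policy listing this user directly."""
    return {(p.get("resource"), p.get("action"))
            for p in ET.fromstring(authz_xml).iter("policy")
            if any(u.get("identifier") == identifier for u in p.findall("user"))}


def audit(users_xml, authz_xml, identity, expected):
    """Report whether the identity is a known user and which pairs it lacks."""
    uid = resolve_identifier(users_xml, identity)
    have = granted(authz_xml, uid) if uid else set()
    return {"known": uid is not None, "granted": have,
            "missing": set(expected) - have}


if __name__ == "__main__":
    # Both identities that appear in the thread (docker command and log line).
    for who in ("CN=admin, OU=ApacheNiFi", "CN=root, OU=ApacheNiFi"):
        r = audit(USERS_XML, AUTHZ_XML, who, EXPECTED)
        print(who, "known:", r["known"], "missing:", sorted(r["missing"]))
```

Run it against the live files in the container's conf directory and pass the identity exactly as it appears in the "Authentication success for ..." line of nifi-user.log.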