
NiFi AD Login Provider causing NiFi start failure




Hi,

I'm running HDF 2.1.4 and have the following components working:

  • 2 Nodes NiFi Cluster (SSL Enabled using NiFi CA)
  • Ranger (integrated with NiFi and I have Initial Admin Identity working from browser)

I am now trying to configure AD on my setup. I managed to get Ranger Usync to work and I can see my AD users in Ranger, but when I make the changes for NiFi the service won't start.

I made the following changes in Ambari under Advanced nifi-properties:

nifi.security.user.login.identity.provider=ldap-provider
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2

And this is what my Template for login-identity-providers.xml looks like

<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">CN=xxx,OU=Administrator & Service Accounts,OU=Administration,OU=NOC,DC=xxx,DC=xxx</property>
        <property name="Manager Password">xxx_password</property>


        <property name="TLS - Keystore">/usr/hdf/current/nifi/conf/keystore.jks</property>
        <property name="TLS - Keystore Password">keystore_password</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">/usr/hdf/current/nifi/conf/truststore.jks</property>
        <property name="TLS - Truststore Password">truststore_password</property>
        <property name="TLS - Truststore Type">jks</property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully"></property>


        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>


        <property name="Url">ldap://ad_controller:389</property>
        <property name="User Search Base">OU=Administration,OU=NOC,DC=xxx,DC=xxx</property>
        <property name="User Search Filter">sAMAccountName={0}</property>


        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

After saving these changes and restarting NiFi I get the following errors:

Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 360, in <module>
    Master().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 280, in execute
    method(env)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 720, in restart
    self.start(env, upgrade_type=upgrade_type)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 164, in start
    self.configure(env, is_starting = True)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 145, in configure
    params.nifi_flow_config_dir, params.nifi_sensitive_props_key, is_starting)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 286, in encrypt_sensitive_properties
    if nifi_toolkit_util.contains_providers(nifi_config_dir+'/login-identity-providers.xml'):
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi_toolkit_util.py", line 257, in contains_providers
    dom = xml.dom.minidom.parseString(content)
  File "/usr/lib64/python2.7/xml/dom/minidom.py", line 1931, in parseString
    return expatbuilder.parseString(string)
  File "/usr/lib64/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/usr/lib64/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 7, column 74

The login provider configuration looks ok to me but I've never configured NiFi with AD so I could well be missing something.

Any ideas?

Regards,

Geouffrey


Re: NiFi AD Login Provider causing NiFi start failure

I think this is saying that line 7 (Manager DN), column 74 of login-identity-providers.xml has a character that is making it invalid XML.

Is it possible that you cut and pasted the DN from somewhere and maybe some extraneous bad character is in there?

Re: NiFi AD Login Provider causing NiFi start failure


Thanks for your response Bryan. I managed to find the culprit earlier this morning.

The problem was the & in my Manager DN. After replacing this with the XML entity &amp; NiFi started and LDAP worked as well.
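The check that would have caught this before the restart, as an added example (not code from the thread, and not Ambari's or NiFi's own code): it parses a login-identity-providers.xml fragment with the same xml.dom.minidom parser that Ambari's nifi_toolkit_util.contains_providers() calls in the traceback above, reports the line and column of the first invalid token, then shows the same fragment passing once the ampersand in the Manager DN is escaped with xml.sax.saxutils.escape, and reads the DN back to confirm NiFi still binds with the unescaped value. The DN, OU names and host are placeholders.

```python
import xml.dom.minidom
from xml.parsers.expat import ExpatError
from xml.sax.saxutils import escape

# Constructed Manager DN modelled on the thread's; the bare "&" in the OU name
# is the character that breaks XML parsing. All names are placeholders.
MANAGER_DN = ("CN=svc_nifi,OU=Administrator & Service Accounts,"
              "OU=Administration,OU=NOC,DC=example,DC=com")

# Constructed login-identity-providers.xml fragment. {manager_dn} is filled in
# by render(); {{0}} becomes the literal {0} NiFi expects in the search filter.
TEMPLATE = """<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">{manager_dn}</property>
        <property name="Manager Password">placeholder</property>
        <property name="Url">ldap://ad_controller:389</property>
        <property name="User Search Base">OU=Administration,OU=NOC,DC=example,DC=com</property>
        <property name="User Search Filter">sAMAccountName={{0}}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
    </provider>
</loginIdentityProviders>
"""


def render(manager_dn, escape_value):
    """Build the fragment, optionally escaping &, < and > in the DN value
    the way any text placed inside an XML element must be written."""
    value = escape(manager_dn) if escape_value else manager_dn
    return TEMPLATE.format(manager_dn=value)


def check_well_formed(xml_text):
    """Parse with xml.dom.minidom, the parser the Ambari NiFi script uses
    before it lets NiFi start. Returns None when the document is well-formed,
    otherwise (line, column, message) from expat (line 1-based, column 0-based)."""
    try:
        xml.dom.minidom.parseString(xml_text)
        return None
    except ExpatError as err:
        return (err.lineno, err.offset, str(err))


def manager_dn_from(xml_text):
    """Read the Manager DN back out of a well-formed document. The parser
    turns &amp; into & again, so NiFi binds with the DN exactly as it is in AD."""
    dom = xml.dom.minidom.parseString(xml_text)
    for prop in dom.getElementsByTagName("property"):
        if prop.getAttribute("name") == "Manager DN":
            return "".join(child.data for child in prop.childNodes)
    return None


if __name__ == "__main__":
    broken = render(MANAGER_DN, escape_value=False)
    print("unescaped:", check_well_formed(broken))   # (6, <col>, 'not well-formed ...')
    fixed = render(MANAGER_DN, escape_value=True)
    print("escaped:  ", check_well_formed(fixed))    # None
    print("DN seen by NiFi:", manager_dn_from(fixed))
```

The same check against the file Ambari actually deploys is a one-liner on the node, for example python -c "import xml.dom.minidom,sys; xml.dom.minidom.parse(sys.argv[1])" /usr/hdf/current/nifi/conf/login-identity-providers.xml; a clean exit means the provider file will at least get past the parse step in the traceback. Note that the ampersand is the only special character in this DN, but < and > in a DN value would fail the same way and escape() handles those too.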


Re: NiFi AD Login Provider causing NiFi start failure


@Geouffrey Erasmus

I see you have configured your NiFi login-identity-providers.xml ldap-provider to use "SIMPLE", which means it will not use any of the TLS configuration properties, so there is no need to set any of them.

When NiFi passes the user login credentials to LDAP for authentication, the full DN of the authenticated user is returned and that is what NiFi then uses for authorization. Based on what I am seeing above, I suspect your users have a DN that looks something like this:

CN=<username>,OU=Administration,OU=NOC,DC=xxx,DC=xxx

This full DN is then passed through any configured identity mapping patterns looking for a match. Your currently configured mapping pattern will not match, so the full DN would be used. This full DN is then passed to your Ranger to see what authorization this user has been granted, so it is looking specifically for policies granted to that full DN user.

When you did your LDAP sync in Ranger, Ranger does not create users using the DN; it instead uses the sAMAccountName when creating users.

You can verify what is happening by looking in your NiFi's nifi-user.log. It should show successful authentication but denied authorization. It will show the exact username being passed to Ranger (which in your case will be a full DN).

There are two options available that may help:

1. Create a new identity mapping pattern:

nifi.security.identity.mapping.pattern.dn2=CN=(.*?),OU=(.*?),OU=(.*?),DC=(.*?),DC=(.*?)$

nifi.security.identity.mapping.value.dn2=$1

The above pattern will match based on my assumption above about your ldap user DN patterns.

It has 5 capture groups and will return the value from capture group 1 ($1) only, which will then be passed to Ranger for authorization. This method assumes the CN value is going to match exactly the usernames created by the LDAP sync.

2. Change the ldap-provider in NiFi to use the username supplied by the user in the login window to check authorization rather than the DN returned from LDAP. By default NiFi will use the full DN returned by LDAP when a user is successfully authenticated; however, the configuration can be changed to use the login name entered at the NiFi login screen for authorization after authentication with LDAP is successful. Often this is the better solution. To enable this, you must add the following line to your ldap-provider configuration in login-identity-providers.xml:

<property name="Identity Strategy">USE_USERNAME</property>

A restart of NiFi will need to occur before changes to the config files take effect. Since you are using HDF, and if you are using Ambari to manage your NiFi, make your changes in Ambari rather than editing these files within NiFi directly.

If you found this answer helpful in addressing your question, please mark it as accepted.

Thank you,

Matt
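To see what the two mapping patterns in Matt's reply actually do to an AD DN, here is an added example that is not NiFi's code and not part of the thread: a small Python re-implementation of the identity mapping step (pattern/value pairs tried in order, first match wins, $1..$n replaced by capture groups, an unmatched identity passed through unchanged), applied to three constructed DNs. The first-match-wins order and the requirement that a pattern match the whole identity are assumptions about NiFi's behaviour, not something the thread states; the DNs, CNs and OU names are made up.

```python
import re


def map_identity(identity, mappings):
    """Apply NiFi-style identity mappings to an authenticated identity.

    mappings: list of (pattern, value) pairs tried in order. The first
    pattern that fully matches wins and $1..$n in value are replaced by
    its capture groups. With no match the identity is returned unchanged,
    which is the string that would then be handed to Ranger for
    authorization. (Assumption: first match wins and the pattern must
    match the whole identity, mirroring nifi.security.identity.mapping.*.)
    """
    for pattern, value in mappings:
        match = re.fullmatch(pattern, identity)
        if match:
            return re.sub(r"\$(\d+)",
                          lambda ref: match.group(int(ref.group(1))), value)
    return identity


# The pattern/value pair from the question (note the space after the comma).
ORIGINAL_MAPPING = [(r"^CN=(.*?), OU=(.*?)$", "$1@$2")]

# Matt's option 1 (dn2), configured alongside the original pair.
DN2_MAPPING = ORIGINAL_MAPPING + [
    (r"CN=(.*?),OU=(.*?),OU=(.*?),DC=(.*?),DC=(.*?)$", "$1"),
]

# Constructed DNs: the shape Matt assumed, one nested a level deeper,
# and one from a flatter branch of the directory.
ASSUMED_DN = "CN=gerasmus,OU=Administration,OU=NOC,DC=example,DC=com"
DEEPER_DN = "CN=jdoe,OU=Users,OU=Administration,OU=NOC,DC=example,DC=com"
FLATTER_DN = "CN=svc_report,OU=Service Accounts,DC=example,DC=com"


def results():
    """Identity Ranger would be asked about, per DN, under each mapping set."""
    return {
        dn: {
            "original": map_identity(dn, ORIGINAL_MAPPING),
            "with_dn2": map_identity(dn, DN2_MAPPING),
        }
        for dn in (ASSUMED_DN, DEEPER_DN, FLATTER_DN)
    }


if __name__ == "__main__":
    for dn, out in results().items():
        print(dn)
        for name, mapped in out.items():
            print(f"  {name:9} -> {mapped}")
```

Running it shows the question's pattern never matching an AD DN (it expects ", OU=" with a space and only one OU), so the full DN reaches Ranger; dn2 extracts the CN for the assumed shape and, because the lazy groups also swallow commas, for the deeper one too; the flatter DN falls through both patterns and again reaches Ranger as the full DN. That last case is the structural problem Geouffrey raises, and the one option 2 (USE_USERNAME) avoids, since the identity is then the login name and nothing derived from the DN at all.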


Re: NiFi AD Login Provider causing NiFi start failure


Hi Matt,

Thanks for your detailed response. Please see my reply to Bryan above for the fix to my original problem.

For the Identity Mappings I went with your suggestion number 2 and that worked perfectly. Option 1 will not really work as the AD structure might not always be the same for all users, so I thought option 2 would work better.

Regards,

Geouffrey
