Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

NiFi - Not able to connect to secured NiFi Registry from secured NiFi

Highlighted

NiFi - Not able to connect to secured NiFi Registry from secured NiFi

Getting below error while Start making an entry for Version Control in NiFi Registry:


Version Details:

  • HDF - 3.3.0
  • NiFi - 1.8.0
  • NiFi Registry - 0.3.0


NiFi Console Log:

Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all buckets: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Contact the system administrator.


NiFi Registry Log:

2019-06-19 06:04:03,248 INFO [NiFi Registry Web Server-18] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2019-06-19 06:04:03,620 INFO [NiFi Registry Web Server-17] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.

2019-06-19 06:22:49,013 INFO [NiFi Registry Web Server-63] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2019-06-19 06:22:49,263 INFO [NiFi Registry Web Server-17] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.

2019-06-19 06:27:01,720 INFO [NiFi Registry Web Server-68] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Returning 403 response.

2019-06-19 06:28:10,402 INFO [NiFi Registry Web Server-68] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Returning 403 response.


Configuration:

SSL - For both NiFi and NiFi Registry, we are using a host-specific self-signed certificate. And both services refer to the same Java Keystores.

Authentication Used - LDAP

Kerberos - No

Ranger Plugin to NiFi - Yes


NiFi Service:

Authorization - Ranger

Initial Admin Identity - admin

nifi.security.user.login.identity.provider - ldap-provider

Node Identities

<property name="Node Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
<property name="Node Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>


NiFi Registry Service:

Initial Admin Identity

CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com

nifi.registry.security.identity.provider=ldap-identity-provider

NiFi Identities

<property name="NiFi Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
<property name="NiFi Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>

authorizers.xml

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">{{nifi_registry_internal_config_dir}}/users.xml</property>
    <property name="Initial User Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
    <property name="Initial User Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
    <property name="Initial User Identity 3">CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com</property>
    {{nifi_registry_ssl_config_content | replace("NiFi","Initial User")}}
</userGroupProvider>


<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">{{nifi_registry_internal_config_dir}}/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com</property>
    {{nifi_registry_ssl_config_content}}
</accessPolicyProvider>


Note:

I am able to login to both the services using LDAP user credentials.

Also, created Ranger Policy:

/proxy - Read & Write - CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US

Read & Write - CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US


Kindly help me to resolve this issue.

2 REPLIES 2
Highlighted

Re: NiFi - Not able to connect to secured NiFi Registry from secured NiFi

New Contributor

Has anyone solved this?  I'm having the same exact issue.

Re: NiFi - Not able to connect to secured NiFi Registry from secured NiFi

Master Guru

@krishnaraj_v13 

 

The error output is telling you that your NiFi node(s) have not been granted the proxy policy in your NiFi Registry.  Your NiFi-Registry policies are managed locally within NiFi-Registry.

Your NiFi is setup to use Ranger ti handle authorizations and i see you mentioned you granted your NiFi nodes /proxy in Ranger, but these policies only apply for NiFi and not NiFi-Registry.

Based on the authorizers.xml shared from NiFi-Registry, I can see you defined your NiFi nodes as local users in the file-user-group-provider, but did not also configure those nodes in the file-access-provider.  The file-access-provider actually created the initial policies in the authorizations.xml file and assigns users to those created policies.
Note: Both NiFi and NiFi-Registry will only create the users.xml and authorizations.xml files if they do not already exist.  So modifications to these providers in the authorizers.xml file will not result in modifications to these files if they already exist.

To resolve the error you are seeing you need to login to your NiFi-Registry with your initial admin user and grant your NiFi nodes the the following policies:
1. "Can proxy user requests".  (solves current error)
2. "Can Manage buckets" --> Read.  (allows NiFi nodes to read buckets to see if new flow versions have been committed)
Screen Shot 2020-04-14 at 12.26.55 PM.png


Hope this helps,

Matt

Don't have an account?
Coming from Hortonworks? Activate your account here