Created 06-20-2019 09:28 AM
Getting the below error while starting to make an entry for Version Control in NiFi Registry:
Version Details:
NiFi Console Log:
Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all buckets: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Contact the system administrator.
NiFi Registry Log:
2019-06-19 06:04:03,248 INFO [NiFi Registry Web Server-18] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2019-06-19 06:04:03,620 INFO [NiFi Registry Web Server-17] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
2019-06-19 06:22:49,013 INFO [NiFi Registry Web Server-63] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2019-06-19 06:22:49,263 INFO [NiFi Registry Web Server-17] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
2019-06-19 06:27:01,720 INFO [NiFi Registry Web Server-68] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Returning 403 response.
2019-06-19 06:28:10,402 INFO [NiFi Registry Web Server-68] o.a.n.r.w.s.NiFiRegistrySecurityConfig Identity in proxy chain not trusted to act as a proxy: org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException: Untrusted proxy [CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US]. Returning 403 response.
Configuration:
SSL - For both NiFi and NiFi Registry, we are using a host-specific self-signed certificate, and both services refer to the same Java keystores.
Authentication Used - LDAP
Kerberos - No
Ranger Plugin to NiFi - Yes
NiFi Service:
Authorization - Ranger
Initial Admin Identity - admin
nifi.security.user.login.identity.provider - ldap-provider
Node Identities
<property name="Node Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
<property name="Node Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
NiFi Registry Service:
Initial Admin Identity
CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com
nifi.registry.security.identity.provider=ldap-identity-provider
NiFi Identities
<property name="NiFi Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
<property name="NiFi Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
authorizers.xml
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">{{nifi_registry_internal_config_dir}}/users.xml</property>
    <property name="Initial User Identity 1">CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
    <property name="Initial User Identity 2">CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US</property>
    <property name="Initial User Identity 3">CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com</property>
    {{nifi_registry_ssl_config_content | replace("NiFi","Initial User")}}
</userGroupProvider>
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">{{nifi_registry_internal_config_dir}}/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com</property>
    {{nifi_registry_ssl_config_content}}
</accessPolicyProvider>
Note:
I am able to login to both the services using LDAP user credentials.
Also, created Ranger Policy:
/proxy - Read & Write - CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US
/proxy - Read & Write - CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US
Kindly help me to resolve this issue.
Created 04-13-2020 12:30 PM
Has anyone solved this? I'm having the same exact issue.
Created 04-14-2020 09:30 AM
The error output is telling you that your NiFi node(s) have not been granted the proxy policy in your NiFi Registry. Your NiFi-Registry policies are managed locally within NiFi-Registry.
Your NiFi is set up to use Ranger to handle authorizations, and I see you mentioned you granted your NiFi nodes /proxy in Ranger, but these policies only apply to NiFi and not NiFi-Registry.
Based on the authorizers.xml shared from NiFi-Registry, I can see you defined your NiFi nodes as local users in the file-user-group-provider, but did not also configure those nodes in the file-access-provider. The file-access-provider actually created the initial policies in the authorizations.xml file and assigns users to those created policies.
Note: Both NiFi and NiFi-Registry will only create the users.xml and authorizations.xml files if they do not already exist. So modifications to these providers in the authorizers.xml file will not result in modifications to these files if they already exist.
To resolve the error you are seeing, you need to log in to your NiFi-Registry with your initial admin user and grant your NiFi nodes the following policies:
1. "Can proxy user requests". (solves current error)
2. "Can Manage buckets" --> Read. (allows NiFi nodes to read buckets to see if new flow versions have been committed)
Hope this helps,
Matt
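The answer above comes down to a state check on two files that NiFi Registry writes once and never rewrites from authorizers.xml: users.xml (identities) and authorizations.xml (policies). The script below is an added example for this thread, not code from the original posts or from Apache NiFi. It parses both files and reports, for each NiFi node DN, whether the node exists as a local user and whether it holds the "/proxy" policy and read on "/buckets", the two grants named in the answer. The element layout it parses (`<tenants>/<users>/<user identity=...>` and `<authorizations>/<policies>/<policy resource=... action=...>`) is the format the file providers use; the exact set of actions in `REQUIRED`, and the two sample files, are this example's own assumptions and constructed data. Because the registry matches the identity string exactly, the script also flags a DN that differs from an existing user only in case or spacing, which is a common reason the grant "looks" present but the node is still rejected as an untrusted proxy.

```python
"""Audit NiFi node identities against NiFi Registry's local users/authorizations.

Added example for this thread; it is not code from the original posts or from
Apache NiFi. The sample XML below is constructed to mirror the question:
node1 was granted proxy read only, node2 has no proxy policy at all.
"""
import xml.etree.ElementTree as ET

# Constructed sample users.xml: the three initial users from the question.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="a1" identity="CN=admin, OU=Hadoop, OU=Accounts-Service, DC=Domain, DC=com"/>
    <user identifier="n1" identity="CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US"/>
    <user identifier="n2" identity="CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml: both nodes still trip "Untrusted proxy".
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/proxy" action="R">
      <user identifier="n1"/>
    </policy>
    <policy identifier="p2" resource="/buckets" action="R">
      <user identifier="n1"/>
      <user identifier="n2"/>
    </policy>
    <policy identifier="p3" resource="/policies" action="R">
      <user identifier="a1"/>
    </policy>
  </policies>
</authorizations>"""

# (resource, action) pairs a NiFi node needs in NiFi Registry. Assumption of
# this example: "Can proxy user requests" = /proxy R+W, bucket visibility = /buckets R.
REQUIRED = (("/proxy", "R"), ("/proxy", "W"), ("/buckets", "R"))


def load_users(users_xml):
    """Map identity string (the DN) -> internal user identifier."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def load_grants(authorizations_xml):
    """Map (resource, action) -> set of user identifiers holding that policy."""
    root = ET.fromstring(authorizations_xml)
    grants = {}
    for policy in root.iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        grants.setdefault(key, set()).update(u.get("identifier") for u in policy.findall("user"))
    return grants


def loose_dn(dn):
    """Case/whitespace-insensitive form, used only to flag near-misses.
    NiFi Registry itself matches the identity string exactly."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_node(node_dn, users, grants):
    """Return {'status': ..., 'missing': [...]} for one NiFi node DN.

    status: 'ok', 'missing' (user exists but lacks policies), 'near-miss'
    (a user differs only by case or spacing, which will not match), or
    'unknown-user' (no such identity in users.xml at all).
    """
    user_id = users.get(node_dn)
    if user_id is None:
        for identity in users:
            if loose_dn(identity) == loose_dn(node_dn):
                return {"status": "near-miss", "missing": list(REQUIRED), "existing": identity}
        return {"status": "unknown-user", "missing": list(REQUIRED)}
    missing = [req for req in REQUIRED if user_id not in grants.get(req, set())]
    return {"status": "missing" if missing else "ok", "missing": missing}


def audit(node_dns, users_xml=USERS_XML, authorizations_xml=AUTHORIZATIONS_XML):
    """Audit every node DN; pass the real file contents to check a live registry."""
    users, grants = load_users(users_xml), load_grants(authorizations_xml)
    return {dn: check_node(dn, users, grants) for dn in node_dns}


if __name__ == "__main__":
    for dn, result in audit([
        "CN=node1.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US",
        "CN=node2.domain.com, OU=IT, O=COMPANY, L=Area, ST=State, C=US",
        "CN=Node2.domain.com,OU=IT,O=COMPANY,L=Area,ST=State,C=US",  # case/spacing differs
    ]).items():
        print(dn, "->", result)
```

To run it against a real registry, read the users.xml and authorizations.xml paths configured in authorizers.xml and pass their contents to `audit()`; a `missing` or `near-miss` result for a node DN is the condition behind the "Untrusted proxy" 403, and the fix is the UI grant described in the answer, since editing the Initial/NiFi Identity properties alone does not touch files that already exist.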