NiFi Security Failed on Single Node

93268-authorizations-xml.jpg

I tried to add security to one of my HDF clusters, but failed. So I started with one local NiFi node, but it still failed.

Here are my main steps following some web links listed below:

1. Installed nifi 1.5

2. Installed nifi toolkit 1.5

3. Ran toolkit -

./tls-toolkit.sh standalone -n 'localhost' -C 'CN=ML,OU=NIFI' -O -o ../security_output

4. Copied generated keystore, truststore and nifi properties to nifi/config folder

5. Imported the generated certificate to chrome browser

6. Modified authorizers.xml as attached.

7. Performed the required restarts. Now when I enter the URL below in the browser, I see the error below.

https://localhost:9443/nifi/

Insufficient Permissions - home Unknown user with identity 'CN=ML, OU=NIFI'. Contact the system administrator.

authorizers.xml

-------------------------------------------

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=ML,OU=NIFI</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=ML,OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
</accessPolicyProvider>

---------------------------------------------------------------------------------------------------------------

Generated users.xml

-------------------------------------------------------

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="10375150-f717-3891-afda-e009d1f1184b" identity="CN=ML,OU=NIFI"/>
    </users>
</tenants>

------------------------------------------------------------------------------------------------------------------

Generated authorizations.xml

see attached image

----------------------------------------------------------------------------------------------------------------

nifi-app.log

See attached image

----------------------------------------------------------------------------------------------------------------

nifi.properties

See attached image

--------------------------------------------------------------------------------------------------------

Some links I referred:

https://community.hortonworks.com/content/kbentry/58233/using-the-tls-toolkit-to-simplify-security.h...

https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

https://lists.apache.org/thread.html/%3CCAG6AKAEXOJtDRw07L=quzn+EMO7N5=n0_B8tBC-w6Edd2vptYw@mail.gma...

Here are what I tried:

Both nifi-1.5 and nifi-1.8

AWS instance

Local virtual machine (Ubuntu 18.04)

This should be straightforward, but I just can't figure out what I did wrong or what I missed. I have been stuck here for days. Your help is really appreciated.

Thanks a lot.

93271-https-error.jpg

93270-nifi-properties.jpg

93269-nifi-user-log.jpg


Re: NiFi Security Failed on Single Node

@Bright Lee

-

It appears the user string you used in your authorizers.xml file does not match the user DN from the certificate.

-

The insufficient permissions output you see shows "CN=ML, OU=NIFI";

however, your authorizers.xml and generated users.xml show this as "CN=ML,OU=NIFI".

-

You will notice your user DN actually has a <space> after the comma.

-

Just editing your authorizers.xml will not result in your users.xml file being updated. The users.xml and authorizations.xml files are only generated one time. If they already exist, they are not regenerated or edited via authorizers.xml. I suggest fixing authorizers.xml and removing the users.xml and authorizers.xml files so they are recreated correctly.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
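A small diagnostic for the mismatch Matt describes, added here as an example; it is not code from the post or from NiFi. The XML strings are constructed copies of the fragments quoted in the question, and the compared identity is the one shown in the browser error.

```python
"""Check whether the identity NiFi took from the client certificate matches,
byte for byte, the identities configured in authorizers.xml and users.xml.
By default NiFi compares these strings exactly (identity mapping patterns
aside), so "CN=ML, OU=NIFI" and "CN=ML,OU=NIFI" are two different users."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the relevant part of the question's authorizers.xml.
AUTHORIZERS_XML = """<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=ML,OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""

# Constructed copy of the generated users.xml from the question.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants><groups/><users>
  <user identifier="10375150-f717-3891-afda-e009d1f1184b" identity="CN=ML,OU=NIFI"/>
</users></tenants>"""

# Identity exactly as the browser error reported it (note the space).
CERT_IDENTITY = "CN=ML, OU=NIFI"


def configured_identities(authorizers_xml, users_xml):
    """Collect every identity string the file-based providers were given."""
    ids = set()
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name", "").startswith("Initial") and prop.text:
            ids.add(prop.text.strip())
    for user in ET.fromstring(users_xml).iter("user"):
        ids.add(user.get("identity", ""))
    return ids


def normalize_dn(dn):
    """Diagnosis only: strip whitespace around RDN separators.
    Naive split on ',' (escaped commas in values are not handled)."""
    return ",".join(re.split(r"\s*,\s*", dn.strip()))


def diagnose(cert_identity, identities):
    """'ok' if an exact match exists, 'whitespace-mismatch' if the DNs
    differ only in spacing (Matt's case), otherwise 'unknown'."""
    if cert_identity in identities:
        return "ok"
    if normalize_dn(cert_identity) in {normalize_dn(i) for i in identities}:
        return "whitespace-mismatch"
    return "unknown"


if __name__ == "__main__":
    known = configured_identities(AUTHORIZERS_XML, USERS_XML)
    print(diagnose(CERT_IDENTITY, known), "- configured:", sorted(known))
```

A "whitespace-mismatch" result means the fix is to put the DN string with the space into authorizers.xml and then delete the stale users.xml and authorizations.xml so they are regenerated, as the answer explains.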
