NiFi Untrusted proxy

Super Guru

I am getting error Untrusted proxy CN=xxx.field.hortonworks.com, OU=NIFI while trying to log into NiFi UI via my admin ssl cert.

I read this post but am not able to follow how to provide my proxy access. I truly didn't know I was using a proxy.

https://community.hortonworks.com/questions/61159/getting-untrusted-proxy-message-while-trying-to-se...

I added my DN to the node identities

<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="Node Identity 1">xxx.field.hortonworks.com</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->

Here is my authorizers.xml


        <!--
        Licensed to the Apache Software Foundation (ASF) under one or more
        contributor license agreements.  See the NOTICE file distributed with
        this work for additional information regarding copyright ownership.
        The ASF licenses this file to You under the Apache License, Version 2.0
        (the "License"); you may not use this file except in compliance with
        the License.  You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
        Unless required by applicable law or agreed to in writing, software
        distributed under the License is distributed on an "AS IS" BASIS,
        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        See the License for the specific language governing permissions and
        limitations under the License.
        -->
        <!--
        This file lists the authority providers to use when running securely. In order
        to use a specific provider it must be configured here and it's identifier
        must be specified in the nifi.properties file.
        -->
        <authorizers>
        
        <!--
        The FileAuthorizer is NiFi's provided authorizer and has the following properties:
        - Authorizations File - The file where the FileAuthorizer will store policies.
        - Users File - The file where the FileAuthorizer will store users and groups.
        - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
            given the ability to create additional users, groups, and policies. The value of this property could be
            a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
            are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
            Users File can not be specified.
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
            so the value should be the unmapped identity.
        - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
            converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
            not be specified, and this property will only be used when there are no other users, groups, and policies defined.
        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
            should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
            The name of each property must be unique, for example for a three node cluster:
            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate).        
        -->
        <authorizer>
        <identifier>{{nifi_authorizer}}</identifier>
        {% if has_ranger_admin and enable_ranger_nifi %}
        <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
        <property name="Ranger Audit Config Path">{{nifi_config_dir}}/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">{{nifi_config_dir}}/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Allow Anonymous">true</property>
        <property name="Ranger Admin Identity">{{ranger_admin_identity}}</property>
        {% if security_enabled %}
        <property name="Ranger Kerberos Enabled">true</property>
        {% else %}
        <property name="Ranger Kerberos Enabled">false</property>
        {% endif %}
        {% else %}
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">{{nifi_flow_config_dir}}/authorizations.xml</property>
        <property name="Users File">{{nifi_flow_config_dir}}/users.xml</property>
        <property name="Initial Admin Identity">{{nifi_initial_admin_id}}</property>
        <property name="Legacy Authorized Users File"></property>
        {% endif %}


        {{nifi_ssl_config_content}}


        </authorizer>
        </authorizers>

Any suggestions?

Accepted Solutions

Re: NiFi Untrusted proxy

The value in your Node Identity is just a hostname; it needs to be the full DN, like "CN=xxx.field.hortonworks.com, OU=NIFI". It is also case- and white-space-sensitive, so it needs to be exactly how the DN would be listed from your cert.

If you update the node identities you need to blow away users.xml and authorizations.xml again.

Re: NiFi Untrusted proxy

Master Guru

The only time it would not be the full DN is if you configured pattern mapping in your nifi.properties file.

Re: NiFi Untrusted proxy

Super Guru

@Bryan Bende I used your suggestion and continue to get the error

Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI

Log error:

2017-01-27 22:38:53,187 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifiadmin, OU=FIELD.HORTONWORKS.COM) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xx.xx.80.117)
2017-01-27 22:38:53,191 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin, OU=FIELD.HORTONWORKS.COM
2017-01-27 22:38:53,340 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifiadmin, OU=FIELD.HORTONWORKS.COM><CN=sunman0.field.hortonworks.com, OU=NIFI>) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xxx.xx.197.193)
2017-01-27 22:38:53,347 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI

I updated the node identities

<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="Node Identity 1">"CN=sunman0.field.hortonworks.com, OU=NIFI"</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->

Lastly, I removed authorizations.xml and user.xml and restarted NiFi.

Re: NiFi Untrusted proxy

Super Guru

Shoot, do I need to remove the double quotes?

Re: NiFi Untrusted proxy

Super Guru

That was it. I removed the double quotes and it worked.
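
An added example (not part of the original thread, and not NiFi's own code): a small Python check that compares the DN from the "Untrusted proxy" log message against the Node Identity values in a rendered authorizers.xml and names the mismatches seen in this thread (hostname only, surrounding quotes, case or whitespace differences). The sample XML and log line are constructed from the snippets above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the snippets and log lines in this thread.
AUTHORIZERS_XML = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <class>org.apache.nifi.authorization.FileAuthorizer</class>
  <property name="Initial Admin Identity">CN=nifiadmin, OU=FIELD.HORTONWORKS.COM</property>
  <property name="Node Identity 1">"CN=sunman0.field.hortonworks.com, OU=NIFI"</property>
</authorizer></authorizers>"""
NIFI_LOG = """2017-01-27 22:38:53,347 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI
"""

def node_identities(xml_text):
    """Return {property name: raw value} for every 'Node Identity ...' property."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity")}

def untrusted_proxies(log_text):
    """Return the DNs reported as untrusted proxies, in order, de-duplicated."""
    found = re.findall(r"Untrusted proxy (.+?)\s*$", log_text, flags=re.MULTILINE)
    return list(dict.fromkeys(found))

def diagnose(configured, proxy_dn):
    """Explain why a configured Node Identity does or does not equal the proxy DN."""
    if configured == proxy_dn:
        return "exact match"
    if configured.strip().strip("\"'") == proxy_dn:
        return "wrapped in quotes or padded with whitespace"
    if re.sub(r"\s+", "", configured).lower() == re.sub(r"\s+", "", proxy_dn).lower():
        return "differs only in case or whitespace"
    if "=" not in configured and f"CN={configured.strip()}".lower() in proxy_dn.lower():
        return "hostname only, not the full DN"
    return "no match"

def check(xml_text, log_text):
    """Pair each rejected proxy DN with a diagnosis of every Node Identity entry."""
    ids = node_identities(xml_text)
    return {dn: {name: diagnose(val, dn) for name, val in ids.items()}
            for dn in untrusted_proxies(log_text)}

if __name__ == "__main__":
    for dn, results in check(AUTHORIZERS_XML, NIFI_LOG).items():
        for name, verdict in results.items():
            print(f"{dn!r} vs {name}: {verdict}")
```

Run it against the rendered authorizers.xml on the node, not the Ambari template with its `{{ }}` and `{% %}` placeholders.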
