Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NiFi Untrusted proxy

avatar
Master Guru

I am getting error Untrusted proxy CN=xxx.field.hortonworks.com, OU=NIFI while trying to log into NiFi UI via my admin ssl cert.

I read this post but not able to follow how to provide my proxy access..truly didn't know I was using a proxy

https://community.hortonworks.com/questions/61159/getting-untrusted-proxy-message-while-trying-to-se...

I added my DN to the node identities

<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->




<property name="Node Identity 1">xxx.field.hortonworks.com</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->

Here is my authorizers.xml


        <!--
        Licensed to the Apache Software Foundation (ASF) under one or more
        contributor license agreements.  See the NOTICE file distributed with
        this work for additional information regarding copyright ownership.
        The ASF licenses this file to You under the Apache License, Version 2.0
        (the "License"); you may not use this file except in compliance with
        the License.  You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
        Unless required by applicable law or agreed to in writing, software
        distributed under the License is distributed on an "AS IS" BASIS,
        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        See the License for the specific language governing permissions and
        limitations under the License.
        -->
        <!--
        This file lists the authority providers to use when running securely. In order
        to use a specific provider it must be configured here and it's identifier
        must be specified in the nifi.properties file.
        -->
        <authorizers>
        
        <!--
        The FileAuthorizer is NiFi"s provided authorizer and has the following properties:
        - Authorizations File - The file where the FileAuthorizer will store policies.
        - Users File - The file where the FileAuthorizer will store users and groups.
        - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
            given the ability to create additional users, groups, and policies. The value of this property could be
            a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
            are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
            Users File can not be specified.
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
            so the value should be the unmapped identity.
        - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
            converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
            not be specified, and this property will only be used when there are no other users, groups, and policies defined.
        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
            should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
            The name of each property must be unique, for example for a three node cluster:
            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate).        
        -->
        <authorizer>
        <identifier>{{nifi_authorizer}}</identifier>
        {% if has_ranger_admin and enable_ranger_nifi %}
        <class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
        <property name="Ranger Audit Config Path">{{nifi_config_dir}}/ranger-nifi-audit.xml</property>
        <property name="Ranger Security Config Path">{{nifi_config_dir}}/ranger-nifi-security.xml</property>
        <property name="Ranger Service Type">nifi</property>
        <property name="Ranger Application Id">nifi</property>
        <property name="Allow Anonymous">true</property>
        <property name="Ranger Admin Identity">{{ranger_admin_identity}}</property>
        {% if security_enabled %}
        <property name="Ranger Kerberos Enabled">true</property>
        {% else %}
        <property name="Ranger Kerberos Enabled">false</property>
        {% endif %}
        {% else %}
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">{{nifi_flow_config_dir}}/authorizations.xml</property>
        <property name="Users File">{{nifi_flow_config_dir}}/users.xml</property>
        <property name="Initial Admin Identity">{{nifi_initial_admin_id}}</property>
        <property name="Legacy Authorized Users File"></property>
        {% endif %}


        {{nifi_ssl_config_content}}


        </authorizer>
        </authorizers>

Any suggestions?

1 ACCEPTED SOLUTION

avatar
Master Guru

The value in your Node Identity is just a hostname, it needs to be the full DN like "CN=xxx.field.hortonworks.com, OU=NIFI", it is also case and white-space sensitive so needs to be exactly how the DN would be listed from your cert.

If you update the node identities you need to blow away users.xml and authorizations.xml again.

View solution in original post

7 REPLIES 7

avatar
Master Guru

The value in your Node Identity is just a hostname, it needs to be the full DN like "CN=xxx.field.hortonworks.com, OU=NIFI", it is also case and white-space sensitive so needs to be exactly how the DN would be listed from your cert.

If you update the node identities you need to blow away users.xml and authorizations.xml again.

avatar
Super Mentor

The only time it would not be the full DN is if you configured pattern mapping in your nifi.properties file.

avatar
Master Guru

@Bryan Bende I used your suggestion and continue to get error

Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI

Log error:

2017-01-27 22:38:53,187 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifiadmin, OU=FIELD.HORTONWORKS.COM) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xx.xx.80.117)
2017-01-27 22:38:53,191 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin, OU=FIELD.HORTONWORKS.COM
2017-01-27 22:38:53,340 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifiadmin, OU=FIELD.HORTONWORKS.COM><CN=sunman0.field.hortonworks.com, OU=NIFI>) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xxx.xx.197.193)
2017-01-27 22:38:53,347 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI

I updated the node identities

<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->




<property name="Node Identity 1">"CN=sunman0.field.hortonworks.com, OU=NIFI"</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->

lastly I removed authorizations.xml and user.xml and restarted nifi.

avatar
Master Guru

shoot Do i need to remove the double quotes?

avatar
Master Guru

That was it. i removed double quotes and it worked.

avatar
Contributor

I had the same error (i.e. untrusted proxy) and tried the posted suggestions but no luck.


My authentication mechanism is oidc through azure ad.

I was able to run nifi in debug mode and got following stack trace:
...
2021-06-04 17:49:09,091 DEBUG [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2021-06-04 17:49:09,102 DEBUG [NiFi Web Server-17] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2021-06-04 17:49:09,102 DEBUG [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2021-06-04 17:49:09,107 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi4.{valid_domain}.com/nifi-api/flow/current-user (source ip: 10.2.2.7)
2021-06-04 17:49:09,210 INFO [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for user@{valid_domain}.com
2021-06-04 17:49:09,211 DEBUG [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: user@{valid_domain}.com
2021-06-04 17:49:09,211 DEBUG [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: user@{valid_domain}.com
2021-06-04 17:49:09,211 DEBUG [NiFi Web Server-17] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: user@{valid_domain}.com
2021-06-04 17:49:09,891 DEBUG [NiFi Web Server-15] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2021-06-04 17:49:09,891 DEBUG [NiFi Web Server-15] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <user@{valid_domain}.com>
2021-06-04 17:49:09,891 DEBUG [NiFi Web Server-15] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2021-06-04 17:49:09,892 INFO [NiFi Web Server-15] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<user@{valid_domain}.com><CN=nifi4.{valid_domain}.com, OU=NIFI>) GET https://nifi4.{valid_domain}.com/nifi-api/flow/current-user (source ip: 10.2.2.7)
2021-06-04 17:49:09,896 WARN [NiFi Web Server-15] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi4.{valid_domain}.com, OU=NIFI
2021-06-04 17:49:09,897 DEBUG [NiFi Web Server-15] o.a.n.w.s.NiFiAuthenticationFilter
org.apache.nifi.web.security.UntrustedProxyException: Untrusted proxy CN=nifi4.{valid_domain}.com, OU=NIFI
at org.apache.nifi.web.security.x509.X509AuthenticationProvider.authenticate(X509AuthenticationProvider.java:133)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:79)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:59)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.StrictTransportSecurityFilter.doFilter(StrictTransportSecurityFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XContentTypeOptionsFilter.doFilter(XContentTypeOptionsFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XSSProtectionFilter.doFilter(XSSProtectionFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
at java.lang.Thread.run(Unknown Source)

...

So I can clearly see that the authentication was successful (during the login, the browser was redirected to azure portal, after login, it was redirected back to nifi node). 

I have setup a 3-node nifi cluster (version 1.13.2) using embedded zookeeper with security enabled using configurations and TLS certificates generated by the tool kit. 

In the stack trace, I am wondering what x509 certificate is causing the unproxy exception (i.e. org.apache.nifi.web.security.x509.X509AuthenticationProvider.authenticate(X509AuthenticationProvider.java) and how to resolve this issue.

I am aware that there are 3 TLS certificates (one for each server) stored in keystore and 1 self-signed CA (stored in truststore) for nifi cluster. 

Need expert's help please.

avatar
Super Mentor

@myuintelli2021 

Assisting on your new post here:
https://community.cloudera.com/t5/Support-Questions/Nifi-untrusted-proxy-caused-by-Untrusted-Proxy-E...

Your choice of user authentication does not matter here.  Authentication and Authorization processes are handled independently of one another.  The Authentication of users/clients results in a string which is evaluated against identity mapping properties and then passed to the configured authorizer for authorization.

Your exception points and missing /proxy authorization for your node strings.

Hope this helps,

Matt