NiFi single user Certificate and Token not found
Labels: Apache NiFi
Created on 06-03-2022 11:40 PM - edited 06-03-2022 11:43 PM
Hello,
I've been trying to set up NiFi with single user authentication but got stuck in an "Access Unknown: Certificate and Token not found" error, and I'm unable to find a solution. Any help would be greatly appreciated.
So, I'm trying to deploy in a remote machine with Docker, with authentication provided by NiFi, using Nginx as a reverse proxy.
Maybe I have to pass the p12 file to NiFi, but I have no idea how to proceed.
My docker-compose file is as follows
```yaml
version: '3.9'

x-base: &base
  image: apache/nifi:1.16.2
  networks:
    - nifi

x-nifi-environment: &nifi-environment
  NIFI_WEB_HTTPS_PORT: 8443
  NIFI_CLUSTER_IS_NODE: "true"
  NIFI_ZK_CONNECT_STRING: "zookeeper:2181"
  NIFI_ELECTION_MAX_WAIT: "30 sec"
  NIFI_ELECTION_MAX_CANDIDATES: 2
  NIFI_SENSITIVE_PROPS_KEY: "my-random-string"
  NIFI_WEB_PROXY_CONTEXT_PATH: "//"
  NIFI_CLUSTER_NODE_PROTOCOL_PORT: 8082
  NIFI_WEB_PROXY_HOST: "nifi0:8443,nifi0,nifi0.mysite.com,nifi1:8443,nifi1,nifi1.mysite.com,nifi2:8443,nifi2,nifi2.mysite.com,nifi.mysite.com"
  NIFI_WEB_HTTPS_HOST: "0.0.0.0"
  SINGLE_USER_CREDENTIALS_USERNAME: "my_admin"
  SINGLE_USER_CREDENTIALS_PASSWORD: "PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  AUTH: "tls"
  KEYSTORE_PATH: "/opt/certs/keystore.jks"
  KEYSTORE_TYPE: "JKS"
  KEYSTORE_PASSWORD: "KEYSTORE_PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  TRUSTSTORE_PATH: "/opt/certs/truststore.jks"
  TRUSTSTORE_TYPE: "JKS"
  TRUSTSTORE_PASSWORD: "TRUSTSTORE_PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  NIFI_SECURITY_USER_AUTHORIZER: "single-user-authorizer"
  NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER: "single-user-provider"
  INITIAL_ADMIN_IDENTITY: "CN=my_admin, OU=NiFi"

services:
  zookeeper:
    container_name: zookeeper
    image: bitnami/zookeeper:3.8.0
    environment:
      - ALLOW_ANONYMOUS_LOGIN=yes
    networks:
      - nifi

  nifi0:
    <<: *base
    container_name: nifi0
    volumes:
      - nifi_certs:/opt/certs:ro
      - nifi0_conf:/opt/nifi/nifi-current/conf
      - nifi0_extensions:/opt/nifi/nifi-current/extensions
      - nifi0_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi0_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi0_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi0_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi0_state:/opt/nifi/nifi-current/state
      - nifi0_logs:/opt/nifi/nifi-current/logs
    environment:
      <<: *nifi-environment
      NIFI_CLUSTER_ADDRESS: "nifi0"
    networks:
      - nifi
      - npm_bridge

  nifi1:
    <<: *base
    container_name: nifi1
    volumes:
      - nifi_certs:/opt/certs:ro
      - nifi1_conf:/opt/nifi/nifi-current/conf
      - nifi1_extensions:/opt/nifi/nifi-current/extensions
      - nifi1_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi1_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi1_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi1_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi1_state:/opt/nifi/nifi-current/state
      - nifi1_logs:/opt/nifi/nifi-current/logs
    environment:
      <<: *nifi-environment
      NIFI_CLUSTER_ADDRESS: "nifi1"
    networks:
      - nifi
      - npm_bridge

networks:
  nifi:
    driver: bridge
  npm_bridge:
    external: true

volumes:
  nifi_certs:
    external: true
  # nifi 0
  nifi0_conf:
  nifi0_extensions:
  nifi0_database_repository:
  nifi0_flowfile_repository:
  nifi0_content_repository:
  nifi0_provenance_repository:
  nifi0_state:
  nifi0_logs:
  # nifi 1
  nifi1_conf:
  nifi1_extensions:
  nifi1_database_repository:
  nifi1_flowfile_repository:
  nifi1_content_repository:
  nifi1_provenance_repository:
  nifi1_state:
  nifi1_logs:
```
I'm using Nginx Proxy Manager, so my config is as follows
```nginx
server {
    set $forward_scheme https;
    set $server "nifi0";
    set $port 8443;

    listen 80;
    listen 443 ssl http2;
    server_name nifi0.mysite.com;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;

    # letsencrypt certificate
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    access_log /data/logs/proxy-host-3_access.log proxy;
    error_log /data/logs/proxy-host-3_error.log warn;

    # My actual configuration
    location / {
        proxy_set_header X-ProxyScheme https;
        proxy_set_header X-ProxyHost $host;
        proxy_set_header X-ProxyPort 443;
        proxy_set_header X-ProxyContextPath /;
        proxy_set_header X-ProxiedEntitiesChain <$ssl_client_s_dn>;
        proxy_pass $forward_scheme://$server:$port$request_uri;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}
```
The error is:
NiFi login error
But no error is generated at nifi-user.log file.
Thank you.
Created 06-08-2022 11:34 PM
@Arqui ,
Your initial admin should be simply:
INITIAL_ADMIN_IDENTITY: "my_admin"
Cheers,
André
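A small check for the mismatch this reply points out, together with the proxy host allow-list from the question's compose file. This is an added example, not code from the thread or the NiFi project: `check_identity`, `check_proxy_hosts` and the shortened `QUESTION_ENV` are hypothetical names built from the question's values, and it assumes allow-list entries are compared as whole `host[:port]` strings, case-insensitively.

```python
"""Added example: lint a NiFi docker-compose environment for two settings from this thread."""

# Constructed sample: the relevant keys from the question's compose file
# (NIFI_WEB_PROXY_HOST shortened for readability).
QUESTION_ENV = {
    "NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER": "single-user-provider",
    "NIFI_SECURITY_USER_AUTHORIZER": "single-user-authorizer",
    "SINGLE_USER_CREDENTIALS_USERNAME": "my_admin",
    "INITIAL_ADMIN_IDENTITY": "CN=my_admin, OU=NiFi",
    "NIFI_WEB_PROXY_HOST": "nifi0:8443,nifi0,nifi0.mysite.com,nifi.mysite.com",
}


def check_identity(env):
    """Return findings about the admin identity when single-user login is configured."""
    findings = []
    if env.get("NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER") != "single-user-provider":
        return findings  # the check only applies to single-user login
    user = env.get("SINGLE_USER_CREDENTIALS_USERNAME", "")
    admin = env.get("INITIAL_ADMIN_IDENTITY", "")
    if not user:
        findings.append("SINGLE_USER_CREDENTIALS_USERNAME is not set")
    elif admin != user:
        # A value such as "CN=my_admin, OU=NiFi" is a certificate DN, not the login name.
        kind = "a certificate DN" if "CN=" in admin.upper() else "a different name"
        findings.append(f"INITIAL_ADMIN_IDENTITY is {kind} ({admin!r}); expected {user!r}")
    return findings


def check_proxy_hosts(env, host_headers):
    """Return the Host header values that are missing from NIFI_WEB_PROXY_HOST."""
    raw = env.get("NIFI_WEB_PROXY_HOST", "")
    allowed = {h.strip().lower() for h in raw.split(",") if h.strip()}
    return [h for h in host_headers if h.strip().lower() not in allowed]


if __name__ == "__main__":
    for finding in check_identity(QUESTION_ENV):
        print("identity:", finding)
    # Host values a client or proxy might send; "localhost:8443" is a constructed test value.
    for host in check_proxy_hosts(QUESTION_ENV, ["nifi0.mysite.com", "nifi0:8443", "localhost:8443"]):
        print("proxy host not allow-listed:", host)
```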
Created 06-10-2022 12:48 PM
Hello @araujo, thank you so much for your response, I've changed "INITIAL_ADMIN_IDENTITY" value to "my_admin", but the same error has happened.
I'm trying to follow this tutorial: Setting Up a Secure Apache NiFi Registry, in his case, the browser asks for the p12 cert file, in my case doesn't happen, maybe because it's running behind a proxy?
I've no idea how to pass this cert, I did try to import to the browser, but nothing happened, besides, informing the wrong user/pass it does say they're incorrect, and more, for this error, no log is generated, so I'm lost.
If you have any other idea, please let me know, thanks again.
Created 06-13-2022 05:10 PM
Hi, @Arqui ,
I've made a few changes to your docker-compose.yml file to automatically generate certificates and set credentials. Please check it out here.
You don't need to provide or configure anything manually. Just start the docker composer, connect to https://localhost:8443/nifi and authenticate with admin/supersecret1 (you can change username and password in the compose configuration).
Cheers,
André
Created 06-22-2022 01:03 PM
Hi @araujo.
It's working perfectly, thank you so much.
One last thing, before I was able to proxy via nginx, but now it gives connection refused, do you have an idea of where I should look for?
Thanks.
Created 06-22-2022 03:55 PM
@Arqui ,
Are you running your nginx externally? How are you trying to connect?
Cheers,
André
Created 06-24-2022 11:08 AM
Hi @araujo I'm using Nginx Proxy Manager, in the same Docker, maybe was working before because the cert was not
I'm trying to connect via localhost.
Created 06-22-2022 06:20 PM
@Arqui ,
I've added nginx as a load balancer/proxy to the compose file.
Cheers,
André
