Created 03-19-2024 03:10 PM
Good day -- I am having trouble getting NiFi Registry to work with OIDC. I have NiFi itself, configured successfully -- working with Keycloak as the OIDC provider. Everything is containerized -- I have a Docker stack running Traefik, Bind9, and Keycloak.
I have another stack running NiFi (X2), Zookeeper, and NiFi Registry.
As I stated, I have NiFi set up and working just fine with Keycloak. However, NiFi Registry is not prompting me for any login. It is not routing the request back to Keycloak for login, and when you see the NiFi Registry page, there is no identity listed and no menu options available.
It just looks like this:
I have my authorizers.xml file set up this way:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 2">random@random.com</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">random@random.com</property>
<property name="NiFi Group Name"></property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>
And I have the relevant parts of my nifi-registry.properties configured this way:
# security properties #
nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/certs/p12/random.com.p12
nifi.registry.security.keystoreType=pkcs12
nifi.registry.security.keystorePasswd=obfuscatedPassword
nifi.registry.security.keyPasswd=obfuscatedPassword
nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/certs/jks/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=obfuscatedPassword
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=openid
# OIDC #
nifi.registry.security.user.oidc.discovery.url=https://random.com/realms/random/.well-known/openid-configuration
nifi.registry.security.user.oidc.connect.timeout=5 secs
nifi.registry.security.user.oidc.read.timeout=5 secs
nifi.registry.security.user.oidc.client.id=flows-registry.random.com
nifi.registry.security.user.oidc.client.secret=obfscatedSecret
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=openid,email,profile,offline_access
nifi.registry.security.user.oidc.claim.identifying.user=email
nifi.registry.security.user.oidc.fallback.claims.identifying.user=email
nifi.registry.security.user.oidc.claim.groups=groups
nifi.registry.security.user.oidc.truststore.strategy=JDK
nifi.registry.security.user.oidc.token.refresh.window=60 secs
notably, i ensured that I set this line `
Created 03-20-2024 06:46 AM
I'm hoping to add some additional clarity to this question in the form of a partial log extract of relevant information, which you will see below, followed by additional context that I will provide:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.nifi.registry.web.security.authentication.oidc.OidcService]: Constructor threw exception
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:223)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:111)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:315)
... 60 common frames omitted
Caused by: java.lang.RuntimeException: OpenId Connect support cannot be enabled if the Login Identity Provider or Apache Knox SSO is configured.
at org.apache.nifi.registry.web.security.authentication.oidc.StandardOidcIdentityProvider.validateOIDCConfiguration(StandardOidcIdentityProvider.java:200)
at org.apache.nifi.registry.web.security.authentication.oidc.StandardOidcIdentityProvider.initializeProvider(StandardOidcIdentityProvider.java:120)
at org.apache.nifi.registry.web.security.authentication.oidc.OidcService.<init>(OidcService.java:71)
at org.apache.nifi.registry.web.security.authentication.oidc.OidcService.<init>(OidcService.java:54)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:210)
... 62 common frames omitted
2024-03-20 12:46:17,451 INFO [main] o.e.jetty.server.handler.ContextHandler Started oeje10w.WebAppContext@9742012{nifi-registry-docs,/nifi-registry-docs,b=file:///opt/nifi-registry/nifi-registry-current/work/jetty/nifi-registry-web-docs-2.0.0-M2.war/webapp/,a=AVAILABLE,h=oeje10s.SessionHandler@60773809{STARTED}}{./lib/nifi-registry-web-docs-2.0.0-M2.war}
Here is the additional context:
1. Upon initial loading of the Docker Stack, I had the Environment Variable relating to the login identity set as follows:
CN=admin
2. I spun up the docker stack.
3. I had two new files which I had set up as I indicated in the original post, above.
4. While the stack was up, I copied in the two new files: `authorizers.xml` and `nifi-registry.properties`.
5. importantly, I had the relevant volume created in a semi-persistent way. At the bottom of the docker file, I had this:
volumes:
nifi_registry_conf:
I also had the correlative setting up higher in the yaml, like this:
volumes:
- nifi_registry_conf:/opt/nifi-registry/nifi-registry-current/conf
6. I took down the docker stack.
7. I spun up the docker stack, again, confirming that the contents of the two files in question were indeed present as anticipated.
8. The above logs occurred, which may have something to do with NiFi Registry failing to redirect a request to Keycloak.
IMPORTANTLY:
I have tried this various ways -- all of which produced similar messages in the logs:
1. I have spun up the docker stack without an INITIAL_ADMIN_IDENTITY at all, and repeated the aforementioned processes, with the same basic result.
2. I have spun up the docker stack with an INITIAL_ADMIN_IDENTITY, and this time, I copied out four files: `nifi-registry.properties`, `authorizers.xml`, `authorizations.xml`, and `users.xml`. Upon doing this, I changed the values in the `users.xml` from `CN=admin` to `obfuscatedemail@random.com`. Then I brought the docker stack down and removed the semi-persistent volumes. I then commented out the INITIAL_ADMIN_IDENTITY field, and spun up the docker stack again. Now I copied back in these four files, and brought the docker stack down again. Then I spun it back up again (so that it would start with the new values). No matter -- the same basic result with the same basic logs.
3. I did a similar thing to item 2, above, but only with the `nifi-registry.properties` file and the `authorizers.xml` file. Then I exec'd into the docker container and removed the `users.xml` and `authorizations.xml` files completely. Then I took down the stack and spun it back up (which forces it to recreate new `users.xml` and `authorizations.xml` files. No matter -- the same basic result with the same basic logs.
OBSERVATIONS: The error message `Caused by: java.lang.RuntimeException: OpenId Connect support cannot be enabled if the Login Identity Provider or Apache Knox SSO is configured.` seems to imply or reference a setting in `nifi.properties` that does NOT exist in `nifi-registry.properties` -- the `nifi.security.user.login.identity.provider` field. A correlative field in `nifi-registry.properties` would be, for example, `nifi.registry.security.user.login.identity.provider`. However, as I said, this field doesn't exist. The error message is generic in the sense that it seems to indicate potential frustration with EITHER Apache Knox SSO, or Login Identity Provider. Since none of my setup involved Apache Knox, the assumption is that the program is upset about something pertaining to the Login Identity Provider. However, I have no idea what it might be upset about or what it is referring to.
It is of very little help that while the `Nifi System Administrator's Guide` has an entire section on OpenID Connect: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#openid_connect , the `Nifi Registry System Administrator's Guide` has no correlative section or correlative information.
Created 04-04-2024 04:23 AM
Good Morning -- any takers on helping answer this question? I would be super appreciative.
Created 03-20-2024 10:07 AM