Hello there,
I'm upgrading a Nifi cluster (managed by ambri) to v1.15.3, therefore I have to secure it and activate ssl. I followed the installation steps from the official documentations, generated certificates (using Ambari Certificate Authority), and configured the Node Identities in Ambari. Still I have the "Untrusted proxy" error when I try to reach Nifi web interface.
Below is my configuration :
- Nifi hosts as declared in Ambari :
- nif1.mydomain.com
- nif2.mydomain.com
- nif3.mydomain.com
- I'm accessing them (ssh & https) using other FQDNs, which I used to generate the certificates :
- nif1-adm.mydomain.com
- nif2-adm.mydomain.com
- nif3-adm.mydomain.com
authorizers.xml
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File" />
<property name="Initial User Identity 0">CN=admin, OU=NIFI</property>
<property name="Initial User Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
<property name="Legacy Authorized Users File" />
<property name="Node Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
</accessPolicyProvider>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e" identity="CN=nif2-adm.mydomain.com, OU=NIFI"/>
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2" identity="CN=nif3-adm.mydomain.com, OU=NIFI"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85" identity="CN=nif1-adm.mydomain.com, OU=NIFI"/>
</users>
</tenants>
authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="260562db-2b2b-390b-8145-b5d7c772f16c" resource="/data/process-groups/296adb65-017d-10 00-9a99-58089f2f0766" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
<policy identifier="b77d6f8f-ceb3-3131-8973-9cc5c6ccb566" resource="/data/process-groups/296adb65-017d-10 00-9a99-58089f2f0766" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
<policy identifier="d9966a39-db8d-3533-b6e5-c4e18045f1d0" resource="/process-groups/296adb65-017d-1000-9a 99-58089f2f0766" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="68a09709-f44f-3b57-912d-96295e1574bf" resource="/process-groups/296adb65-017d-1000-9a 99-58089f2f0766" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
</policies>
</authorizations>
My 3 hosts have the /proxy Write permission, still I face the error message.
I suspect an issue with the mismatch between hostnames in Ambari and hostnames in Nifi, but can't find a workaround.
Thanks in advance for your support.
Regards.
Vincent.
