Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Nifi SSL - Insufficient Permissions : Untrusted proxy

avatar
Explorer

Hello there,

 

I'm upgrading a Nifi cluster (managed by ambri) to v1.15.3, therefore I have to secure it and activate ssl. I followed the installation steps from the official documentations, generated certificates (using Ambari Certificate Authority), and configured the Node Identities in Ambari. Still I have the "Untrusted proxy" error when I try to reach Nifi web interface.

 

Below is my configuration :

  • Nifi hosts as declared in Ambari :
    • nif1.mydomain.com
    • nif2.mydomain.com
    • nif3.mydomain.com
  • I'm accessing them (ssh & https) using other FQDNs, which I used to generate the certificates :
    • nif1-adm.mydomain.com
    • nif2-adm.mydomain.com
    • nif3-adm.mydomain.com

authorizers.xml

 

<authorizers>


            <userGroupProvider>
            <identifier>file-user-group-provider</identifier>
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
            <property name="Users File">./conf/users.xml</property>
            <property name="Legacy Authorized Users File" />
            <property name="Initial User Identity 0">CN=admin, OU=NIFI</property>

<property name="Initial User Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
            </userGroupProvider>

            <accessPolicyProvider>
            <identifier>file-access-policy-provider</identifier>
            <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
            <property name="User Group Provider">file-user-group-provider</property>
            <property name="Authorizations File">./conf/authorizations.xml</property>
            <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
            <property name="Legacy Authorized Users File" />

<property name="Node Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
            </accessPolicyProvider>

            <authorizer>
            <identifier>file-provider</identifier>
            <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
            <property name="Access Policy Provider">file-access-policy-provider</property>

            </authorizer>

 

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e" identity="CN=nif2-adm.mydomain.com, OU=NIFI"/>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
        <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2" identity="CN=nif3-adm.mydomain.com, OU=NIFI"/>
        <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85" identity="CN=nif1-adm.mydomain.com, OU=NIFI"/>
    </users>
</tenants>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="260562db-2b2b-390b-8145-b5d7c772f16c" resource="/data/process-groups/296adb65-017d-10                                                                                                                            00-9a99-58089f2f0766" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
        <policy identifier="b77d6f8f-ceb3-3131-8973-9cc5c6ccb566" resource="/data/process-groups/296adb65-017d-10                                                                                                                            00-9a99-58089f2f0766" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
        <policy identifier="d9966a39-db8d-3533-b6e5-c4e18045f1d0" resource="/process-groups/296adb65-017d-1000-9a                                                                                                                            99-58089f2f0766" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="68a09709-f44f-3b57-912d-96295e1574bf" resource="/process-groups/296adb65-017d-1000-9a                                                                                                                            99-58089f2f0766" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
    </policies>
</authorizations>

My 3 hosts have the /proxy Write permission, still I face the error message.

 

I suspect an issue with the mismatch between hostnames in Ambari and hostnames in Nifi, but can't find a workaround.

 

Thanks in advance for your support.

 

Regards.

 

Vincent.

1 ACCEPTED SOLUTION

avatar
Super Mentor

@VinceSailor 
Check your nifi.properties file for an identity mapping pattern that contains a Java regex that matches on your DNs.  If one does match, the corresponding value is returned and passed to authorizer.

so it might be possible your authorizer is only getting:

 

nif1-adm.mydomain.com

 

instead of:

CN=nif1-adm.mydomain.com, OU=NIFI

Thus resulting in your untrusted proxy exception.
That untrusted proxy error should include the exact identity string the authorizer was passed.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

 

View solution in original post

6 REPLIES 6

avatar
Rising Star

Can you check in nifi-users.xml the authorization error? This will show us the principal which is trying to connect. It should be the owner of the certificate store into keystore.jks. Make sure that matches with the principals that are created into users.xml

avatar
Explorer

Hello,

Sorry did not notice your reply.

nifi-users.log :

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed x.x.x.x GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

 

I tried with the 3 members of the cluster, resulting in the same error.

 

Keystore :

 

keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Jul 12, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nif1-adm.mydomain.com, OU=NIFI
Issuer: CN=amb1.mydomain.com, OU=NIFI

 

 

Thanks !

Regards.

 

 

avatar
Super Guru

@VinceSailor ,

 

Could you please share the full "untrusted proxy" message?

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Hello André,

Below is the error log :

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.97.225.179 GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

 

Attached the screenshot :

 

nifi_untrusted_proxy.png

 

 

Kind regards.

avatar
Super Mentor

@VinceSailor 
Check your nifi.properties file for an identity mapping pattern that contains a Java regex that matches on your DNs.  If one does match, the corresponding value is returned and passed to authorizer.

so it might be possible your authorizer is only getting:

 

nif1-adm.mydomain.com

 

instead of:

CN=nif1-adm.mydomain.com, OU=NIFI

Thus resulting in your untrusted proxy exception.
That untrusted proxy error should include the exact identity string the authorizer was passed.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

 

avatar
Explorer

Hello Matt,

Thank you ! this solved the error (now I'm facing another one, but will figure it out 🙂 ). For further reference I had to configure those 3 lines in nifi.properties :

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1@$2

 

Thanks.

Vince.