Created 06-23-2022 03:15 AM
Hello there,
I'm upgrading a Nifi cluster (managed by ambri) to v1.15.3, therefore I have to secure it and activate ssl. I followed the installation steps from the official documentations, generated certificates (using Ambari Certificate Authority), and configured the Node Identities in Ambari. Still I have the "Untrusted proxy" error when I try to reach Nifi web interface.
Below is my configuration :
authorizers.xml
<authorizers>
            <userGroupProvider>
            <identifier>file-user-group-provider</identifier>
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
            <property name="Users File">./conf/users.xml</property>
            <property name="Legacy Authorized Users File" />
            <property name="Initial User Identity 0">CN=admin, OU=NIFI</property>
<property name="Initial User Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
            </userGroupProvider>
            <accessPolicyProvider>
            <identifier>file-access-policy-provider</identifier>
            <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
            <property name="User Group Provider">file-user-group-provider</property>
            <property name="Authorizations File">./conf/authorizations.xml</property>
            <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
            <property name="Legacy Authorized Users File" />
<property name="Node Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
            </accessPolicyProvider>
            <authorizer>
            <identifier>file-provider</identifier>
            <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
            <property name="Access Policy Provider">file-access-policy-provider</property>
            </authorizer>
users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e" identity="CN=nif2-adm.mydomain.com, OU=NIFI"/>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
        <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2" identity="CN=nif3-adm.mydomain.com, OU=NIFI"/>
        <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85" identity="CN=nif1-adm.mydomain.com, OU=NIFI"/>
    </users>
</tenants>
authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="260562db-2b2b-390b-8145-b5d7c772f16c" resource="/data/process-groups/296adb65-017d-10                                                                                                                            00-9a99-58089f2f0766" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
        <policy identifier="b77d6f8f-ceb3-3131-8973-9cc5c6ccb566" resource="/data/process-groups/296adb65-017d-10                                                                                                                            00-9a99-58089f2f0766" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
        <policy identifier="d9966a39-db8d-3533-b6e5-c4e18045f1d0" resource="/process-groups/296adb65-017d-1000-9a                                                                                                                            99-58089f2f0766" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="68a09709-f44f-3b57-912d-96295e1574bf" resource="/process-groups/296adb65-017d-1000-9a                                                                                                                            99-58089f2f0766" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
        </policy>
        <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
            <user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
            <user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
            <user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
        </policy>
    </policies>
</authorizations>My 3 hosts have the /proxy Write permission, still I face the error message.
I suspect an issue with the mismatch between hostnames in Ambari and hostnames in Nifi, but can't find a workaround.
Thanks in advance for your support.
Regards.
Vincent.
Created 06-28-2022 11:12 AM
@VinceSailor 
Check your nifi.properties file for an identity mapping pattern that contains a Java regex that matches on your DNs.  If one does match, the corresponding value is returned and passed to authorizer.
so it might be possible your authorizer is only getting:
nif1-adm.mydomain.com
instead of:
CN=nif1-adm.mydomain.com, OU=NIFI
Thus resulting in your untrusted proxy exception.
That untrusted proxy error should include the exact identity string the authorizer was passed.
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.
Thank you,
Matt
Created 06-24-2022 01:44 PM
Can you check in nifi-users.xml the authorization error? This will show us the principal which is trying to connect. It should be the owner of the certificate store into keystore.jks. Make sure that matches with the principals that are created into users.xml
Created on 07-12-2022 12:15 AM - edited 07-12-2022 05:38 AM
Hello,
Sorry did not notice your reply.
nifi-users.log :
nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed x.x.x.x GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]
I tried with the 3 members of the cluster, resulting in the same error.
Keystore :
keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Jul 12, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nif1-adm.mydomain.com, OU=NIFI
Issuer: CN=amb1.mydomain.com, OU=NIFI
Thanks !
Regards.
Created 06-24-2022 09:29 PM
Could you please share the full "untrusted proxy" message?
Cheers,
André
Created on 07-12-2022 05:36 AM - edited 07-12-2022 05:36 AM
Hello André,
Below is the error log :
nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.97.225.179 GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]
Attached the screenshot :
Kind regards.
Created 06-28-2022 11:12 AM
@VinceSailor 
Check your nifi.properties file for an identity mapping pattern that contains a Java regex that matches on your DNs.  If one does match, the corresponding value is returned and passed to authorizer.
so it might be possible your authorizer is only getting:
nif1-adm.mydomain.com
instead of:
CN=nif1-adm.mydomain.com, OU=NIFI
Thus resulting in your untrusted proxy exception.
That untrusted proxy error should include the exact identity string the authorizer was passed.
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.
Thank you,
Matt
Created 07-13-2022 05:16 AM
Hello Matt,
Thank you ! this solved the error (now I'm facing another one, but will figure it out 🙂 ). For further reference I had to configure those 3 lines in nifi.properties :
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1@$2
Thanks.
Vince.
 
					
				
				
			
		
