
NiFi server doesn't start after going secure.


We use NiFi 1.5.0 with 'nifi-toolkit-1.5.0.3.1.0.0-564' on Windows, standalone (no cluster, we are at the beginning of the NiFi way).

After reconfiguring for SSL, following various instructions, and testing a lot of different configs, restarting with a 'clean' installation etc., I am stalled:

  • Certs etc. are made with nifi toolkit, standalone:
    tls-toolkit.bat standalone -n localhost -C "CN=admin,OU=NIFI"
  • authorizers.xml is like this (only change):
    ...
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    ...
  • keystore and truststore are in ./conf (I also tested with absolute path)
  • client cert is imported

Any configuration like this starts up and stops with some exceptions. Without the "Initial Admin Identity" attribute in authorizers.xml the server starts normally, but no one can log in due to permission issues.

The nifi-user.log and nifi-bootstrap.log look OK, but not nifi-app.log:
more or less all exceptions end up with something like:

2018-02-07 17:06:28,110 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@776a7ec6{SSL,[ssl, http/1.1]}{localhost:9443}
2018-02-07 17:06:28,110 INFO [main] org.eclipse.jetty.server.Server Started @31471ms
2018-02-07 17:06:28,111 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setX509AuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin CN=admin, OU=NIFI to seed policies
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:667)
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
....
Caused by: ... AuthorizerCreationException: Unable to locate initial admin CN=admin, OU=NIFI to seed policies
....
....
2018-02-07 17:06:28,122 INFO [Thread-1] org.eclipse.jetty.server.session Stopped scavenging

Any hints?

Thanks a lot; .m.

4 REPLIES


It appears that you are specifying a different DN string in your command-line invocation of the TLS Toolkit and your initial admin identity:

tls-toolkit.bat standalone -n localhost -C "CN=admin,OU=NIFI"

<property name="Initial Admin Identity">CN=admin, OU=NIFI</property>

There is a space between "admin," and "OU=NIFI" in the IAI property definition, but not in the certificate generation command. These strings need to match for NiFi to authenticate the user via client certificate/LDAP/Kerberos.


Thanks for replying.

I tested different strings; I found a lot of issues about different writings, but it didn't solve our problems.

Other hints?


Try removing the users.xml and authorizations.xml files (back these up if you have made other changes prior to securing the application). These files are generated and populated if they are not present at application startup, which means they will be auto-generated the first time the application is run, but not re-generated automatically once they exist. Ensure your files look something like the following:

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c" identity="CN=alopresto, OU=Apache NiFi"/>
    </users>
</tenants>

authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">CN=alopresto, OU=Apache NiFi</property>
        <property name="Legacy Authorized Users File"></property>
    </authorizer>
</authorizers>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="0f4d2dd0-7c8b-39ce-8292-0e459a8dd69f" resource="/flow" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="9f665453-1e5f-36b4-8f4c-e125491c1fd2" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="38e2a10c-a75f-3b48-8954-6e5af69c837b" resource="/data/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="67684272-2833-32e6-954a-d33b7dfc80b2" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="ce02741b-adb1-37cf-a818-7d5476e49805" resource="/process-groups/4aa66ece-015a-1000-4348-efd94f63c4df" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="2148640b-305c-3c53-8a92-5111159729a1" resource="/restricted-components" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="cc00676b-e0bb-34be-8ae5-89a35dd3ebcb" resource="/tenants" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="2bf2a497-4045-37d6-8a7f-e8b2753da197" resource="/tenants" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="9abc4f3b-008c-3ad2-81d3-85410b435c2e" resource="/policies" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="f4d3b871-7144-3d22-b93d-67110a369647" resource="/policies" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="e6cdf807-d293-3c5c-8123-0b42c4370a7e" resource="/controller" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="03947efb-1e7c-3c42-90ac-ba0ebd1e64fd" resource="/controller" action="W">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
        <policy identifier="015a1025-3be1-13fc-af08-0f6bf4e9285a" resource="/provenance" action="R">
            <user identifier="69d36646-d7cd-33ef-83a7-54d95f67214c"/>
        </policy>
    </policies>
</authorizations>
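
The two replies above come down to one exact-string check: the certificate DN, the Initial Admin Identity in authorizers.xml and, once the file exists, an identity in users.xml must all agree. The following Python check is an added example, not code from the thread or from NiFi; the sample XML, the identifier values and the helper names are constructed, and it assumes the comparison is an exact string match, as the first reply states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread (not real config files).
CERT_SUBJECT = "CN=admin,OU=NIFI"   # assumed DN of the client cert (-C value in the thread)
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
  </authorizer>
</authorizers>"""
USERS_XML = """<tenants><groups/><users>
  <user identifier="constructed-id-1" identity="CN=old-admin, OU=NIFI"/>
</users></tenants>"""


def initial_admin(authorizers_xml):
    """Return the 'Initial Admin Identity' value exactly as written, or None."""
    root = ET.fromstring(authorizers_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return prop.text or ""
    return None


def squash(dn):
    """Drop whitespace around RDN separators; used only to explain a mismatch."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def check_identity(cert_subject, authorizers_xml, users_xml=None):
    """List findings; an empty list means the strings agree exactly."""
    findings = []
    admin = initial_admin(authorizers_xml)
    if not admin:
        return ["no Initial Admin Identity set in authorizers.xml"]
    if admin != cert_subject:
        why = "whitespace only" if squash(admin) == squash(cert_subject) else "different DN"
        findings.append(f"cert DN {cert_subject!r} != Initial Admin Identity {admin!r} ({why})")
    if users_xml is not None:  # file already exists, so it will not be re-seeded
        known = {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}
        if admin not in known:
            findings.append(f"{admin!r} not in existing users.xml; back up and remove "
                            "users.xml and authorizations.xml so they are regenerated")
    return findings
```

Take the certificate DN from the certificate itself (for example the `Owner:` line of `keytool -list -v`) rather than from the command line, since that is the string being compared.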


Thanks for your detailed answer.

It looks better now; users.xml and authorizations.xml seem to be correct (which they did not before).

Actually I have to go through 2 steps:

First I replace in nifi.properties the line "nifi.security.user.authorizer=managed-authorizer" with "nifi.security.user.authorizer=file-provider" and clean authorizers.xml, leaving only file-provider and userGroupProvider. After 'cleaning' NiFi (deleting the (empty) users.xml and authorizations.xml and keystore etc.) and rebuilding with nifi-toolkit, NiFi starts and populates users.xml and authorizations.xml with reasonable entries, but stops again.

Second, I undo the changes in nifi.properties and authorizers.xml and restart NiFi. It now runs stable. Phew.