Hello
I used tls-toolkit to generate the keys and certificates:
tls-toolkit.sh standalone -n localhost -C 'CN=admin,OU=NIFI'
Started NiFi through the 'latest' docker image:
docker run --name securednifi \
-v /home/peter/playground/nifirenderdemo/certs:/opt/certs \
-p 8443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/localhost/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD="xyaCZWLb8GHM20/dghr6nL0p2Z8r6sK5Q81cRZAA/A0" \
-e TRUSTSTORE_PATH=/opt/certs/localhost/truststore.jks \
-e TRUSTSTORE_PASSWORD="4fmyZFm1FevdAmeYEsCHxjzSB/S8sAb+/9w7VQZ0Lms" \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin,OU=NIFI' \
-d \
apache/nifi:latest
The passwords were copied from the localhost/nifi.properties file generated by tls-toolkit.
The certificate was imported into the browser.
Trying to open NiFi gives:
Insufficient Permissions
Unknown user with identity 'CN=admin, OU=NIFI'. Contact the system administrator.
Checked:
- nifi.security properties in nifi.properties
- users.xml - identity
- authorizations.xml - identifier of policy elements matches users.xml
Noticed:
- The host in nifi.properties configured for nifi.remote.input.host refers to the docker host name (ca....)
- In nifi-users.log there is:
2020-02-14 10:56:53,454 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: CN=admin,OU=NIFI
...
2020-02-14 10:57:43,063 WARN [NiFi Web Server-75] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.
at org.apache.nifi.web.api.AccessResource.createAccessTokenFromTicket(AccessResource.java:641)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
2020-02-14 10:57:43,362 WARN [NiFi Web Server-75] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
java.lang.IllegalStateException: OpenId Connect is not configured.
at org.apache.nifi.web.api.AccessResource.oidcExchange(AccessResource.java:298)
...
2020-02-14 10:57:43,472 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin, OU=NIFI) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 172.17.0.1)
2020-02-14 10:57:43,481 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin, OU=NIFI
2020-02-14 10:57:43,817 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=admin, OU=NIFI'. Returning Forbidden response.
Not sure whether any of this is a real problem. I also do not immediately find information on the above in the context of two-way SSL without LDAP or Registry.
At this point I am out of inspiration, tbh.
So, all tips really appreciated!
Tx
Peter
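Added diagnostic, not part of Peter's post: the nifi-users.log lines above show the identity taken from the client certificate as 'CN=admin, OU=NIFI' (a space after the comma), while INITIAL_ADMIN_IDENTITY was passed as 'CN=admin,OU=NIFI' (no space). NiFi's file-based user/group provider compares identities as exact, case-sensitive strings unless identity mappings (nifi.security.identity.mapping.*) are configured, so a one-character difference is enough for "Unknown user". The script below pulls the presented identity out of the log lines quoted in the post and compares it against the identities in a users.xml, reporting whether the mismatch is only whitespace or case. The users.xml content is constructed from the INITIAL_ADMIN_IDENTITY value in the post, not copied from the server, and its identifier attribute is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Two lines copied from the nifi-users.log excerpt in the post.
LOG_LINES = """\
2020-02-14 10:57:43,481 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin, OU=NIFI
2020-02-14 10:57:43,817 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=admin, OU=NIFI'. Returning Forbidden response.
""".splitlines()

# Constructed users.xml: assumes the image wrote the INITIAL_ADMIN_IDENTITY
# value verbatim. The identifier is a placeholder, not a real NiFi UUID.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="placeholder-admin-id" identity="CN=admin,OU=NIFI"/>
    </users>
</tenants>
"""

# The two places nifi-users.log prints the identity NiFi actually resolved.
AUTH_OK_RE = re.compile(r"Authentication success for (.+)$")
DENIED_RE = re.compile(r"Unknown user with identity '([^']+)'")


def presented_identities(lines):
    """Identities NiFi extracted from the client certificate, as logged."""
    found = set()
    for line in lines:
        for rx in (AUTH_OK_RE, DENIED_RE):
            m = rx.search(line)
            if m:
                found.add(m.group(1).strip())
    return sorted(found)


def configured_identities(xml_text):
    """Identity strings of every <user> element in users.xml."""
    root = ET.fromstring(xml_text)
    return [u.get("identity") for u in root.iter("user")]


def normalize(identity):
    """Collapse whitespace around RDN separators. NiFi does NOT do this by
    itself (only an identity mapping would), which is why the comparison
    below can tell a whitespace-only mismatch from a real one."""
    return re.sub(r"\s*,\s*", ",", identity.strip())


def diagnose(log_lines, users_xml):
    """Map each identity seen in the log to how it relates to users.xml."""
    configured = configured_identities(users_xml)
    normalized = {normalize(c) for c in configured}
    lowered = {normalize(c).lower() for c in configured}
    verdicts = {}
    for ident in presented_identities(log_lines):
        if ident in configured:
            verdicts[ident] = "exact match"
        elif normalize(ident) in normalized:
            verdicts[ident] = "whitespace mismatch"
        elif normalize(ident).lower() in lowered:
            verdicts[ident] = "case mismatch"
        else:
            verdicts[ident] = "no match"
    return verdicts


if __name__ == "__main__":
    for ident, verdict in diagnose(LOG_LINES, USERS_XML).items():
        print(f"{ident!r}: {verdict}")
```

Run it against the real nifi-users.log and users.xml from the container (docker cp them out) rather than the constructed sample; a "whitespace mismatch" verdict means the configured identity has to be written the way the log prints it, or an identity mapping has to be configured, for the file provider to find the user.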