Created on 02-21-2019 08:53 PM - edited 08-17-2019 04:59 PM
I'd like to turn on SSL mode for Nifi UI.
I'm having a single Nifi node which is running:
- HDF 3.1.2
- Nifi 1.5
This is what I have done:
- I used TLS Toolkit (standalone mode) to generate keystore/truststore and P12 file as instructed in here: https://community.hortonworks.com/articles/58233/using-the-tls-toolkit-to-simplify-security.html
- I imported above P12 to my browser in my laptop (note that my Nifi is running in a cloud server - not my laptop).
- I'm able to access the Nifi UI on the secured port, but it shows an "Insufficient Permissions" error in the UI:
- I have tried deleting "authorizations.xml" and "users.xml" under "/var/lib/nifi/conf" before restarting Nifi, but that doesn't resolve it.
Can anyone please help me figure out what I might be missing?
- I have attached the content of my "users.xml" and "authorizations.xml".
- This is the content of my authorizers.xml:
<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Users File">/var/lib/nifi/conf/users.xml</property>
    <property name="Initial Admin Identity">CN=scarroll, OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
    <property name="CN=localhost, OU=NIFI"></property>
    <!--
    <property name="Node Identity 2"></property>
    <property name="Node Identity 3"></property>
    <property name="Node Identity 4"></property>
    -->
  </authorizer>
</authorizers>
- This is the content of my P12 file (truncated, the one I imported into my browser), which contains 2 certificates:
keytool -list -v -keystore CN=scarroll_OU=NIFI.p12 -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Feb 21, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scarroll, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7d2b300000000
Valid from: Thu Feb 21 11:33:42 EST 2019 until: Sun Feb 20 11:33:42 EST 2022
Certificate fingerprints: ...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions: ....
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints: ...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
- This is the content of the keystore (truncated) on my Nifi server:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Feb 21, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c84000000000
Valid from: Thu Feb 21 11:33:39 EST 2019 until: Sun Feb 20 11:33:39 EST 2022
Certificate fingerprints: ...
Extensions: ...
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints: ...
Signature algorithm name: SHA256withRSA
Version: 3
- This is the content of the truststore (truncated) on my Nifi server:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-cert
Creation date: Feb 21, 2019
Entry type: trustedCertEntry
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints: ...
Version: 3
Extensions:
- users.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="fea243e2-c7e5-3a98-b666-f646700c4b89" identity="CN=scarroll, OU=NIFI"/>
  </users>
</tenants>
Created 02-21-2019 09:14 PM
I see a mistake in your authorizers.xml:
<property name="CN=localhost, OU=NIFI"></property>
The above line should actually be:
<property name="Node Identity 1">CN=localhost, OU=NIFI</property>
Keep in mind that NiFi only builds the users.xml and authorizations.xml files from the authorizers.xml file configuration if those files do not already exist.
So once you fix your authorizers.xml, you will need to delete or rename your existing users.xml and authorizations.xml files before starting NiFi.
-
Thanks,
Matt
-
If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
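As an added example (not from this thread or the NiFi project), a stdlib-only Python script that catches exactly the mistake Matt points out in a FileAuthorizer configuration and rewrites it the way he describes. The sample XML is constructed to mirror the question's authorizers.xml; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's misconfigured authorizers.xml: the
# node DN is written as a property *name* with an empty value.
BROKEN_AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=scarroll, OU=NIFI</property>
    <property name="CN=localhost, OU=NIFI"></property>
  </authorizer>
</authorizers>"""

FILE_AUTHORIZER = "org.apache.nifi.authorization.FileAuthorizer"
DN_RE = re.compile(r"^\s*CN=", re.IGNORECASE)   # text that is really a DN
NODE_ID_RE = re.compile(r"^Node Identity \d+$")  # the property name NiFi expects

def lint_file_authorizer(xml_text):
    """Return human-readable findings for each FileAuthorizer in the config."""
    findings = []
    for auth in ET.fromstring(xml_text).iter("authorizer"):
        if auth.findtext("class") != FILE_AUTHORIZER:
            continue
        props = {p.get("name", ""): (p.text or "").strip() for p in auth.findall("property")}
        if not props.get("Initial Admin Identity"):
            findings.append("Initial Admin Identity is empty: nobody gets admin access")
        for name, value in props.items():
            if DN_RE.match(name):   # the mistake from the question
                findings.append(f'property name "{name}" is a DN; write it as '
                                f'<property name="Node Identity 1">{name}</property>')
            elif NODE_ID_RE.match(name) and not value:
                findings.append(f'"{name}" is declared but empty')
    return findings

def fix_node_identities(xml_text):
    """Rewrite each empty DN-named property as the next "Node Identity N" property.
    users.xml/authorizations.xml must still be deleted or renamed before restarting."""
    root = ET.fromstring(xml_text)
    for auth in root.iter("authorizer"):
        props = auth.findall("property")
        next_n = sum(1 for p in props if NODE_ID_RE.match(p.get("name", ""))) + 1
        for p in props:
            name = p.get("name", "")
            if DN_RE.match(name) and not (p.text or "").strip():
                p.set("name", f"Node Identity {next_n}")
                p.text = name
                next_n += 1
    return ET.tostring(root, encoding="unicode")
```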
Created on 02-21-2019 09:47 PM - edited 08-17-2019 04:59 PM
@Matt Clarke: Thank you for pointing that out! I changed it and it did solve my problem. I'm able to view my dataflow right now.
There is a warning in my browser saying the connection is not secure:
What should I do next to make sure the connection is secure?
Created 02-21-2019 10:02 PM
NiFi is secured. However, you have secured it using self-signed certificates. Your browser does not know the entity which signed your server certificate, so it considers the site you are visiting as untrusted. I am sure you were prompted to add an exception for your server's certificate by your browser when you first tried to access the URL.
-
Adding that exception is simply your way of taking responsibility for proceeding to the site when your browser does not know it should trust it. The fact that your browser does not trust the site has nothing to do with the security level of NiFi's URL.
-
If you want this "notification" to go away, you are going to need to add the public cert of your server certificate's issuer to the list of trusted entities in your browser(s). Or you will need to get new server certificates issued by a Certificate Authority (CA) your browser is already configured to trust (for example VeriSign, GoDaddy, GlobalSign, etc.). Of course there is a cost associated with getting certs issued/signed by a public authority.
-
Many users of NiFi have their own corporately managed CA that issues/signs certificates for use by users and servers within their organization. And those corporate CAs may already be loaded onto browsers on corporately managed assets.
-
Thanks,
Matt
Created 02-21-2019 10:39 PM
@Matt Clarke: Thank you for your detailed explanation!