Created 01-25-2018 09:25 PM
I have completed the LDAP setup for NiFi. After restarting I am able to authenticate with the initial admin, but rather than being directed to the canvas, I am taken back to the /nifi/login page. The page says "Success" with a logout and home link and a message below that says "You are already logged in". Clicking the Home link takes me back to the same page.
After enabling debugging, here are the messages I see in the nifi-users.log file:
2018-01-25 15:50:56,006 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2018-01-25 15:50:56,007 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2018-01-25 15:50:56,007 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2018-01-25 15:50:56,007 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1lNzgzMTV0LG91PVVzZXJzLG91PUFjY291bnRzLGRjPWludGVybmFsLGRjPXNsbWJhbmssZGM9bmV0IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZTc4MzE1dCIsImtpZCI6NCwiZXhwIjoxNTE2OTU2NjU0LCJpYXQiOjE1MTY5MTM0NTR9.a8f8h-Jv2_2qo-0kr9KTCTGFKW3SMeuN772RcUPLZLM) GET https://s617985dc2vl485.internal.redacted.net:9091/nifi-api/flow/current-user (source ip: 10.0.108.100)
2018-01-25 15:50:56,010 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net
2018-01-25 15:50:56,013 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net
2018-01-25 15:50:56,013 DEBUG [NiFi Web Server-20] o.a.n.w.s.a.NiFiAnonymousUserFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'cn=e78315t,ou=Users,ou=Accounts,dc=internal,dc=redacted,dc=net'
2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2018-01-25 15:50:56,138 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2018-01-25 15:50:56,139 DEBUG [NiFi Web Server-21] o.a.n.w.s.a.NiFiAnonymousUserFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2018-01-25 15:50:56,141 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
2018-01-25 15:50:56,145 DEBUG [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper org.apache.nifi.authorization.AccessDeniedException: Unknown user with identity 'anonymous'.
at org.apache.nifi.web.api.FlowResource.authorizeFlow(FlowResource.java:229)
at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:315)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
I have validated that this specific DN is present in the users.xml and authorizations.xml files. Does anyone have any idea where I need to look?
Thanks
Created 01-25-2018 10:11 PM
Is this a NiFi Cluster?
Do you have an external load-balancer sitting in front of your NiFi URL? If so, you need to make sure you have enabled sticky sessions. A token is only good for the node from which it was issued. So if subsequent requests to a load-balanced URL go to a different node, the token your browser presents will not be known to that node.
Thank you,
Matt
Created 01-26-2018 02:08 PM
Thank you for your response. No, this is not a cluster and there is no load balancer. Is there a way to debug whether the token is having problems being generated?
Thanks again,
Chad
Created 01-26-2018 07:29 PM
You could use curl to verify that the NiFi access-token REST API endpoint is returning a token to you.
# curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k
This should return a long string of characters which is your token.
Once you know the above works, you can use the following to store a retrieved token in a variable for easier use in subsequent curl REST API calls:
# token="$(curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k)"
That token can then be used in subsequent calls to the REST API as follows:
# curl 'https://<nifihostname>:<port>/nifi-api/flow/current-user' -H "Authorization: Bearer $token" -k
The above for example would return JSON output like:
{"identity":"<username or DN>","anonymous":false,"provenancePermissions":{"canRead":false,"canWrite":false},"countersPermissions":{"canRead":false,"canWrite":false},"tenantsPermissions":{"canRead":true,"canWrite":true},"controllerPermissions":{"canRead":true,"canWrite":true},"policiesPermissions":{"canRead":true,"canWrite":true},"systemPermissions":{"canRead":false,"canWrite":false},"restrictedComponentsPermissions":{"canRead":false,"canWrite":true}}
With your browser, the exchange is not much different.
When you login, you are hitting that same endpoint to get a JWT token.
Your browser stores that token for subsequent requests sent to the same NiFi (such as loading the flow/canvas).
When the token arrives in the subsequent requests, it is checked against the server-side equivalent for that token, which is stored in "nifi-user-keys.h2.db". This file can be found in the NiFi database repository directory.
So make sure this file exists, is owned by the same user running the NiFi process, and that you have not run out of disk space.
If the token looks good and user authentication is valid for the resource being requested, you'll get a response.
The ldap-provider configuration in the login-identity-providers.xml file dictates how long these tokens remain valid. The default expiration is 12 hours, at which time the client will need to get a new token.
Thank you,
Matt
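An added troubleshooting script (not from this thread and not NiFi's own tooling) that wraps the curl steps above and the server-side checks Matt lists: the host, port and credentials are placeholders you supply, the sample token is constructed so the decode and expiry checks run offline, and the database path is whatever your nifi.properties points at.

```shell
#!/bin/sh
# Added troubleshooting helper for the token flow described above; not NiFi's own tooling.
# Host, port and credentials are hypothetical placeholders; the sample token is constructed.
set -e

# Steps 1 and 2 from the answer: obtain a JWT from the access/token endpoint (not run by the test).
fetch_token() {  # usage: fetch_token host port username password
    curl -s -k --fail "https://$1:$2/nifi-api/access/token" \
        --data-urlencode "username=$3" --data-urlencode "password=$4"
}

# Step 3: present the bearer token and ask NiFi who it thinks we are (not run by the test).
current_user() {  # usage: current_user host port token
    curl -s -k --fail "https://$1:$2/nifi-api/flow/current-user" -H "Authorization: Bearer $3"
}

# Decode the JWT payload (second dot-separated segment, unpadded base64url) so that its
# sub/iss/exp claims can be compared with the identity nifi-users.log reports for the request.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
    printf '%s' "$seg" | base64 -d
}

# Succeeds when the exp claim is already in the past (default lifetime per the answer: 12 hours).
jwt_is_expired() {
    exp=$(jwt_payload "$1" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
    [ -n "$exp" ] && [ "$exp" -lt "$(date +%s)" ]
}

# Server-side half of the check: the key store backing issued tokens must exist, be readable
# and writable by the account running NiFi, and sit on a filesystem that still has free space.
check_user_keys_db() {  # usage: check_user_keys_db <database_repository>/nifi-user-keys.h2.db
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ -r "$1" ] && [ -w "$1" ] || { echo "not readable/writable by $(id -un): $1" >&2; return 1; }
    avail_kb=$(df -P "$(dirname "$1")" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -gt 0 ] || { echo "no free space under $(dirname "$1")" >&2; return 1; }
}

# Constructed sample token (HS256 header, claims shaped like the LdapProvider ones, dummy signature).
SAMPLE_PAYLOAD='{"sub":"cn=alice,ou=Users,dc=example,dc=net","iss":"LdapProvider","exp":1516956654}'
SAMPLE_TOKEN="eyJhbGciOiJIUzI1NiJ9.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr -d '\n=' | tr '+/' '-_').sig"
```

Run the checks as the account that owns the NiFi process, since the readable/writable test is relative to the caller; `base64 -d` is the GNU coreutils flag (older macOS builds use -D).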
Created 01-29-2018 02:26 PM
@Matt Clarke You nailed it! I was having a permissions problem with the nifi-user-keys-h2.db file. I corrected that and it's working perfectly! Thank you so much!
Created 02-12-2018 02:19 PM
Awesome, glad to hear I was able to help. Please take a moment to click "accept" below the answer to close out this thread.
Created 07-26-2019 12:52 PM
Hi Matt,
I am facing a similar issue in my Ambari cluster, which has only one node for now.
This is a Kerberos-enabled cluster with realm name MASTER, and I have added a principal for NiFi as nifiadmin@MASTER.
I am enabling SSL and I am able to log in to the SSL-enabled NiFi, but there I am facing the below issue:
"
An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: certificate: sha256/OeYwuYhOAaTVnMMLvGSCJZU= DN: CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []
"
So I have tried the above steps mentioned by you here:
1. curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k
It gave me a string of characters as mentioned by you.
2. token="$(curl 'https://<nifihostname>:<port>/nifi-api/access/token' --data 'username=<username>&password=<password>' -k)"
This was also successful.
3. curl 'https://<nifihostname>:<port>/nifi-api/flow/current-user' -H "Authorization: Bearer $token" -k
Here it failed saying the below:
javax.net.ssl.SSLPeerUnverifiedException: Hostname master not verified: certificate: sha256/OeYwuYhOAaTVnMMLvGSCJZU= DN: CN=nifiadmin@MASTER, OU=NIFI, O=SELF, L=CN, ST=TN, C=IN subjectAltNames: []
Could you please help me to sort this out...
Thanks in advance,
Sarath.