Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Nifi several issues trying to resolve Untrusted proxy message

Solved Go to solution
Highlighted

Nifi several issues trying to resolve Untrusted proxy message

Expert Contributor

Hello community,

I'm trying to setup a Nifi cluster with external certifcates (used tinycerts.org) and after setup SSL and LDAP authentication and add my nodes SSL CNs to authorizations.xml via ambari, I have the following message when trying to access to nifi console:

Insufficient Permissions
log outhome
Untrusted proxy CN=node04.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES
I have tried what is told in this link https://community.hortonworks.com/questions/80246/nifi-untrusted-proxy.html reading the pkcs12 certificate with keytool and getting the CN of the owner part of the certificate:
Alias name: 1
Creation date: Sep 13, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node01.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES
Issuer: CN=Arq de Sistemas CA, OU=Secure Digital Certificate Signing, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES
Serial number: 2cbd
Valid from: Tue Sep 12 11:14:33 CEST 2017 until: Wed Sep 12 11:14:33 CEST 2018


Even with that I still having the same issue so after a bit of research I found this post https://community.hortonworks.com/questions/110527/nifi-hdf30-untrusted-proxy.html

When I remove users.xml and authorizations.xml nifi is not able to create from authorizers.xml, and create an empty ones after that the nifi instances are unable to start and shows this error:

2017-09-13 17:26:47,480 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setX509AuthenticationProvider(org.apache.nifi.web.security.x509.X509AuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Cannot provide an Initial Admin Identity and a Legacy Authorized Users File
2017-09-13 17:26:47,491 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...


SSL works fine with the certificates.. my authorizers.xml is the following:

        <!--
        Licensed to the Apache Software Foundation (ASF) under one or more
        contributor license agreements.  See the NOTICE file distributed with
        this work for additional information regarding copyright ownership.
        The ASF licenses this file to You under the Apache License, Version 2.0
        (the "License"); you may not use this file except in compliance with
        the License.  You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
        Unless required by applicable law or agreed to in writing, software
        distributed under the License is distributed on an "AS IS" BASIS,
        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        See the License for the specific language governing permissions and
        limitations under the License.
        -->
        <!--
        This file lists the authority providers to use when running securely. In order
        to use a specific provider it must be configured here and it's identifier
        must be specified in the nifi.properties file.
        -->
        <authorizers>


        <!--
        The FileAuthorizer is NiFi"s provided authorizer and has the following properties:
        - Authorizations File - The file where the FileAuthorizer will store policies.
        - Users File - The file where the FileAuthorizer will store users and groups.
        - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
            given the ability to create additional users, groups, and policies. The value of this property could be
            a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
            are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
            Users File can not be specified.
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
            so the value should be the unmapped identity.
        - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
            converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
            not be specified, and this property will only be used when there are no other users, groups, and policies defined.
        - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
            should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
            The name of each property must be unique, for example for a three node cluster:
            "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
            NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
            so the values should be the unmapped identities (i.e. full DN from a certificate).
        -->
        <authorizer>
        <identifier>file-provider</identifier>


        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
        <property name="Users File">/var/lib/nifi/conf/users.xml</property>
        <property name="Initial Admin Identity">cn=testuser,ou=Users,dc=nifi,dc=int</property>
        <property name="Legacy Authorized Users File">/root/authorized-users.xml</property>






<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->




<property name="Node Identity 1">CN=node01.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>
<property name="Node Identity 2">CN=node03.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>
<property name="Node Identity 3">CN=node04.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property>


        </authorizer>
        </authorizers>

Do you know what maybe happening?

Thank you in advance.

Best regards.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Nifi several issues trying to resolve Untrusted proxy message

Master Guru
@Juan Manuel Nieto

You cannot specify both an "Initial Admin Identity" and a "Legacy Authorized Users File" in the authorizers.xml file.

Try removing the the legacy Authorized Users File and restarting NiFi to see if the users.xml and authorizations.xml files get generated.

Thanks,
Matt

View solution in original post

3 REPLIES 3
Highlighted

Re: Nifi several issues trying to resolve Untrusted proxy message

Master Guru
@Juan Manuel Nieto

You cannot specify both an "Initial Admin Identity" and a "Legacy Authorized Users File" in the authorizers.xml file.

Try removing the the legacy Authorized Users File and restarting NiFi to see if the users.xml and authorizations.xml files get generated.

Thanks,
Matt

View solution in original post

Re: Nifi several issues trying to resolve Untrusted proxy message

Expert Contributor

Thanks @Matt Clarke

I added that entry because I had previous issues with the LDAP admin user, now I understand better how it works.
I just removed the "Legacy Authorized Users File" value and it works.

Highlighted

Re: Nifi several issues trying to resolve Untrusted proxy message

Contributor
Don't have an account?
Coming from Hortonworks? Activate your account here