
Unable to Log Into NiFi from Knox?


I am implementing an HDP 3.1/HDF 3.3 cluster currently, secured using MIT KDC and OpenLDAP server. At one point I had the ability to access NiFi through the Knox proxy, but after adding encryption everywhere, I no longer can do so. I can log into NiFi using my LDAP credentials when I access NiFi directly just fine.

Whenever I try to access through Knox, however, I first am shown to NiFi as anonymous (which is rejected by Ranger), and then, once I log in, it shows some Kerberos output that seems to show I was successful, but then it shows the following screen to me in my browser. The same process happens whether I use the topology which authenticates against LDAP, or the topology which uses anonymous authentication, for services such as Ambari or Atlas that do their own authentication.

When I first access the NiFi page through Knox (at which point it takes me to the login page), I see this, even if I'm logged in already to Knox.

2019-06-11 01:35:32,400 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.a.NiFiAnonymousUserFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2019-06-11 01:35:32,402 INFO [NiFi Web Server-223] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Unauthorized response.
2019-06-11 01:35:32,403 DEBUG [NiFi Web Server-223] o.a.n.w.a.c.AccessDeniedExceptionMapper
org.apache.nifi.authorization.AccessDeniedException: Unable to view the user interface.
at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:285)
at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:298)
at org.apache.nifi.web.api.FlowResource.lambda$authorizeFlow$0(FlowResource.java:226)
at org.apache.nifi.web.StandardNiFiServiceFacade.authorizeAccess(StandardNiFiServiceFacade.java:374)

...

This is the only thing of interest that comes out in the NiFi logs when I try to log in directly with NiFi through Knox:

2019-06-11 01:34:07,093 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.

Any ideas what the issue is, or where I need to look to solve this? Neither the Knox logs nor the NiFi logs seem to indicate why the log-in portion doesn't seem to work properly.

image.png
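
Added example, not part of the original post: a small Python triage script that groups NiFi debug lines like the ones quoted above by web-server thread and reports which credentials NiFi saw on each. The sample lines are taken from the post; the function names `summarize` and `verdict` are hypothetical, and the script assumes the log layout shown above (timestamp, level, thread, logger, message).

```python
import re
from collections import defaultdict

# Sample input: lines in the format quoted in the post (two request threads).
SAMPLE = """\
2019-06-11 01:35:32,400 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.a.NiFiAnonymousUserFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2019-06-11 01:35:32,402 INFO [NiFi Web Server-223] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Unauthorized response.
org.apache.nifi.authorization.AccessDeniedException: Unable to view the user interface.
2019-06-11 01:34:07,093 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
"""

# Layout: timestamp, level, [thread], logger, message
LINE = re.compile(r"^\S+ \S+ (\w+)\s+\[([^\]]+)\] (\S+) (.*)$")
DENIED = re.compile(r"identity\[([^\]]*)\], groups\[([^\]]*)\] does not have permission")

def summarize(log_text):
    """Return {thread: facts}. Threads are reused, so feed one request window at a time."""
    facts = defaultdict(lambda: {"null_token": 0, "no_client_cert": False,
                                 "anonymous": False, "denied_identity": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # stack-trace and continuation lines carry no thread name
            continue
        _level, thread, logger, msg = m.groups()
        f = facts[thread]
        if logger.endswith("NiFiAuthenticationFilter") and msg.endswith("token: null"):
            f["null_token"] += 1
        elif logger.endswith("X509CertificateExtractor") and "No client certificate" in msg:
            f["no_client_cert"] = True
        elif logger.endswith("NiFiAnonymousUserFilter"):
            f["anonymous"] = True
        elif (d := DENIED.search(msg)):
            f["denied_identity"] = d.group(1)
    return dict(facts)

def verdict(f):
    """One-line reading of a thread's facts; it states only what the log shows."""
    if f["anonymous"] and f["denied_identity"] == "anonymous":
        return "request ran as anonymous and was denied"
    if f["no_client_cert"] and not f["anonymous"]:
        return "no client certificate presented; outcome not logged on this thread"
    return "inconclusive"

if __name__ == "__main__":
    for thread, f in summarize(SAMPLE).items():
        print(thread, "->", verdict(f), f)
```

Run against a window of the NiFi log covering a single attempt through Knox, this shows whether the proxied request carried a client certificate or token at all before NiFi fell back to the anonymous identity.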