Support Questions
Find answers, ask questions, and share your expertise

Unable to Log Into Nifi from Knox?

Unable to Log Into Nifi from Knox?

Explorer

I am implementing an HDP 3.1/HDF 3.3 cluster currently, secured using MIT KDC and OpenLDAP server. At one point I had the ability to access Nifi through the Knox proxy, but after adding encryption everywhere, I no longer can do so. I can log into Nifi using my LDAP credentials when I access Nifi directly just fine.

Whenever I try to access through Knox, however, I first am shown to Nifi as anonymous (which is rejected by Ranger), and then, once I log in, it shows some Kerberos output that seems to show I was successful, but then it shows the following screen to me in my browser. The same process happens whether I use the topology which authenticates against LDAP, or the topology which uses anonymous authentication, for services such as Ambari or Atlas that do their own authentication.

When I first access the Nifi page through Knox (at which point it takes me to the login page), I see this, even if I'm logged in already to Knox.

2019-06-11 01:35:32,400 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.NiFiAuthenticationFilter Checking secure context token: null
2019-06-11 01:35:32,401 DEBUG [NiFi Web Server-223] o.a.n.w.s.a.NiFiAnonymousUserFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2019-06-11 01:35:32,402 INFO [NiFi Web Server-223] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unable to view the user interface. Returning Unauthorized response.
2019-06-11 01:35:32,403 DEBUG [NiFi Web Server-223] o.a.n.w.a.c.AccessDeniedExceptionMapper
org.apache.nifi.authorization.AccessDeniedException: Unable to view the user interface.
at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:285)
at org.apache.nifi.authorization.resource.Authorizable.authorize(Authorizable.java:298)
at org.apache.nifi.web.api.FlowResource.lambda$authorizeFlow$0(FlowResource.java:226)
at org.apache.nifi.web.StandardNiFiServiceFacade.authorizeAccess(StandardNiFiServiceFacade.java:374)

...

This is the only thing of interest that comes out in the Nifi Logs when I try to log in directly with Nifi through Knox:

2019-06-11 01:34:07,093 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.

Any ideas what the issue is, or where I need to look to solve this? Neither the Knox logs or the Nifi logs seem to indicate why the log-in portion doesn't seem to work properly.

image.png


Don't have an account?