Created on 12-22-2019 02:58 AM - last edited on 12-22-2019 05:46 AM by cjervis
nifi registry security - able to login with certs but not getting login page when canceling certs
Updated login-identity-provider.xml as below, not sure what is missing:
<identityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">xxxxxxxx</property>
<property name="Manager Password">xxxxxxxx</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://abc:389</property>
<property name="User Search Base">OU=managed,DC=ams,DC=xx,DC=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
<property name="Sync Interval">30 secs</property>
</provider>
</identityProviders>
Please let me know what is missing here.
Created 12-26-2019 08:38 AM
@Former Member
Make sure you have configured "nifi.registry.security.needClientAuth=false".
When not set it defaults to true.
NeedClientAuth=true tells NiFi that in the TLS handshake it will "require" the client to present a client-side certificate. If one is not presented, the connection will just close and NiFi-Registry will never try any other authentication method.
This property must be set to false in order for NiFi-Registry to support any authentication method other than TLS.
Hope this gets you going,
Matt
Created on 12-27-2019 07:14 AM - edited 12-27-2019 07:15 AM
@Former Member
Since you are asking a new question unrelated to the question asked in the original subject, I kindly ask that you start a new question. I would be happy to help. Asking multiple questions in one thread makes a thread harder to follow for other users of this community forum.
If you feel this question subject has been answered, please accept a solution provided to close out this thread.
Thank you,
Matt
Created 12-23-2019 10:24 AM
@Former Member
Simply configuring the ldap-provider in the identity-providers.xml file will not result in NiFi-Registry using it.
Make sure you have set the following property in the nifi-registry.properties file:
nifi.registry.security.identity.provider=ldap-provider
This tells NiFi to use the "ldap-provider" configured in that file.
Also make sure the file is named "identity-providers.xml" and not "login-identity-providers.xml". NiFi-Registry uses the former while NiFi uses the latter identity providers filename.
One other thing to consider... If NiFi-Registry is configured to support Spnego:
nifi.registry.kerberos.spnego.authentication.expiration=12 hours
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.principal=
Spnego auth will be attempted before any configured identity provider. So all it takes is to have Spnego enabled in your browser and NiFi-Registry set up to support Spnego auth, and you will not see the login page either. If you do not have Spnego enabled in your browser, then this is not your issue, because even if configured, if the browser does not return Spnego creds, NiFi-Registry will move on to the next configured authentication provider.
Hope this helps,
Matt
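The two answers above (needClientAuth defaulting to true, the identity.provider property, the identity-providers.xml filename, and Spnego being tried first) can be checked mechanically. The linter below is an added example, not NiFi Registry code or anything from this thread; the sample properties and XML are constructed to mirror the configuration posted here, and treating an empty needClientAuth value the same as an unset one is an assumption.

```python
"""Constructed linter for the NiFi Registry login-page pitfalls discussed in this thread (not NiFi Registry code)."""
import xml.etree.ElementTree as ET

SAMPLE_PROPERTIES = """\
# security properties #
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.needClientAuth=
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-provider
"""
SAMPLE_PROVIDERS_XML = """\
<identityProviders><provider>
  <identifier>ldap-provider</identifier>
</provider></identityProviders>"""
PROP = "nifi.registry.security."  # prefix shared by the properties checked below

def parse_properties(text):
    """Minimal Java .properties reader: skip blanks and comments, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def provider_identifiers(xml_text):
    """Set of <identifier> values declared in identity-providers.xml."""
    root = ET.fromstring(xml_text)
    return {p.findtext("identifier", "").strip() for p in root.findall("provider")}

def lint(props, providers_xml):
    """Return findings that would keep the login page from appearing; [] means none found."""
    findings = []
    # Unset defaults to true (per the answer above); assumption: an empty value behaves as unset.
    if props.get(PROP + "needClientAuth", "").lower() != "false":
        findings.append("needClientAuth is not false: the TLS handshake requires a client cert, "
                        "so no other authentication method is ever tried")
    provider = props.get(PROP + "identity.provider", "")
    if not provider:
        findings.append("identity.provider is not set, so identity-providers.xml is ignored")
    elif provider not in provider_identifiers(providers_xml):
        findings.append("identity.provider '%s' matches no <identifier> in identity-providers.xml" % provider)
    if props.get(PROP + "identity.providers.configuration.file", "").endswith("login-identity-providers.xml"):
        findings.append("login-identity-providers.xml is the NiFi filename; NiFi Registry uses identity-providers.xml")
    # Spnego needs both a principal and a keytab; when present it is attempted before the identity provider.
    if props.get("nifi.registry.kerberos.spnego.principal") and props.get("nifi.registry.kerberos.spnego.keytab.location"):
        findings.append("Spnego is configured and will be attempted before the identity provider")
    return findings
```

Run against the sample as posted, the only finding is the empty needClientAuth; set it to false and the list comes back empty.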
Created 12-25-2019 06:41 PM
Yes, updated the nifi-reg.properties file:
nifi.registry.security.identity.provider=ldap-provider
But still no luck.
# security properties #
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxxxxxxx
nifi.registry.security.keyPasswd=xxxxxx
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=xxxxxxxxxxx
nifi.registry.security.user.authorizer=managed-authorizer
#nifi.registry.security.user.login.identity.provider=ldap-identity-provider
nifi.registry.security.needClientAuth=
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-provider
Created 12-25-2019 07:33 PM
Do I need to configure authorization.xml to get the login page alone?
Please advise. Thanks!
Created 12-26-2019 12:55 PM
This really helps, now I am getting the login page after setting the value to false:
nifi.registry.security.needClientAuth=false
Really Appreciate it.
Can you help to configure file-based user authorizations as well in authorizers.xml?
I hope the part below should be enough:
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">CN=sys_admin, OU=RegPoc</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=sys_admin, OU=RegPoc</property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>
What should be the node identity here?